Rspamd installation and OpenSMTPD configuration on it on OpenBSD
nabbisen
Posted on July 17, 2021
Summary
Thanks to poolpOrg's filter-rspamd, Rspamd filter in OpenSMTPD is provided as Ports package whose name is
opensmtpd-filter-rspamd
in OpenSMTPD 6.6.0 or higher. It means it has not been necessary any longer to use rspamc
in smtpd.conf.
This post shows how to install Rspamd and configure it on OpenBSD.
Environment
- Server OS: OpenBSD 6.9
- MTA (Mail transfer agent): OpenSMTPD 6.9
- Spam filtering system: Rspamd 2.7
- Command line shell: Fish 3.2
Tutorial
Here shows packages related to OpenSMTPD:
$ doas pkg_info -Q opensmtpd
libopensmtpd-0.6
opensmtpd-extras-6.7.1v0
opensmtpd-extras-mysql-6.7.1p0v0
opensmtpd-extras-pgsql-6.7.1p0v0
opensmtpd-extras-python-6.7.1v0
opensmtpd-extras-redis-6.7.1v0
opensmtpd-filter-admdscrub-0.1
opensmtpd-filter-dkimsign-0.4
opensmtpd-filter-dnsbl-0.2
opensmtpd-filter-rspamd-0.1.7p0
opensmtpd-filter-senderscore-0.1.1p0
opensmtpd-filter-spamassassin-0.7p0
Several extras and also several filters :)
First, let's install Rspamd and also required packages, its OpenSMTPD filter and Redis. Rspamd in OpenBSD is highly configured and ready to use Redis as database by default.
$ doas pkg_add rspamd redis opensmtpd-filter-rspamd
quirks-3.633 signed on 2021-07-03T10:19:35Z
Ambiguous: choose package for rspamd
0: <None>
1: rspamd-2.7p0
2: rspamd-2.7p0-hyperscan
Your choice: 2
rspamd-2.7p0-hyperscan:luajit-2.0.5p2: ok
rspamd-2.7p0-hyperscan:gcc-libs-8.4.0p6: ok
rspamd-2.7p0-hyperscan:blas-3.8.0p0: ok
rspamd-2.7p0-hyperscan:cblas-1.0p7: ok
rspamd-2.7p0-hyperscan:hyperscan-5.4.0-ssse3: ok
useradd: Warning: home directory `/var/redis' doesn't exist, and -m was not specified
rspamd-2.7p0-hyperscan:redis-6.2.1p0: ok
rspamd-2.7p0-hyperscan: ok
opensmtpd-filter-rspamd-0.1.7p0: ok
The following new rcscripts were installed: /etc/rc.d/redis /etc/rc.d/rspamd
See rcctl(8) for details.
New and changed readme(s):
/usr/local/share/doc/pkg-readmes/opensmtpd-filter-rspamd
/usr/local/share/doc/pkg-readmes/rspamd
Besides, hyperscan is used as an option of local optimizations
on Rspamd performance, which is developed by Intel.
Next, enable daemons.
$ doas rcctl enable {redis, rspamd}
And run them.
$ doas rcctl start {redis, rspamd}
redis(ok)
rspamd(ok)
If you want to add custom configuration to Rspamd, it's available with ".conf" files.
In my case, I edited actions.conf to mitigate rejection by the filter.
$ cd /etc/rspamd/local.d
$ cat ../actions.conf
(...)
actions {
reject = 15; # Reject when reaching this score
add_header = 6; # Add header when reaching this score
greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
(...)
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/actions.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/actions.conf"
}
$ doas nvim actions.conf
My actions.conf in local.d is like this:
reject = 27.0;
greylist = 19.0;
subject = "** Suspicious ** %s"
rewrite_subject = 12.0;
add_header = 7.0;
When changing Rspamd configuration, it is necessary to restart the daemon:
$ doas rcctl restart rspamd
rspamd(ok)
rspamd(ok)
Then, modify smtpd.conf in /etc/mail to execute (proc-exec
) the filter.
$ cd /etc/mail
$ # create a backup if necessary:
$ doas cp -p smtpd.conf smtpd.conf.bak
$ doas nvim smtpd.conf
Add these lines:
(...)
+ filter "rspamd" \
+ proc-exec "filter-rspamd"
(...)
listen on egress \
tls \
pki (...) \
auth-optional \
+ filter { "rspamd" } \
tag MTA
(...)
Just 3 lines :)
Well, here, I actually added more lines:
+ filter "check_dyndns" \
+ phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
+ disconnect "550 no residential connections"
+ filter "check_rdns" \
+ phase connect match !rdns \
+ disconnect "550 no rDNS"
+ filter "check_fcrdns" \
+ phase connect match !fcrdns \
+ disconnect "550 no FCrDNS"
filter "rspamd" \
proc-exec "filter-rspamd"
(...)
- filter { "rspamd" } \
+ filter { "check_dyndns", "check_rdns", "check_fcrdns", "rspamd" } \
The 3 filters are builtin ones in OpenSMTPD.
Finally, restart the smtpd daemon:
$ doas rcctl restart smtpd
smtpd(ok)
smtpd(ok)
Now OpenSMTPD calls Rspamd while transfering messages and the filter results are being stored in Redis.
Hope your trouble on spams and scams will get remarkably less.
Acknowledgments
I appeciate the Gilles (poolp) 's great article:
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
It enabled me to set up Rspamd working well with OpenSMTPD at last.
Posted on July 17, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.