Rspamd monitoring with OpenBSD relayd
nabbisen
Posted on July 18, 2021
Summary
I installed Rspamd on OpenBSD and configured it with OpenSMTPD the other day.
Rspamd installation and OpenSMTPD configuration on it on OpenBSD
nabbisen ・ Jul 17 '21
Well, Rspamd includes a web interface to monitor its performance.
I combined it with relayd.
This post shows how I built the environment.
It is possible to monitor Rspamd via a web browser only when relayd is running on the server.
The relationship between the servers is:
* smtpd *
| .. Is MTA (Mail transfer agent)
|
* rspamd *
| .. Is filtering system
| .. Includes Web ui
| .. Listens on 127.0.0.1 only (port 11334)
| .. Confirms `password` when accessed not from `secure_ip`s
|
* relayd *
.. Listens on 0.0.0.0, any outbound TCP traffic (port 11334 or any)
.. Uses TLS connection with self-signed certificate
Tutorial
First, set up the web ui of Rspamd.
$ cd /etc/rspamd
$ # create a backup if necessary
$ doas cp -p worker-controller.inc worker-controller.inc.bak
$ doas nvim worker-controller.inc
It is officially strongly recommended to change the password. Note that the web UI does not ask for the password when the connection comes from a secure_ip address.
- password = "**";
+ password = "<your-password>";
secure_ip = "127.0.0.1";
secure_ip = "::1";
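Review bot: the `+ password = "<your-password>";` line keeps the controller password in clear text in worker-controller.inc. Rspamd also accepts a hashed value here, generated with `rspamadm pw`, so the clear-text password never has to sit in the file.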
The web UI protects your configuration and email information with the password.
The address bar shows "Not secure" because relayd uses a self-signed certificate, as shown below.
This is how to create a self-signed certificate with the openssl utility provided by LibreSSL:
$ cd /etc/ssl
$ # fish syntax; in sh/ksh use: MYDOMAIN="rspamd-relayd"
$ set -x MYDOMAIN "rspamd-relayd"
$ # C takes a two-letter country code
$ doas openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt \
    -subj "/C=<your.country>/ST=<your.state>/L=/O=<your.org>/OU=/CN=$MYDOMAIN"
$ doas chmod 400 private/$MYDOMAIN.key
Here we have:
$ ls -l /etc/ssl/rspamd-relayd.crt
-rw-r--r-- 1 root wheel 1135 Jul 14 21:09 /etc/ssl/rspamd-relayd.crt
$ doas ls -l /etc/ssl/private/rspamd-relayd.key
-r-------- 1 root wheel 1704 Jul 14 21:09 /etc/ssl/private/rspamd-relayd.key
Next, configure OpenBSD relayd.
$ doas nvim /etc/relayd.conf
Add the lines below to relayd.conf:
protocol rspamd {
    tls keypair "rspamd-relayd"
}
relay rspamd {
    # Run as a SSL/TLS accelerator
    listen on 0.0.0.0 port 11334 tls
    protocol rspamd
    # Forward to the Rspamd web UI listening on localhost
    forward to 127.0.0.1 port 11334
}
relayd listens on 0.0.0.0:11334 and serves TLS connections with the self-signed certificate. Requests that relayd accepts are forwarded to the Rspamd web UI.
Configuration is done now.
Let's start relayd. It is disabled by default, so the -f (force) option is required:
$ doas rcctl -f start relayd
relayd(OK)
Of course, you can alternatively run rcctl enable relayd (and rcctl start relayd).
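A check for the two files edited above, added here as an example that is not part of the original post: relayd connects to Rspamd from 127.0.0.1, which is listed as a secure_ip, so the script flags that combination unless relayd passes the client address on in a request header. The function names, the sample files and the `http protocol` variant with `X-Forwarded-For` are assumptions constructed for this example; it relies on Rspamd checking that header against secure_ip when a proxy sets it.

```sh
# Added example: flags the case where relayd's loopback connection to Rspamd
# is itself a password-exempt secure_ip (matches literal loopback entries only).
# Returns 0 if relayed clients are still asked for the password, 1 if not.
audit_rspamd_relay() {
    ctrl=$(sed 's/#.*//' "$1")      # worker-controller.inc without comments
    relayd=$(sed 's/#.*//' "$2")    # relayd.conf without comments
    lo='(127\.0\.0\.1|::1)'
    # 1. Loopback has to be password-exempt in Rspamd for the issue to exist.
    printf '%s\n' "$ctrl" |
        grep -Eq "secure_ip[[:space:]]*=[[:space:]]*\"$lo\"" || return 0
    # 2. relayd has to reach Rspamd over loopback.
    printf '%s\n' "$relayd" |
        grep -Eq "forward[[:space:]]+to[[:space:]]+$lo" || return 0
    # 3. Fine if relayd hands Rspamd the client address in a header (assumption:
    #    Rspamd then checks that address, not 127.0.0.1, against secure_ip).
    printf '%s\n' "$relayd" | grep -Eq \
        'header[[:space:]]+(set|append)[[:space:]]+"X-(Forwarded-For|Real-IP)"' \
        && return 0
    echo "FINDING: remote clients reach Rspamd from a secure_ip address" >&2
    return 1
}
# Constructed samples: this post's settings, plus a variant (assumption, not
# from the post) whose http protocol passes the client address on.
make_samples() {
    printf '%s\n' 'password = "<your-password>";' 'secure_ip = "127.0.0.1";' \
        'secure_ip = "::1";' > "$1/worker-controller.inc"
    relay='relay rspamd {
    listen on 0.0.0.0 port 11334 tls
    protocol rspamd
    forward to 127.0.0.1 port 11334
}'
    printf '%s\n' 'protocol rspamd {' '    tls keypair "rspamd-relayd"' '}' \
        "$relay" > "$1/relayd.page.conf"
    printf '%s\n' 'http protocol rspamd {' '    tls keypair "rspamd-relayd"' \
        '    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"' \
        '}' "$relay" > "$1/relayd.fixed.conf"
}
d=$(mktemp -d) && make_samples "$d"
for f in page fixed; do
    audit_rspamd_relay "$d/worker-controller.inc" "$d/relayd.$f.conf" \
        && echo "$f: password still required" || echo "$f: flagged"
done
rm -rf "$d"
```

On the server, call the function with /etc/rspamd/worker-controller.inc and /etc/relayd.conf as its two arguments.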
Conclusion
Now the Rspamd web UI is publicly reachable on the web. Access it at https://<fqdn>:11334.
Really useful information :)
Finally, stop relayd:
$ doas rcctl stop relayd
relayd(OK)