Différences

Ci-dessous, les différences entre deux révisions de la page.

--- mail [2017/11/04 17:40] – Ajout postfix mirtouf
+++ mail [2017/11/26 10:42] (Version actuelle) – [3.1. main.cf] Modification DH mirtouf
@@ Ligne 40: / Ligne 40: @@
 puis dovecot:
 <code>
-apt install dovecot-imapd dovecott-lmtpd dovecot-managesieved dovecot-mysql dovecot-pop3d dovecot-sieve
+apt install dovecot-imapd dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pop3d dovecot-sieve
 </code>
@@ Ligne 51: / Ligne 51: @@
 <code>
 apt install nginx-full uwsgi-python
+</code>
+puis redis-server:
+<code>
+apt install redis-server
+</code>
+puis clamav:
+<code>
+apt install clamav clamav-daemon
 </code>
@@ Ligne 63: / Ligne 73: @@
 ===== 2. Installation et configuration de modoboa =====
+==== 2.1. Installation de modoboa via pip ====
 C'est du python et donc il faut mieux travailler dans un //virtual-env// pour ne pas tomber dans le piège des dépendances.
 Avec votre utilisateur non privilégié il faut passer dans un environnement virtuel pour installer modoboa:
@@ Ligne 73: / Ligne 84: @@
 </code>
-puis déployer une instance (référez-vous à la [[https://modoboa.readthedocs.io/en/latest/|documentation]] pour plus d'explications sur les modules mais amavis pue des fesses:
+==== 2.2. Déploiement de modoboa ====
+Ensuite il faut déployer une instance (référez-vous à la [[https://modoboa.readthedocs.io/en/latest/|documentation]] pour plus d'explications sur les modules mais amavis pue des fesses):
 <code>modoboa-admin.py deploy <instance> --collectstatic --domain mail.domaine.tld --dburl default:mysql://USER:PWD@localhost:3306/DB --extensions modoboa-dmarc modoboa-imap-migration modoboa-pdfcredentials modoboa-pfxadmin-migrate modoboa-postfix-autoreply modoboa-radicale modoboa-sievefilters modoboa-stats modoboa-webmail</code>
-pour de belles statistiques (utilisateur privilégié):
+pour de belles statistiques (utilisateur privilégié au besoin):
 <code>mkdir <dossier>/modoboa</code>
 où ce chemin sera renseigné dans l'interface de modoboa.
@@ Ligne 85: / Ligne 97: @@
 Veuillez noter que selon votre configuration, il faudra remplacer l'adresse localhost par 127.0.0.1 pour éviter quelques soucis.
-Le fichier à placer dans /etc/cron.d :
+==== 2.3. Crontab pour modoboa ====
+Le fichier à éditer dans /etc/cron.d/modoboa :
 <code>#
 # Modoboa specific cron jobs
@@ Ligne 113: / Ligne 126: @@
 ===== 3. Postfix =====
+==== 3.1. main.cf ====
 Pour postfix c'est assez simple, le main.cf (avec une mise en forme qui plairait à hardware):
 <code>
@@ Ligne 203: / Ligne 217: @@
 smtpd_tls_cert_file           = /chemin/vers/fichier.crt
 smtpd_tls_key_file            = /chemin/vers/fichier.key
-smtpd_tls_dh1024_param_file   = /etc/ssl/private/dh2048.pem
+smtpd_tls_dh1024_param_file   = /etc/ssl/public/ffdhe2048.pem
-smtpd_tls_dh512_param_file    = /etc/ssl/private/dh512.pem
 tls_preempt_cipherlist = yes
@@ Ligne 248: / Ligne 261: @@
 transport_maps          = mysql:/etc/postfix/modoboa/sql-spliteddomains-transport.cf,
                           mysql:/etc/postfix/modoboa/sql-relaydomains-transport.cf,
-                          mysql:/etc/postfix/modoboa/sql-autoreplies-transport.cf
+                          mysql:/etc/postfix/modoboa/sql-autoreplies-transport.cf,
+                          hash:/etc/postfix/modoboa/dmarc_transport
 ######################
@@ Ligne 384: / Ligne 398: @@
 :!: Veuillez noter que /etc/mailname doit indiquer mail.domaine.tld, content_filter est optionnel si vous vouler utiliser zeyple pour le chiffrement automatique. Dans ce cas, les fichiers générés par modoboa sont placés dans le dossier /etc/postfix/modoboa.
+Le fichier Diffie-Hellman contient ceci et est préférentiellement choisi car audité de façon régulière:
+<code>
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
+</code>
+==== 3.2. master.cf ====
 Le master.cf:
 <code>
@@ Ligne 498: / Ligne 524: @@
   -o smtp_dns_support_level=dnssec
   -o smtp_tls_security_level=dane
+# Modoboa DMARC
+dmarc-rua-parser unix  -       n       n       -       -       pipe
+  flags= user=vmail:vmail argv=/home/modoboa/env/bin/python /home/modoboa/instance/manage.py import_aggregated_report --pipe
 # Zeyple
@@ Ligne 515: / Ligne 545: @@
 # Vacation (modoboa)
 autoreply  unix  -         n       n       -       -       pipe
-       flags= user=vmail:vmail argv=/home/modoboa/env/bin/python /home/modoboa/instance/manage.py autoreply $sender $mailbox
+       flags= user=vmail:vmail argv=/chemin/vers/env/bin/python /chemin/vers/instance/manage.py autoreply $sender $mailbox
+</code>
+==== 3.3. Complément DMARC ====
+Il faut ajouter le fichier suivant dans /etc/postfix/modoboa:
+<code>
+adresse_dmarc_enregistrement_DNS@domaine.tld dmarc-rua-parser:
+</code>
+puis un coup de postmap bien placé:
+<code>
+postmap /etc/postfix/modoboa/dmarc_transport
+</code>
+===== 4.Dovecot =====
+==== 4.1. Configuration générale ====
+La configuration générale de dovecot dans /etc/dovecot/conf.d se fait de cette façon:
+==>/etc/dovecot/conf.d/10-auth.conf<==
+<code>
+disable_plaintext_auth = no
+auth_cache_ttl = 1 hour
+auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+auth_mechanisms = plain login
+!include auth-sql.conf.ext
+</code>
+==>/etc/dovecot/conf.d/10-director.conf<==
+<code>
+service director {
+  unix_listener login/director {
+  }
+  fifo_listener login/proxy-notify {
+  }
+  unix_listener director-userdb {
+  }
+  inet_listener {
+  }
+}
+service imap-login {
+}
+service pop3-login {
+}
+protocol lmtp {
+}
+log_path = /var/log/dovecot/dovecot.log
+info_log_path = /var/log/dovecot/dovecot-info.log
+auth_verbose = yes
+auth_verbose_passwords = sha1
+plugin {
+}
+log_timestamp = "%Y-%m-%d %H:%M:%S"
+</code>
+==>etc/dovecot/conf.d/10-mail.conf<==
+<code>
+mail_location = maildir:~/.maildir
+namespace inbox {
+  inbox = yes
+}
+mail_uid = 5000
+mail_gid = 5000
+mail_privileged_group = mail
+valid_chroot_dirs = /var/spool/vmail
+mail_plugins = $mail_plugins quota
+</code>
+==>/etc/dovecot/conf.d/10-master.conf<==
+<code>
+service imap-login {
+  inet_listener imap {
+    port = 143
+  }
+  inet_listener imaps {
+    port = 993
+    ssl = yes
+  }
+}
+service pop3-login {
+  inet_listener pop3 {
+    port = 110
+  }
+  inet_listener pop3s {
+    port = 995
+    ssl = yes
+  }
+}
+service lmtp {
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0600
+    user = postfix
+    group = postfix
+  }
+  user = vmail
+}
+service imap {
+  executable = imap postlogin
+}
+service pop3 {
+  executable = pop3 postlogin
+}
+service auth {
+  unix_listener auth-userdb {
+  }
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+}
+service auth-worker {
+}
+service dict {
+  unix_listener dict {
+    mode = 0600
+    user = vmail
+  }
+}
+service postlogin {
+  executable = script-login /usr/local/bin/postlogin.sh
+  user = modoboa
+  unix_listener postlogin {
+  }
+}
+</code>
+==>/etc/dovecot/conf.d/10-ssl.conf<==
+<code>
+ssl = required
+ssl_cert = </chemin/vers/fichier.crt
+ssl_key = </chemin/vers/fichier.key
+ssl_dh_parameters_length = 2048
+ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
+</code>
+==>/etc/dovecot/conf.d/15-lda.conf<==
+<code>
+postmaster_address = postmaster@domaine.tld
+quota_full_tempfail = yes
+recipient_delimiter = +
+lda_mailbox_autocreate = yes
+lda_mailbox_autosubscribe = yes
+protocol lda {
+  log_path = /var/log/dovecot/dovecot-lda.log
+  info_log_path = /var/log/dovecot/dovecot-lda.log
+  mail_plugins = quota sieve
+}
+</code>
+==>/etc/dovecot/conf.d/15-mailboxes.conf<==
+<code>
+namespace inbox {
+  mailbox Drafts {
+    auto = subscribe
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    auto = subscribe
+    special_use = \Junk
+  }
+  mailbox Trash {
+    auto = subscribe
+    special_use = \Trash
+  }
+  mailbox Sent {
+    auto = subscribe
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    auto = subscribe
+    special_use = \Sent
+  }
+}
+</code>
+==>/etc/dovecot/conf.d/20-imap.conf<==
+<code>
+protocol imap {
+mail_plugins = $mail_plugins imap_quota imap_sieve
+}
+</code>
+==>/etc/dovecot/conf.d/20-lmtp.conf<==
+<code>
+protocol lmtp {
+  postmaster_address = postmaster@domaine.tld
+  mail_plugins = $mail_plugins sieve quota
+}
+</code>
+==>/etc/dovecot/conf.d/20-managesieve.conf<==
+<code>
+protocols = $protocols sieve
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+  service_count = 1
+  process_min_avail = 0
+  vsz_limit = 64M
+}
+service managesieve {
+}
+protocol sieve {
+  managesieve_max_line_length = 65536
+  mail_max_userip_connections = 10
+  mail_plugins =
+  managesieve_logout_format = bytes=%i/%o
+  managesieve_implementation_string = Dovecot Pigeonhole
+  managesieve_max_compile_errors = 5
+  log_path=/var/log/dovecot/dovecot-sieve.log
+  info_log_path=/var/log/dovecot/dovecot-sieve.log
+}
+</code>
+==>/etc/dovecot/conf.d/20-pop3.conf<==
+<code>
+protocol pop3 {
+  mail_plugins = $mail_plugins
+}
+</code>
+==>/etc/dovecot/conf.d/90-acl.conf<==
+<code>
+plugin {
+}
+plugin {
+}
+</code>
+==>/etc/dovecot/conf.d/90-quota.conf<==
+<code>
+plugin {
+}
+plugin {
+  quota_warning = storage=75%% /usr/local/bin/quota-warning.sh 75 %u
+  quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90 %u
+}
+plugin {
+  quota = maildir:User quota
+}
+plugin {
+  quota = dict:User quota::proxy::quota
+}
+</code>
+==>/etc/dovecot/conf.d/90-sieve.conf<==
+<code>
+plugin {
+  sieve = ~/.dovecot.sieve
+  sieve_dir = ~/sieve
+  sieve_default = /var/lib/dovecot/sieve/global/default.sieve
+  sieve_global = /var/lib/dovecot/sieve/global/
+  sieve_plugins = sieve_imapsieve sieve_extprograms
+  imapsieve_mailbox1_name = Spam
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_before = file:/usr/local/dovecot/sieve/report-spam.sieve
+  imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_from = Spam
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_before = file:/usr/local/dovecot/sieve/report-ham.sieve
+  sieve_pipe_bin_dir = /usr/local/dovecot/sieve
+  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+  recipient_delimiter = +
+}
+</code>
+==>/etc/dovecot/conf.d/90-sieve-extprograms.conf<==
+<code>
+plugin {
+}
+</code>
+==>/etc/dovecot/conf.d/auth-checkpassword.conf.ext<==
+<code>
+passdb {
+  driver = checkpassword
+  args = /usr/bin/checkpassword
+}
+userdb {
+  driver = prefetch
+}
+</code>
+==>/etc/dovecot/conf.d/auth-deny.conf.ext<==
+<code>
+passdb {
+  driver = passwd-file
+  deny = yes
+  args = /etc/dovecot/deny-users
+}
+</code>
+==>/etc/dovecot/conf.d/auth-dict.conf.ext<==
+<code>
+passdb {
+  driver = dict
+  args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
+userdb {
+  driver = dict
+  args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
+</code>
+==>/etc/dovecot/conf.d/auth-master.conf.ext<==
+<code>
+passdb {
+  driver = passwd-file
+  master = yes
+  args = /etc/dovecot/master-users
+  pass = yes
+}
+</code>
+==>/etc/dovecot/conf.d/auth-passwdfile.conf.ext<==
+<code>
+passdb {
+  driver = passwd-file
+  args = scheme=CRYPT username_format=%u /etc/dovecot/users
+}
+userdb {
+  driver = passwd-file
+  args = username_format=%u /etc/dovecot/users
+}
+</code>
+==>/etc/dovecot/conf.d/auth-sql.conf.ext<==
+<code>
+passdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+userdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+</code>
+==>/etc/dovecot/conf.d/auth-system.conf.ext<==
+<code>
+passdb {
+  driver = pam
+}
+userdb {
+  driver = passwd
+}
+</code>
+==>/etc/dovecot/conf.d/auth-vpopmail.conf.ext<==
+<code>
+passdb {
+  driver = vpopmail
+  args =
+}
+userdb {
+  driver = vpopmail
+  args = quota_template=quota_rule=*:backend=%q
+}
+</code>
+==== 4.2. Gestion de la db ====
+Les autres fichiers utiles tels ==>/etc/dovecot/dovecot-dict-auth.conf.ext<==
+<code>
+default_pass_scheme = MD5
+iterate_prefix = userdb/
+key passdb {
+  key = passdb/%u
+  format = json
+}
+key userdb {
+  key = userdb/%u
+  format = json
+}
+key quota {
+  key = userdb/%u/quota
+  default_value = 100M
+}
+passdb_objects = passdb
+userdb_objects = userdb
+userdb_fields {
+  quota_rule = *:storage=%{dict:quota}
+  mail = maildir:%{dict:userdb.home}/Maildir
+}
+</code>
+==>/etc/dovecot/dovecot-dict-sql.conf.ext<==
+<code>
+connect = host=127.0.0.1 dbname=DB user=USER password=PWD
+map {
+  pattern = priv/quota/storage
+  table = admin_quota
+  username_field = username
+  value_field = bytes
+}
+map {
+  pattern = priv/quota/messages
+  table = admin_quota
+  username_field = username
+  value_field = messages
+}
+map {
+  pattern = shared/expire/$user/$mailbox
+  table = expires
+  value_field = expire_stamp
+  fields {
+    username = $user
+    mailbox = $mailbox
+  }
+}
+</code>
+==>/etc/dovecot/dovecot-sql.conf.ext<==
+<code>
+driver = mysql
+connect = host=127.0.0.1 dbname=DB user=USER password=PWD
+default_pass_scheme = CRYPT
+password_query = SELECT email AS user, password FROM core_user WHERE email='%Lu' and is_active=1
+user_query = SELECT '/home/mail/%Ld/%Ln' AS home, 5000 as uid, 5000 as gid, concat('*:bytes=', mb.quota, 'M') AS quota_rule FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id WHERE mb.address='%Ln' AND dom.name='%Ld'
+iterate_query = SELECT email AS user FROM core_user
+</code>
+==== 4.3. scripts utiles ====
+Il faut aussi des scripts utiles:
+==>/usr/local/bin/postlogin.sh <==
+<code>
+#!/bin/sh
+DBNAME=DB
+DBUSER=USER
+DBPASSWORD=PWD
+echo "UPDATE core_user SET last_login=now() WHERE username='$USER'" | mysql -u $DBUSER -p$DBPASSWORD $DBNAME
+exec "$@"
+</code>
+==>/usr/local/bin/quota-warning.sh<==
+<code>
+#!/bin/sh
+PERCENT=$1
+USER=$2
+cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
+From: postmaster@domaine.tld
+Subject: quota warning
+Your mailbox is now $PERCENT% full.
+EOF
+</code>
+==== 4.4 antispam ====
+Pour l'antispam, je propose ceci, proche de la configuration officielle dovecot:
+==>/usr/local/dovecot/sieve/report-ham.sieve<==
+<code>
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+if environment :matches "imap.mailbox" "*" {
+  set "mailbox" "${1}";
+}
+if string "${mailbox}" "Trash" {
+  stop;
+}
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+pipe :copy "sa-learn-ham.sh" [ "${username}" ];
+</code>
+==>/usr/local/dovecot/sieve/report-spam.sieve<==
+<code>
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+pipe :copy "sa-learn-spam.sh" [ "${username}" ];
+</code>
+==>/usr/local/dovecot/sieve/sa-learn-ham.sh<==
+<code>
+#!/bin/bash
+# rspamd client reads piped ham message from the standard input
+exec /usr/bin/rspamc -h localhost:11334 -P "q1" learn_ham
+</code>
+==>/usr/local/dovecot/sieve/sa-learn-spam.sh<==
+<code>
+#!/bin/bash
+# rspamd client reads piped spam message from the standard input
+exec /usr/bin/rspamc -h localhost:11334 -P "q1" learn_spam
+</code>
+===== 5. nginx et uwsgi =====
+==== 5.1. configuration du domaine principal ====
+Le domaine principal mail.domaine.tld sera configuré de cette façon:
+<code>
+server {
+        listen 80;
+#        listen [::]:80 ipv6only=on;
+        root /chemin/vers/modoboa/<instance>/<instance>;
+        # Make site accessible from http://localhost/
+        server_name mail.domaine.tld localhost;
+        if ($ssl_protocol = "") {
+                rewrite ^/(.*)   https://$server_name$request_uri? permanent;
+        }
+}
+server {
+    listen 443 ssl http2;
+#    listen [::]:443 ssl http2;
+    ssl on;
+    keepalive_timeout 70;
+    server_name mail.domaine.tld localhost;
+    root /chemin/vers/modoboa/<instance>/<instance>;
+    ssl_certificate /chemin/vers/fichier.crt;
+    ssl_certificate_key /chemin/vers/fichier.key;
+    access_log  /var/log/nginx/modoboa.access.log;
+    error_log /var/log/nginx/modoboa.error.log;
+    location /sitestatic/ {
+            autoindex on;
+            alias /home/modoboa/instance/sitestatic/;
+    }
+    # Whether or not Modoboa uses a media directory depends on how
+    # you configured Modoboa. It does not hurt to have this.
+    location /media/ {
+            autoindex on;
+            alias /home/modoboa/instance/media/;
+    }
+    # This denies access to any file that begins with
+    # ".ht". Apache's .htaccess and .htpasswd are such files. A
+    # Modoboa installed from scratch would not contain any such
+    # files, but you never know what the future holds.
+    location ~ /\.ht {
+        deny all;
+    }
+    location / {
+        include uwsgi_params;
+        uwsgi_pass unix:/run/uwsgi/app/modoboa/socket;
+        uwsgi_param UWSGI_SCRIPT instance.wsgi:application;
+        uwsgi_param UWSGI_SCHEME https;
+    }
+    location /rspamd/ {
+        proxy_pass       http://localhost:11334/;
+        proxy_set_header Host      $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+</code>
+==== 5.2. uwsgi ====
+et le fichier nécessaire pour uwsgi (à adapter à votre utilisation):
+<code>
+[uwsgi]
+plugins = python
+chdir = /chemin/vers/modoboa/<instance>
+venv = /chemin/vers/env
+module = <instance>.wsgi:application
+master = true
+harakiri = 60
+processes = 2
+vhost = true
+no-default-app = true
+</code>
+Je précise qu'il faudra modifier la configuration TLS par défaut de nginx que je trouve trop lâche mais je vous laisse faire vos choix.
+===== 6. Rspamd =====
+==== 6.1. Configuration ====
+Les fichiers de configuration de rspamd ne doivent pas être modifiés, il faut soit les compléter (dossier local.d) ou les remplacer (override.d), une configuration sera proposée mais elle peut être à adapter au cas par cas.
+==>/etc/rspamd/rspamd.conf.local<==
+<code>
+worker "log_helper" {
+  count = 1;
+}
+multimap {
+    # ip - matches source IP of message (radix map)
+    # from - matches envelope from (or header From if envelope from is absent)
+    # rcpt - matches any of envelope rcpt or header To if envelope info is missing
+    # header - matches any header specified (must have header = "Header-Name" configuration attribute)
+    # dnsbl - matches source IP against some DNS blacklist (consider using RBL module for this)
+    local_bl_ip { type = "ip"; map = "$CONFDIR/local.d/local_bl_ip.map.inc"; symbol = "LOCAL_BL_IP"; description = "Local ip blacklist";}
+    local_bl_from { type = "from"; map = "$CONFDIR/local.d/local_bl_from.map.inc"; symbol = "LOCAL_BL_FROM"; description = "Local from blacklist";}
+    local_bl_rcpt { type = "rcpt"; map = "$CONFDIR/local.d/local_bl_rcpt.map.inc"; symbol = "LOCAL_BL_RCPT"; description = "Local rcpt blacklist";}
+    local_wl_ip { type = "ip"; map = "$CONFDIR/local.d/local_wl_ip.map.inc"; symbol = "LOCAL_WL_IP"; description = "Local ip whitelist";}
+    local_wl_from { type = "from"; map = "$CONFDIR/local.d/local_wl_from.map.inc"; symbol = "LOCAL_WL_FROM"; description = "Local from whitelist";}
+    local_wl_rcpt { type = "rcpt"; map = "$CONFDIR/local.d/local_wl_rcpt.map.inc"; symbol = "LOCAL_WL_RCPT"; description = "Local rcpt whitelist";}
+}
+metric {
+    name = "default";
+    group {
+        name = "local";
+        symbol {
+            weight = 3;
+            description = "Sender ip listed in local ip blacklist";
+            name = "LOCAL_BL_IP";
+        }
+        symbol {
+            weight = 3;
+            description = "Sender from listed in local from blacklist";
+            name = "LOCAL_BL_FROM";
+        }
+        symbol {
+            weight = 3;
+            description = "Recipient listed in local rcpt blacklist";
+            name = "LOCAL_BL_RCPT";
+        }
+        symbol {
+            weight = -10;
+            description = "Sender ip listed in local ip whitelist";
+            name = "LOCAL_WL_IP";
+        }
+        symbol {
+            weight = -5;
+            description = "Sender from listed in local from whitelist";
+            name = "LOCAL_WL_FROM";
+        }
+        symbol {
+            weight = -5;
+            description = "Recipient listed in local rcpt whitelist";
+            name = "LOCAL_WL_RCPT";
+        }
+    }
+}
+</code>
+Les fichiers créés pour l'occasion:
+==> /etc/rspamd/local.d/antivirus.conf <==
+<code>
+# multiple scanners could be checked, for each we create a configuration block with an arbitrary name
+clamav {
+  enabled = true;
+  # If set force this action if any virus is found (default unset: no action is forced)
+  action = "reject";
+  # if `true` only messages with non-image attachments will be checked (default true)
+  attachments_only = false;
+  # If `max_size` is set, messages > n bytes in size are not scanned
+  #max_size = 20000000;
+  # symbol to add (add it to metric if you want non-zero weight)
+  symbol = "CLAM_VIRUS";
+  # type of scanner: "clamav", "fprot", "sophos" or "savapi"
+  type = "clamav";
+  # If set true, log message is emitted for clean messages
+  #log_clean = false;
+  # For "savapi" you must also specify the following variable
+  #product_id = 12345;
+  # For "savapi" you can enable logging for clean messages
+  log_clean = true;
+  # servers to query (if port is unspecified, scanner-specific default is used)
+  # can be specified multiple times to pool servers
+  # can be set to a path to a unix socket
+  servers = "127.0.0.1:3310";
+  # if `patterns` is specified virus name will be matched against provided regexes and the related
+  # symbol will be yielded if a match is found. If no match is found, default symbol is yielded.
+  patterns {
+    # symbol_name = "pattern";
+    JUST_EICAR = "^Eicar-Test-Signature$";
+  }
+  # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
+  #whitelist = "/etc/rspamd/antivirus.wl";
+}
+</code>
+==> /etc/rspamd/local.d/arc.conf <==
+<code>
+# local.d/arc.conf
+# If false, messages with empty envelope from are not signed
+allow_envfrom_empty = false;
+# If true, envelope/header domain mismatch is ignored
+allow_hdrfrom_mismatch = false;
+# If true, multiple from headers are allowed (but only first is used)
+allow_hdrfrom_multiple = true;
+# If true, username does not need to contain matching domain
+allow_username_mismatch = true;
+# If false, messages from authenticated users are not selected for signing
+auth_only = true;
+# Default path to key, can include '$domain' and '$selector' variables
+path = "/usr/local/etc/dkim/keys/$domain.$selector.key";
+# Default selector to use
+selector = "mail";
+# If false, messages from local networks are not selected for signing
+sign_local = true;
+# Symbol to add when message is signed
+symbol_signed = "ARC_SIGNED";
+# Whether to fallback to global config
+try_fallback = true;
+# Domain to use for ARC signing: can be "header" or "envelope"
+use_domain = "header";
+# Whether to normalise domains to eSLD
+use_esld = false;
+# Whether to get keys from Redis
+use_redis = false;
+# Hash for ARC keys in Redis
+key_prefix = "ARC_KEYS";
+# map of domains -> names of selectors (since rspamd 1.5.3)
+#selector_map = "/etc/rspamd/arc_selectors.map";
+# map of domains -> paths to keys (since rspamd 1.5.3)
+#path_map = "/etc/rspamd/arc_paths.map";
+</code>
+==> /etc/rspamd/local.d/classifier-bayes.conf <==
+<code>
+servers = "127.0.0.1";
+backend = "redis";
+</code>
+==> /etc/rspamd/local.d/dkim_signing.conf <==
+<code>
+# If false, messages with empty envelope from are not signed
+allow_envfrom_empty = true;
+# If true, envelope/header domain mismatch is ignored
+allow_hdrfrom_mismatch = false;
+# If true, multiple from headers are allowed (but only first is used)
+allow_hdrfrom_multiple = true;
+# If true, username does not need to contain matching domain
+allow_username_mismatch = true;
+# If false, messages from authenticated users are not selected for signing
+auth_only = true;
+# Default path to key, can include '$domain' and '$selector' variables
+path = "/usr/local/etc/dkim/keys/$domain.$selector.key";
+# Default selector to use
+selector = "mail";
+# If false, messages from local networks are not selected for signing
+sign_local = true;
+# Map file of IP addresses/subnets to consider for signing
+# sign_networks = "/some/file"; # or url
+# Symbol to add when message is signed
+symbol = "DKIM_SIGNED";
+# Whether to fallback to global config
+try_fallback = true;
+# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
+use_domain = "header";
+# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
+#use_domain_sign_networks = "header";
+# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
+#use_domain_sign_local = "header";
+# Whether to normalise domains to eSLD
+use_esld = falsee;
+# Whether to get keys from Redis
+use_redis = false;
+# Hash for DKIM keys in Redis
+key_prefix = "DKIM_KEYS";
+# map of domains -> names of selectors (since rspamd 1.5.3)
+#selector_map = "/etc/rspamd/dkim_selectors.map";
+# map of domains -> paths to keys (since rspamd 1.5.3)
+#path_map = "/etc/rspamd/dkim_paths.map";
+</code>
+==> /etc/rspamd/local.d/dmarc.conf <==
+<code>
+dmarc {
+	# Enables storing reporting information to redis
+	reporting = true;
+	# If Redis server is not configured below, settings from redis {} will be used
+	#servers = "127.0.0.1:6379"; # Servers to use for reads and writes (can be a list)
+	# Alternatively set read_servers / write_servers to split reads and writes
+	# To set custom prefix for redis keys:
+	#key_prefix = "dmarc_";
+	# Actions to enforce based on DMARC disposition (empty by default)
+	actions = {
+		quarantine = "add_header";
+		reject = "reject";
+	}
+        # Ignore "pct" setting for some domains
+        # no_sampling_domains = "/etc/rspamd/dmarc_no_sampling.domains";
+}
+</code>
+==> /etc/rspamd/local.d/fann_redis.conf <==
+<code>
+servers = "localhost";
+</code>
+==> /etc/rspamd/local.d/greylist.conf <==
+<code>
+greylist {
+	servers = "127.0.0.1:6379";
+#	whitelist_domains_url [
+#		"/etc/rspamd/local.d/local_wl_from.map.inc",
+#	]
+#	greylist_min_score = 5;
+}
+</code>
+==> /etc/rspamd/local.d/greylist-whitelist-domains.inc <==
+<code>
+# Whitelist for greylist
+debian.org
+</code>
+==> /etc/rspamd/local.d/ip_score.conf <==
+<code>
+ip_score {
+#    servers = "localhost";
+#    threshold = 100;
+#    reject_score = 3;
+#    no_action_score = -2;
+#    add_header_score = 1;
+#    whitelist = "file:///ip_map";
+# how each action is treated in scoring
+actions {
+  reject = 1.0;
+  "add header" = 0.25;
+  "rewrite subject" = 0.25;
+  "no action" = 1.0;
+}
+# how each component is evaluated
+scores {
+  asn = 0.5;
+  country = 0.1;
+  ipnet = 0.8;
+  ip = 1.0;
+}
+# prefix for asn hashes
+asn_prefix = "a:";
+# prefix for country hashes
+country_prefix = "c:";
+# hash table in redis used for storing scores
+hash = "ip_score";
+# prefix for subnet hashes
+ipnet_prefix = "n:";
+# minimum number of messages to be scored
+lower_bound = 10;
+# the metric to score (usually "default")
+metric = "default";
+# upper and lower bounds at which to cap total score
+#max_score = 10;
+#min_score = -5;
+# Amount to divide subscores by before applying tanh
+score_divisor = 10;
+# list of servers (or configure redis globally)
+#servers = "localhost";
+# symbol to be inserted
+symbol = "IP_SCORE";
+}
+</code>
+==> /etc/rspamd/local.d/local_bl_from.map.inc <==
+<code>
+# A remplir
+</code>
+==> /etc/rspamd/local.d/local_bl_ip.map.inc <==
+<code>
+# A remplir
+</code>
+==> /etc/rspamd/local.d/local_bl_rcpt.map.inc <==
+<code>
+# A remplir
+</code>
+==> /etc/rspamd/local.d/local_wl_from.map.inc <==
+<code>
+# A remplir
+debian.org
+</code>
+==> /etc/rspamd/local.d/local_wl_ip.map.inc <==
+<code>
+# A remplir
+::1
+.0.0.1
+</code>
+==> /etc/rspamd/local.d/local_wl_rcpt.map.inc <==
+<code>
+# A remplir
+</code>
+==> /etc/rspamd/local.d/metrics.conf <==
+<code>
+actions {
+  reject = 20;
+#  soft_reject = 15;
+  rewrite_subject = 8;
+  add_header = 6;
+  greylist = 4;
+}
+subject = "*** SPAM *** %s";
+symbol "MX_INVALID" {
+  score = 1.0;
+  description = "No connectable MX";
+  one_shot = "true";
+}
+symbol "MX_MISSING" {
+  score = 2.0;
+  description = "No MX record";
+  one_shot = "true";
+}
+symbol "MX_GOOD" {
+  score = -0.5;
+  description = "MX was ok";
+  one_shot = "true";
+}
+symbol "IP_SCORE" {
+  weight = 2.0;
+  description = "IP reputation";
+}
+</code>
+==> /etc/rspamd/local.d/milter_headers.conf <==
+<code>
+use = ["spam-header", "x-spam-level", "x-spam-status", "x-virus", "authentication-results"];
+skip_local = false;
+skip_authenticated = true;
+extended_spam_headers = true;
+routines {
+  spam-header {
+    header = "X-Spam-Flag";
+    remove = 1;
+    value = "YES";
+  }
+  x-spam-level {
+    header = "X-Spam-Level";
+    remove = 1;
+    char = "*";
+  }
+  x-spam-status {
+    header = "X-Spam-Status";
+    remove = 1;
+  }
+  x-virus {
+    header = "X-Virus";
+    remove = 1;
+    symbols = ["CLAM_VIRUS"];
+  }
+  authentication-results {
+    header = "Authentication-Results";
+    remove = 1;
+    spf_symbols {
+      pass = "R_SPF_ALLOW";
+      fail = "R_SPF_FAIL";
+      softfail = "R_SPF_SOFTFAIL";
+      neutral = "R_SPF_NEUTRAL";
+      temperror = "R_SPF_DNSFAIL";
+      none = "R_SPF_NA";
+      permerror = "R_SPF_PERMFAIL";
+    }
+    dkim_symbols {
+      pass = "R_DKIM_ALLOW";
+      fail = "R_DKIM_REJECT";
+      temperror = "R_DKIM_TEMPFAIL";
+      none = "R_DKIM_NA";
+      permerror = "R_DKIM_PERMFAIL";
+    }
+    dmarc_symbols {
+      pass = "DMARC_POLICY_ALLOW";
+      permerror = "DMARC_BAD_POLICY";
+      temperror = "DMARC_DNSFAIL";
+      none = "DMARC_NA";
+      reject = "DMARC_POLICY_REJECT";
+      softfail = "DMARC_POLICY_SOFTFAIL";
+      quarantine = "DMARC_POLICY_QUARANTINE";
+    }
+  }
+}
+</code>
+==> /etc/rspamd/local.d/mime_types.conf <==
+<code>
+# Extensions that are treated as 'bad'
+# Number is score multiply factor
+bad_extensions = {
+  scr = 4,
+  lnk = 4,
+  exe = 1,
+  jar = 2,
+  com = 4,
+  bat = 4,
+  ace = 4,
+  arj = 4,
+  cab = 3,
+};
+# Extensions that are particularly penalized for archives
+bad_archive_extensions = {
+  pptx = 0.5,
+  docx = 0.5,
+  xlsx = 0.5,
+  pdf = 1.0,
+  jar = 3,
+  js = 0.5,
+  vbs = 7,
+};
+# Used to detect another archive in archive
+archive_extensions = {
+  zip = 1,
+  arj = 1,
+  rar = 1,
+  ace = 1,
+z = 1,
+  cab = 1,
+};
+</code>
+==> /etc/rspamd/local.d/mx_check.conf <==
+<code>
+enabled = true;
+timeout = 1.0;
+symbol_bad_mx = "MX_INVALID";
+symbol_no_mx = "MX_MISSING";
+symbol_good_mx = "MX_GOOD";
+expire = 86400;
+expire_novalid = 7200;
+greylist_invalid = false;
+key_prefix = "rmx";
+</code>
+==> /etc/rspamd/local.d/options.inc <==
+<code>
+map_watch_interval = 1min;
+dns {
+  enable_dnssec = true;
+  timeout = 4s;
+  retransmits = 5;
+  nameserver = "master-slave:127.0.0.1:53:10";
+}
+</code>
+==> /etc/rspamd/local.d/ratelimit.conf <==
+<code>
+rates {
+  # Limit for all mail per recipient (rate 2 per minute)
+  to = "2 / 1m";
+  # Limit for all mail per one source ip (rate 3 per minute)
+  to_ip = "3 / 1m";
+  # Limit for all mail per one source ip and from address (rate 2 per minute)
+  to_ip_from = "2 / 1m";
+  # Limit for all bounce mail (rate 2 per hour)
+  bounce_to = "2 / 1h";
+  # Limit for bounce mail per one source ip (rate 1 per hour)
+  bounce_to_ip = "1 / 1h";
+  # Limit for all mail per authenticated user (rate 2 per minute)
+  user = "2 / 1m";
+}
+whitelisted_rcpts = "postmaster,mailer-daemon";
+max_rcpt = 5;
+</code>
+==> /etc/rspamd/local.d/redis.conf <==
+<code>
+servers = "127.0.0.1:6379";
+</code>
+==> /etc/rspamd/local.d/statistic.conf <==
+<code>
+classifier "bayes" {
+    tokenizer {
+    name = "osb";
+    }
+    backend = "redis";
+    servers = "127.0.0.1:6379";
+    min_tokens = 11;
+    min_learns = 10;
+    autolearn = true;
+    per_user = <<EOD
+return function(task)
+    local rcpt = task:get_recipients(1)
+if rcpt then
+    one_rcpt = rcpt[1]
+    if one_rcpt['domain'] then
+        return one_rcpt['domain']
+    end
+end
+return nil
+end
+EOD
+    statfile {
+        symbol = "BAYES_HAM";
+        spam = false;
+    }
+    statfile {
+        symbol = "BAYES_SPAM";
+        spam = true;
+    }
+    learn_condition =<<EOD
+return function(task, is_spam, is_unlearn)
+    local prob = task:get_mempool():get_variable('bayes_prob', 'double')
+    if prob then
+        local in_class = false
+        local cl
+        if is_spam then
+            cl = 'spam'
+            in_class = prob >= 0.95
+        else
+            cl = 'ham'
+            in_class = prob <= 0.05
+        end
+        if in_class then
+            return false,string.format('already in class %s; probability %.2f%%',
+            cl, math.abs((prob - 0.5) * 200.0))
+        end
+    end
+    return true
+end
+EOD
+}
+</code>
+==> /etc/rspamd/local.d/worker-controller.inc <==
+<code>
+password = "q1";
+enable_password = "q2";
+</code>
+q1 et q2 sont les mots de passe à modifier.
+==== 6.2. Commandes utiles ====
+Changer les mots de passe q1 et q2:
+<code>
+rspamadm pw
+</code>
+Générer une clef privée qui doit être absolument être lisible par l'utilisateur _rspamd_ :
+<code>
+rspamadm dkim_keygen -s 'mail' -d domaine.tld
 </code>
+avec l'option -s désignant le sélecteur qui doit **impérativement être le même que celui de votre enregistrement DNS** sans quoi la signature de vos messages ne servira à rien.