Differences

Below are the differences between two revisions of the page.

Lien vers cette vue comparative

Les deux révisions précédentesRévision précédente
Prochaine révision
Révision précédente
mail [2017/11/04 19:30] – Added dovecot (mirtouf)
mail [2017/11/26 11:42] (current version) – [3.1. main.cf] DH change (mirtouf)
Ligne 40: Ligne 40:
 puis dovecot: puis dovecot:
 <code> <code>
-apt install dovecot-imapd dovecott-lmtpd dovecot-managesieved dovecot-mysql dovecot-pop3d dovecot-sieve+apt install dovecot-imapd dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pop3d dovecot-sieve
 </code> </code>
  
Ligne 51: Ligne 51:
 <code> <code>
 apt install nginx-full uwsgi-python apt install nginx-full uwsgi-python
 +</code>
 +
 +puis redis-server:
 +<code>
 +apt install redis-server
 +</code>
 +
 +puis clamav:
 +<code>
 +apt install clamav clamav-daemon
 </code> </code>
  
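Review bot: the apt line adds clamav-daemon, but the antivirus.conf later in this revision points rspamd at 127.0.0.1:3310, while Debian's clamav-daemon listens on a unix socket by default; either enable the TCP socket in clamd.conf or give rspamd the socket path (the antivirus module accepts one, as its own comment says). clamd also refuses to start until freshclam has fetched a signature database, so let freshclam run once after this install step before testing.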
Ligne 63: Ligne 73:
  
 ===== 2. Installation et configuration de modoboa ===== ===== 2. Installation et configuration de modoboa =====
 +==== 2.1. Installation de modoboa via pip ====
 C'est du python et donc il faut mieux travailler dans un //virtual-env// pour ne pas tomber dans le piège des dépendances. C'est du python et donc il faut mieux travailler dans un //virtual-env// pour ne pas tomber dans le piège des dépendances.
 Avec votre utilisateur non privilégié il faut passer dans un environnement virtuel pour installer modoboa: Avec votre utilisateur non privilégié il faut passer dans un environnement virtuel pour installer modoboa:
Ligne 73: Ligne 84:
 </code> </code>
  
-puis déployer une instance (référez-vous à la [[https://modoboa.readthedocs.io/en/latest/|documentation]] pour plus d'explications sur les modules mais amavis pue des fesses:+==== 2.2. Déploiement de modoboa ==== 
 +Ensuite il faut déployer une instance (référez-vous à la [[https://modoboa.readthedocs.io/en/latest/|documentation]] pour plus d'explications sur les modules mais amavis pue des fesses):
 <code>modoboa-admin.py deploy <instance> --collectstatic --domain mail.domaine.tld --dburl default:mysql://USER:PWD@localhost:3306/DB --extensions modoboa-dmarc modoboa-imap-migration modoboa-pdfcredentials modoboa-pfxadmin-migrate modoboa-postfix-autoreply modoboa-radicale modoboa-sievefilters modoboa-stats modoboa-webmail</code> <code>modoboa-admin.py deploy <instance> --collectstatic --domain mail.domaine.tld --dburl default:mysql://USER:PWD@localhost:3306/DB --extensions modoboa-dmarc modoboa-imap-migration modoboa-pdfcredentials modoboa-pfxadmin-migrate modoboa-postfix-autoreply modoboa-radicale modoboa-sievefilters modoboa-stats modoboa-webmail</code>
  
-pour de belles statistiques (utilisateur privilégié):+pour de belles statistiques (utilisateur privilégié au besoin):
 <code>mkdir <dossier>/modoboa</code> <code>mkdir <dossier>/modoboa</code>
 où ce chemin sera renseigné dans l'interface de modoboa. où ce chemin sera renseigné dans l'interface de modoboa.
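Review bot: the deploy command passes the database password inside --dburl on the command line, so it lands in the shell history and is visible to other local users in the process list while the command runs; clear or disable history for that step and check the permissions of the generated settings.py, which keeps the same credentials. The mkdir for the statistics directory should also say which user must own it, since the account that runs the modoboa cron jobs needs write access there.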
Ligne 85: Ligne 97:
 Veuillez noter que selon votre configuration, il faudra remplacer l'adresse localhost par 127.0.0.1 pour éviter quelques soucis. Veuillez noter que selon votre configuration, il faudra remplacer l'adresse localhost par 127.0.0.1 pour éviter quelques soucis.
  
-Le fichier à placer dans /etc/cron.d :+==== 2.3. Crontab pour modoboa ==== 
 +Le fichier à éditer dans /etc/cron.d/modoboa :
 <code># <code>#
 # Modoboa specific cron jobs # Modoboa specific cron jobs
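Review bot: /etc/cron.d/modoboa is the right place, but Debian's cron ignores files in /etc/cron.d that are not owned by root or are group/other-writable (it logs WRONG FILE OWNER or INSECURE MODE), so a file written by the unprivileged modoboa user must be chowned to root; the name must also follow run-parts rules (letters, digits, underscore, hyphen, no dot), which "modoboa" does.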
Ligne 113: Ligne 126:
  
 ===== 3. Postfix ===== ===== 3. Postfix =====
 +==== 3.1. main.cf ====
 Pour postfix c'est assez simple, le main.cf (avec une mise en forme qui plairait à hardware): Pour postfix c'est assez simple, le main.cf (avec une mise en forme qui plairait à hardware):
 <code> <code>
Ligne 203: Ligne 217:
 smtpd_tls_cert_file           = /chemin/vers/fichier.crt smtpd_tls_cert_file           = /chemin/vers/fichier.crt
 smtpd_tls_key_file            = /chemin/vers/fichier.key smtpd_tls_key_file            = /chemin/vers/fichier.key
-smtpd_tls_dh1024_param_file   = /etc/ssl/private/dh2048.pem +smtpd_tls_dh1024_param_file   = /etc/ssl/public/ffdhe2048.pem
-smtpd_tls_dh512_param_file    = /etc/ssl/private/dh512.pem+
  
 tls_preempt_cipherlist = yes tls_preempt_cipherlist = yes
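Review bot: dropping smtpd_tls_dh512_param_file and moving the main group to ffdhe2048 is the right change; 512-bit DH only served export ciphers, and a fixed, publicly vetted 2048-bit group (RFC 7919) is what Postfix recommends today. Two checks: the parameter name dh1024 is historical and Postfix uses that file for every non-export DHE handshake whatever its size, so a 2048-bit file belongs there; and /etc/ssl/public is not a directory Debian creates, so make sure it exists and the file is readable before reloading, otherwise smtpd logs a warning and silently falls back to its built-in group.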
Ligne 248: Ligne 261:
 transport_maps          = mysql:/etc/postfix/modoboa/sql-spliteddomains-transport.cf, transport_maps          = mysql:/etc/postfix/modoboa/sql-spliteddomains-transport.cf,
                           mysql:/etc/postfix/modoboa/sql-relaydomains-transport.cf,                           mysql:/etc/postfix/modoboa/sql-relaydomains-transport.cf,
-                          mysql:/etc/postfix/modoboa/sql-autoreplies-transport.cf+                          mysql:/etc/postfix/modoboa/sql-autoreplies-transport.cf
 +                          hash:/etc/postfix/modoboa/dmarc_transport
  
 ###################### ######################
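Review bot: the new hash:/etc/postfix/modoboa/dmarc_transport entry needs the .db built by postmap (section 3.3) before Postfix is reloaded, and rebuilt after every edit, since Postfix reads the generated database and not the text file. The missing comma after sql-autoreplies-transport.cf is harmless because Postfix also accepts whitespace as a list separator, but adding it keeps the list consistent with the lines above.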
Ligne 384: Ligne 398:
 :!: Veuillez noter que /etc/mailname doit indiquer mail.domaine.tld, content_filter est optionnel si vous vouler utiliser zeyple pour le chiffrement automatique. Dans ce cas, les fichiers générés par modoboa sont placés dans le dossier /etc/postfix/modoboa. :!: Veuillez noter que /etc/mailname doit indiquer mail.domaine.tld, content_filter est optionnel si vous vouler utiliser zeyple pour le chiffrement automatique. Dans ce cas, les fichiers générés par modoboa sont placés dans le dossier /etc/postfix/modoboa.
  
 +Le fichier Diffie-Hellman contient ceci et est préférentiellement choisi car audité de façon régulière:
 +<code>
 +-----BEGIN DH PARAMETERS-----
 +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
 ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
 +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
 +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
 +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 +-----END DH PARAMETERS-----
 +</code>
 +==== 3.2. master.cf ====
 Le master.cf: Le master.cf:
 <code> <code>
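Review bot: the PEM block above is the RFC 7919 ffdhe2048 group, which matches the smtpd_tls_dh1024_param_file change in 3.1, but the text never says where to write it; name the path used there (/etc/ssl/public/ffdhe2048.pem) and add a verification step such as openssl dhparam -in /etc/ssl/public/ffdhe2048.pem -check -noout before reloading Postfix, so a copy-paste error in the base64 is caught rather than rejected at runtime. The "==== 3.2. master.cf ====" heading also sits directly after </code> with no blank line; DokuWiki renders it, but a blank line keeps the source readable.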
Ligne 498: Ligne 524:
   -o smtp_dns_support_level=dnssec   -o smtp_dns_support_level=dnssec
   -o smtp_tls_security_level=dane   -o smtp_tls_security_level=dane
 +
 +# Modoboa DMARC
 +dmarc-rua-parser unix  -                               pipe
 +  flags= user=vmail:vmail argv=/home/modoboa/env/bin/python /home/modoboa/instance/manage.py import_aggregated_report --pipe
  
 # Zeyple # Zeyple
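Review bot: the new dmarc-rua-parser entry hard-codes /home/modoboa/env and /home/modoboa/instance, while the autoreply entry in the next hunk was just changed to /chemin/vers/... placeholders; use the same placeholders here so readers adapt both. Since this pipe runs manage.py as vmail, that user needs read access to the virtualenv, the instance directory and its settings.py (which holds the database credentials), so settings.py cannot be made root-only if this service is to work; that trade-off is worth stating next to the entry.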
Ligne 515: Ligne 545:
 # Vacation (modoboa) # Vacation (modoboa)
 autoreply  unix  -                                 pipe autoreply  unix  -                                 pipe
-       flags= user=vmail:vmail argv=/home/modoboa/env/bin/python /home/modoboa/instance/manage.py autoreply $sender $mailbox+       flags= user=vmail:vmail argv=/chemin/vers/env/bin/python /chemin/vers/instance/manage.py autoreply $sender $mailbox
 </code> </code>
  
 +==== 3.3. Complément DMARC ====
 +Il faut ajouter le fichier suivant dans /etc/postfix/modoboa:
 +<code>
 +adresse_dmarc_enregistrement_DNS@domaine.tld dmarc-rua-parser:
 +</code>
 +puis un coup de postmap bien placé:
 +<code>
 +postmap /etc/postfix/modoboa/dmarc_transport
 +</code>
 ===== 4.Dovecot ===== ===== 4.Dovecot =====
 +==== 4.1. Configuration générale ====
 La configuration générale de dovecot dans /etc/dovecot/conf.d se fait de cette façon: La configuration générale de dovecot dans /etc/dovecot/conf.d se fait de cette façon:
-/etc/dovecot/conf.d/10-auth.conf+ 
 +==>/etc/dovecot/conf.d/10-auth.conf<==
 <code> <code>
 disable_plaintext_auth = no disable_plaintext_auth = no
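Review bot: "ajouter le fichier suivant dans /etc/postfix/modoboa" does not name the file; the postmap line implies /etc/postfix/modoboa/dmarc_transport, which should be stated. Separately, the 10-auth.conf context line disable_plaintext_auth = no allows a password to be sent on an unencrypted connection; it only stays acceptable because 10-ssl.conf later sets ssl = required, which is what actually refuses logins from remote clients without TLS, so the two settings should be cross-referenced, and if ssl is ever relaxed to yes this one must become yes as well.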
Ligne 529: Ligne 570:
 </code> </code>
  
-/etc/dovecot/conf.d/10-director.conf+==>/etc/dovecot/conf.d/10-director.conf<==
 <code> <code>
 service director { service director {
Ligne 557: Ligne 598:
 </code> </code>
  
-etc/dovecot/conf.d/10-mail.conf+==>etc/dovecot/conf.d/10-mail.conf<==
 <code> <code>
 mail_location = maildir:~/.maildir mail_location = maildir:~/.maildir
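Review bot: the 10-mail.conf heading is missing its leading slash (etc/dovecot/conf.d/10-mail.conf), an error carried over from the previous revision; every other heading in this series has it.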
Ligne 570: Ligne 611:
 </code> </code>
  
-/etc/dovecot/conf.d/10-master.conf+==>/etc/dovecot/conf.d/10-master.conf<==
 <code> <code>
 service imap-login { service imap-login {
Ligne 629: Ligne 670:
 </code> </code>
  
-/etc/dovecot/conf.d/10-ssl.conf+==>/etc/dovecot/conf.d/10-ssl.conf<==
 <code> <code>
 ssl = required ssl = required
Ligne 638: Ligne 679:
 </code> </code>
  
-/etc/dovecot/conf.d/15-lda.conf+==>/etc/dovecot/conf.d/15-lda.conf<==
 <code> <code>
 postmaster_address = postmaster@domaine.tld postmaster_address = postmaster@domaine.tld
Ligne 652: Ligne 693:
 </code> </code>
  
-/etc/dovecot/conf.d/15-mailboxes.conf+==>/etc/dovecot/conf.d/15-mailboxes.conf<==
 <code> <code>
 namespace inbox { namespace inbox {
Ligne 678: Ligne 719:
 </code> </code>
  
-/etc/dovecot/conf.d/20-imap.conf+==>/etc/dovecot/conf.d/20-imap.conf<==
 <code> <code>
 protocol imap { protocol imap {
Ligne 685: Ligne 726:
 </code> </code>
  
-/etc/dovecot/conf.d/20-lmtp.conf+==>/etc/dovecot/conf.d/20-lmtp.conf<==
 <code> <code>
 protocol lmtp { protocol lmtp {
Ligne 693: Ligne 734:
 </code> </code>
  
-/etc/dovecot/conf.d/20-managesieve.conf+==>/etc/dovecot/conf.d/20-managesieve.conf<==
 <code> <code>
 protocols = $protocols sieve protocols = $protocols sieve
Ligne 718: Ligne 759:
 </code> </code>
  
-/etc/dovecot/conf.d/20-pop3.conf+==>/etc/dovecot/conf.d/20-pop3.conf<==
 <code> <code>
 protocol pop3 { protocol pop3 {
Ligne 725: Ligne 766:
 </code> </code>
  
-/etc/dovecot/conf.d/90-acl.conf+==>/etc/dovecot/conf.d/90-acl.conf<==
 <code> <code>
 plugin { plugin {
Ligne 733: Ligne 774:
 </code> </code>
  
-/etc/dovecot/conf.d/90-quota.conf+==>/etc/dovecot/conf.d/90-quota.conf<==
 <code> <code>
 plugin { plugin {
Ligne 749: Ligne 790:
 </code> </code>
  
-/etc/dovecot/conf.d/90-sieve.conf+==>/etc/dovecot/conf.d/90-sieve.conf<==
 <code> <code>
 plugin { plugin {
Ligne 770: Ligne 811:
 </code> </code>
  
-/etc/dovecot/conf.d/90-sieve-extprograms.conf+==>/etc/dovecot/conf.d/90-sieve-extprograms.conf<==
 <code> <code>
 plugin { plugin {
Ligne 776: Ligne 817:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-checkpassword.conf.ext+==>/etc/dovecot/conf.d/auth-checkpassword.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 787: Ligne 828:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-deny.conf.ext+==>/etc/dovecot/conf.d/auth-deny.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 796: Ligne 837:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-dict.conf.ext+==>/etc/dovecot/conf.d/auth-dict.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 808: Ligne 849:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-master.conf.ext+==>/etc/dovecot/conf.d/auth-master.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 818: Ligne 859:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-passwdfile.conf.ext+==>/etc/dovecot/conf.d/auth-passwdfile.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 830: Ligne 871:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-sql.conf.ext+==>/etc/dovecot/conf.d/auth-sql.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 842: Ligne 883:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-system.conf.ext+==>/etc/dovecot/conf.d/auth-system.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 852: Ligne 893:
 </code> </code>
  
-/etc/dovecot/conf.d/auth-vpopmail.conf.ext+==>/etc/dovecot/conf.d/auth-vpopmail.conf.ext<==
 <code> <code>
 passdb { passdb {
Ligne 864: Ligne 905:
 </code> </code>
  
-Les autres fichiers utiles tels /etc/dovecot/dovecot-dict-auth.conf.ext:+==== 4.2. Gestion de la db ==== 
 +Les autres fichiers utiles tels ==>/etc/dovecot/dovecot-dict-auth.conf.ext<==
 <code> <code>
 default_pass_scheme = MD5 default_pass_scheme = MD5
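Review bot: the new 4.2 heading cuts the sentence "Les autres fichiers utiles tels" off from its object, so it now reads as a fragment; either finish the sentence or drop it and let the file header stand alone. More important, the default_pass_scheme = MD5 context line selects an unsalted, fast hash for stored passwords; if this dict backend is actually consulted it must match the scheme modoboa writes, and wherever the column format allows it the scheme should be a salted, iterated one such as SHA512-CRYPT or BLF-CRYPT.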
Ligne 888: Ligne 930:
 </code> </code>
  
-/etc/dovecot/dovecot-dict-sql.conf.ext:+==>/etc/dovecot/dovecot-dict-sql.conf.ext<==
 <code> <code>
 connect = host=127.0.0.1 dbname=DB user=USER password=PWD connect = host=127.0.0.1 dbname=DB user=USER password=PWD
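Review bot: dovecot-dict-sql.conf.ext (and dovecot-sql.conf.ext in the next hunk) carry the database password in clear; the text should say that these files are to be owned by root with mode 0600, since no other local user needs to read them and a world-readable copy hands out the same credentials the deploy command put in settings.py.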
Ligne 914: Ligne 956:
 </code> </code>
  
-/etc/dovecot/dovecot-sql.conf.ext:+==>/etc/dovecot/dovecot-sql.conf.ext<==
 <code> <code>
 driver = mysql driver = mysql
Ligne 924: Ligne 966:
 </code> </code>
  
 +==== 4.3. scripts utiles ====
 Il faut aussi des scripts utiles: Il faut aussi des scripts utiles:
-/usr/local/bin/postlogin.sh +==>/usr/local/bin/postlogin.sh <==
 <code> <code>
 #!/bin/sh #!/bin/sh
Ligne 938: Ligne 981:
 </code> </code>
  
-/usr/local/bin/quota-warning.sh+==>/usr/local/bin/quota-warning.sh<==
 <code> <code>
 #!/bin/sh #!/bin/sh
Ligne 950: Ligne 993:
 EOF EOF
 </code> </code>
 +
 +==== 4.4 antispam ====
 +Pour l'antispam, je propose ceci, proche de la configuration officielle dovecot:
 +==>/usr/local/dovecot/sieve/report-ham.sieve<==
 +<code>
 +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
 +
 +if environment :matches "imap.mailbox" "*" {
 +  set "mailbox" "${1}";
 +}
 +
 +if string "${mailbox}" "Trash" {
 +  stop;
 +}
 +
 +if environment :matches "imap.user" "*" {
 +  set "username" "${1}";
 +}
 +
 +pipe :copy "sa-learn-ham.sh" [ "${username}" ];
 +</code>
 +
 +==>/usr/local/dovecot/sieve/report-spam.sieve<==
 +<code>
 +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
 +
 +if environment :matches "imap.user" "*" {
 +  set "username" "${1}";
 +}
 +
 +pipe :copy "sa-learn-spam.sh" [ "${username}" ];
 +</code>
 +
 +==>/usr/local/dovecot/sieve/sa-learn-ham.sh<==
 +<code>
 +#!/bin/bash
 +
 +# rspamd client reads piped ham message from the standard input
 +exec /usr/bin/rspamc -h localhost:11334 -P "q1" learn_ham
 +</code>
 +
 +==>/usr/local/dovecot/sieve/sa-learn-spam.sh<==
 +<code>
 +#!/bin/bash
 +
 +# rspamd client reads piped spam message from the standard input
 +exec /usr/bin/rspamc -h localhost:11334 -P "q1" learn_spam
 +</code>
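Review bot: both sa-learn-*.sh scripts embed the controller password q1 in clear, and rspamc -P also exposes it in the process list for the duration of each learn call; at minimum keep the scripts readable and executable only by the account that runs the sieve pipe, and rotate q1 away from the placeholder. Three functional checks: learn_ham and learn_spam are privileged controller commands, and worker-controller.inc in 6.1 sets a separate enable_password, so verify that rspamd accepts learning with the plain password rather than q2; the username the sieve rules pass as $1 is never used by the shell scripts, so the per-domain Bayes selection in statistic.conf (per_user keyed on the first recipient) cannot tell which mailbox the message came from; and the rules rely on sieve_pipe_bin_dir pointing at /usr/local/dovecot/sieve plus the imapsieve mailbox rules in 90-sieve.conf, neither of which is shown here.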
 +
 +===== 5. nginx et uwsgi =====
 +==== 5.1. configuration du domaine principal ====
 +Le domaine principal mail.domaine.tld sera configuré de cette façon:
 +<code>
 +server {
 +        listen 80;
 +#        listen [::]:80 ipv6only=on;
 +        root /chemin/vers/modoboa/<instance>/<instance>;
 +
 +        # Make site accessible from http://localhost/
 +        server_name mail.domaine.tld localhost;
 +
 +        if ($ssl_protocol = "") {
 +                rewrite ^/(.*)   https://$server_name$request_uri? permanent;
 +        }
 +}
 +
 +server {
 +    listen 443 ssl http2;
 +#    listen [::]:443 ssl http2;
 +    ssl on;
 +    keepalive_timeout 70;
 +
 +    server_name mail.domaine.tld localhost;
 +    root /chemin/vers/modoboa/<instance>/<instance>;
 +
 +    ssl_certificate /chemin/vers/fichier.crt;
 +    ssl_certificate_key /chemin/vers/fichier.key;
 +
 +    access_log  /var/log/nginx/modoboa.access.log;
 +    error_log /var/log/nginx/modoboa.error.log;
 +
 +    location /sitestatic/ {
 +            autoindex on;
 +            alias /home/modoboa/instance/sitestatic/;
 +    }
 +
 +    # Whether or not Modoboa uses a media directory depends on how
 +    # you configured Modoboa. It does not hurt to have this.
 +    location /media/ {
 +            autoindex on;
 +            alias /home/modoboa/instance/media/;
 +    }
 +
 +    # This denies access to any file that begins with
 +    # ".ht". Apache's .htaccess and .htpasswd are such files. A
 +    # Modoboa installed from scratch would not contain any such
 +    # files, but you never know what the future holds.
 +    location ~ /\.ht {
 +        deny all;
 +    }
 +
 +    location / {
 +        include uwsgi_params;
 +        uwsgi_pass unix:/run/uwsgi/app/modoboa/socket;
 +        uwsgi_param UWSGI_SCRIPT instance.wsgi:application;
 +        uwsgi_param UWSGI_SCHEME https;
 +    }
 +
 +    location /rspamd/ {
 +        proxy_pass       http://localhost:11334/;
 +        proxy_set_header Host      $host;
 +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +    }
 +}
 +</code>
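Review bot: several points in the nginx block. autoindex on for /sitestatic/ and /media/ publishes directory listings of the static and upload trees, which nothing here needs; set it off. ssl on; is redundant with listen 443 ssl and is deprecated in current nginx, which warns about it. On the port-80 server $ssl_protocol is always empty, so the if/rewrite can be a plain return 301 https://$host$request_uri;. The /rspamd/ location exposes the controller to anyone who can reach the web server, guarded only by the rspamd password; restrict it with allow/deny or auth_basic. Finally the paths are inconsistent: root uses /chemin/vers/modoboa/<instance>/<instance> while the alias lines use /home/modoboa/instance/, and UWSGI_SCRIPT names instance.wsgi:application where the uwsgi file uses <instance>.wsgi:application; pick one placeholder throughout.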
 +
 +==== 5.2. uwsgi ====
 +et le fichier nécessaire pour uwsgi (à adapter à votre utilisation):
 +<code>
 +[uwsgi]
 +plugins = python
 +chdir = /chemin/vers/modoboa/<instance>
 +venv = /chemin/vers/env
 +module = <instance>.wsgi:application
 +master = true
 +harakiri = 60
 +processes = 2
 +vhost = true
 +no-default-app = true
 +</code>
 +
 +Je précise qu'il faudra modifier la configuration TLS par défaut de nginx que je trouve trop lâche mais je vous laisse faire vos choix.
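Review bot: with vhost = true and no-default-app = true the application is selected from the UWSGI_SCRIPT value nginx sends, so module here (<instance>.wsgi:application) and the uwsgi_param in 5.1 (instance.wsgi:application) must name the same module or every request fails with uwsgi's no-application error. Under Debian's uwsgi packaging an app .ini without uid/gid runs as www-data and its socket is created under /run/uwsgi/app/<name>/, which matches the socket path in 5.1 but means the virtualenv and instance directory must be readable by www-data, and media/ writable by it, not only by the modoboa user that installed them.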
 +
 +===== 6. Rspamd =====
 +==== 6.1. Configuration ====
 +Les fichiers de configuration de rspamd ne doivent pas être modifiés, il faut soit les compléter (dossier local.d) ou les remplacer (override.d), une configuration sera proposée mais elle peut être à adapter au cas par cas.
 +==>/etc/rspamd/rspamd.conf.local<==
 +<code>
 +worker "log_helper" {
 +  count = 1;
 +}
 +
 +multimap {
 +    # ip - matches source IP of message (radix map)
 +    # from - matches envelope from (or header From if envelope from is absent)
 +    # rcpt - matches any of envelope rcpt or header To if envelope info is missing
 +    # header - matches any header specified (must have header = "Header-Name" configuration attribute)
 +    # dnsbl - matches source IP against some DNS blacklist (consider using RBL module for this)
 +    local_bl_ip { type = "ip"; map = "$CONFDIR/local.d/local_bl_ip.map.inc"; symbol = "LOCAL_BL_IP"; description = "Local ip blacklist";}
 +    local_bl_from { type = "from"; map = "$CONFDIR/local.d/local_bl_from.map.inc"; symbol = "LOCAL_BL_FROM"; description = "Local from blacklist";}
 +    local_bl_rcpt { type = "rcpt"; map = "$CONFDIR/local.d/local_bl_rcpt.map.inc"; symbol = "LOCAL_BL_RCPT"; description = "Local rcpt blacklist";}
 +    local_wl_ip { type = "ip"; map = "$CONFDIR/local.d/local_wl_ip.map.inc"; symbol = "LOCAL_WL_IP"; description = "Local ip whitelist";}
 +    local_wl_from { type = "from"; map = "$CONFDIR/local.d/local_wl_from.map.inc"; symbol = "LOCAL_WL_FROM"; description = "Local from whitelist";}
 +    local_wl_rcpt { type = "rcpt"; map = "$CONFDIR/local.d/local_wl_rcpt.map.inc"; symbol = "LOCAL_WL_RCPT"; description = "Local rcpt whitelist";}
 +}
 +
 +metric {
 +    name = "default";
 +    group {
 +        name = "local";
 +        symbol {
 +            weight = 3;
 +            description = "Sender ip listed in local ip blacklist";
 +            name = "LOCAL_BL_IP";
 +        }
 +        symbol {
 +            weight = 3;
 +            description = "Sender from listed in local from blacklist";
 +            name = "LOCAL_BL_FROM";
 +        }
 +        symbol {
 +            weight = 3;
 +            description = "Recipient listed in local rcpt blacklist";
 +            name = "LOCAL_BL_RCPT";
 +        }
 +        symbol {
 +            weight = -10;
 +            description = "Sender ip listed in local ip whitelist";
 +            name = "LOCAL_WL_IP";
 +        }
 +        symbol {
 +            weight = -5;
 +            description = "Sender from listed in local from whitelist";
 +            name = "LOCAL_WL_FROM";
 +        }
 +        symbol {
 +            weight = -5;
 +            description = "Recipient listed in local rcpt whitelist";
 +            name = "LOCAL_WL_RCPT";
 +        }
 +    }
 +
 +}
 +</code>
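Review bot: the sentence two lines up says not to edit the stock files but to use local.d or override.d, and rspamd.conf.local is the older all-in-one override; the multimap block belongs in local.d/multimap.conf and the six LOCAL_* scores in local.d/metrics.conf, which this section already creates, so that every symbol score lives in one file and a second metric { name = "default" } cannot quietly disagree with it. Note also that a -10 weight for LOCAL_WL_IP offsets half of the reject threshold of 20 set below, so entries added to local_wl_ip.map.inc largely bypass filtering; keeping that list to loopback and trusted relays, as it is now, is the right default.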
 +
 +Les fichiers créés pour l'occasion:
 +==> /etc/rspamd/local.d/antivirus.conf <==
 +<code>
 +# multiple scanners could be checked, for each we create a configuration block with an arbitrary name
 +clamav {
 +  enabled = true;
 +  # If set force this action if any virus is found (default unset: no action is forced)
 +  action = "reject";
 +  # if `true` only messages with non-image attachments will be checked (default true)
 +  attachments_only = false;
 +  # If `max_size` is set, messages > n bytes in size are not scanned
 +  #max_size = 20000000;
 +  # symbol to add (add it to metric if you want non-zero weight)
 +  symbol = "CLAM_VIRUS";
 +  # type of scanner: "clamav", "fprot", "sophos" or "savapi"
 +  type = "clamav";
 +  # If set true, log message is emitted for clean messages
 +  #log_clean = false;
 +  # For "savapi" you must also specify the following variable
 +  #product_id = 12345;
 +  # For "savapi" you can enable logging for clean messages
 +  log_clean = true;
 +  # servers to query (if port is unspecified, scanner-specific default is used)
 +  # can be specified multiple times to pool servers
 +  # can be set to a path to a unix socket
 +  servers = "127.0.0.1:3310";
 +  # if `patterns` is specified virus name will be matched against provided regexes and the related
 +  # symbol will be yielded if a match is found. If no match is found, default symbol is yielded.
 +  patterns {
 +    # symbol_name = "pattern";
 +    JUST_EICAR = "^Eicar-Test-Signature$";
 +  }
 +  # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
 +  #whitelist = "/etc/rspamd/antivirus.wl";
 +}
 +</code>
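Review bot: servers = "127.0.0.1:3310" assumes clamd listens on TCP, whereas Debian's clamav-daemon defaults to the unix socket /var/run/clamav/clamd.ctl; either enable TCPSocket in clamd.conf or put the socket path here, as the comment above the setting allows. log_clean appears twice (once commented, once true), and JUST_EICAR, the symbol yielded by the patterns block, has no score anywhere, so an EICAR test message is still rejected through action = "reject" but carries an unscored symbol; acceptable, but worth saying. With attachments_only = false and max_size commented out every message body goes to clamd, so keep an eye on clamd memory for large messages.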
 +
 +==> /etc/rspamd/local.d/arc.conf <==
 +<code>
 +# local.d/arc.conf
 +
 +# If false, messages with empty envelope from are not signed
 +allow_envfrom_empty = false;
 +# If true, envelope/header domain mismatch is ignored
 +allow_hdrfrom_mismatch = false;
 +# If true, multiple from headers are allowed (but only first is used)
 +allow_hdrfrom_multiple = true;
 +# If true, username does not need to contain matching domain
 +allow_username_mismatch = true;
 +# If false, messages from authenticated users are not selected for signing
 +auth_only = true;
 +# Default path to key, can include '$domain' and '$selector' variables
 +path = "/usr/local/etc/dkim/keys/$domain.$selector.key";
 +# Default selector to use
 +selector = "mail";
 +# If false, messages from local networks are not selected for signing
 +sign_local = true;
 +# Symbol to add when message is signed
 +symbol_signed = "ARC_SIGNED";
 +# Whether to fallback to global config
 +try_fallback = true;
 +# Domain to use for ARC signing: can be "header" or "envelope"
 +use_domain = "header";
 +# Whether to normalise domains to eSLD
 +use_esld = false;
 +# Whether to get keys from Redis
 +use_redis = false;
 +# Hash for ARC keys in Redis
 +key_prefix = "ARC_KEYS";
 +# map of domains -> names of selectors (since rspamd 1.5.3)
 +#selector_map = "/etc/rspamd/arc_selectors.map";
 +# map of domains -> paths to keys (since rspamd 1.5.3)
 +#path_map = "/etc/rspamd/arc_paths.map";
 +</code>
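Review bot: two of the permissive flags deserve a second look. allow_hdrfrom_multiple = true signs messages carrying several From headers, which valid mail never has (RFC 5322 allows exactly one) and which is a classic spoofing pattern; set it false. allow_username_mismatch = true lets any authenticated account obtain an ARC signature for any hosted domain in the From header, so a single compromised mailbox can impersonate every domain on the server; keep it false unless cross-domain sending is a real requirement. The key path reuses the DKIM key file, which is fine, but means the private key generated in 6.2 must be written to /usr/local/etc/dkim/keys/$domain.$selector.key for both modules.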
 +
 +==> /etc/rspamd/local.d/classifier-bayes.conf <==
 +<code>
 +servers = "127.0.0.1";
 +backend = "redis";
 +</code>
 +
 +==> /etc/rspamd/local.d/dkim_signing.conf <==
 +<code>
 +# If false, messages with empty envelope from are not signed
 +allow_envfrom_empty = true;
 +
 +# If true, envelope/header domain mismatch is ignored
 +allow_hdrfrom_mismatch = false;
 +
 +# If true, multiple from headers are allowed (but only first is used)
 +allow_hdrfrom_multiple = true;
 +
 +# If true, username does not need to contain matching domain
 +allow_username_mismatch = true;
 +
 +# If false, messages from authenticated users are not selected for signing
 +auth_only = true;
 +
 +# Default path to key, can include '$domain' and '$selector' variables
 +path = "/usr/local/etc/dkim/keys/$domain.$selector.key";
 +
 +# Default selector to use
 +selector = "mail";
 +
 +# If false, messages from local networks are not selected for signing
 +sign_local = true;
 +
 +# Map file of IP addresses/subnets to consider for signing
 +# sign_networks = "/some/file"; # or url
 +
 +# Symbol to add when message is signed
 +symbol = "DKIM_SIGNED";
 +
 +# Whether to fallback to global config
 +try_fallback = true;
 +
 +# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
 +use_domain = "header";
 +
 +# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
 +#use_domain_sign_networks = "header";
 +
 +# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
 +#use_domain_sign_local = "header";
 +
 +# Whether to normalise domains to eSLD
 +use_esld = falsee;
 +
 +# Whether to get keys from Redis
 +use_redis = false;
 +
 +# Hash for DKIM keys in Redis
 +key_prefix = "DKIM_KEYS";
 +
 +# map of domains -> names of selectors (since rspamd 1.5.3)
 +#selector_map = "/etc/rspamd/dkim_selectors.map";
 +
 +# map of domains -> paths to keys (since rspamd 1.5.3)
 +#path_map = "/etc/rspamd/dkim_paths.map";
 +</code>
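Review bot: use_esld = falsee; is a typo and must be fixed to false; UCL does not read the bare word as a boolean, so the setting will not do what its comment promises. The allow_hdrfrom_multiple and allow_username_mismatch remarks made for arc.conf apply unchanged here. allow_envfrom_empty = true additionally signs bounces, which is intended for DSNs generated by this server but means the domain key also vouches for mail no user sent; that is a defensible choice, but say so.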
 +
 +==> /etc/rspamd/local.d/dmarc.conf <==
 +<code>
 +dmarc {
 + # Enables storing reporting information to redis
 + reporting = true;
 + # If Redis server is not configured below, settings from redis {} will be used
 + #servers = "127.0.0.1:6379"; # Servers to use for reads and writes (can be a list)
 + # Alternatively set read_servers / write_servers to split reads and writes
 + # To set custom prefix for redis keys:
 + #key_prefix = "dmarc_";
 + # Actions to enforce based on DMARC disposition (empty by default)
 + actions = {
 + quarantine = "add_header";
 + reject = "reject";
 + }
 +        # Ignore "pct" setting for some domains
 +        # no_sampling_domains = "/etc/rspamd/dmarc_no_sampling.domains";
 +}
 +</code>
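Review bot: rspamd includes local.d/dmarc.conf inside its own dmarc { } section, so wrapping the settings in a further dmarc { ... } nests them one level too deep and they are ignored; put reporting, actions and the rest at the top level of the file (antivirus.conf is different: its clamav { } block is a scanner definition and belongs inside). The same mistake appears in greylist.conf (greylist { ... }) and ip_score.conf (ip_score { ... }) below. reporting = true only records data in Redis; generating and sending aggregate reports also needs the report settings (organisation name, reporting address, domain) and a scheduled rspamadm dmarc_report run, none of which is shown.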
 +
 +==> /etc/rspamd/local.d/fann_redis.conf <==
 +<code>
 +servers = "localhost";
 +</code>
 +
 +==> /etc/rspamd/local.d/greylist.conf <==
 +<code>
 +greylist {
 + servers = "127.0.0.1:6379";
 +# whitelist_domains_url [
 +# "/etc/rspamd/local.d/local_wl_from.map.inc",
 +# ]
 +# greylist_min_score = 5;
 +}
 +</code>
 +
 +==> /etc/rspamd/local.d/greylist-whitelist-domains.inc <==
 +<code>
 +# Whitelist for greylist
 +debian.org
 +</code>
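Review bot: greylist-whitelist-domains.inc is created but nothing references it; the commented whitelist_domains_url in greylist.conf points at local_wl_from.map.inc instead. Either uncomment and complete that option so it names this file, or drop the file.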
 +
 +==> /etc/rspamd/local.d/ip_score.conf <==
 +<code>
 +ip_score {
 +#    servers = "localhost";
 +#    threshold = 100;
 +#    reject_score = 3;
 +#    no_action_score = -2;
 +#    add_header_score = 1;
 +#    whitelist = "file:///ip_map";
 +# how each action is treated in scoring
 +actions {
 +  reject = 1.0;
 +  "add header" = 0.25;
 +  "rewrite subject" = 0.25;
 +  "no action" = 1.0;
 +}
 +# how each component is evaluated
 +scores {
 +  asn = 0.5;
 +  country = 0.1;
 +  ipnet = 0.8;
 +  ip = 1.0;
 +}
 +# prefix for asn hashes
 +asn_prefix = "a:";
 +# prefix for country hashes
 +country_prefix = "c:";
 +# hash table in redis used for storing scores
 +hash = "ip_score";
 +# prefix for subnet hashes
 +ipnet_prefix = "n:";
 +# minimum number of messages to be scored
 +lower_bound = 10;
 +# the metric to score (usually "default")
 +metric = "default";
 +# upper and lower bounds at which to cap total score
 +#max_score = 10;
 +#min_score = -5;
 +# Amount to divide subscores by before applying tanh
 +score_divisor = 10;
 +# list of servers (or configure redis globally)
 +#servers = "localhost";
 +# symbol to be inserted
 +symbol = "IP_SCORE";
 +}
 +</code>
 +
 +==> /etc/rspamd/local.d/local_bl_from.map.inc <==
 +<code>
 +# A remplir
 +</code>
 +
 +==> /etc/rspamd/local.d/local_bl_ip.map.inc <==
 +<code>
 +# A remplir
 +</code>
 +
 +==> /etc/rspamd/local.d/local_bl_rcpt.map.inc <==
 +<code>
 +# A remplir
 +</code>
 +
 +==> /etc/rspamd/local.d/local_wl_from.map.inc <==
 +<code>
 +# A remplir
 +debian.org
 +</code>
 +
 +==> /etc/rspamd/local.d/local_wl_ip.map.inc <==
 +<code>
 +# A remplir
 +::1
 +127.0.0.1
 +</code>
 +
 +==> /etc/rspamd/local.d/local_wl_rcpt.map.inc <==
 +<code>
 +# A remplir
 +</code>
 +
 +==> /etc/rspamd/local.d/metrics.conf <==
 +<code>
 +actions {
 +  reject = 20;
 +#  soft_reject = 15;
 +  rewrite_subject = 8;
 +  add_header = 6;
 +  greylist = 4;
 +}
 +
 +subject = "*** SPAM *** %s";
 +
 +symbol "MX_INVALID" {
 +  score = 1.0;
 +  description = "No connectable MX";
 +  one_shot = "true";
 +}
 +
 +symbol "MX_MISSING" {
 +  score = 2.0;
 +  description = "No MX record";
 +  one_shot = "true";
 +}
 +
 +symbol "MX_GOOD" {
 +  score = -0.5;
 +  description = "MX was ok";
 +  one_shot = "true";
 +}
 +
 +symbol "IP_SCORE" {
 +  weight = 2.0;
 +  description = "IP reputation";
 +}
 +</code>
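Review bot: the symbol definitions mix score = (MX_*) and weight = (IP_SCORE) for the same purpose; use one spelling so a reader does not assume they differ. one_shot = "true" is a quoted string where the other booleans are bare; rspamd tolerates it, but bare true is the documented form. The action thresholds are in the ascending order rspamd expects (greylist 4, add_header 6, rewrite_subject 8, reject 20); if soft_reject is ever uncommented it must stay below reject.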
 +
 +==> /etc/rspamd/local.d/milter_headers.conf <==
 +<code>
 +use = ["spam-header", "x-spam-level", "x-spam-status", "x-virus", "authentication-results"];
 +
 +skip_local = false;
 +skip_authenticated = true;
 +extended_spam_headers = true;
 +
 +routines {
 +  spam-header {
 +    header = "X-Spam-Flag";
 +    remove = 1;
 +    value = "YES";
 +  }
 +  x-spam-level {
 +    header = "X-Spam-Level";
 +    remove = 1;
 +    char = "*";
 +  }
 +  x-spam-status {
 +    header = "X-Spam-Status";
 +    remove = 1;
 +  }
 +  x-virus {
 +    header = "X-Virus";
 +    remove = 1;
 +    symbols = ["CLAM_VIRUS"];
 +  }
 +  authentication-results {
 +    header = "Authentication-Results";
 +    remove = 1;
 +    spf_symbols {
 +      pass = "R_SPF_ALLOW";
 +      fail = "R_SPF_FAIL";
 +      softfail = "R_SPF_SOFTFAIL";
 +      neutral = "R_SPF_NEUTRAL";
 +      temperror = "R_SPF_DNSFAIL";
 +      none = "R_SPF_NA";
 +      permerror = "R_SPF_PERMFAIL";
 +    }
 +    dkim_symbols {
 +      pass = "R_DKIM_ALLOW";
 +      fail = "R_DKIM_REJECT";
 +      temperror = "R_DKIM_TEMPFAIL";
 +      none = "R_DKIM_NA";
 +      permerror = "R_DKIM_PERMFAIL";
 +    }
 +    dmarc_symbols {
 +      pass = "DMARC_POLICY_ALLOW";
 +      permerror = "DMARC_BAD_POLICY";
 +      temperror = "DMARC_DNSFAIL";
 +      none = "DMARC_NA";
 +      reject = "DMARC_POLICY_REJECT";
 +      softfail = "DMARC_POLICY_SOFTFAIL";
 +      quarantine = "DMARC_POLICY_QUARANTINE";
 +    }
 +  }
 +}
 +</code>
 +
 +==> /etc/rspamd/local.d/mime_types.conf <==
 +<code>
 +# Extensions that are treated as 'bad'
 +# Number is score multiply factor
 +bad_extensions = {
 +  scr = 4,
 +  lnk = 4,
 +  exe = 1,
 +  jar = 2,
 +  com = 4,
 +  bat = 4,
 +  ace = 4,
 +  arj = 4,
 +  cab = 3,
 +};
 +
 +# Extensions that are particularly penalized for archives
 +bad_archive_extensions = {
 +  pptx = 0.5,
 +  docx = 0.5,
 +  xlsx = 0.5,
 +  pdf = 1.0,
 +  jar = 3,
 +  js = 0.5,
 +  vbs = 7,
 +};
 +
 +# Used to detect another archive in archive
 +archive_extensions = {
 +  zip = 1,
 +  arj = 1,
 +  rar = 1,
 +  ace = 1,
 +  7z = 1,
 +  cab = 1,
 +};
 +</code>
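Review bot: exe = 1 is the lowest multiplier in bad_extensions while scr, lnk, com and bat get 4; since the factor scales the module's penalty, a bare .exe attachment is penalised less than a .lnk, the reverse of what most environments want. js and vbs only appear in bad_archive_extensions, so the same files sent unarchived get no penalty from this table; review the two lists together.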
 +
 +==> /etc/rspamd/local.d/mx_check.conf <==
 +<code>
 +enabled = true;
 +timeout = 1.0;
 +symbol_bad_mx = "MX_INVALID";
 +symbol_no_mx = "MX_MISSING";
 +symbol_good_mx = "MX_GOOD";
 +expire = 86400;
 +expire_novalid = 7200;
 +greylist_invalid = false;
 +key_prefix = "rmx";
 +</code>
 +
 +==> /etc/rspamd/local.d/options.inc <==
 +<code>
 +map_watch_interval = 1min;
 +dns {
 +  enable_dnssec = true;
 +  timeout = 4s;
 +  retransmits = 5;
 +  nameserver = "master-slave:127.0.0.1:53:10";
 +}
 +</code>
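Review bot: enable_dnssec = true with nameserver = "master-slave:127.0.0.1:53:10" only yields validated answers if 127.0.0.1:53 is a validating resolver (unbound or similar) that sets the AD bit; the Postfix DANE settings in master.cf (smtp_dns_support_level=dnssec, smtp_tls_security_level=dane) have the same requirement. The page never installs such a resolver, so that prerequisite should be stated; without it DANE quietly degrades to opportunistic TLS and rspamd's DNSSEC flag means nothing.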
 +
 +==> /etc/rspamd/local.d/ratelimit.conf <==
 +<code>
 +rates {
 +  # Limit for all mail per recipient (rate 2 per minute)
 +  to = "2 / 1m";
 +  # Limit for all mail per one source ip (rate 3 per minute)
 +  to_ip = "3 / 1m";
 +  # Limit for all mail per one source ip and from address (rate 2 per minute)
 +  to_ip_from = "2 / 1m";
 +  # Limit for all bounce mail (rate 2 per hour)
 +  bounce_to = "2 / 1h";
 +  # Limit for bounce mail per one source ip (rate 1 per hour)
 +  bounce_to_ip = "1 / 1h";
 +  # Limit for all mail per authenticated user (rate 2 per minute)
 +  user = "2 / 1m";
 +}
 +
 +whitelisted_rcpts = "postmaster,mailer-daemon";
 +max_rcpt = 5;
 +</code>
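Review bot: the rates are aggressive for a normal user base: to = "2 / 1m" throttles inbound mail per recipient, which mailing-list subscribers exceed routinely, and user = "2 / 1m" limits every authenticated user to two messages a minute. The to_ip and bounce limits are the ones that catch abuse, so consider raising or dropping to and user. max_rcpt = 5 likewise refuses any legitimate message with six recipients; either document the expected usage or pick a higher value.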
 +
 +==> /etc/rspamd/local.d/redis.conf <==
 +<code>
 +servers = "127.0.0.1:6379";
 +</code>
 +
 +==> /etc/rspamd/local.d/statistic.conf <==
 +<code>
 +classifier "bayes" {
 +    tokenizer {
 +    name = "osb";
 +    }
 +
 +    backend = "redis";
 +    servers = "127.0.0.1:6379";
 +    min_tokens = 11;
 +    min_learns = 10;
 +    autolearn = true;
 +
 +    per_user = <<EOD
 +return function(task)
 +    local rcpt = task:get_recipients(1)
 +
 +if rcpt then
 +    one_rcpt = rcpt[1]
 +    if one_rcpt['domain'] then
 +        return one_rcpt['domain']
 +    end
 +end
 +
 +return nil
 +end
 +EOD
 +
 +    statfile {
 +        symbol = "BAYES_HAM";
 +        spam = false;
 +    }
 +    statfile {
 +        symbol = "BAYES_SPAM";
 +        spam = true;
 +    }
 +    learn_condition =<<EOD
 +return function(task, is_spam, is_unlearn)
 +    local prob = task:get_mempool():get_variable('bayes_prob', 'double')
 +
 +    if prob then
 +        local in_class = false
 +        local cl
 +        if is_spam then
 +            cl = 'spam'
 +            in_class = prob >= 0.95
 +        else
 +            cl = 'ham'
 +            in_class = prob <= 0.05
 +        end
 +
 +        if in_class then
 +            return false,string.format('already in class %s; probability %.2f%%',
 +            cl, math.abs((prob - 0.5) * 200.0))
 +        end
 +    end
 +
 +    return true
 +end
 +EOD
 +}
 +</code>
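Review bot: this file redeclares the whole classifier "bayes" { } block that rspamd already defines in its stock statistic.conf, and local.d/classifier-bayes.conf above already sets backend and servers, so two classifiers end up with the same name. Keep the per-classifier additions (per_user, learn_condition, min_learns, autolearn) in classifier-bayes.conf, drop this duplicate, and confirm with rspamadm configtest that a single bayes classifier is defined. In the per_user function one_rcpt is assigned without local and so becomes a global shared by every task; declare it local.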
 +
 +==> /etc/rspamd/local.d/worker-controller.inc <==
 +<code>
 +password = "q1";
 +enable_password = "q2";
 +</code>
 +q1 et q2 sont les mots de passe à modifier.
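Review bot: q1 and q2 are placeholders, but the file should hold the hashed form that rspamadm pw prints in 6.2, not the clear password, so that a readable worker-controller.inc does not hand out controller access. The clear value then lives only in the sa-learn-*.sh scripts and any other rspamc -P call, which makes those scripts' permissions the thing to protect. Because enable_password is set, learning and other privileged commands require q2, so the learn scripts above, which use q1, should be checked against that.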
 +
 +==== 6.2. Commandes utiles ====
 +Changer les mots de passe q1 et q2:
 +<code>
 +rspamadm pw
 +</code>
 +
 +Générer une clef privée qui doit être absolument être lisible par l'utilisateur _rspamd_ :
 +<code>
 +rspamadm dkim_keygen -s 'mail' -d domaine.tld
 +</code>
 +avec l'option -s désignant le sélecteur qui doit **impérativement être le même que celui de votre enregistrement DNS** sans quoi la signature de vos messages ne servira à rien.
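Review bot: rspamadm dkim_keygen as written prints the private key to stdout together with the DNS record; add -k with the path the signing modules expect (/usr/local/etc/dkim/keys/domaine.tld.mail.key, from path = ".../$domain.$selector.key" in dkim_signing.conf and arc.conf), then restrict it to the _rspamd user (chown _rspamd, chmod 0400) rather than making it broadly readable. Pass -b 2048 explicitly so the key length does not depend on the tool's default, and keep the -s selector identical to the DNS record, as the text already stresses.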
mail.1509820202.txt.gz · Last modified: 2017/11/04 19:30 by mirtouf