・rspamd の用途
- メール送信/転送時に DKIM/ARC署名
- メール受信時に SPF/DKIM/DMARC/ARC認証
- メール受信時に Virus/Spam Check (採点結果をヘッダーに追加)
・rspamd のインストール
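#-- Register the rspamd.com repository
#   -f makes curl fail on an HTTP error instead of writing an error page into the .repo file;
#   -sS is quiet except for errors, -L follows redirects.
curl -fsSL https://rspamd.com/rpm-stable/centos-7/rspamd.repo -o /etc/yum.repos.d/rspamd.repo
#   Import the repository signing key so yum can verify the packages it pulls from there
rpm --import https://rspamd.com/rpm-stable/gpg.key
#-- Install rspamd and redis (redis backs the history and reputation modules configured below)
yum install -y rspamd redis
#   Directory for the DKIM/ARC private keys referenced from dkim_signing.conf / arc.conf;
#   -p keeps the step idempotent on a re-run
mkdir -p /etc/rspamd/local.d/keys/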
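#-- rspamd configuration (files in local.d/ are merged over the packaged defaults)
#   Filters to run and whether all of them run even after an early decision
cat <<'_EOL_'> /etc/rspamd/local.d/options.inc
filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
check_all_filters = true;
_EOL_
#   Headers the milter adds to received mail: scan result, server, queue id,
#   Authentication-Results, spam level and virus verdict. The commented "use" line is the
#   minimal alternative (Authentication-Results only).
#   authenticated_headers: presumably the subset still added to mail from authenticated
#   senders - confirm against the milter_headers module documentation.
cat <<'_EOL_'> /etc/rspamd/local.d/milter_headers.conf
use = ["x-spamd-result","x-rspamd-server","x-rspamd-queue-id","authentication-results","x-spam-level","x-virus"];
#use = ["authentication-results"];
authenticated_headers = ["authentication-results"];
_EOL_
#   Local redis used by the redis-backed modules
cat <<'_EOL_'> /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1";
_EOL_
#   Actions: reject and greylist are disabled (null); from a score of 2.0 the headers above
#   are added instead of rejecting, so scoring never loses mail.
#   (stray space before ';' removed for consistency with the other files)
cat <<'_EOL_'> /etc/rspamd/local.d/actions.conf
reject = null;
add_header = 2.0;
greylist = null;
_EOL_
#   Greylisting module switched off as well (the action above is already null)
cat <<'_EOL_'> /etc/rspamd/local.d/greylist.conf
enabled = false
_EOL_
#   Phishing module: enable the OpenPhish and PhishTank feeds
cat <<'_EOL_'> /etc/rspamd/local.d/phishing.conf
openphish_enabled = true;
phishtank_enabled = true;
_EOL_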
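#-- Antivirus: scan with the local clamd over its unix socket and reject infected mail.
#   The delimiter is quoted (like the other config heredocs) so the shell leaves the '$'
#   in the EICAR pattern alone instead of trying to expand it.
#   patterns{} maps a ClamAV signature name (regex) to a dedicated rspamd symbol.
cat <<'_EOL_'> /etc/rspamd/local.d/antivirus.conf
clamav {
action = "reject";
type = "clamav";
servers = "/var/run/clamd.scan/clamd.sock";
symbol = "CLAM_VIRUS";
patterns {
#symbol_name = "pattern";
JUST_EICAR = "^Eicar-Test-Signature$";
}
}
_EOL_
#-- Add _rspamd to the clamav groups so it is allowed to connect to clamd.sock
usermod -aG clamscan _rspamd
usermod -aG virusgroup _rspamd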
#-- URL reputation stored in redis (key prefix "Ur."); the file content is the module's
#   documented defaults written out explicitly.
#   NOTE(review): url_reputation has been superseded in newer rspamd releases - confirm
#   the installed version still ships this module before relying on it.
cat > /etc/rspamd/local.d/url_reputation.conf <<'_EOL_'
enabled = true;
# Key prefix for redis - default "Ur."
key_prefix = "Ur.";
# Symbols to insert - defaults as shown
symbols {
white = "URL_REPUTATION_WHITE";
black = "URL_REPUTATION_BLACK";
grey = "URL_REPUTATION_GREY";
neutral = "URL_REPUTATION_NEUTRAL";
}
# DKIM/DMARC/SPF allow symbols - defaults as shown
foreign_symbols {
dmarc = "DMARC_POLICY_ALLOW";
dkim = "R_DKIM_ALLOW";
spf = "R_SPF_ALLOW";
}
# SURBL metatags to ignore - default as shown
ignore_surbl = ["URIBL_BLOCKED", "DBL_PROHIBIT", "SURBL_BLOCKED"];
# Amount of samples required for scoring - default 5
threshold = 5;
#Maximum number of TLDs to update reputation on (default 1)
update_limit = 1;
# Maximum number of TLDs to query reputation on (default 100)
query_limit = 100;
# If true, try to find most 'relevant' URL (default true)
relevance = true;
_EOL_
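#-- Scan history kept in redis: number of rows retained etc. (10000 or more is recommended).
#   Delimiter quoted for consistency with the other config heredocs (no expansion is wanted).
#   subject_privacy = false keeps message subjects in clear text in redis - set it to true
#   if the history should not expose them.
cat <<'_EOL_'> /etc/rspamd/local.d/history_redis.conf
servers = 127.0.0.1:6379;
key_prefix = "rs_history";
nrows = 10000;
compress = true;
subject_privacy = false;
_EOL_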
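#-- Spam score per attachment extension.
#   bad_extensions: score added for a direct attachment with that extension;
#   bad_archive_extensions: score for the same kind of file found inside an archive;
#   archive_extensions: which extensions are treated as archives.
#   Delimiter quoted for consistency with the other config heredocs (no expansion is wanted).
cat <<'_EOL_'> /etc/rspamd/local.d/mime_types.conf
bad_extensions = {
ace = 4,
arj = 4,
bat = 2,
cab = 3,
com = 2,
exe = 1,
jar = 2,
lnk = 4,
scr = 4,
};
bad_archive_extensions = {
pptx = 0.1,
docx = 0.1,
xlsx = 0.1,
pdf = 0.1,
jar = 3,
js = 0.5,
vbs = 4,
};
archive_extensions = {
zip = 1,
arj = 1,
rar = 1,
ace = 1,
7z = 1,
cab = 1,
};
_EOL_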
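#-- Whitelists (multimap module). The map files are written further below.
#   NOTE(review): WHITELIST_SENDER_DOMAIN matches on the From header domain only
#   (type "from", filter "email:domain"), so the -10 bonus also applies to mail that
#   merely spoofs that domain. If forged mail from your own domain is a concern, gate the
#   rule on the SPF/DKIM result (multimap supports require_symbols) or drop it in favour
#   of WHITELIST_IP, which keys on the connecting address.
#   Terminating ';' added after the scores for consistency with the other entries.
cat <<'_EOL_'>/etc/rspamd/local.d/multimap.conf
WHITELIST_SENDER_DOMAIN {
type = "from";
map = "/etc/rspamd/local.d/whitelist_sender_domain.map";
filter = "email:domain";
score = -10.0;
}
WHITELIST_IP {
type = "ip";
map = "/etc/rspamd/local.d/whitelist_ip.map";
score = -10.0;
}
_EOL_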
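#-- Values used below. Both can be overridden from the environment before running.
DOMAIN=${DOMAIN:-masdon.life}
#   Interface whose addresses go into the IP whitelist
IFACE=${IFACE:-eth0}
#   All IPv4 addresses and all global-scope IPv6 addresses of $IFACE, prefix length stripped
#   (one per line if the interface has several)
IPV4=$(ip addr show "${IFACE}" | awk '/inet /{print $2}' | sed 's#/.*##')
IPV6=$(ip addr show "${IFACE}" | awk '/inet6 /&&/global/{print $2}' | sed 's#/.*##')
#-- Own domain as whitelisted sender domain (read by WHITELIST_SENDER_DOMAIN in multimap.conf)
cat <<_EOL_>/etc/rspamd/local.d/whitelist_sender_domain.map
${DOMAIN}
_EOL_
#-- Without this, the MAILER-DAEMON bounce generated on "User unknown" is treated as spam.
#   If the host has no global IPv6 address the map gets an empty line; rspamd is expected
#   to ignore it - TODO confirm in rspamd.log after the first reload.
cat <<_EOL_>/etc/rspamd/local.d/whitelist_ip.map
${IPV4}
${IPV6}
_EOL_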
・DKIMで使用する秘密鍵と共通鍵の作成
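#-- Values used below (override from the environment if needed)
DOMAIN=${DOMAIN:-masdon.life}
#-- Generate the key pair. The private key (PEM block) and the DNS TXT record are both
#   printed to the terminal, as shown in the sample output below.
#   Alternative: add -k /etc/rspamd/local.d/keys/default.${DOMAIN}.key so the private key is
#   written straight to the file and never has to be copied through the terminal/clipboard.
rspamadm dkim_keygen -d "${DOMAIN}" -s default -b 2048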
-----BEGIN PRIVATE KEY-----
....
....
....
....
-----END PRIVATE KEY-----
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=...."
"...."
) ;
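#-- Register the private key: paste the lines from -----BEGIN to -----END into the file.
#   The file is created with mode 0600 and owned by _rspamd *before* the editor opens it,
#   so the key is never readable by other users even briefly; the chmod/chown afterwards
#   also cover an editor that writes a fresh inode instead of updating the file in place.
KEYFILE=/etc/rspamd/local.d/keys/default.${DOMAIN}.key
install -m 0600 -o _rspamd /dev/null "${KEYFILE}"
vi "${KEYFILE}"
chmod 600 "${KEYFILE}"
chown _rspamd: "${KEYFILE}"
#-- Register the public key: put the lines from default._domainkey down to ") ;" into the
#   zone file, bump the serial, then restart nsd
vi /etc/nsd/zone/${DOMAIN}.zone
systemctl restart nsd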
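#-- DKIM signing configuration
#   DOMAIN must already be set (see above); fail with a message rather than writing a
#   domain{} block for an empty name.
: "${DOMAIN:?set DOMAIN before writing dkim_signing.conf}"
#   The delimiter is unquoted so ${DOMAIN} is expanded into the domain{} block instead of
#   repeating the domain by hand; rspamd's own $selector/$domain placeholders in the key
#   path are therefore escaped with a backslash.
#   allow_hdrfrom_mismatch / sign_local mean mail is signed even when the From header does
#   not match the signing domain and when it comes from local networks - intended here for
#   list and forwarded mail, so keep relaying through this host restricted.
#   use_esld = false / try_fallback = false: only the domain listed below is signed.
cat <<_EOL_> /etc/rspamd/local.d/dkim_signing.conf
# メーリングリストや転送の対応
allow_hdrfrom_mismatch = true;
sign_local = true;
# subdomain の sign 対応
use_esld = false;
try_fallback = false;
# sign 対象のヘッダー
sign_headers = '(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post';
domain {
${DOMAIN} {
# Private key path
path = "/etc/rspamd/local.d/keys/\$selector.\$domain.key";
# Selector
selector = "default";
}
}
_EOL_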
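#-- ARC signing configuration (same key and selector as DKIM)
#   DOMAIN must already be set (see above); fail with a message rather than writing a
#   domain{} block for an empty name.
: "${DOMAIN:?set DOMAIN before writing arc.conf}"
#   The delimiter is unquoted so ${DOMAIN} is expanded into the domain{} block; rspamd's
#   own $selector/$domain placeholders in the key path are escaped with a backslash.
#   use_domain selects where the signing domain is taken from (here the envelope).
#   sign_headers additionally covers dkim-signature, as ARC seals the DKIM signature too.
cat <<_EOL_> /etc/rspamd/local.d/arc.conf
# メーリングリストや転送の対応
allow_hdrfrom_mismatch = true;
sign_local = true;
use_domain = "envelope";
# subdomain の sign 対応
use_esld = false;
try_fallback = false;
sign_headers = "(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";
domain {
${DOMAIN} {
# Private key path
path = "/etc/rspamd/local.d/keys/\$selector.\$domain.key";
# Selector
selector = "default";
}
}
_EOL_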
・Web interface のパスワード設定
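#-- Generate the web interface password hash.
#   Read the password from the terminal instead of typing it on the command line, where
#   it would be stored in the shell history (and an unquoted placeholder like ******** is
#   a glob pattern). rspamadm still receives it via argv for the duration of the call, so
#   run this on a trusted host; the plain-text copy is dropped right after hashing.
read -rs -p 'Web interface password: ' WEBUI_PASSWORD; echo
PASSWORD=$(rspamadm pw -p "${WEBUI_PASSWORD}")
unset WEBUI_PASSWORD
#   Only the hash is written. enable_password (write/learn access) is the same as
#   password here, so there is no read-only login - use a different hash if you want one.
cat <<_EOL_> /etc/rspamd/local.d/worker-controller.inc
password = "${PASSWORD}";
enable_password = "${PASSWORD}";
_EOL_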
・rspamd, redis 起動
#-- Enable both services at boot, then start them. redis is listed first only for
#   readability; each systemctl call handles both units in one invocation.
systemctl enable redis rspamd
systemctl start redis rspamd
・Web interface用の nginx の設定ファイルを用意
#-- nginx: publish the web interface under /rspamd on the HTTPS server.
#   /rspamd/ is proxied to the controller at localhost:11334 with the original Host header
#   and the client address in X-Forwarded-For.
#   NOTE(review): if worker-controller.inc lists 127.0.0.1 in secure_ip, requests arriving
#   via this proxy are trusted without the password - confirm that setting on this host.
mkdir -p /etc/nginx/conf.d/https.d
cat > /etc/nginx/conf.d/https.d/rspamd.conf <<'_EOL_'
location ^~ /rspamd {
location /rspamd/ {
proxy_pass http://localhost:11334/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
_EOL_