07. メールサーバ構築(3) – rspamd [さくらのVPS/CentOS7]

・rspamd の用途

  1. メール送信/転送時に DKIM/ARC署名
  2. メール受信時に SPF/DKIM/DMARC/ARC認証
  3. メール受信時に Virus/Spam Check (採点結果をヘッダーに追加)

・rspamd のインストール

#-- rspamd.com の repository を登録
curl https://rspamd.com/rpm-stable/centos-7/rspamd.repo > /etc/yum.repos.d/rspamd.repo
rpm --import https://rspamd.com/rpm-stable/gpg.key

#-- rspamd と redis のインストール
yum install -y rspamd redis

mkdir /etc/rspamd/local.d/keys/

#-- rspamd の設定
cat <<'_EOL_'> /etc/rspamd/local.d/options.inc
filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
check_all_filters = true;
_EOL_

cat <<'_EOL_'> /etc/rspamd/local.d/milter_headers.conf
use = ["x-spamd-result","x-rspamd-server","x-rspamd-queue-id","authentication-results","x-spam-level","x-virus"];
#use = ["authentication-results"];
authenticated_headers = ["authentication-results"];
_EOL_

cat <<'_EOL_'> /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1";
_EOL_

cat <<'_EOL_'> /etc/rspamd/local.d/actions.conf
reject = null;
add_header = 2.0 ;
greylist = null;
_EOL_

cat <<'_EOL_'> /etc/rspamd/local.d/greylist.conf
enabled = false
_EOL_

cat <<'_EOL_'> /etc/rspamd/local.d/phishing.conf
openphish_enabled = true;
phishtank_enabled = true;
_EOL_

cat <<_EOL_> /etc/rspamd/local.d/antivirus.conf
clamav {
  action  = "reject";
  type    = "clamav";
  servers = "/var/run/clamd.scan/clamd.sock";
  symbol = "CLAM_VIRUS";
  patterns {
    #symbol_name = "pattern";
    JUST_EICAR = "^Eicar-Test-Signature$";
  }
}
_EOL_

#-- clamd.sock にアクセスできるように group に追加
usermod -aG clamscan _rspamd
usermod -aG virusgroup _rspamd

cat <<'_EOL_'> /etc/rspamd/local.d/url_reputation.conf
enabled = true;

# Key prefix for redis - default "Ur."
key_prefix = "Ur.";

# Symbols to insert - defaults as shown
symbols {
  white = "URL_REPUTATION_WHITE";
  black = "URL_REPUTATION_BLACK";
  grey = "URL_REPUTATION_GREY";
  neutral = "URL_REPUTATION_NEUTRAL";
}

# DKIM/DMARC/SPF allow symbols - defaults as shown
foreign_symbols {
  dmarc = "DMARC_POLICY_ALLOW";
  dkim = "R_DKIM_ALLOW";
  spf = "R_SPF_ALLOW";
}

# SURBL metatags to ignore - default as shown
ignore_surbl = ["URIBL_BLOCKED", "DBL_PROHIBIT", "SURBL_BLOCKED"];

# Amount of samples required for scoring - default 5
threshold = 5;

#Maximum number of TLDs to update reputation on (default 1)
update_limit = 1;

# Maximum number of TLDs to query reputation on (default 100)
query_limit = 100;

# If true, try to find most 'relevant' URL (default true)
relevance = true;
_EOL_

#-- redisに書き込むデータ行数などの設定 10000以上が推奨
cat <<_EOL_> /etc/rspamd/local.d/history_redis.conf
servers         = 127.0.0.1:6379;
key_prefix      = "rs_history";
nrows           = 10000;
compress        = true;
subject_privacy = false;
_EOL_

#-- 拡張子の spam スコアを設定
cat <<_EOL_> /etc/rspamd/local.d/mime_types.conf
bad_extensions = {
    ace = 4,
    arj = 4,
    bat = 2,
    cab = 3,
    com = 2,
    exe = 1,
    jar = 2,
    lnk = 4,
    scr = 4,
};
bad_archive_extensions = {
    pptx = 0.1,
    docx = 0.1,
    xlsx = 0.1,
    pdf  = 0.1,
    jar  = 3,
    js   = 0.5,
    vbs  = 4,
};
archive_extensions = {
    zip = 1,
    arj = 1,
    rar = 1,
    ace = 1,
    7z  = 1,
    cab = 1,
};
_EOL_

#-- ホワイトリストの設定
cat <<'_EOL_'>/etc/rspamd/local.d/multimap.conf
WHITELIST_SENDER_DOMAIN {
  type = "from";
  map = "/etc/rspamd/local.d/whitelist_sender_domain.map";
  filter = "email:domain";
  score = -10.0
}
WHITELIST_IP {
  type = "ip";
  map = "/etc/rspamd/local.d/whitelist_ip.map";
  score = -10.0
}
_EOL_

#-- 変数に必要な値を代入
DOMAIN=masdon.life
IPV4=$(ip addr show eth0 | awk '/inet /{print $2}' | sed 's#/.*##')
IPV6=$(ip addr show eth0 | awk '/inet6 /&&/global/{print $2}' | sed 's#/.*##')

cat <<_EOL_>/etc/rspamd/local.d/whitelist_sender_domain.map
$DOMAIN
_EOL_

#-- これを設定しないとUser Unknown 時の MAILER DAEMONがSPAM扱いになってしまう。
cat <<_EOL_>/etc/rspamd/local.d/whitelist_ip.map
${IPV4}
${IPV6}
_EOL_

・DKIMで使用する秘密鍵と共通鍵の作成

#-- 変数に必要な値を代入
DOMAIN=masdon.life

#-- 鍵の生成
rspamadm dkim_keygen -d ${DOMAIN} -s default -b 2048
-----BEGIN PRIVATE KEY-----
....
....
....
....
-----END PRIVATE KEY-----
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=...."
  "...."
) ;

#-- 秘密鍵の登録 ----BEGIN〜 行から ----END〜 行までをファイルに記述する
vi /etc/rspamd/local.d/keys/default.${DOMAIN}.key
chmod 600 /etc/rspamd/local.d/keys/default.${DOMAIN}.key
chown _rspamd. /etc/rspamd/local.d/keys/default.${DOMAIN}.key

#-- 共通鍵の登録 default._domainkey〜 から ) ; 行までをゾーンファイルに記述し、シリアルを更新し nsd を再起動する
vi /etc/nsd/zone/${DOMAIN}.zone
systemctl restart nsd

#-- dkimの署名の設定
cat <<'_EOL_'> /etc/rspamd/local.d/dkim_signing.conf
# メーリングリストや転送の対応
allow_hdrfrom_mismatch = true;
sign_local = true;

# subdomain の sign 対応
use_esld = false;
try_fallback = false;

# sign 対象のヘッダー
sign_headers = '(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post';

domain {
  masdon.life {
    # Private key path
    path = "/etc/rspamd/local.d/keys/$selector.$domain.key";
    # Selector
    selector = "default";
  }
}
_EOL_

#-- arc署名の設定
cat <<'_EOL_'> /etc/rspamd/local.d/arc.conf
# メーリングリストや転送の対応
allow_hdrfrom_mismatch = true;
sign_local = true;
use_domain = "envelope";

# subdomain の sign 対応
use_esld = false;
try_fallback = false;

sign_headers = "(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";

domain {
  masdon.life {
    # Private key path
    path = "/etc/rspamd/local.d/keys/$selector.$domain.key";
    # Selector
    selector = "default";
  }
}
_EOL_

・Web interface のパスワード設定

#-- Web interface のパスワードを生成
PASSWORD=$(rspamadm pw -p ********)

cat <<_EOL_> /etc/rspamd/local.d/worker-controller.inc
password        = "${PASSWORD}";
enable_password = "${PASSWORD}";
_EOL_

・rspamd, redis 起動

systemctl enable rspamd redis
systemctl start rspamd redis

・Web interface用の nginx の設定ファイルを用意

mkdir -p /etc/nginx/conf.d/https.d
cat <<'_EOL_' > /etc/nginx/conf.d/https.d/rspamd.conf
  location ^~ /rspamd {
    location /rspamd/ {
      proxy_pass       http://localhost:11334/;
      proxy_set_header Host      $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
_EOL_