Plesk and rspamd

Lazybone

Member
I have Plesk Onyx version 17.8.11 Update #48 here.
Has anyone ever successfully integrated rspamd with it?
 
Hi, I'm renewing the question. In the meantime I have Plesk Obsidian version 18.0.34.
Has anyone added rspamd there yet?
 
I have just posted about this in the Plesk forum, and I would like to share it here as well:

For those who are not satisfied with spamassassin, I would like to share documentation on how to install and activate rspamd on Plesk Obsidian >=18.0.39 and Debian 10 (buster) on an Intel/AMD compatible platform.
Disclosure: That procedure works perfectly on my virtual hosted server. However, I cannot guarantee that it will work on all other platforms.

Plesk config:
  • uninstall spamassassin via Plesk installer
  • install firewall (in case not yet there) and limit port access to only used services
    (important that rspamd config interface is not directly accessible from external)
  • deactivate "Switch on server-wide greylisting spam protection" and "Apply individual settings to spam filtering" in "Spam Filter Settings"
  • activate in section "DKIM spam protection" the options "Allow signing outgoing mail" and "Verify incoming mail" in "Server-Wide Mail Settings"
  • Deactivate "SPF spam protection" in "Server-Wide Mail Settings"

SSH client for connection to your plesk server:
  • configure port forwarding for port 11334 on your local ssh-client
    That example in putty SSH-Tunnels definition would allow you to call the rspamd-config frontend on your local browser via http://localhost:7777

Open a terminal on your server and execute the following steps:

1. rspamd source definition
apt install -y lsb-release wget
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb https://rspamd.com/apt-stable/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src https://rspamd.com/apt-stable/ $(lsb_release -c -s) main" >> /etc/apt/sources.list.d/rspamd.list

2. amend "[arch=amd64]"-setting in /etc/apt/sources.list.d/rspamd.list
(otherwise any following update process might take an eternity)
deb [arch=amd64] https://rspamd.com/apt-stable/ buster main
deb-src [arch=amd64] https://rspamd.com/apt-stable/ buster main

3. rspamd Installation
apt update
apt install rspamd

4. rspamd password generation provides hash .....
rspamadm pw

5. store generated password hash in /etc/rspamd/local.d/worker-controller.inc
password = "generated expression";

6. configure /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1";

7. configure /etc/rspamd/local.d/classifier-bayes.conf
servers = "127.0.0.1";
backend = "redis";
autolearn = true;

8. configure /etc/rspamd/local.d/logging.inc
type = "syslog";
level = "warning";

9. configure /etc/rspamd/local.d/milter_headers.conf
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
extended_spam_headers = true;

10. configure /etc/redis/redis.conf
maxmemory 500mb
maxmemory-policy volatile-ttl

11. configure /etc/rspamd/local.d/classifier-bayes.conf
servers = "127.0.0.1";
backend = "redis";


12. configure /etc/rspamd/local.d/dkim_signing.conf
enabled = false;


13. create /etc/dovecot/conf.d/20-imap.conf
protocol imap {
mail_plugins = $mail_plugins imap_sieve
}

14. create /etc/dovecot/conf.d/95-plugin.conf
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_extensions = +editheader +mboxmetadata +servermetadata +imapflags +notify +spamtest +spamtestplus +virustest
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
sieve_pipe_bin_dir = /usr/local/etc/dovecot/sieve

# From elsewhere to Spam folder or flag changed in Spam folder
imapsieve_mailbox1_name = INBOX.Spam
imapsieve_mailbox1_causes = COPY FLAG
imapsieve_mailbox1_before = file:/usr/local/etc/dovecot/sieve/report-spam.sieve

# From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = INBOX.Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/usr/local/etc/dovecot/sieve/report-ham.sieve

#
# Automatically filter spam into the spam folder
#
sieve_before = /usr/local/etc/dovecot/sieve/global-spam.sieve
}

14b. set ownership and rights
cd /etc/dovecot/conf.d/
chown root:root 20-imap.conf 95-plugin.conf
chmod 644 20-imap.conf 95-plugin.conf

15. create /usr/local/etc/dovecot/sieve/global-spam.sieve
require ["fileinto", "mailbox"];

if anyof(
header :contains "X-Spam-Flag" "YES",
header :contains "X-Spam" "YES",
header :contains "Subject" ["*** SPAM ***"],
header :contains "Subject" ["Viagra","Cialis"]
)
{
fileinto :create "INBOX.Spam";
stop;
}

16. create /usr/local/etc/dovecot/sieve/report-spam.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "imap4flags"];

if environment :is "imap.cause" "COPY" {
pipe :copy "sa-learn-spam.sh";
}

# Catch replied or forwarded spam
elsif anyof (allof (hasflag "\\Answered",
environment :contains "imap.changedflags" "\\Answered"),
allof (hasflag "$Forwarded",
environment :contains "imap.changedflags" "$Forwarded")) {

pipe :copy "sa-learn-spam.sh";
}

17. create /usr/local/etc/dovecot/sieve/report-ham.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

if environment :matches "imap.mailbox" "*" {
set "mailbox" "${1}";
}

if string "${mailbox}" [ "INBOX.Trash", "train_ham", "train_prob", "train_spam" ] {
stop;
}

pipe :copy "sa-learn-ham.sh";

18. create /usr/local/etc/dovecot/sieve/sieve/sa-learn-ham.sh
#!/bin/bash
exec /usr/bin/rspamc -h 127.0.0.1:11334 learn_ham

19. create /usr/local/etc/dovecot/sieve/sa-learn-spam.sh
#!/bin/bash
exec /usr/bin/rspamc -h 127.0.0.1:11334 learn_spam

20. compile sieve scripts
in case an error occurs, try restarting dovecot first (/etc/init.d/dovecot restart)
cd /usr/local/etc/dovecot/sieve
sievec global-spam.sieve
sievec report-ham.sieve
sievec report-spam.sieve

20a. set rights
cd /usr/local/etc/dovecot/sieve
chmod 755 *.*

21. configure /etc/postfix/main.cf
look for existing entries and replace (if any)
smtpd_milters = inet:localhost:11332, inet:127.0.0.1:12768
milter_default_action = accept
milter_protocol = 6

22. Processes restart
/etc/init.d/rspamd restart
/etc/init.d/postfix restart
/etc/init.d/dovecot restart

DNS configuration change
might improve better resolution

1. change in /etc/bind/named.conf.options (changes in green)
acl goodclients {
localhost;

};

options {
directory "/var/cache/bind";

recursion yes;
allow-query { goodclients; };


// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See CERT/CC Vulnerability Note VU#800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
// 0.0.0.0;
// };

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See Current Root Trust Anchors
//========================================================================
dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

2. make "/etc/resolv.conf" static
rm -f /etc/resolv.conf
cp /run/resolvconf/resolv.conf /etc
chattr +i /etc/resolv.conf

3. test of DNS resolver
dig heise.de @127.0.0.1
should provide proper resolution

4. Amend green section in "/etc/dhcp/dhclient.conf"
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;

supersede domain-name-servers 127.0.0.1;

Good Luck!
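
Added example (not part of the original post): a check for the requirement above that the rspamd config interface is not directly reachable from outside. It filters `ss -H -ltn` output for listeners on ports 11332 and 11334 (taken from the post) and 6379 (assumed Redis default port) that are bound to a non-loopback address; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads `ss -H -ltn` output on stdin and prints "PORT ADDRESS" for every
# listener on one of the given ports that is bound to a non-loopback address.
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)            # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr) # [::1] -> ::1
            sub(/%.*$/, "", addr)                      # drop interface scope (%lo)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print port, addr
        }'
}

# Constructed sample of `ss -H -ltn` output (not captured from a real server).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:11334 0.0.0.0:*
LISTEN 0 128 [::1]:11334 [::]:*
LISTEN 0 128 0.0.0.0:11332 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 [::]:11334 [::]:*
EOF
}

# 11332 = rspamd milter, 11334 = rspamd controller, 6379 = Redis (assumed default)
PORTS="11332 11334 6379"
sample_ss_output | exposed_listeners "$PORTS"
```

On the server, run `ss -H -ltn | exposed_listeners "11332 11334 6379"`; every line it prints is a listener that the firewall from the Plesk section has to block from external access.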
 