
rspamd configuration tips

Posted at 2024-12-30

This article collects tips for settings and errors that come up after installing rspamd.
The content is based on version 3.11.1.

"ssl error: error:0A000086:SSL routines::certificate verify failed" appears

The log shows "connection with http server terminated incorrectly: ssl connect error: ssl error: error:0A000086:SSL routines::certificate verify failed". This is rspamd's HTTPS client (used to fetch maps and other resources over HTTPS) failing to verify the server certificate: the OpenSSL build rspamd links against has no CA bundle under its OPENSSLDIR. Check that directory with "openssl version -d" and point it at the system CA store (/etc/pki/tls on RHEL-family systems, /etc/ssl on Debian-family systems).

# Assumes an OpenSSL build whose OPENSSLDIR is /usr/local/ssl/ssl; confirm with "openssl version -d" before moving anything
cd /usr/local/ssl
mv ssl ssl.def # move the default certificate directory (which has no CA bundle) aside
ln -s /etc/pki/tls /usr/local/ssl/ssl # point it at the system CA store
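Before moving directories it is worth confirming which directory the OpenSSL that rspamd links against actually consults, and that the directory you plan to link to really holds a CA bundle. The following shell script is an added example, not code from the article or from rspamd: check_openssl_dir reports whether a directory holds a usable cert.pem or a populated certs/ directory, and relink_openssl_dir performs the article's move-and-symlink step only when the system store checks out and the target is not already a symlink. The OPENSSLDIR value comes from "openssl version -d"; the /etc/pki/tls path is the article's.

```shell
#!/bin/sh
# Added example, not from the article or from rspamd.
# OpenSSL looks for CA certificates under OPENSSLDIR (shown by `openssl version -d`),
# either as <dir>/cert.pem or as hashed files under <dir>/certs. A source-built
# OpenSSL usually has neither, which is what produces "certificate verify failed"
# in rspamd's HTTPS client.

# check_openssl_dir DIR -> 0 and the bundle location if DIR holds a usable CA store, else 1
check_openssl_dir() {
    dir=$1
    if [ -s "$dir/cert.pem" ]; then
        echo "bundle: $dir/cert.pem"
        return 0
    fi
    if [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        echo "certs dir: $dir/certs"
        return 0
    fi
    echo "no CA bundle under $dir" >&2
    return 1
}

# relink_openssl_dir OPENSSLDIR SYSTEM_TLS_DIR
# The article's fix with guards: keep the original as OPENSSLDIR.def and symlink
# OPENSSLDIR to the system store, but only if the system store is usable and
# OPENSSLDIR is not already a symlink.
relink_openssl_dir() {
    target=$1
    system=$2
    if ! check_openssl_dir "$system" >/dev/null 2>&1; then
        echo "refusing to link: $system has no CA bundle either" >&2
        return 1
    fi
    if [ -L "$target" ]; then
        echo "$target is already a symlink to $(readlink "$target"), nothing to do" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        mv "$target" "$target.def" || return 1
    fi
    ln -s "$system" "$target"
}

# Typical invocation on the affected host (needs the openssl binary rspamd links against):
#   dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
#   check_openssl_dir "$dir" || relink_openssl_dir "$dir" /etc/pki/tls
```

If check_openssl_dir already succeeds for the OPENSSLDIR that rspamd uses, the error has a different cause (for example an outdated CA bundle) and moving directories will not help.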

Generate the DKIM key pair

su rspamd
# -s is the selector, -d the domain; -k is where the private key is written, stdout is the DNS TXT record
/usr/local/bin/rspamadm dkim_keygen -s 'selector' -b 2048 -d example.com -k /usr/local/var/lib/rspamd/dkim/example.private > /usr/local/var/lib/rspamd/dkim/example.txt
# If this was run as a user other than rspamd, fix the ownership
chown rspamd:rspamd -R /usr/local/etc/rspamd
chown rspamd:rspamd -R /usr/local/var/lib/rspamd/dkim

The generated files are placed in /usr/local/var/lib/rspamd/dkim.
Register the contents of the .txt file as the TXT record for selector._domainkey.example.com on your DNS server. The .private file is the private key: it must be owned by rspamd and readable by that user only, since anyone who can read it can sign mail as your domain.

Configure signing per domain in the following file.
Reference: https://rspamd.com/doc/modules/dkim_signing.html

dkim_signing.conf
# Quote the delimiter ('EOF') so the shell does not expand $domain/$selector inside the config
cat > /usr/local/etc/rspamd/local.d/dkim_signing.conf << 'EOF'

# local.d/dkim_signing.conf

# Set enabled = false if you do not want signing to run
enabled = true;

# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;

# If true, envelope/header domain mismatch is ignored
# (the message is then signed for the header From domain even when the envelope sender differs;
#  set to false unless your forwarding setup needs it)
allow_hdrfrom_mismatch = true;

# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = true;

# If true, username does not need to contain matching domain
# (any authenticated user can then submit mail that gets signed for any configured domain)
allow_username_mismatch = true;

# Default path to key, can include '$domain' and '$selector' variables
#path = "/usr/local/var/lib/rspamd/dkim/$domain.$selector.key";

# Default selector to use
#selector = "dkim";

# If false, messages from authenticated users are not selected for signing
sign_authenticated = true;

# If false, messages from local networks are not selected for signing
sign_local = true;

# Map file of IP addresses/subnets to consider for signing
# sign_networks = "/some/file"; # or url

# Symbol to add when message is signed
symbol = "DKIM_SIGNED";

# Whether to fallback to global config
try_fallback = true;

# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From), "recipient" (SMTP To), "auth" (SMTP username) or directly specified domain name
use_domain = "header";

# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
#use_domain_sign_networks = "header";

# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
#use_domain_sign_local = "header";

# Whether to normalise domains to eSLD
use_esld = true;

# Whether to get keys from Redis
use_redis = false;

# Hash for DKIM keys in Redis
key_prefix = "DKIM_KEYS";

# map of domains -> names of selectors (since rspamd 1.5.3)
#selector_map = "/etc/rspamd/dkim_selectors.map";

# map of domains -> paths to keys (since rspamd 1.5.3)
#path_map = "/etc/rspamd/dkim_paths.map";

# If `true` get pubkey from DNS record and check if it matches private key
check_pubkey = false;
# Set to `false` if you want to skip signing if public and private keys mismatch
allow_pubkey_mismatch = true;


#
# Per-domain setup (OpenDKIM signing_table/key_table format)
#
signing_table = [
  "*@hako.example.com <selector_name>._domainkey.hako.example.com",
  "*@box.example.com  <selector_name>._domainkey.box.example.com"
];

key_table = [
  "<selector_name>._domainkey.hako.example.com  hako.example.com:<selector_name>:/usr/local/var/lib/rspamd/dkim/hako.example.com.private",
  "<selector_name>._domainkey.box.example.com  box.example.com:<selector_name>:/usr/local/var/lib/rspamd/dkim/box.example.com.private"
];
EOF
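A key_table entry that points at a misspelled path, or a private key that other users on the host can read, is easy to miss until signing silently stops or the key leaks. The following shell script is an added example, not code from the article or from rspamd: it parses the OpenDKIM-style key_table lines of local.d/dkim_signing.conf, checks that the left-hand name agrees with the domain and selector on the right, and verifies that each private key exists and is not group- or world-readable. The same permission check applies to any key path rspamd reads, including the one used for ARC below.

```shell
#!/bin/sh
# Added example, not part of the article or of rspamd. Sanity-checks the
# OpenDKIM-style key_table entries in local.d/dkim_signing.conf before
# restarting rspamd, catching a typo in a key path or a readable private key.
#
# One key_table entry looks like:
#   "<selector>._domainkey.<domain>  <domain>:<selector>:<path-to-private-key>",

# check_key_table_line ENTRY
# Prints each problem found; returns 0 only when the entry is consistent and
# the key file exists and is readable by its owner alone.
check_key_table_line() {
    entry=$1
    # strip the UCL quotes and trailing comma the config wraps each line in
    entry=$(printf '%s' "$entry" | sed -e 's/^[[:space:]]*"//' -e 's/",\{0,1\}[[:space:]]*$//')
    name=${entry%%[[:space:]]*}
    rest=${entry#*[[:space:]]}
    rest=$(printf '%s' "$rest" | sed 's/^[[:space:]]*//')
    domain=${rest%%:*}
    rest=${rest#*:}
    selector=${rest%%:*}
    keypath=${rest#*:}
    rc=0
    if [ "$name" != "$selector._domainkey.$domain" ]; then
        echo "$name: left side does not match $selector._domainkey.$domain"
        rc=1
    fi
    if [ ! -f "$keypath" ]; then
        echo "$name: key file $keypath does not exist"
        rc=1
    else
        # ls -l mode string: characters 5-7 are the group bits, 8-10 the other bits
        mode=$(ls -ld "$keypath" | cut -c1-10)
        case $mode in
            ????r*|???????r*)
                echo "$name: $keypath is readable by group or others ($mode)"
                rc=1 ;;
        esac
    fi
    return $rc
}

# check_key_table_file CONFIG
# Runs the check over every entry of the key_table = [ ... ] block in CONFIG.
check_key_table_file() {
    problems=$(awk '/^[[:space:]]*key_table[[:space:]]*=/ {inside=1; next}
                    inside && index($0, "]") {exit}
                    inside && NF' "$1" |
        while IFS= read -r entry; do
            check_key_table_line "$entry"
        done)
    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems"
    return 1
}

# Usage on the real host, as root or as the rspamd user:
#   check_key_table_file /usr/local/etc/rspamd/local.d/dkim_signing.conf
```

Run it after every edit of the table and before restarting rspamd; a non-zero exit with the printed reasons is cheaper to debug than a missing DKIM-Signature header on outbound mail.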

The rspamd web UI status shows "Legacy version"

Reference: https://rspamd.com/doc/modules/history_redis.html

su rspamd
cat > /usr/local/etc/rspamd/local.d/history_redis.conf << EOF
servers = 127.0.0.1:6379; # Redis server to store history
expire = 432000; # Expire in seconds for inactive keys, default to 5 days
nrows = 2000; # Default rows limit
compress = true; # Use zstd compression when storing data in Redis
subject_privacy = false; # Subject privacy is off
EOF

After placing the configuration file above, restart rspamd and the status is shown correctly. This requires a Redis instance listening on 127.0.0.1:6379, as configured in servers.

Enable ARC

The private key is the same one used for DKIM. The selector configured below ("ds") must therefore have its own TXT record in DNS (ds._domainkey.example.com) carrying the same public key as the DKIM record, or validators will not be able to verify the ARC seal.
Reference: https://rspamd.com/doc/modules/arc.html

# Quote the delimiter ('EOF'): otherwise the shell expands ${DBDIR}, $domain and $selector and the path line below ends up empty
cat > /usr/local/etc/rspamd/local.d/arc.conf  << 'EOF'

# local.d/arc.conf

# Allowed settings id
allowed_ids = nil;
# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;
# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;
# Domain mismatch allowed for local IP
allow_hdrfrom_mismatch_local = false;
# Domain mismatch allowed for sign_networks
allow_hdrfrom_mismatch_sign_networks = false;
# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# If true, username does not need to contain matching domain
allow_username_mismatch = false;
# Banned settings id
forbidden_ids = nil;
# Default path to key, can include '$domain' and '$selector' variables
path = "${DBDIR}/arc/$domain.$selector.key";
# Default selector to use
selector = "arc";
# If false, messages from authenticated users are not selected for signing
sign_authenticated = true;
# If false, inbound messages are not selected for signing
sign_inbound = true;
# If false, messages from local networks are not selected for signing
sign_local = true;
# Symbol to add when message is signed
sign_symbol = "ARC_SIGNED";
# Whether to fallback to global config
try_fallback = true;
# Domain to use for ARC signing: can be "header" (MIME From), "envelope" (SMTP From), "recipient" (SMTP To), "auth" (SMTP username) or directly specified domain name
use_domain = "header";
# Whether to normalise domains to eSLD
use_esld = true;
# Whether to get keys from Redis
use_redis = false;
# Hash for ARC keys in Redis
key_prefix = "ARC_KEYS";
# Reuse the existing authentication results
reuse_auth_results = false;
# map of domains -> names of selectors (since rspamd 1.5.3)
#selector_map = "/etc/rspamd/arc_selectors.map";
# map of domains -> paths to keys (since rspamd 1.5.3)
#path_map = "/etc/rspamd/arc_paths.map";
# map of trusted domains. Symbol ARC_ALLOW_TRUSTED is added to messages
# with valid ARC chains from these domains. A failed DMARC result is removed/ignored.
# whitelisted_signers_map = ["example.org", "example.com"]

# From version 1.8.4, Rspamd uses a different set of sign_headers for ARC:
sign_headers = "(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";

# Domain specific settings
domain {
  example.com {
    # Private key path
    path = "/usr/local/var/lib/rspamd/dkim/example.private";
    # Selector
    selector = "ds";
  }
}

EOF

DMARC settings

Place the following configuration file. The reporting block only collects data into Redis; since rspamd 3.0 the aggregate reports themselves are generated and sent by the rspamadm dmarc_report utility, which has to be run separately (for example from cron).
Reference: https://rspamd.com/doc/modules/dmarc.html

dmarc.conf
su rspamd
cat > /usr/local/etc/rspamd/local.d/dmarc.conf << EOF
# local.d/dmarc.conf
  reporting {
    # Required attributes
    enabled = true; # Enable reports in general
    email = 'dmarc_reports@example.com'; # Source of DMARC reports
    domain = 'example.com'; # Domain to serve
    org_name = 'Example organisation'; # Organisation
    # Optional parameters
    bcc_addrs = ["postmaster@example.com"]; # additional addresses to copy on reports
    report_local_controller = false; # Store reports for local/controller scans (for testing only)
    helo = 'rspamd.localhost'; # Helo used in SMTP dialog
    smtp = '127.0.0.1'; # SMTP server IP
    smtp_port = 25; # SMTP server port
    from_name = 'Rspamd'; # SMTP FROM
    msgid_from = 'rspamd'; # Msgid format
    max_entries = 1k; # Maximum amount of entries per domain
    keys_expire = 2d; # Expire date for Redis keys
    #only_domains = '/path/to/map'; # Only store reports from domains or eSLDs listed in this map
    # Available from 3.3
    #exclude_domains = '/path/to/map'; # Exclude reports from domains or eSLDs listed in this map
    #exclude_domains = ["example.com", "another.com"]; # Alternative, use array to exclude reports from domains or eSLDs
    # Available from 3.8
    #exclude_recipients = '/path/to/map'; # Exclude reports for recipients listed in this map
    #exclude_recipients = ["a@example.com", "b@another.com"]; # Alternative, use array to exclude reports for recipients
  }
EOF

Create a whitelist

Create the whitelist configuration file. IP_WHITELIST is a prefilter with action accept, so mail from a listed address bypasses scanning entirely: list only relays you control. WHITELIST_SENDER_DOMAIN matches the domain of the From header, which any sender can forge, so keep its negative score moderate; for a domain whitelist that holds up, rspamd's whitelist module (local.d/whitelist.conf) ties a domain to a valid SPF, DKIM or DMARC result instead.

multimap.conf
su rspamd
cat > /usr/local/etc/rspamd/local.d/multimap.conf << 'EOF'

IP_WHITELIST {
      type = "ip";
      prefilter = true;
      map = "/usr/local/etc/rspamd/local.d/ip_whitelist.map";
      action = "accept";
}
WHITELIST_SENDER_DOMAIN {
      type = "from";
      filter = "email:domain";
      map = "/usr/local/etc/rspamd/local.d/sender_domain_whitelist.map";
      score = -6.0;
}
EOF

Also create the map files themselves (they can start out empty).

su rspamd
touch /usr/local/etc/rspamd/local.d/ip_whitelist.map
touch /usr/local/etc/rspamd/local.d/sender_domain_whitelist.map

The two maps then appear as new items in the web UI, where entries can be added.
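Entries added through the UI go straight into the map files, and rspamd does not tell you when a line is malformed: a bad CIDR in ip_whitelist.map simply never matches, and an e-mail address pasted into sender_domain_whitelist.map never equals the bare domain that filter = "email:domain" extracts. The following shell script is an added example, not code from the article or from rspamd; it lints both map files offline, accepting "#" comments and blank lines as rspamd maps do. IPv6 entries are passed through unchecked, and the map paths in the usage comment are the article's.

```shell
#!/bin/sh
# Added example, not part of the article or of rspamd: lint the two multimap
# files before (or after) editing them in the web UI.

# valid_ipv4_cidr ENTRY -> 0 for a.b.c.d or a.b.c.d/NN with sane octets and prefix
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#"$addr"}          # "" or "/NN"
    prefix=${prefix#/}
    [ -n "$prefix" ] || prefix=32
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    rest=$addr.
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# valid_ip_entry ENTRY -> accepts IPv6 literals without checking them, validates IPv4
valid_ip_entry() {
    case $1 in *:*) return 0 ;; esac
    valid_ipv4_cidr "$1"
}

# valid_domain ENTRY -> 0 for a bare domain name, which is what the
# "email:domain" filter compares against; addresses and empty labels are rejected
valid_domain() {
    case $1 in
        ''|*@*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_map FILE VALIDATOR -> prints every entry VALIDATOR rejects, returns 1 if any
lint_map() {
    file=$1
    validator=$2
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                   # drop trailing comment
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        if ! "$validator" "$entry"; then
            echo "$file: invalid entry: $line"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Usage on the host, with the article's paths:
#   lint_map /usr/local/etc/rspamd/local.d/ip_whitelist.map valid_ip_entry
#   lint_map /usr/local/etc/rspamd/local.d/sender_domain_whitelist.map valid_domain
```

Because IP_WHITELIST is an accepting prefilter, an entry that is too broad (a /8 typed instead of a /24) is as worth catching as a malformed one; review the prefix lengths the linter reports as valid rather than only the rejected lines.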
