Move from rmilter to rspamd #25
parent
410c6c410b
commit
616d779e1f
6 changed files with 84 additions and 72 deletions
|
@ -735,7 +735,7 @@ in
|
||||||
./mail-server/dovecot.nix
|
./mail-server/dovecot.nix
|
||||||
./mail-server/opendkim.nix
|
./mail-server/opendkim.nix
|
||||||
./mail-server/postfix.nix
|
./mail-server/postfix.nix
|
||||||
./mail-server/rmilter.nix
|
./mail-server/rspamd.nix
|
||||||
./mail-server/nginx.nix
|
./mail-server/nginx.nix
|
||||||
./mail-server/kresd.nix
|
./mail-server/kresd.nix
|
||||||
./mail-server/post-upgrade-check.nix
|
./mail-server/post-upgrade-check.nix
|
||||||
|
|
|
@ -22,7 +22,7 @@ in
|
||||||
{
|
{
|
||||||
config = with cfg; lib.mkIf enable {
|
config = with cfg; lib.mkIf enable {
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
dovecot opendkim openssh postfix rspamd rmilter
|
dovecot opendkim openssh postfix rspamd
|
||||||
] ++ (if certificateScheme == 2 then [ openssl ] else []);
|
] ++ (if certificateScheme == 2 then [ openssl ] else []);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -94,13 +94,9 @@ let
|
||||||
inetSocket = addr: port: "inet:[${toString port}@${addr}]";
|
inetSocket = addr: port: "inet:[${toString port}@${addr}]";
|
||||||
unixSocket = sock: "unix:${sock}";
|
unixSocket = sock: "unix:${sock}";
|
||||||
|
|
||||||
rmilter = config.services.rmilter;
|
|
||||||
rmilterSocket = if rmilter.bindSocket.type == "unix" then unixSocket rmilter.bindSocket.path
|
|
||||||
else inetSocket rmilter.bindSocket.address rmilter.bindSocket.port;
|
|
||||||
|
|
||||||
smtpdMilters =
|
smtpdMilters =
|
||||||
(lib.optional cfg.dkimSigning "unix:/run/opendkim/opendkim.sock")
|
(lib.optional cfg.dkimSigning "unix:/run/opendkim/opendkim.sock")
|
||||||
++ [ rmilterSocket ];
|
++ [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
||||||
|
|
||||||
policyd-spf = pkgs.writeText "policyd-spf.conf" (''
|
policyd-spf = pkgs.writeText "policyd-spf.conf" (''
|
||||||
TestOnly = 1
|
TestOnly = 1
|
||||||
|
|
|
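Review bot: The milter endpoint in `smtpdMilters` is now the literal `"unix:/run/rspamd/rspamd-milter.sock"`, which has to stay in step with the `bindSockets` path declared in mail-server/rspamd.nix; the removed code derived the address from the service's own options. If the two strings drift apart, Postfix will not reach the filter, and what happens to mail then depends on `milter_default_action`, which is not visible in this hunk. I would define the path once and reference it from both files, or at least add a comment here such as `# must match workers.rspamd_proxy.bindSockets in rspamd.nix`. The `let` block continues outside the hunk.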
@ -1,57 +0,0 @@
|
||||||
# nixos-mailserver: a simple mail server
|
|
||||||
# Copyright (C) 2016-2018 Robin Raymond
|
|
||||||
#
|
|
||||||
# This program is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
||||||
|
|
||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.mailserver;
|
|
||||||
|
|
||||||
clamav = if cfg.virusScanning
|
|
||||||
then
|
|
||||||
''
|
|
||||||
clamav {
|
|
||||||
servers = /run/clamav/clamd.ctl;
|
|
||||||
};
|
|
||||||
''
|
|
||||||
else "";
|
|
||||||
postfixCfg = config.services.postfix;
|
|
||||||
rmilter = config.services.rmilter;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
config = with cfg; lib.mkIf enable {
|
|
||||||
services.rspamd = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.rmilter = {
|
|
||||||
inherit debug;
|
|
||||||
enable = true;
|
|
||||||
rspamd = {
|
|
||||||
enable = true;
|
|
||||||
extraConfig = "extended_spam_headers = yes;";
|
|
||||||
};
|
|
||||||
extraConfig =
|
|
||||||
''
|
|
||||||
use_redis = true;
|
|
||||||
max_size = 20M;
|
|
||||||
|
|
||||||
${clamav}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
users.extraUsers.${postfixCfg.user}.extraGroups = [ rmilter.group ];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
78
mail-server/rspamd.nix
Normal file
78
mail-server/rspamd.nix
Normal file
|
@ -0,0 +1,78 @@
|
||||||
|
# nixos-mailserver: a simple mail server
|
||||||
|
# Copyright (C) 2016-2018 Robin Raymond
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||||
|
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.mailserver;
|
||||||
|
|
||||||
|
postfixCfg = config.services.postfix;
|
||||||
|
rspamdCfg = config.services.rspamd;
|
||||||
|
rspamdSocket = if rspamdCfg.socketActivation
|
||||||
|
then "rspamd-rspamd_proxy-1.socket"
|
||||||
|
else "rspamd.service";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
config = with cfg; lib.mkIf enable {
|
||||||
|
services.rspamd = {
|
||||||
|
enable = true;
|
||||||
|
socketActivation = false;
|
||||||
|
extraConfig = ''
|
||||||
|
extended_spam_headers = yes;
|
||||||
|
'' + (lib.optionalString cfg.virusScanning ''
|
||||||
|
antivirus {
|
||||||
|
clamav {
|
||||||
|
action = "reject";
|
||||||
|
symbol = "CLAM_VIRUS";
|
||||||
|
type = "clamav";
|
||||||
|
log_clean = true;
|
||||||
|
servers = "/run/clamav/clamd.ctl";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'');
|
||||||
|
|
||||||
|
workers.rspamd_proxy = {
|
||||||
|
type = "proxy";
|
||||||
|
bindSockets = [{
|
||||||
|
socket = "/run/rspamd/rspamd-milter.sock";
|
||||||
|
mode = "0664";
|
||||||
|
}];
|
||||||
|
count = 1; # Do not spawn too many processes of this type
|
||||||
|
extraConfig = ''
|
||||||
|
milter = yes; # Enable milter mode
|
||||||
|
timeout = 120s; # Needed for Milter usually
|
||||||
|
|
||||||
|
upstream "local" {
|
||||||
|
default = yes; # Self-scan upstreams are always default
|
||||||
|
self_scan = yes; # Enable self-scan
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.rspamd = {
|
||||||
|
requires = (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||||
|
after = (lib.optional cfg.virusScanning "clamav-daemon.service");
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.postfix = {
|
||||||
|
after = [ rspamdSocket ];
|
||||||
|
requires = [ rspamdSocket ];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
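Review bot: In the `antivirus` block, `action = "reject"` only covers a positive ClamAV verdict; nothing here says what happens to a message when `/run/clamav/clamd.ctl` cannot be reached, and as far as I know rspamd then lets the message through unscanned. The `requires`/`after` on `clamav-daemon.service` order startup but do not, I believe, stop rspamd if clamd later crashes, and the page does not show whether the rspamd user may open that socket. I would add a comment above the block, e.g. `# rejects only on a positive verdict; confirm behaviour and socket access when clamd is down`, and check it after deployment with the standard antivirus test file. Separately, `mode = "0664"` on the milter socket could be `"0660"`, since only the owner and the group that Postfix's user is added to need access.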
@ -89,18 +89,13 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# Postfix requires rmilter socket, dovecot lmtp socket, dovecot auth socket and certificate to work
|
# Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
|
||||||
systemd.services.postfix = {
|
systemd.services.postfix = {
|
||||||
after = [ "rmilter.socket" "dovecot2.service" "mailserver-certificates.target" ]
|
after = [ "dovecot2.service" "mailserver-certificates.target" ]
|
||||||
++ (lib.optional cfg.dkimSigning "opendkim.service");
|
++ (lib.optional cfg.dkimSigning "opendkim.service");
|
||||||
wants = [ "mailserver-certificates.target" ];
|
wants = [ "mailserver-certificates.target" ];
|
||||||
requires = [ "rmilter.socket" "dovecot2.service" ]
|
requires = [ "dovecot2.service" ]
|
||||||
++ (lib.optional cfg.dkimSigning "opendkim.service");
|
++ (lib.optional cfg.dkimSigning "opendkim.service");
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.rmilter = {
|
|
||||||
requires = [ "rmilter.socket" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
|
||||||
after = [ "rmilter.socket" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
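Review bot: The updated comment above `systemd.services.postfix` now lists only the dovecot sockets and the certificate, but Postfix still depends on the spam filter; that ordering has moved to mail-server/rspamd.nix, which adds `rspamdSocket` to `after` and `requires`. Someone reading this file alone would conclude that Postfix may start without its milter. I would extend the comment: `# Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work; the rspamd dependency is added in rspamd.nix`.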