rspamd: allow configuring dmarc reporting

Enabling collects DMARC results in Redis and sends out aggregated reports (RUA) on a daily basis.
2021-10-03 14:31:43 +02:00 · 2021-10-03 14:31:43 +02:00 · fe36e7ae0d
commit fe36e7ae0d
parent 3f0b7a1b5c
5 changed files with 212 additions and 2 deletions
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -56,6 +56,17 @@ in
              # Disable outbound email signing, we use opendkim for this
              enabled = false;
          ''; };
+          "dmarc.conf" = { text = ''
+              ${lib.optionalString cfg.dmarcReporting.enable ''
+              reporting {
+                enabled = true;
+                email = "${cfg.dmarcReporting.email}";
+                domain = "${cfg.dmarcReporting.domain}";
+                org_name = "${cfg.dmarcReporting.organizationName}";
+                from_name = "${cfg.dmarcReporting.fromName}";
+                msgid_from = "dmarc-rua";
+              }''}
+          ''; };
      };

      overrides = {
@ -108,6 +119,64 @@ in
      after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
    };

+    systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
+      # Explicitly select yesterday's date to work around broken
+      # default behaviour when called without a date.
+      # https://github.com/rspamd/rspamd/issues/4062
+      script = ''
+        ${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
+      '';
+      serviceConfig = {
+        User = "${config.services.rspamd.user}";
+        Group = "${config.services.rspamd.group}";
+
+        AmbientCapabilities = [];
+        CapabilityBoundingSet = "";
+        DevicePolicy = "closed";
+        IPAddressAllow = "localhost";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        UMask = "0077";
+      };
+    };
+
+    systemd.timers.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
+      description = "Daily delivery of aggregated DMARC reports";
+      wantedBy = [
+        "timers.target"
+      ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+        RandomizedDelaySec = 86400;
+        FixedRandomDelay = true;
+      };
+    };
+
    systemd.services.postfix = {
      after = [ rspamdSocket ];
      requires = [ rspamdSocket ];