Diffstat (limited to 'ansible/roles/rspamd')
-rw-r--r--ansible/roles/rspamd/files/redis/redis.conf21
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/classifier-bayes.conf4
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/greylist.conf1
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/milter_headers.conf3
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/mx_check.conf2
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/neural.conf33
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/neural_group.conf29
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/phishing.conf3
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/redis.conf2
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/replies.conf2
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/surbl.conf2
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/url_reputation.conf2
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/url_tags.conf2
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/worker-controller.inc39
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/worker-normal.inc3
-rw-r--r--ansible/roles/rspamd/files/rspamd/local.d/worker-proxy.inc16
-rw-r--r--ansible/roles/rspamd/handlers/main.yml11
-rw-r--r--ansible/roles/rspamd/meta/main.yml3
-rw-r--r--ansible/roles/rspamd/tasks/main.yml54
19 files changed, 232 insertions, 0 deletions
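diff --git a/ansible/roles/rspamd/files/redis/redis.conf b/ansible/roles/rspamd/files/redis/redis.conf
new file mode 100644
index 0000000..ee237d9
--- /dev/null
+++ b/ansible/roles/rspamd/files/redis/redis.conf
@@ -0,0 +1,21 @@
+# listen only on localhost
+# Even though we only tell rspamd to contact Redis over 127.0.0.1, it still
+# connects via ::1 for some modules as well, so things inside rspamd break
+# if redis isn't listening on both 127.0.0.1 and ::1
+bind 127.0.0.1 ::1
+
+# limit the max amount of memory used - appropriate value will depend on
+# your email volume
+maxmemory 512mb
+maxmemory-policy volatile-lru
+
+daemonize yes
+
+logfile /var/log/redis/redis-server.log
+dir /var/lib/redis
+
+appendonly yes
+appendfilename redisisgarbage.aof
+dbfilename redisisgarbage.rdb
+
+pidfile /var/run/redis/redis-server.pid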
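Review bot: Nothing in this file requires authentication, so any local account or compromised service on the host can read and rewrite the Bayes and neural data rspamd keeps in Redis; `bind 127.0.0.1 ::1` limits only the network exposure. Consider adding `requirepass <REDIS_PASSWORD_PLACEHOLDER>` here with the matching `password` setting in rspamd's local.d/redis.conf, both supplied from a vaulted variable rather than a static file, or switching to a unix socket with restrictive permissions. Because the role copies this 21-line file into /etc/redis/, every setting not listed falls back to the Redis built-in default, which is worth a comment at the top of the file.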
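diff --git a/ansible/roles/rspamd/files/rspamd/local.d/classifier-bayes.conf b/ansible/roles/rspamd/files/rspamd/local.d/classifier-bayes.conf
new file mode 100644
index 0000000..db2f240
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/classifier-bayes.conf
@@ -0,0 +1,4 @@
+autolearn = true;
+backend = "redis";
+new_schema = true;
+expire = 8640000;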
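diff --git a/ansible/roles/rspamd/files/rspamd/local.d/greylist.conf b/ansible/roles/rspamd/files/rspamd/local.d/greylist.conf
new file mode 100644
index 0000000..a6ee831
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/greylist.conf
@@ -0,0 +1 @@
+enabled = false;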
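diff --git a/ansible/roles/rspamd/files/rspamd/local.d/milter_headers.conf b/ansible/roles/rspamd/files/rspamd/local.d/milter_headers.conf
new file mode 100644
index 0000000..4c924d7
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/milter_headers.conf
@@ -0,0 +1,3 @@
+# Refer to https://rspamd.com/doc/modules/milter_headers.html for information on configuration
+
+use = ["x-spamd-bar", "authentication-results", "x-spamd-result", "x-rspamd-server", "x-rspamd-queue-id"];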
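diff --git a/ansible/roles/rspamd/files/rspamd/local.d/mx_check.conf b/ansible/roles/rspamd/files/rspamd/local.d/mx_check.conf
new file mode 100644
index 0000000..de9fac1
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/mx_check.conf
@@ -0,0 +1,2 @@
+# checks if sender's domain has at least one connectable MX record
+enabled = true;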
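diff --git a/ansible/roles/rspamd/files/rspamd/local.d/neural.conf b/ansible/roles/rspamd/files/rspamd/local.d/neural.conf
new file mode 100644
index 0000000..7fc7bd2
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/neural.conf
@@ -0,0 +1,33 @@
+servers = "localhost";
+enabled = true; # Important after 1.7
+
+# use_settings = true;
+
+rules {
+ "LONG" {
+ train {
+ max_trains = 5000;
+ max_usages = 200;
+ max_iterations = 25;
+ learning_rate = 0.01,
+ spam_score = 8;
+ ham_score = -2;
+ }
+ symbol_spam = "NEURAL_SPAM_LONG";
+ symbol_ham = "NEURAL_HAM_LONG";
+ ann_expire = 100d;
+ }
+ "SHORT" {
+ train {
+ max_trains = 100;
+ max_usages = 2;
+ max_iterations = 25;
+ learning_rate = 0.01,
+ spam_score = 8;
+ ham_score = -2;
+ }
+ symbol_spam = "NEURAL_SPAM_SHORT";
+ symbol_ham = "NEURAL_HAM_SHORT";
+ ann_expire = 1d;
+ }
+}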
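Review bot: `servers = "localhost";` on line 1 gives this module its own Redis address instead of inheriting `127.0.0.1:6379` from local.d/redis.conf, and a name that can resolve to ::1 is a likely reason for the IPv6 listener that files/redis/redis.conf says rspamd needs. Dropping the line, or writing `servers = "127.0.0.1:6379";`, would keep one Redis endpoint for the whole role and may let Redis bind to a single address. The two `learning_rate = 0.01,` lines end in a comma where every other setting uses a semicolon; `learning_rate = 0.01;` would match.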
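diff --git a/ansible/roles/rspamd/files/rspamd/local.d/neural_group.conf b/ansible/roles/rspamd/files/rspamd/local.d/neural_group.conf
new file mode 100644
index 0000000..fff5058
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/neural_group.conf
@@ -0,0 +1,29 @@
+symbols = {
+ "NEURAL_SPAM" {
+ weight = 3.0; # sample weight
+ description = "Neural network spam";
+ }
+ "NEURAL_HAM" {
+ weight = -3.0; # sample weight
+ description = "Neural network ham";
+ }
+}
+
+symbols = {
+ "NEURAL_SPAM_LONG" {
+ weight = 3.0; # sample weight
+ description = "Neural network spam (long)";
+ }
+ "NEURAL_HAM_LONG" {
+ weight = -3.0; # sample weight
+ description = "Neural network ham (long)";
+ }
+ "NEURAL_SPAM_SHORT" {
+ weight = 2.0; # sample weight
+ description = "Neural network spam (short)";
+ }
+ "NEURAL_HAM_SHORT" {
+ weight = -1.0; # sample weight
+ description = "Neural network ham (short)";
+ }
+}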
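diff --git a/ansible/roles/rspamd/files/rspamd/local.d/phishing.conf b/ansible/roles/rspamd/files/rspamd/local.d/phishing.conf
new file mode 100644
index 0000000..dcb1caf
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/phishing.conf
@@ -0,0 +1,3 @@
+# check messages against some anti-phishing databases
+openphish_enabled = true;
+phishtank_enabled = true;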
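diff --git a/ansible/roles/rspamd/files/rspamd/local.d/redis.conf b/ansible/roles/rspamd/files/rspamd/local.d/redis.conf
new file mode 100644
index 0000000..4ae822d
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/redis.conf
@@ -0,0 +1,2 @@
+# just specifying a server enables redis for all modules that can use it
+servers = "127.0.0.1:6379";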
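diff --git a/ansible/roles/rspamd/files/rspamd/local.d/replies.conf b/ansible/roles/rspamd/files/rspamd/local.d/replies.conf
new file mode 100644
index 0000000..382764d
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/replies.conf
@@ -0,0 +1,2 @@
+# whitelist messages from threads that have been replied to
+action = "no action";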
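diff --git a/ansible/roles/rspamd/files/rspamd/local.d/surbl.conf b/ansible/roles/rspamd/files/rspamd/local.d/surbl.conf
new file mode 100644
index 0000000..9cbd70f
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/surbl.conf
@@ -0,0 +1,2 @@
+# follow redirects when checking URLs in emails for spaminess
+redirector_hosts_map = "/etc/rspamd/redirectors.inc";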
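diff --git a/ansible/roles/rspamd/files/rspamd/local.d/url_reputation.conf b/ansible/roles/rspamd/files/rspamd/local.d/url_reputation.conf
new file mode 100644
index 0000000..f5ca48a
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/url_reputation.conf
@@ -0,0 +1,2 @@
+# check URLs within messages for spaminess
+enabled = true;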
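diff --git a/ansible/roles/rspamd/files/rspamd/local.d/url_tags.conf b/ansible/roles/rspamd/files/rspamd/local.d/url_tags.conf
new file mode 100644
index 0000000..61832fb
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/url_tags.conf
@@ -0,0 +1,2 @@
+# cache some URL tags in redis
+enabled = true;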
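diff --git a/ansible/roles/rspamd/files/rspamd/local.d/worker-controller.inc b/ansible/roles/rspamd/files/rspamd/local.d/worker-controller.inc
new file mode 100644
index 0000000..1e1a713
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/worker-controller.inc
@@ -0,0 +1,39 @@
+# generate a password hash using the `rspamadm pw` command and define 'password'
+# this one is the hash for 'hunter2'
+# password = "$2$b9s94udsn7zzgk1hc9wuheqqcpydo64x$a1kksr9r9f1g1358shqdz789wmoqbnapndwqi6uscazhz3muz4gy";
+
+# this one is the hash for:
+# Roberts had grown so rich, he wanted to retire. He took me to his cabin and he told me his secret. 'I am not the Dread Pirate Roberts' he said. 'My name is Ryan; I inherited the ship from the previous Dread Pirate Roberts, just as you will inherit it from me. The man I inherited it from is not the real Dread Pirate Roberts either. His name was Cummerbund. The real Roberts has been retired 15 years and living like a king in Patagonia.'
+# password = "$2$bhjy5j4njn8r5mx3yo6ksmdt9hbm8fan$myysr1gnbcf9ggpf4dzjdky3by9nbb8w9wbm7wciu97sbb7zhomy";
+
+# this one is the hash for:
+# The point is, ladies and gentleman, that greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit. Greed, in all of its forms; greed for life, for money, for love, knowledge has marked the upward surge of mankind. And greed, you mark my words, will not only save Teldar Paper, but that other malfunctioning corporation called the USA. Thank you very much.
+# password = "$2$eqre5picpektnop85uashzyxpxeeo6cr$gugecdr35jhg8uhzxkwh4jnp19rtxc6ukaadaad5665sm1rapmfy";
+
+# this one is the hash for:
+# whence the day goes on
+# password = "$2$am4gzwgxbuksntkn7784g6mpoir4mp1o$83i86hfju6jfbp6g9w9sh44qacqmne85q9weah6xcj1d3c5ei1rb";
+
+
+# You can list multiple bind sockets on networks and file systems.
+#bind_socket = "/var/run/rspamd/rspamd.sock mode=0666 owner=nobody";
+
+# The worker controller handles multiple functions:
+# - trains spam
+# - trains not-spam
+# - hosts the built-in statistics web interface
+# - web interface also allows config modification and data injection
+
+# The config parameter 'secure_ip' defines which sources DO NOT need a
+# password to connect to this worker controller.
+# By default, 'secure_ip' is defined as:
+# secure_ip = "127.0.0.1";
+# secure_ip = "::1";
+#
+# If you need distributed rspamd access or want to view your spam stats console
+# from another machine without SSH tunneling port 11334, you can add multiple
+# non-localhost IP address config lines here, but also remember to
+# define 'password' above as well.
+
+bind_socket = "127.0.0.1:11334";
+#bind_socket = "192.168.122.8:11334";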
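Review bot: No `password` is set, so the controller on `127.0.0.1:11334` accepts every request that arrives from a loopback address, and the file's own comments say this interface allows config modification and data injection. That covers every local account, and any reverse proxy later placed in front of the port on this host would make remote requests look local. Set `password` (and `enable_password` for the write operations) from a vaulted variable through a template instead of shipping a static file. The commented example hashes on lines 3, 7, 11 and 15 sit next to their plaintexts, so uncommenting one deploys a publicly known password; replace them with a single `# password = "<HASH_FROM_rspamadm_pw>";` placeholder.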
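diff --git a/ansible/roles/rspamd/files/rspamd/local.d/worker-normal.inc b/ansible/roles/rspamd/files/rspamd/local.d/worker-normal.inc
new file mode 100644
index 0000000..ffa77f5
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/worker-normal.inc
@@ -0,0 +1,3 @@
+# we're not running rspamd in a distributed setup, so this can be disabled
+# the proxy worker will handle all the spam filtering
+enabled = false;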
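diff --git a/ansible/roles/rspamd/files/rspamd/local.d/worker-proxy.inc b/ansible/roles/rspamd/files/rspamd/local.d/worker-proxy.inc
new file mode 100644
index 0000000..056d2bc
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/worker-proxy.inc
@@ -0,0 +1,16 @@
+# this worker will be used as postfix milter
+milter = yes;
+
+# note to self - tighten up these permissions
+#bind_socket = "/var/run/rspamd/milter.sock mode=0666 owner=nobody";
+
+# DEFAULT: listens on localhost:11332
+
+
+# the following specifies self-scan mode, for when rspamd is on the same
+# machine as postfix
+timeout = 120s;
+upstream "local" {
+ default = yes;
+ self_scan = yes;
+}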
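Review bot: The commented `bind_socket` on line 5 still carries `mode=0666 owner=nobody`, which would let any local account talk to the milter socket if someone uncomments it, and the reminder on line 4 shows this is already known. Fix the example now rather than leaving the reminder, for instance `#bind_socket = "/var/run/rspamd/milter.sock mode=0660 owner=<RSPAMD_USER>";` with postfix given access through group membership. The booleans here are written `yes` while the other local.d files in this commit use `true`/`false`; one form throughout would read more consistently.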
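diff --git a/ansible/roles/rspamd/handlers/main.yml b/ansible/roles/rspamd/handlers/main.yml
new file mode 100644
index 0000000..de7cfc9
--- /dev/null
+++ b/ansible/roles/rspamd/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart rspamd
+ service:
+ name: rspamd
+ state: restarted
+
+- name: restart redis
+ service:
+ name: redis
+ state: restarted
+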
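diff --git a/ansible/roles/rspamd/meta/main.yml b/ansible/roles/rspamd/meta/main.yml
new file mode 100644
index 0000000..8ab008e
--- /dev/null
+++ b/ansible/roles/rspamd/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: gpg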
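diff --git a/ansible/roles/rspamd/tasks/main.yml b/ansible/roles/rspamd/tasks/main.yml
new file mode 100644
index 0000000..a15c330
--- /dev/null
+++ b/ansible/roles/rspamd/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# Set Up rspam repo
+- name: install rspam key
+ apt_key:
+ url: https://rspamd.com/apt-stable/gpg.key
+ state: present
+
+- name: create rspam repo
+ apt_repository:
+ repo: deb http://rspamd.com/apt-stable/ bionic main
+ state: present
+
+# rspamd install and configuration
+- name: install shitdis
+ apt:
+ pkg: redis
+ state: latest
+
+- name: set guanodis directory permissions
+ file:
+ path: /var/lib/redis
+ owner: redis
+ group: redis
+ mode: 0700
+ state: directory
+
+- name: copy poodis config
+ copy:
+ src: redis/
+ dest: /etc/redis/
+ notify:
+ - restart redis
+
+- name: install rspamd
+ apt:
+ pkg: rspamd
+ state: latest
+
+- name: copy rspamd config
+ copy:
+ src: rspamd/local.d/
+ dest: /etc/rspamd/local.d/
+ notify:
+ - restart rspamd
+
+# verify everything is running
+- name: verify services are running in dependency order
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ loop:
+ - redis
+ - rspamd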
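Review bot: The repository on line 10 is added over plain `http://`, and the signing key on line 5 is trusted as whatever the URL returns at run time, with no fingerprint check. APT signature verification still protects package contents, but the key itself is trust-on-first-use and `apt_key` places it in the global keyring. Use `repo: deb https://rspamd.com/apt-stable/ bionic main` and pin the key with `id: "<RSPAMD_KEY_FINGERPRINT>"` on the `apt_key` task. `state: latest` on both packages upgrades the mail filter and Redis on every run; `state: present` keeps upgrades deliberate. `mode: 0700` and `enabled: yes` are better written as `mode: "0700"` and `enabled: true`.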