19 files changed, 232 insertions, 0 deletions

diff --git a/ansible/roles/rspamd/files/redis/redis.conf b/ansible/roles/rspamd/files/redis/redis.conf
new file mode 100644
index 0000000..ee237d9
--- /dev/null
+++ b/ansible/roles/rspamd/files/redis/redis.conf
@@ -0,0 +1,21 @@
+# listen only on localhost
+# Even though we only tell rspamd to contact Redis over 127.0.0.1, it still
+# connects via ::1 for some modules as well, so things inside rspamd break
+# if redis isn't listening on both 127.0.0.1 and ::1
+bind 127.0.0.1 ::1
+
+# limit the max amount of memory used - appropriate value will depend on
+# your email volume
+maxmemory 512mb
+maxmemory-policy volatile-lru
+
+daemonize yes
+
+logfile /var/log/redis/redis-server.log
+dir /var/lib/redis
+
+appendonly yes
+appendfilename redisisgarbage.aof
+dbfilename redisisgarbage.rdb
+
+pidfile /var/run/redis/redis-server.pid
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/classifier-bayes.conf b/ansible/roles/rspamd/files/rspamd/local.d/classifier-bayes.conf
new file mode 100644
index 0000000..db2f240
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/classifier-bayes.conf
@@ -0,0 +1,4 @@
+autolearn = true;
+backend = "redis";
+new_schema = true;
+expire = 8640000;
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/greylist.conf b/ansible/roles/rspamd/files/rspamd/local.d/greylist.conf
new file mode 100644
index 0000000..a6ee831
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/greylist.conf
@@ -0,0 +1 @@
+enabled = false;
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/milter_headers.conf b/ansible/roles/rspamd/files/rspamd/local.d/milter_headers.conf
new file mode 100644
index 0000000..4c924d7
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/milter_headers.conf
@@ -0,0 +1,3 @@
+# Refer to https://rspamd.com/doc/modules/milter_headers.html for information on configuration
+
+use = ["x-spamd-bar", "authentication-results", "x-spamd-result", "x-rspamd-server", "x-rspamd-queue-id"];
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/mx_check.conf b/ansible/roles/rspamd/files/rspamd/local.d/mx_check.conf
new file mode 100644
index 0000000..de9fac1
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/mx_check.conf
@@ -0,0 +1,2 @@
+# checks if sender's domain has at least one connectable MX record
+enabled = true;
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/neural.conf b/ansible/roles/rspamd/files/rspamd/local.d/neural.conf
new file mode 100644
index 0000000..7fc7bd2
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/neural.conf
@@ -0,0 +1,33 @@
+servers = "localhost";
+enabled = true; # Important after 1.7
+
+# use_settings = true;
+
+rules {
+  "LONG" {
+    train {
+      max_trains = 5000;
+      max_usages = 200;
+      max_iterations = 25;
+      learning_rate = 0.01,
+      spam_score = 8;
+      ham_score = -2;
+    }
+    symbol_spam = "NEURAL_SPAM_LONG";
+    symbol_ham = "NEURAL_HAM_LONG";
+    ann_expire = 100d;
+  }
+  "SHORT" {
+    train {
+      max_trains = 100;
+      max_usages = 2;
+      max_iterations = 25;
+      learning_rate = 0.01,
+      spam_score = 8;
+      ham_score = -2;
+    }
+    symbol_spam = "NEURAL_SPAM_SHORT";
+    symbol_ham = "NEURAL_HAM_SHORT";
+    ann_expire = 1d;
+  }
+}
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/neural_group.conf b/ansible/roles/rspamd/files/rspamd/local.d/neural_group.conf
new file mode 100644
index 0000000..fff5058
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/neural_group.conf
@@ -0,0 +1,29 @@
+symbols = {
+  "NEURAL_SPAM" {
+    weight = 3.0; # sample weight
+    description = "Neural network spam";
+  }
+  "NEURAL_HAM" {
+    weight = -3.0; # sample weight
+    description = "Neural network ham";
+  }
+}
+
+symbols = {
+  "NEURAL_SPAM_LONG" {
+    weight = 3.0; # sample weight
+    description = "Neural network spam (long)";
+  }
+  "NEURAL_HAM_LONG" {
+    weight = -3.0; # sample weight
+    description = "Neural network ham (long)";
+  }
+  "NEURAL_SPAM_SHORT" {
+    weight = 2.0; # sample weight
+    description = "Neural network spam (short)";
+  }
+  "NEURAL_HAM_SHORT" {
+    weight = -1.0; # sample weight
+    description = "Neural network ham (short)";
+  }
+}
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/phishing.conf b/ansible/roles/rspamd/files/rspamd/local.d/phishing.conf
new file mode 100644
index 0000000..dcb1caf
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/phishing.conf
@@ -0,0 +1,3 @@
+# check messages against some anti-phishing databases
+openphish_enabled = true;
+phishtank_enabled = true;
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/redis.conf b/ansible/roles/rspamd/files/rspamd/local.d/redis.conf
new file mode 100644
index 0000000..4ae822d
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/redis.conf
@@ -0,0 +1,2 @@
+# just specifying a server enables redis for all modules that can use it
+servers = "127.0.0.1:6379";
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/replies.conf b/ansible/roles/rspamd/files/rspamd/local.d/replies.conf
new file mode 100644
index 0000000..382764d
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/replies.conf
@@ -0,0 +1,2 @@
+# whitelist messages from threads that have been replied to
+action = "no action";
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/surbl.conf b/ansible/roles/rspamd/files/rspamd/local.d/surbl.conf
new file mode 100644
index 0000000..9cbd70f
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/surbl.conf
@@ -0,0 +1,2 @@
+# follow redirects when checking URLs in emails for spaminess
+redirector_hosts_map = "/etc/rspamd/redirectors.inc";
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/url_reputation.conf b/ansible/roles/rspamd/files/rspamd/local.d/url_reputation.conf
new file mode 100644
index 0000000..f5ca48a
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/url_reputation.conf
@@ -0,0 +1,2 @@
+# check URLs within messages for spaminess
+enabled = true;
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/url_tags.conf b/ansible/roles/rspamd/files/rspamd/local.d/url_tags.conf
new file mode 100644
index 0000000..61832fb
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/url_tags.conf
@@ -0,0 +1,2 @@
+# cache some URL tags in redis
+enabled = true;
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/worker-controller.inc b/ansible/roles/rspamd/files/rspamd/local.d/worker-controller.inc
new file mode 100644
index 0000000..1e1a713
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/worker-controller.inc
@@ -0,0 +1,39 @@
+# generate a password hash using the `rspamadm pw` command and define 'password'
+# this one is the hash for 'hunter2'
+# password = "$2$b9s94udsn7zzgk1hc9wuheqqcpydo64x$a1kksr9r9f1g1358shqdz789wmoqbnapndwqi6uscazhz3muz4gy";
+
+# this one is the hash for:
+# Roberts had grown so rich, he wanted to retire. He took me to his cabin and he told me his secret. 'I am not the Dread Pirate Roberts' he said. 'My name is Ryan; I inherited the ship from the previous Dread Pirate Roberts, just as you will inherit it from me. The man I inherited it from is not the real Dread Pirate Roberts either. His name was Cummerbund. The real Roberts has been retired 15 years and living like a king in Patagonia.'
+# password = "$2$bhjy5j4njn8r5mx3yo6ksmdt9hbm8fan$myysr1gnbcf9ggpf4dzjdky3by9nbb8w9wbm7wciu97sbb7zhomy";
+
+# this one is the hash for:
+# The point is, ladies and gentleman, that greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit. Greed, in all of its forms; greed for life, for money, for love, knowledge has marked the upward surge of mankind. And greed, you mark my words, will not only save Teldar Paper, but that other malfunctioning corporation called the USA. Thank you very much.
+# password = "$2$eqre5picpektnop85uashzyxpxeeo6cr$gugecdr35jhg8uhzxkwh4jnp19rtxc6ukaadaad5665sm1rapmfy";
+
+# this one is the hash for:
+# whence the day goes on
+# password = "$2$am4gzwgxbuksntkn7784g6mpoir4mp1o$83i86hfju6jfbp6g9w9sh44qacqmne85q9weah6xcj1d3c5ei1rb";
+
+
+# You can list multiple bind sockets on networks and file systems.
+#bind_socket = "/var/run/rspamd/rspamd.sock mode=0666 owner=nobody";
+
+# The worker controller handles multiple functions:
+# - trains spam
+# - trains not-spam
+# - hosts the built-in statistics web interface
+# - web interface also allows config modification and data injection
+
+# The config parameter 'secure_ip' defines which sources DO NOT need a
+# password to connect to this worker controller.
+# By default, 'secure_ip' is defined as:
+# secure_ip = "127.0.0.1";
+# secure_ip = "::1";
+#
+# If you need distributed rspamd access or want to view your spam stats console
+# from another machine without SSH tunneling port 11334, you can add multiple
+# non-localhost IP address config lines here, but also remember to
+# define 'password' above as well.
+
+bind_socket = "127.0.0.1:11334";
+#bind_socket = "192.168.122.8:11334";
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/worker-normal.inc b/ansible/roles/rspamd/files/rspamd/local.d/worker-normal.inc
new file mode 100644
index 0000000..ffa77f5
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/worker-normal.inc
@@ -0,0 +1,3 @@
+# we're not running rspamd in a distributed setup, so this can be disabled
+# the proxy worker will handle all the spam filtering
+enabled = false;
diff --git a/ansible/roles/rspamd/files/rspamd/local.d/worker-proxy.inc b/ansible/roles/rspamd/files/rspamd/local.d/worker-proxy.inc
new file mode 100644
index 0000000..056d2bc
--- /dev/null
+++ b/ansible/roles/rspamd/files/rspamd/local.d/worker-proxy.inc
@@ -0,0 +1,16 @@
+# this worker will be used as postfix milter
+milter = yes;
+
+# note to self - tighten up these permissions
+#bind_socket = "/var/run/rspamd/milter.sock mode=0666 owner=nobody";
+
+# DEFAULT: listens on localhost:11332
+
+
+# the following specifies self-scan mode, for when rspamd is on the same
+# machine as postfix
+timeout = 120s;
+upstream "local" {
+  default = yes;
+  self_scan = yes;
+}
diff --git a/ansible/roles/rspamd/handlers/main.yml b/ansible/roles/rspamd/handlers/main.yml
new file mode 100644
index 0000000..de7cfc9
--- /dev/null
+++ b/ansible/roles/rspamd/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart rspamd
+  service:
+    name: rspamd
+    state: restarted
+
+- name: restart redis
+  service:
+    name: redis
+    state: restarted
+
diff --git a/ansible/roles/rspamd/meta/main.yml b/ansible/roles/rspamd/meta/main.yml
new file mode 100644
index 0000000..8ab008e
--- /dev/null
+++ b/ansible/roles/rspamd/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: gpg
diff --git a/ansible/roles/rspamd/tasks/main.yml b/ansible/roles/rspamd/tasks/main.yml
new file mode 100644
index 0000000..a15c330
--- /dev/null
+++ b/ansible/roles/rspamd/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# Set Up rspam repo
+- name: install rspam key
+  apt_key:
+    url: https://rspamd.com/apt-stable/gpg.key
+    state: present
+
+- name: create rspam repo
+  apt_repository:
+    repo: deb http://rspamd.com/apt-stable/ bionic main
+    state: present
+
+# rspamd install and configuration
+- name: install shitdis
+  apt:
+    pkg: redis
+    state: latest
+
+- name: set guanodis directory permissions
+  file:
+    path: /var/lib/redis
+    owner: redis
+    group: redis
+    mode: 0700
+    state: directory
+
+- name: copy poodis config
+  copy:
+    src: redis/
+    dest: /etc/redis/
+  notify:
+  - restart redis
+
+- name: install rspamd
+  apt:
+    pkg: rspamd
+    state: latest
+
+- name: copy rspamd config
+  copy:
+    src: rspamd/local.d/
+    dest: /etc/rspamd/local.d/
+  notify:
+  - restart rspamd
+
+# verify everything is running
+- name: verify services are running in dependency order
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  loop:
+    - redis
+    - rspamd