Rspamd installation and OpenSMTPD configuration on it on OpenBSD

Summary
Thanks to poolpOrg's filter-rspamd, Rspamd filter in OpenSMTPD is provided as Ports package whose name is
opensmtpd-filter-rspamd in OpenSMTPD 6.6.0 or higher. It means it has not been necessary any longer to use rspamc in smtpd.conf.
This post shows how to install Rspamd and configure it on OpenBSD.
Environment
  • Server OS: OpenBSD 6.9
  • MTA (Mail transfer agent): OpenSMTPD 6.9
  • Spam filtering system: Rspamd 2.7
  • Command line shell: Fish 3.2
  • Tutorial
    Here shows packages related to OpenSMTPD:
    $ doas pkg_info -Q opensmtpd
    libopensmtpd-0.6
    opensmtpd-extras-6.7.1v0
    opensmtpd-extras-mysql-6.7.1p0v0
    opensmtpd-extras-pgsql-6.7.1p0v0
    opensmtpd-extras-python-6.7.1v0
    opensmtpd-extras-redis-6.7.1v0
    opensmtpd-filter-admdscrub-0.1
    opensmtpd-filter-dkimsign-0.4
    opensmtpd-filter-dnsbl-0.2
    opensmtpd-filter-rspamd-0.1.7p0
    opensmtpd-filter-senderscore-0.1.1p0
    opensmtpd-filter-spamassassin-0.7p0
    Several extras and also several filters :)
    First, let's install Rspamd and also required packages, its OpenSMTPD filter and Redis. Rspamd in OpenBSD is highly configured and ready to use Redis as database by default.
    $ doas pkg_add rspamd redis opensmtpd-filter-rspamd
    quirks-3.633 signed on 2021-07-03T10:19:35Z
    Ambiguous: choose package for rspamd
        0: <None>
        1: rspamd-2.7p0
        2: rspamd-2.7p0-hyperscan
    Your choice: 2
    rspamd-2.7p0-hyperscan:luajit-2.0.5p2: ok
    rspamd-2.7p0-hyperscan:gcc-libs-8.4.0p6: ok
    rspamd-2.7p0-hyperscan:blas-3.8.0p0: ok
    rspamd-2.7p0-hyperscan:cblas-1.0p7: ok
    rspamd-2.7p0-hyperscan:hyperscan-5.4.0-ssse3: ok
    useradd: Warning: home directory `/var/redis' doesn't exist, and -m was not specified
    rspamd-2.7p0-hyperscan:redis-6.2.1p0: ok
    rspamd-2.7p0-hyperscan: ok
    opensmtpd-filter-rspamd-0.1.7p0: ok
    The following new rcscripts were installed: /etc/rc.d/redis /etc/rc.d/rspamd
    See rcctl(8) for details.
    New and changed readme(s):
        /usr/local/share/doc/pkg-readmes/opensmtpd-filter-rspamd
        /usr/local/share/doc/pkg-readmes/rspamd
    Besides, hyperscan is used as an option of local optimizations
    on Rspamd performance, which is developed by Intel.
    Next, enable daemons.
    $ doas rcctl enable {redis, rspamd}
    And run them.
    $ doas rcctl start {redis, rspamd}
    redis(ok)
    rspamd(ok)
    If you want to add custom configuration to Rspamd, it's available with ".conf" files.
    In my case, I edited actions.conf to mitigate rejection by the filter.
    $ cd /etc/rspamd/local.d
    
    $ cat ../actions.conf
    (...)
    actions {
        reject = 15; # Reject when reaching this score
        add_header = 6; # Add header when reaching this score
        greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
    (...)
        .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/actions.conf"
        .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/actions.conf"
    }
    
    $ doas nvim actions.conf
    My actions.conf in local.d is like this:
    reject = 27.0;
    greylist = 19.0;
    subject = "** Suspicious ** %s"
    rewrite_subject = 12.0;
    add_header = 7.0;
    When changing Rspamd configuration, it is necessary to restart the daemon:
    $ doas rcctl restart rspamd
    rspamd(ok)
    rspamd(ok)
    Then, modify smtpd.conf in /etc/mail to execute (proc-exec) the filter.
    $ cd /etc/mail
    
    $ # create a backup if necessary:
    $ doas cp -p smtpd.conf smtpd.conf.bak
    
    $ doas nvim smtpd.conf
    Add these lines:
    (...)
    + filter "rspamd" \
    +   proc-exec "filter-rspamd"
      (...)
      listen on egress \
        tls \
        pki (...) \
        auth-optional \
    +   filter { "rspamd" } \
        tag MTA
      (...)
    Just 3 lines :)
    Well, here, I actually added more lines:
    + filter "check_dyndns" \
    +   phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
    +   disconnect "550 no residential connections"
    + filter "check_rdns" \
    +   phase connect match !rdns \
    +   disconnect "550 no rDNS"
    + filter "check_fcrdns" \
    +   phase connect match !fcrdns \
    +   disconnect "550 no FCrDNS"
      filter "rspamd" \
        proc-exec "filter-rspamd"
      (...)
    -   filter { "rspamd" } \
    +   filter { "check_dyndns", "check_rdns", "check_fcrdns", "rspamd" } \
    The 3 filters are builtin ones in OpenSMTPD.
    Finally, restart the smtpd daemon:
    $ doas rcctl restart smtpd
    smtpd(ok)
    smtpd(ok)
    Now OpenSMTPD calls Rspamd while transfering messages and the filter results are being stored in Redis.
    Hope your trouble on spams and scams will get remarkably less.
    Acknowledgments
    I appeciate the Gilles (poolp) 's great article:
    It enabled me to set up Rspamd working well with OpenSMTPD at last.

    32

    This website collects cookies to deliver better user experience

    Rspamd installation and OpenSMTPD configuration on it on OpenBSD