Rspamd installation and OpenSMTPD configuration on it on OpenBSD

Summary

Thanks to poolpOrg's filter-rspamd, Rspamd filter in OpenSMTPD is provided as Ports package whose name is
opensmtpd-filter-rspamd in OpenSMTPD 6.6.0 or higher. It means it has not been necessary any longer to use rspamc in smtpd.conf.

This post shows how to install Rspamd and configure it on OpenBSD.

Environment

  • Server OS: OpenBSD 6.9
  • MTA (Mail transfer agent): OpenSMTPD 6.9
  • Spam filtering system: Rspamd 2.7
  • Command line shell: Fish 3.2

Tutorial

Here shows packages related to OpenSMTPD:

$ doas pkg_info -Q opensmtpd
libopensmtpd-0.6
opensmtpd-extras-6.7.1v0
opensmtpd-extras-mysql-6.7.1p0v0
opensmtpd-extras-pgsql-6.7.1p0v0
opensmtpd-extras-python-6.7.1v0
opensmtpd-extras-redis-6.7.1v0
opensmtpd-filter-admdscrub-0.1
opensmtpd-filter-dkimsign-0.4
opensmtpd-filter-dnsbl-0.2
opensmtpd-filter-rspamd-0.1.7p0
opensmtpd-filter-senderscore-0.1.1p0
opensmtpd-filter-spamassassin-0.7p0

Several extras and also several filters :)

First, let's install Rspamd and also required packages, its OpenSMTPD filter and Redis. Rspamd in OpenBSD is highly configured and ready to use Redis as database by default.

$ doas pkg_add rspamd redis opensmtpd-filter-rspamd
quirks-3.633 signed on 2021-07-03T10:19:35Z
Ambiguous: choose package for rspamd
    0: <None>
    1: rspamd-2.7p0
    2: rspamd-2.7p0-hyperscan
Your choice: 2
rspamd-2.7p0-hyperscan:luajit-2.0.5p2: ok
rspamd-2.7p0-hyperscan:gcc-libs-8.4.0p6: ok
rspamd-2.7p0-hyperscan:blas-3.8.0p0: ok
rspamd-2.7p0-hyperscan:cblas-1.0p7: ok
rspamd-2.7p0-hyperscan:hyperscan-5.4.0-ssse3: ok
useradd: Warning: home directory `/var/redis' doesn't exist, and -m was not specified
rspamd-2.7p0-hyperscan:redis-6.2.1p0: ok
rspamd-2.7p0-hyperscan: ok
opensmtpd-filter-rspamd-0.1.7p0: ok
The following new rcscripts were installed: /etc/rc.d/redis /etc/rc.d/rspamd
See rcctl(8) for details.
New and changed readme(s):
    /usr/local/share/doc/pkg-readmes/opensmtpd-filter-rspamd
    /usr/local/share/doc/pkg-readmes/rspamd

Besides, hyperscan is used as an option of local optimizations
on Rspamd performance, which is developed by Intel.

Next, enable daemons.

$ doas rcctl enable {redis, rspamd}

And run them.

$ doas rcctl start {redis, rspamd}
redis(ok)
rspamd(ok)

If you want to add custom configuration to Rspamd, it's available with ".conf" files.
In my case, I edited actions.conf to mitigate rejection by the filter.

$ cd /etc/rspamd/local.d

$ cat ../actions.conf
(...)
actions {
    reject = 15; # Reject when reaching this score
    add_header = 6; # Add header when reaching this score
    greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
(...)
    .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/actions.conf"
    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/actions.conf"
}

$ doas nvim actions.conf

My actions.conf in local.d is like this:

reject = 27.0;
greylist = 19.0;
subject = "** Suspicious ** %s"
rewrite_subject = 12.0;
add_header = 7.0;

When changing Rspamd configuration, it is necessary to restart the daemon:

$ doas rcctl restart rspamd
rspamd(ok)
rspamd(ok)

Then, modify smtpd.conf in /etc/mail to execute (proc-exec) the filter.

$ cd /etc/mail

$ # create a backup if necessary:
$ doas cp -p smtpd.conf smtpd.conf.bak

$ doas nvim smtpd.conf

Add these lines:

(...)
+ filter "rspamd" \
+   proc-exec "filter-rspamd"
  (...)
  listen on egress \
    tls \
    pki (...) \
    auth-optional \
+   filter { "rspamd" } \
    tag MTA
  (...)

Just 3 lines :)
Well, here, I actually added more lines:

+ filter "check_dyndns" \
+   phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
+   disconnect "550 no residential connections"
+ filter "check_rdns" \
+   phase connect match !rdns \
+   disconnect "550 no rDNS"
+ filter "check_fcrdns" \
+   phase connect match !fcrdns \
+   disconnect "550 no FCrDNS"
  filter "rspamd" \
    proc-exec "filter-rspamd"
  (...)
-   filter { "rspamd" } \
+   filter { "check_dyndns", "check_rdns", "check_fcrdns", "rspamd" } \

The 3 filters are builtin ones in OpenSMTPD.

Finally, restart the smtpd daemon:

$ doas rcctl restart smtpd
smtpd(ok)
smtpd(ok)

Now OpenSMTPD calls Rspamd while transfering messages and the filter results are being stored in Redis.
Hope your trouble on spams and scams will get remarkably less.

Acknowledgments

I appeciate the Gilles (poolp) 's great article:

It enabled me to set up Rspamd working well with OpenSMTPD at last.

25