diff --git a/setup/README.md b/setup/README.md index 837f699c..2590071b 100644 --- a/setup/README.md +++ b/setup/README.md @@ -14,11 +14,12 @@ This install script installs and configures the following components: 4. **Wild Duck Webmail** for creating accounts and viewing messages 5. **Nginx** to serve the webmail component 6. **acme.sh** to manage Let's Encrypt certificates +7. **Rspamd** to check messages for spam. Messages detected as spam are routed to Junk Mail folder by default +8. **ClamAV** to check messages for viruses. ClamAV is disabled by default, you need to enable it in the Haraka plugins file What it does not configure: 1. **DNS settings**. These you need to handle yourself. See domainname-nameserver.txt file after installation for DNS configuration (includes DKIM) -2. No **Antispam** nor **antivirus**. This you need to configure yourself. Wild Duck is preconfigured to move all messages with common spam headers to a spam folder instead of INBOX, so in most cases it should be enough to configure SpamAssassin/ClamAV for Haraka. ## Security diff --git a/setup/install.sh b/setup/install.sh index 33da62ce..b0b02a39 100755 --- a/setup/install.sh +++ b/setup/install.sh @@ -37,14 +37,22 @@ curl -sL https://deb.nodesource.com/setup_8.x | bash - apt-get update -apt-get -q -y install mongodb-org pwgen nodejs git ufw build-essential libssl-dev dnsutils python software-properties-common nginx +apt-get -q -y install mongodb-org pwgen nodejs git ufw build-essential libssl-dev dnsutils python software-properties-common nginx lsb-release wget systemctl enable mongod.service # redis apt-add-repository -y ppa:chris-lea/redis-server + +# rspamd +CODENAME=`lsb_release -c -s` +wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add - +echo "deb http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list +echo "deb-src http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list apt-get update -apt-get -q -y install redis-server + +apt-get -q -y install redis-server clamav clamav-daemon +apt-get -q -y --no-install-recommends install rspamd apt-get clean @@ -83,6 +91,11 @@ echo "user=\"wildduck\" group=\"wildduck\" emailDomain=\"$HOSTNAME\"" | cat - /etc/wildduck/wildduck.toml > temp && mv temp /etc/wildduck/wildduck.toml +echo '[[spamHeader]] +key="X-Rspamd-Bar" +value="^\\+{6}" +target="\\Junk"' >> /etc/wildduck/spamheaders.toml + sed -i -e "s/localhost:3000/$HOSTNAME/g;s/localhost/$HOSTNAME/g;s/2587/587/g" /etc/wildduck/wildduck.toml cd /opt/wildduck @@ -114,7 +127,7 @@ cd sudo npm install --unsafe-perm -g Haraka haraka -i /opt/haraka cd /opt/haraka -sudo npm install --save haraka-plugin-wildduck Haraka +sudo npm install --save haraka-plugin-wildduck haraka-plugin-rspamd Haraka mv config/plugins config/pluginbs.bak @@ -123,7 +136,16 @@ echo "26214400" > config/databytes echo "$HOSTNAME" > config/me echo "spf + +## ClamAV is disabled by default. Make sure freshclam has updated all +## virus definitions and clamav-daemon has successfully started before +## enabling it. +#clamd + +rspamd tls +dkim_verify + queue/lmtp wildduck" > config/plugins @@ -133,6 +155,35 @@ cert=/etc/wildduck/certs/fullchain.pem" > config/tls.ini echo "host=127.0.0.1 port=24" > config/lmtp.ini +echo 'host = localhost +port = 11333 +add_headers = always +[dkim] +enabled = true +[header] +bar = X-Rspamd-Bar +report = X-Rspamd-Report +score = X-Rspamd-Score +spam = X-Rspamd-Spam +[check] +authenticated=true +private_ip=true +[reject] +spam = false +[soft_reject] +enabled = true +[rmilter_headers] +enabled = true +[spambar] +positive = + +negative = - +neutral = /' > config/rspamd.ini + +echo 'clamd_socket = /var/run/clamav/clamd.ctl +[reject] +virus=true +error=false' > config/clamd.ini + echo '--- accounts: maxStorage: 1024