From e0a970d758b6a0f7cd4101057fd7b74151a43c26 Mon Sep 17 00:00:00 2001 From: Valery Kartel Date: Mon, 25 Jan 2016 01:01:54 +0200 Subject: testing/rmilter: new aport Rspamd milter (mail filter for postfix, sendmail etc.) https://rspamd.com --- testing/rmilter/APKBUILD | 71 ++++++++++ testing/rmilter/config_dir.patch | 26 ++++ testing/rmilter/rmilter.conf | 265 +++++++++++++++++++++++++++++++++++ testing/rmilter/rmilter.confd | 8 ++ testing/rmilter/rmilter.initd | 45 ++++++ testing/rmilter/rmilter.pre-install | 6 + testing/rmilter/system_hiredis.patch | 28 ++++ 7 files changed, 449 insertions(+) create mode 100644 testing/rmilter/APKBUILD create mode 100644 testing/rmilter/config_dir.patch create mode 100644 testing/rmilter/rmilter.conf create mode 100644 testing/rmilter/rmilter.confd create mode 100644 testing/rmilter/rmilter.initd create mode 100644 testing/rmilter/rmilter.pre-install create mode 100644 testing/rmilter/system_hiredis.patch (limited to 'testing/rmilter') diff --git a/testing/rmilter/APKBUILD b/testing/rmilter/APKBUILD new file mode 100644 index 0000000000..0ec9f34d08 --- /dev/null +++ b/testing/rmilter/APKBUILD 
@@ -0,0 +1,71 @@ +# Maintainer: Valery Kartel +# Contributor: Valery Kartel +pkgname=rmilter +pkgver=1.7.1 +pkgrel=0 +pkgdesc="Rspamd mail filter" +url="https://rspamd.com" +arch="all" +license="BSD" +pkgusers="rmilter" +pkggroups="rmilter" +depends="" +depends_dev="" +makedepends="$depends_dev cmake bison flex bsd-compat-headers openssl-dev pcre-dev libmilter-dev opendkim-dev hiredis-dev" +install="$pkgname.pre-install" +subpackages="$pkgname-doc" +source="$pkgname-$pkgver.tar.gz::https://github.com/vstakhov/$pkgname/archive/$pkgver.tar.gz + $pkgname.conf + $pkgname.confd + $pkgname.initd + config_dir.patch + system_hiredis.patch +" + +_builddir="$srcdir"/$pkgname-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + +build() { + cd "$_builddir" + cmake CMakeLists.txt \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DRMILTER_USER=$pkgusers \ + -DRMILTER_GROUP=$pkggroups \ + || return 1 + make || return 1 +} + +package() { + cd "$_builddir" + make DESTDIR="$pkgdir" install || return 1 + install -d "$pkgdir"/etc/mail/dkim + install -Dm755 "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname + install -Dm644 "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname + install -Dm644 "$srcdir"/$pkgname.conf "$pkgdir"/etc/$pkgname/$pkgname.conf +} + +md5sums="ae12e22bf01f29cdc4ff97d778b0896c rmilter-1.7.1.tar.gz +74b3a71b9e14d548f9bbade386cdacae rmilter.conf +e159e4461b765b487f72c05b3d504a9c rmilter.confd +a3fa9ba78d3392716d04f27e40e40ac8 rmilter.initd +9fe7aea93e81b7e36020f186c5b9288d config_dir.patch +388470c71ad9d98088e2338a7b7066b7 system_hiredis.patch" +sha256sums="4b239acba55e80620c3906ec11bc086eaa814122117b5afeeb16712279f3e13e rmilter-1.7.1.tar.gz +65f602b802766ff71807ca5537c2c17b400e0dfd915223ddeb306db074162019 rmilter.conf +fad2d6baea215c3b31750e8128efe557a27024974eca2ff359b8fa921acb9076 rmilter.confd +ce592d80851b0a52138bfa97f70c3e98a21555daa9e8a9f3966b7cafca1acc3c 
rmilter.initd +863d36c15386e8927775fd368fdba4b234bbab83bfbd6a156f328b356880a91b config_dir.patch +49d964572ba4660bf4a9893eca5ed90b20a64ed02258d99e43687aeed6222852 system_hiredis.patch" +sha512sums="e8aa4b5fd8e8c474cec047b174d45eae1bb552845fd378a52c863b0f2f8c36009cde9ab6e002b4ffb0947d058e66c5c2e460776223f0d3eeb64cbbdaaa914d51 rmilter-1.7.1.tar.gz +4b577dbe63277dd932be74fad78989366056e3d0b7945af17906da17f685b19d0c58078398277ece4cff6304af8e20f45e61d196c86f933c7c5857efdecbdd81 rmilter.conf +d222bcf307e89f110efed524c2d708d3512d4400235091de0250d1f60358f65871667112bdad61bbcd948a9abdb8a46d8c3952cf78585cfb59fcf94f15849062 rmilter.confd +2ec3eb3fece210867001cf3a799336c77dfec7dd770442852a14b337205893aaefe24999ca5c0d92706bf8e9f1c8a192282e5c48b7bde2e591b03f721560e6e3 rmilter.initd +cd6cd168e0d0d14d62a74e59be7eebff4951f14f017e1b5e688aff78f5f119729c067074e9d12518fe8b4699aaa4c6a78de8c19226b91316844c636ab667fc8e config_dir.patch +536d35c2a8797f375f8dc77eb86c2012712ba7a4861f33513c795ef1d902f5db83383a0033e486bac02a5631e012aff96b600216119ab71ffce510a17880c554 system_hiredis.patch" diff --git a/testing/rmilter/config_dir.patch b/testing/rmilter/config_dir.patch new file mode 100644 index 0000000000..479cd327ce --- /dev/null +++ b/testing/rmilter/config_dir.patch @@ -0,0 +1,26 @@ +--- old/include/cfg_file.h ++++ new/include/cfg_file.h +@@ -43,6 +43,12 @@ + #include + #endif + ++#ifndef RMILTER_CONFDIR ++#define RMILTER_CONFDIR "/etc/rmilter" ++#endif ++ ++#define FIXED_CONFIG_FILE RMILTER_CONFDIR "/rmilter.conf" ++ + #define COND_CONNECT_FLAG 0x1 + #define COND_HELO_FLAG 0x2 + #define COND_ENVFROM_FLAG 0x4 +--- old/src/main.c ++++ new/src/main.c +@@ -208,7 +208,7 @@ + init_defaults (cfg); + + if (cfg_file == NULL) { +- cfg_file = strdup ("/usr/local/etc/rmilter.conf"); ++ cfg_file = strdup (FIXED_CONFIG_FILE); + } + + f = fopen (cfg_file, "r"); diff --git a/testing/rmilter/rmilter.conf b/testing/rmilter/rmilter.conf new file mode 100644 index 0000000000..6250474ef3 --- /dev/null 
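Review bot: `install -d "$pkgdir"/etc/mail/dkim` in package() creates the DKIM key directory with install's default mode, root-owned and world-searchable, so protection of the private signing keys rests entirely on the mode of each key file an admin places there. Restricting the directory to the service group is safer, for example `install -dm750 -g $pkggroups "$pkgdir"/etc/mail/dkim`. That assumes the rmilter group exists when package() runs, which should be confirmed for the build environment. The patch loop in prepare() also leaves `$i` unquoted in `patch -p1 -i "$srcdir"/$i`.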
+++ b/testing/rmilter/rmilter.conf 
@@ -0,0 +1,265 @@ +# .include - directive to include other config file +#.include ./rmilter-grey.conf + +# pidfile - path to pid file +# Default: pidfile = /run/rmilter/rmilter.pid + +pidfile = /run/rmilter/rmilter.pid; + +# bind_socket - socket credits for local bind: +# unix:/path/to/file - bind to local socket +# inet:port@host - bind to inet socket +# Default: bind_socket = unix:/var/rmilter/rmilter.sock; + +bind_socket = unix:/run/rmilter/rmilter.sock; + +# tempdir - path to directory that contains temporary files +# Default: $TMPDIR + +tempdir = /tmp; + +# tempfiles_mode - set permission for temp files +# Default: 00600 + +tempfiles_mode = 00600; + +# max_size - maximum size of scanned mail with clamav and dcc +# Default: 0 (no limit) + +max_size = 10M; + +# strict_auth - strict checks for mails from authenticated senders +# Default: no + +strict_auth = no; + +# spf_domains - path to file that contains hash of spf domains +# Default: empty + +#spf_domains = example.com; + +# use_dcc - whether use or not dcc system +# Default: no + +use_dcc = no; + +use_redis = yes; + +# .include - directive to include other config file +#.include ./rmilter-grey.conf + +clamav { + # servers - clamav socket definitions in format: + # /path/to/file + # host[:port] + # sockets are separated by ',' + # Default: empty + #servers = /run/clamav/clamd.sock; + # connect_timeout - timeout in miliseconds for connecting to clamav + # Default: 1s + connect_timeout = 1s; + + # port_timeout - timeout in miliseconds for waiting for clamav port response + # Default: 4s + port_timeout = 4s; + + # results_timeout - timeout in miliseconds for waiting for clamav response + # Default: 20s + results_timeout = 20s; + + # error_time - time in seconds during which we are counting errors + # Default: 10 + error_time = 10; + + # dead_time - time in seconds during which we are thinking that server is down + # Default: 300 + dead_time = 300; + + # maxerrors - maximum number of errors that can occur during 
error_time to make us thinking that + # this upstream is dead + # Default: 10 + maxerrors = 10; +}; + +spamd { + # servers - spamd socket definitions in format: + # /path/to/file + # host[:port] + # sockets are separated by ',' + # is server name is prefixed with r: it is rspamd server + # Default: empty + servers = r:localhost:11333; + + # also_check - extra spamd servers to check + #also_check = r:spam.example.com; + + # diff_dir - path where to write messages that have different results from main and extra checks + #diff_dir = /var/run/rmilter/diffmsg; + + # connect_timeout - timeout in milliseconds for connecting to spamd + # Default: 1s + connect_timeout = 1s; + + # results_timeout - timeout in milliseconds for waiting for spamd response + # Default: 20s + results_timeout = 20s; + + # error_time - time in seconds during which we are counting errors + # Default: 10 + error_time = 10; + + # dead_time - time in seconds during which we are thinking that server is down + # Default: 300 + dead_time = 300; + + # maxerrors - maximum number of errors that can occur during error_time to make us thinking that + # this upstream is dead + # Default: 10 + maxerrors = 10; + + # reject_message - reject message for spam + # Default: "Spam message rejected; If this is not spam contact abuse" + reject_message = "Spam message rejected; If this is not spam contact abuse"; + + # whitelist - list of ips or nets that should be not checked with spamd + # Default: empty + whitelist = 127.0.0.1/32, 192.168.0.0/16, [::1]/128; + + # rspamd_metric - metric for using with rspamd + # Default: "default" + rspamd_metric = "default"; +}; + +redis { + # servers_grey - redis servers for greylisting in format: + # host[:port][, host[:port]] + servers_grey = localhost; + + # servers_white - redis servers for whitelisting in format similar to that is used + # in servers_grey + # servers_white = redis.example.com:6379; + + # servers_limits - redis servers used for limits storing, can not be mirrored 
+ servers_limits = localhost; + + # servers_id - redis servers used for message id storing, can not be mirrored + servers_id = localhost; + + # id_prefix - prefix for extracting message ids from redis + # Default: empty (no prefix is prepended to key) + id_prefix = "message_id."; + + # grey_prefix - prefix for extracting greylisted records from redis + # Default: empty (no prefix is prepended to key) + grey_prefix = "grey."; + + # id_prefix - prefix for extracting whitelisted records from redis + # Default: empty (no prefix is prepended to key) + white_prefix = "white."; + + # connect_timeout - timeout in miliseconds for waiting for redis + # Default: 1s + connect_timeout = 1s; + + # error_time - time in seconds during which we are counting errors + # Default: 10 + error_time = 10; + + # dead_time - time in seconds during which we are thinking that server is down + # Default: 300 + dead_time = 300; + + # maxerrors - maximum number of errors that can occur during error_time to make us thinking that + # this upstream is dead + # Default: 10 + maxerrors = 10; +}; + +# rule definition: +# rule { +# accept|discard|reject|tempfail|quarantine "[message]"; <- action definition +# [not] connect ; <- conditions +# helo ; +# envfrom ; +# envrcpt ; +# header ; +# body ; +# }; + +# limits section +limits { + # Whitelisted ip or networks + #limit_whitelist = 194.67.45.4/32; + # Whitelisted recipients + limit_whitelist_rcpt = postmaster, mailer-daemon; + # Addrs for bounce checks + limit_bounce_addrs = postmaster, mailer-daemon, symantec_antivirus_for_smtp_gateways, <>, null, fetchmail-daemon; + # Limit for bounce mail + limit_bounce_to = 5:0.000277778; + # Limit for bounce mail per one source ip + limit_bounce_to_ip = 5:0.000277778; + # Limit for all mail per recipient + limit_to = 20:0.016666667; + # Limit for all mail per one source ip + limit_to_ip = 30:0.025; + # Limit for all mail per one source ip and from address + limit_to_ip_from = 100:0.033333333; +}; + +beanstalk { + 
# List of beanstalk servers, random selected + #servers = bot01.example.com:3132; + + # Address of server to which rmilter should send all messages copies + #copy_server = somehost:13333; + + # Address of server to which rmilter should send spam messages copies + #spam_server = otherhost:13333; + + # Time to live for task in seconds + lifetime = 172800; + # Regexp that define for which messages we should put the whole message to beanstalk + # now only In-Reply-To headers are checked + id_regexp = "/^SomeID.*$/"; + # Flags for sending beanstalk copies + send_beanstalk_headers = yes; + send_beanstalk_copy = yes; + send_beanstalk_spam = yes; +}; + +greylisting { + timeout = 300s; + expire = 3d; + whitelist = 127.0.0.1, 192.168.1.1, 192.168.2.0/24; + awl_enable = yes; + awl_pool = 10M; + awl_hits = 10; + awl_ttl = 3600s; +}; + +dkim { + # Sample for dkim specific keys + # domain { + # key = /etc/mail/dkim/dkim_example.key; + # domain = "example.com"; + # selector = "dkim"; + # }; + # domain { + # key = /etc/mail/dkim/dkim_test.key; + # domain = "test.com"; + # selector = "dkim"; + # }; + # Universal selector, keys will be checked for pattern /etc/mail/dkim/..key + domain { + key = /etc/mail/dkim; + domain = "*"; + selector = "dkim"; + }; + header_canon = relaxed; + body_canon = relaxed; + sign_alg = sha256; +}; + +# Order of checks at EOM: +# +# SPF -> DCC -> CLAMAV diff --git a/testing/rmilter/rmilter.confd b/testing/rmilter/rmilter.confd new file mode 100644 index 0000000000..d18a6fed82 --- /dev/null +++ b/testing/rmilter/rmilter.confd @@ -0,0 +1,8 @@ +# User to run rmilter +#user=rmilter + +# Group to run rmilter +#group=rmilter + +# Main rmilter config file +#cfgfile=/etc/rmilter/rmilter.conf diff --git a/testing/rmilter/rmilter.initd b/testing/rmilter/rmilter.initd new file mode 100644 index 0000000000..10ea136d36 --- /dev/null +++ b/testing/rmilter/rmilter.initd 
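Review bot: The spamd line `whitelist = 127.0.0.1/32, 192.168.0.0/16, [::1]/128;` ships as an active default, so on every install any client in 192.168.0.0/16 is exempt from spam checking, whatever the local network looks like. The greylisting line `whitelist = 127.0.0.1, 192.168.1.1, 192.168.2.0/24;` has the same problem and presumably exempts those sample addresses from greylisting. Keep only loopback enabled, e.g. `whitelist = 127.0.0.1/32, [::1]/128;`, and leave the private ranges as commented examples for the admin to adapt. The beanstalk block likewise leaves sample values enabled (`send_beanstalk_copy = yes;`, `id_regexp = "/^SomeID.*$/";`) while its `servers` line is commented out. The comment above `white_prefix` names the option `id_prefix`.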
@@ -0,0 +1,45 @@ +#!/sbin/openrc-run + +description="Rapid spam defence mail filter" +user=${user:-rmilter} +group=${group:-rmilter} +cfgfile=${cfgfile:-/etc/rmilter/rmilter.conf} +pidfile=$(grep pidfile $cfgfile | cut -d = -f 2 | sed 's/[ ;]//g') +pidfile=${pidfile:-/run/rmilter/rmilter.pid} +sockfile=$(grep bind_socket $cfgfile | grep unix: | cut -d : -f 2 | sed 's/[ ;]//g') +command=/usr/sbin/rmilter +command_args="-c $cfgfile" +required_files="$cfgfile" +extra_started_commands="reload" +description_reload="Reload configuration" + +depend() { + need net dns localmount + use logger antivirus antispam +} + +start_pre() { + ebegin + checkpath --directory --mode 750 --owner $user:$group ${pidfile%/*} + if [ "$sockfile" ]; then + checkpath --directory --mode 750 --owner $user:$group ${sockfile%/*} + rm -f $sockfile + fi + eend $? +} + +start() { + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start \ + --user $user \ + --group $group \ + --pidfile $pidfile \ + --exec $command -- $command_args + eend $? +} + +reload() { + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal USR1 --pidfile $pidfile + eend $? +} diff --git a/testing/rmilter/rmilter.pre-install b/testing/rmilter/rmilter.pre-install new file mode 100644 index 0000000000..b7dc736d99 --- /dev/null +++ b/testing/rmilter/rmilter.pre-install @@ -0,0 +1,6 @@ +#!/bin/sh + +addgroup -S rmilter 2>dev/null +adduser -h /run/rmilter -g "rmilter" -s /bin/false -SDHG rmilter rmilter 2>/dev/null + +exit 0 diff --git a/testing/rmilter/system_hiredis.patch b/testing/rmilter/system_hiredis.patch new file mode 100644 index 0000000000..3dfdf54519 --- /dev/null +++ b/testing/rmilter/system_hiredis.patch 
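Review bot: The `pidfile=` and `sockfile=` assignments grep the whole config, so they also match comment lines in the shipped rmilter.conf (`# pidfile - path to pid file`, `# Default: bind_socket = unix:/var/rmilter/rmilter.sock;`) and return several values. start_pre then expands them unquoted into `checkpath --directory` and `rm -f`, in a script that normally runs as root. Match only uncommented assignments and take a single value, e.g. `pidfile=$(sed -n 's/^[[:space:]]*pidfile[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$cfgfile" | head -n 1)`, with the same shape for `bind_socket`. Quote the expansions as well: `rm -f "$sockfile"` and `"${pidfile%/*}"`. `ebegin` in start_pre is also called without a message.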
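Review bot: In rmilter.pre-install, `addgroup -S rmilter 2>dev/null` redirects to the relative path `dev/null` instead of `/dev/null`. If the script's working directory has no `dev` entry, the redirection fails and the shell does not run `addgroup` at all. The following `adduser ... -G rmilter` would then fail silently and `exit 0` hides it, leaving the service without its unprivileged account. It should read `addgroup -S rmilter 2>/dev/null`.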
@@ -0,0 +1,28 @@ +--- old/CMakeLists.txt ++++ new/CMakeLists.txt +@@ -245,6 +245,8 @@ + ROOT ${PCRE_ROOT_DIR} MODULES pcre libpcre pcre3 libpcre3) + ProcessPackage(LIBMILTER LIBRARY milter INCLUDE mfapi.h INCLUDE_SUFFIXES include/libmilter + LIB_SUFFIXES lib/libmilter ROOT ${LIBMILTER_ROOT_DIR} MODULES libmilter) ++ProcessPackage(LIBHIREDIS LIBRARY hiredis INCLUDE hiredis.h INCLUDE_SUFFIXES include/hiredis ++ LIB_SUFFIXES lib/libhiredis ROOT ${LIBHIREDIS_ROOT_DIR} MODULES libhiredis) + + IF(ENABLE_DKIM MATCHES "ON") + SET(WITH_DKIM 1) +@@ -363,8 +365,6 @@ + CHECK_SYMBOL_EXISTS(MAP_NOCORE sys/mman.h HAVE_MMAP_NOCORE) + + ################################ SOURCES SECTION ########################### +-ADD_SUBDIRECTORY(hiredis) +-INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/hiredis") + + SET(RMILTERSRC + compat/blake2b-ref.c +@@ -394,7 +394,6 @@ + ADD_EXECUTABLE(rmilter ${RMILTERSRC}) + SET_TARGET_PROPERTIES(rmilter PROPERTIES LINKER_LANGUAGE C) + TARGET_LINK_LIBRARIES(rmilter ${RMILTER_REQUIRED_LIBRARIES}) +-TARGET_LINK_LIBRARIES(rmilter rmilter-hiredis) + + ##################### INSTALLATION ########################################## + -- cgit v1.2.3
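Review bot: system_hiredis.patch carries no header saying why hiredis is unbundled. A short description above the first `--- old/CMakeLists.txt` line, such as `Link against the system hiredis so fixes arrive through the hiredis package instead of the bundled copy`, would tell the next maintainer whether the patch can be dropped on upgrade. With `TARGET_LINK_LIBRARIES(rmilter rmilter-hiredis)` removed, linking depends on `ProcessPackage(LIBHIREDIS ...)` adding the library to `RMILTER_REQUIRED_LIBRARIES`. That happens outside this hunk, so it is worth confirming that configure fails clearly when hiredis is missing.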