update mail - migrate from opendkim and opendmarc to rspamd

2021-01-17 03:18:43 +03:00
parent 2cd9fc4fd5
commit 814a48e3a7
6 changed files with 90 additions and 19 deletions
--- a/roles/rspamd/defaults/main.yaml
+++ b/roles/rspamd/defaults/main.yaml
@ -1,15 +1,77 @@
+rspamd_enabled: true
 rspamd_default_values:
  replicaCount: 1
  persistence:
    enabled: false
    existingClaim: mailboxes
-  
+  redis:
+    enabled: true
+    usePassword: false
+    password: ""
+    cluster:
+      enabled: false
  rspamd:
-    image:
-      repository: "{{ docker_registry }}/rspamd"
-      tag: latest
-      pullPolicy: Always
-  
-  service:
-    type: ClusterIP
-
+    local.d:
+      redis.conf: |
+        servers = "rspamd-redis-master";
+      worker-proxy.inc: |
+        bind_socket = "0.0.0.0:11332";
+      worker-normal.inc: |
+        bind_socket = "0.0.0.0:11333";
+      worker-controller.inc: |
+        bind_socket = "0.0.0.0:11334";
+      worker-fuzzy.inc: |
+        bind_socket = "0.0.0.0:11335";
+      logging.inc: |
+        type = "console";
+      spf.conf: |
+        spf_cache_size = 1k; # cache up to 1000 of the most recent SPF records
+        spf_cache_expire = 1d; # default max expire for an element in this cache
+        max_dns_nesting = 10; # maximum number of recursive DNS subrequests
+        max_dns_requests = 30; # maximum count of DNS requests per record
+        min_cache_ttl = 5m; # minimum TTL enforced for all elements in SPF records
+      dkim_signing.conf: |
+        enabled = true;
+        # If `true` get pubkey from DNS record and check if it matches private key
+        check_pubkey = true;
+        # Set to `false` if you want to skip signing if public and private keys mismatch
+        allow_pubkey_mismatch = true;
+        # Domain specific settings
+        domain {
+          # Domain name is used as key
+          "{{ mail_domain | default(domain) }}" {
+            # Private key path
+            path = "/var/lib/rspamd/dkim/default.key";
+            # Selector
+            selector = "default";
+          }
+        }
+      arc.conf: |
+        domain {
+          # Domain name is used as key
+          "{{ mail_domain | default(domain) }}" {
+            # Private key path
+            path = "/var/lib/rspamd/dkim/default.key";
+            # Selector
+            selector = "default";
+          }
+        }
+      dmarc.conf: |
+        # Enables storing reporting information to redis
+        reporting = true;
+        # If Redis server is not configured below, settings from redis {} will be used
+        #servers = "127.0.0.1:6379"; # Servers to use for reads and writes (can be a list)
+        servers = "rspamd-redis-master";
+        # Alternatively set read_servers / write_servers to split reads and writes
+        # To set custom prefix for redis keys:
+        #key_prefix = "dmarc_";
+        # Actions to enforce based on DMARC disposition (empty by default)
+        actions = {
+          quarantine = "add_header";
+          reject = "reject";
+        }
+        # Ignore "pct" setting for some domains
+        # no_sampling_domains = "/etc/rspamd/dmarc_no_sampling.domains";
+    dkim-keys:
+      default: |
+        {{ dkim_private_key_base64 | b64decode }}