rspamd 1.6 milter problems?
925 views
Skip to first unread message
Bill Pye
Jun 13, 2017, 8:17:36 AM6/13/17
to rspamd
I have a zimbra collaboration server which uses Postfix for the MTA and I've installed a new copy of rspamd 1.6 on a test server. If I configure zimbra/postfix to use the milter interface I find that it won't work - it gets permission denied for the rspamd.pid file when I send this server, If I chnage the permissions to 666 instead of the current 600 mail is received and the permissions error goes away. In this configuration I then see the following messages in the postfix logs:
Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: unreasonable packet length: 1213486160 > 1073741823
Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: read error in initial handshake
This seems to be caused by the fact that I'm trying to add some headers to incoming email, the config of rmilter.conf.local is as follows:
rmilter_headers {
# Rmilter compatibility option (default false) (enables x-spamd-result, x-rspamd-server & x-rspamd-queue-id)
# extended_spam_headers = true;
# List of headers to be enabled for authenticated users (default empty)
# authenticated_headers = ["authentication-results"];
# List of headers to be enabled for local IPs (default empty)
# local_headers = ["x-spamd-bar"];
# Set false to always add headers for local IPs (default true)
# skip_local = true;
# Set false to always add headers for authenticated users (default true)
# skip_authenticated = true;
# routines to use- this is the only required setting
use = ["x-spamd-bar", "authentication-results"];
# this is where we may configure our selected routines
routines {
# settings for x-spamd-bar routine
x-spamd-bar {
# effectively disables negative spambar
negative = "";
}
# other routines...
# Name of header
header = "Authentication-Results";
# Remove existing headers
remove = 1;
# SPF/DKIM/DMARC symbols in case these are redefined
spf_symbols {
pass = "R_SPF_ALLOW";
fail = "R_SPF_FAIL";
softfail = "R_SPF_SOFTFAIL";
neutral = "R_SPF_NEUTRAL";
temperror = "R_SPF_DNSFAIL";
none = "R_SPF_NA";
permerror = "R_SPF_PERMFAIL";
}
dkim_symbols {
pass = "R_DKIM_ALLOW";
fail = "R_DKIM_REJECT";
temperror = "R_DKIM_TEMPFAIL";
none = "R_DKIM_NA";
permerror = "R_DKIM_PERMFAIL";
}
dmarc_symbols {
pass = "DMARC_POLICY_ALLOW";
permerror = "DMARC_BAD_POLICY";
temperror = "DMARC_DNSFAIL";
none = "DMARC_NA";
reject = "DMARC_POLICY_REJECT";
softfail = "DMARC_POLICY_SOFTFAIL";
quarantine = "DMARC_POLICY_QUARANTINE";
}
}
custom {
# user-defined routines: more on these later
}
}
I don't see any additional headers so I guess my questions are: is the rmilter.conf.local correct ; are the two postfix errors related to the additional headers config ; are the two postfix errors actually a problem or can they be ignored?
Many thanks
Bill
Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: unreasonable packet length: 1213486160 > 1073741823
Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: read error in initial handshake
This seems to be caused by the fact that I'm trying to add some headers to incoming email, the config of rmilter.conf.local is as follows:
rmilter_headers {
# Rmilter compatibility option (default false) (enables x-spamd-result, x-rspamd-server & x-rspamd-queue-id)
# extended_spam_headers = true;
# List of headers to be enabled for authenticated users (default empty)
# authenticated_headers = ["authentication-results"];
# List of headers to be enabled for local IPs (default empty)
# local_headers = ["x-spamd-bar"];
# Set false to always add headers for local IPs (default true)
# skip_local = true;
# Set false to always add headers for authenticated users (default true)
# skip_authenticated = true;
# routines to use- this is the only required setting
use = ["x-spamd-bar", "authentication-results"];
# this is where we may configure our selected routines
routines {
# settings for x-spamd-bar routine
x-spamd-bar {
# effectively disables negative spambar
negative = "";
}
# other routines...
# Name of header
header = "Authentication-Results";
# Remove existing headers
remove = 1;
# SPF/DKIM/DMARC symbols in case these are redefined
spf_symbols {
pass = "R_SPF_ALLOW";
fail = "R_SPF_FAIL";
softfail = "R_SPF_SOFTFAIL";
neutral = "R_SPF_NEUTRAL";
temperror = "R_SPF_DNSFAIL";
none = "R_SPF_NA";
permerror = "R_SPF_PERMFAIL";
}
dkim_symbols {
pass = "R_DKIM_ALLOW";
fail = "R_DKIM_REJECT";
temperror = "R_DKIM_TEMPFAIL";
none = "R_DKIM_NA";
permerror = "R_DKIM_PERMFAIL";
}
dmarc_symbols {
pass = "DMARC_POLICY_ALLOW";
permerror = "DMARC_BAD_POLICY";
temperror = "DMARC_DNSFAIL";
none = "DMARC_NA";
reject = "DMARC_POLICY_REJECT";
softfail = "DMARC_POLICY_SOFTFAIL";
quarantine = "DMARC_POLICY_QUARANTINE";
}
}
custom {
# user-defined routines: more on these later
}
}
I don't see any additional headers so I guess my questions are: is the rmilter.conf.local correct ; are the two postfix errors related to the additional headers config ; are the two postfix errors actually a problem or can they be ignored?
Many thanks
Bill
Alexander Moisseev
Jun 13, 2017, 9:02:17 AM6/13/17
to rsp...@googlegroups.com
On 6/13/2017 3:17 PM, Bill Pye wrote:
> I have a zimbra collaboration server which uses Postfix for the MTA and I've installed a new copy of rspamd 1.6 on a test server. If I configure zimbra/postfix to use the milter interface I find that it won't work - it gets permission denied for the rspamd.pid file when I send this server, If I chnage the permissions to 666 instead of the current 600 mail is received and the permissions error goes away. In this configuration I then see the following messages in the postfix logs:
>
> Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: unreasonable packet length: 1213486160 > 1073741823
> Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: read error in initial handshake
>
For interprocess communication you need to use an UNIX socket (or TCP socket), not a pid-file.
> I have a zimbra collaboration server which uses Postfix for the MTA and I've installed a new copy of rspamd 1.6 on a test server. If I configure zimbra/postfix to use the milter interface I find that it won't work - it gets permission denied for the rspamd.pid file when I send this server, If I chnage the permissions to 666 instead of the current 600 mail is received and the permissions error goes away. In this configuration I then see the following messages in the postfix logs:
>
> Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: unreasonable packet length: 1213486160 > 1073741823
> Jun 13 15:04:59 mail03 postfix/smtpd[87193]: warning: milter unix:/var/lib/rspamd/rspamd.pid: read error in initial handshake
>
> This seems to be caused by the fact that I'm trying to add some headers to incoming email, the config of rmilter.conf.local is as follows:
>
>
> rmilter_headers {
> # Rmilter compatibility option (default false) (enables x-spamd-result, x-rspamd-server & x-rspamd-queue-id)
> }
>
You should place milter_headers module configuration in local.d/milter_headers.conf
https://rspamd.com/doc/modules/milter_headers.html
> I don't see any additional headers so I guess my questions are: is the rmilter.conf.local correct ; are the two postfix errors related to the additional headers config ; are the two postfix errors actually a problem or can they be ignored?
>
https://rspamd.com/announce/2017/06/12/rspamd-1.6.0.html
https://rspamd.com/doc/migration.html
Bill Pye
Jun 13, 2017, 10:34:47 AM6/13/17
to rspamd
Hi Alexander
Thanks for your reply, as you can probably guess I'm still a novice at configuring this.
I've got most of the configuration corrected, I believe, but there's still one thing that's eluding me. Do I need to define a separate unix socket for the milter process (I have configured it correctly in the MTA) in 1.6 and if so, where, or do I modify the "control_socket"? I can't actually see anything in the documentation that actually describes that process unless I'm missing something blindingly obvious. Unfortunately I'm the sort of person that prefers a 'cook book' type of description with worked examples rather than the more technical details currently on the rspamd web site, that's not a complaint it's just the way I work. :)
Many thanks
Bill
Alexander Moisseev
Jun 13, 2017, 12:54:41 PM6/13/17
to rsp...@googlegroups.com
On 13.06.2017 17:34, Bill Pye wrote:
>
> I've got most of the configuration corrected, I believe, but there's still one thing that's eluding me. Do I need to define a separate unix socket for the milter process (I have configured it correctly in the MTA) in 1.6 and if so, where, or do I modify the "control_socket"? I can't actually see anything in the documentation that actually describes that process unless I'm missing something blindingly obvious. Unfortunately I'm the sort of person that prefers a 'cook book' type of description with worked examples rather than the more technical details currently on the rspamd web site, that's not a complaint it's just the way I work. :)
>
Bill, consider using TCP socket as it is enabled in Rspamd 1.6 out of the box. Using Unix socket is a little bit complicated, at least you need to set permissions and remove socket file by yourself. AFAIK there were problems with Unix sockets on some OSes, systemd-based in particular.
>
> I've got most of the configuration corrected, I believe, but there's still one thing that's eluding me. Do I need to define a separate unix socket for the milter process (I have configured it correctly in the MTA) in 1.6 and if so, where, or do I modify the "control_socket"? I can't actually see anything in the documentation that actually describes that process unless I'm missing something blindingly obvious. Unfortunately I'm the sort of person that prefers a 'cook book' type of description with worked examples rather than the more technical details currently on the rspamd web site, that's not a complaint it's just the way I work. :)
>
In self-scan mode Rspamd integration with Postfix is simple as:
Postfix main.cf:
smtpd_milters = inet:localhost:11332
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
milter_rcpt_macros = i {rcpt_addr}
# skip mail without checks if milter will die
milter_default_action = accept
/etc/rspamd/local.d/worker-proxy.inc:
upstream "local" {
self_scan = true;
}
To enable extended headers in messages you need just one line:
/etc/rspamd/local.d/milter_headers.conf:
extended_spam_headers = true;
Bill Pye
Jun 13, 2017, 1:45:27 PM6/13/17
to rspamd
Hi Alexander
Thanks for those clear and concise instructions, they worked a treat. :) I was always under the impression that a unix socket was better than a TCP one but I learn something new every day.
Many thanks again, have a good evening.
Regards
Bill
Thomas Leuxner
Jun 13, 2017, 2:02:59 PM6/13/17
to rsp...@googlegroups.com
* Bill Pye <bill....@gmail.com> 2017.06.13 19:45:
> Thanks for those clear and concise instructions, they worked a treat. :) I
> was always under the impression that a unix socket was better than a TCP
> one but I learn something new every day.
Hi Bill,
Alexander referred to the installation being "less complicated". If you want to use UNIX sockets you need to make sure the right permissions are applied:
/etc/postfix/main.cf
[…]
smtpd_milters = { unix:public/rspamd, default_action=accept }
/etc/rspamd/local.d/worker-proxy.inc
bind_socket = "/var/spool/postfix/public/rspamd mode=0666";
One way to do this is to add the local rspam user to the postdrop group:
$ l -d /var/spool/postfix/public/
drwx-ws--- 2 postfix postdrop 4096 Jun 13 19:09 /var/spool/postfix/public/
$ grep postdrop /etc/group
postdrop:x:112:_rspamd
Regards
Thomas
NB. Per default the worker-proxy listens to all local interfaces which is not desirable.
> Thanks for those clear and concise instructions, they worked a treat. :) I
> was always under the impression that a unix socket was better than a TCP
> one but I learn something new every day.
Alexander referred to the installation being "less complicated". If you want to use UNIX sockets you need to make sure the right permissions are applied:
/etc/postfix/main.cf
[…]
smtpd_milters = { unix:public/rspamd, default_action=accept }
/etc/rspamd/local.d/worker-proxy.inc
bind_socket = "/var/spool/postfix/public/rspamd mode=0666";
One way to do this is to add the local rspam user to the postdrop group:
$ l -d /var/spool/postfix/public/
drwx-ws--- 2 postfix postdrop 4096 Jun 13 19:09 /var/spool/postfix/public/
$ grep postdrop /etc/group
postdrop:x:112:_rspamd
Regards
Thomas
NB. Per default the worker-proxy listens to all local interfaces which is not desirable.
Bill Pye
Jun 13, 2017, 2:30:44 PM6/13/17
to rspamd, t...@leuxner.net
Hi Thomas
Thanks for those instructions as well, I can see see what I think was part of my initial problem. I had added the zimbra & postfix groups to the rspam user but missed the postdrop. I'll give that a try tomorrow just for my own peace of mind. :)
Thanks again
Regards
Bill
Reply all
Reply to author
Forward
0 new messages