No Hair Github Pages

Setting up a mailserver on OpenBSD 6.9: rspamd configuration

H. Configure rspamd

1. DKIM signing: As noted above, you need to create /etc/rspamd/local.d/dkim_signing.conf:

doas nano -w /etc/rspamd/local.d/dkim_signing.conf

and add this:

domain {
    example.com {
        path = "/etc/mail/dkim/example.com.key";
        selector = "default";
    }
}

where "default" is the date of key creation or whatever string you used in the DNS record. Now, start rspamd:

doas rcctl enable rspamd
doas rcctl start rspamd

2. Set up rspamd web interface:

rspamd has a web UI which displays statistics and allows adjustment of the configuration. This is configured with /etc/rspamd/worker-controller.inc, which is not supposed to be edited. Instead, we will edit a file of the same name in the /etc/rspamd/override.d/ directory:

doas cp /etc/rspamd/worker-controller.inc /etc/rspamd/override.d/worker-controller.inc
doas nano -w /etc/rspamd/override.d/worker-controller.inc

which displays

count = 1;
password = "q1";
secure_ip = "127.0.0.1";
secure_ip = "::1";
static_dir = "${WWWDIR}";

Edit this as so:

password = "alphanumstring";
secure_ip = "127.0.0.1";
#secure_ip = "::1";

Then restart rspamd.

Now, you can access the web UI at http://www.example.com:11334. It should ask for your password.

You can use relayd to proxy this connection over https as described here. That configuration redirects the https request to 127.0.0.1, and because 127.0.0.1 is listed in secure_ip, the proxied connection bypasses password authentication. You can comment out the secure_ip line to force all connections to authenticate, or you can forward to another IP address besides localhost.
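The interaction between secure_ip and a proxy that forwards to localhost can be checked mechanically. The following is an added example, not part of the original post: a small POSIX sh audit of a worker-controller.inc override, run against constructed copies of the three configurations discussed on this page. The function names and the proxy-source argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a controller override
# file for the shipped password and for secure_ip entries a proxy would hit.

# ucl_values KEY FILE: print the value of every uncommented `KEY = "value";` line.
ucl_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\"[[:space:]]*;.*\$/\\1/p" "$2"
}

# audit_controller FILE [PROXY_SRC]
# PROXY_SRC (assumption) is the address a reverse proxy such as relayd
# connects from. The exit status is the number of warnings.
audit_controller() {
    warnings=0
    for pw in $(ucl_values password "$1"); do
        if [ "$pw" = "q1" ]; then
            echo "WARN: password is still the shipped value \"q1\""
            warnings=$((warnings + 1))
        fi
    done
    for ip in $(ucl_values secure_ip "$1"); do
        echo "INFO: clients connecting from $ip are not asked for the password"
        if [ -n "${2:-}" ] && [ "$ip" = "$2" ]; then
            echo "WARN: proxy forwards from $ip, so proxied requests skip authentication"
            warnings=$((warnings + 1))
        fi
    done
    return "$warnings"
}

# Constructed sample files mirroring the three states shown on this page.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/shipped.inc" <<'EOF'
count = 1;
password = "q1";
secure_ip = "127.0.0.1";
secure_ip = "::1";
static_dir = "${WWWDIR}";
EOF
cat > "$tmp/edited.inc" <<'EOF'
password = "alphanumstring";
secure_ip = "127.0.0.1";
#secure_ip = "::1";
EOF
sed 's/^secure_ip/#secure_ip/' "$tmp/edited.inc" > "$tmp/strict.inc"

for f in shipped edited strict; do
    echo "== $f.inc (proxy forwarding to 127.0.0.1)"
    audit_controller "$tmp/$f.inc" 127.0.0.1 || echo "   $? warning(s)"
done
```

On a real system, point audit_controller at /etc/rspamd/override.d/worker-controller.inc and pass the address your proxy forwards to.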

3. More securely use the rspamd web interface:

The best and easiest way to do this is with an SSH tunnel. This obviates the need for changing the rspamd configuration, opening ports in the firewall (besides ssh, which is already open, I assume), using relayd, or TLS certificates. First, block port 11334 at the firewall, if you opened it in the last step. Then, create an SSH tunnel:

ssh -N -L local_port:web_UI_address_of_rspamd:remote_port_of_rspamd_web_UI ip.add.of.server
or
ssh -N -L 11334:127.0.0.1:11334 IP.ADD.OF.SVR

Leave this running and point your browser at 127.0.0.1:11334 to see the rspamd web UI securely.



Posted by Gordon, No Hair Github Pages, August 24, 2021

© nohair.net and the author

For comments, corrections, and addenda, email: gordon[AT]nohair.net
