Move from rmilter to rspamd #25

default.nix

@@ -735,7 +735,7 @@ in
     ./mail-server/dovecot.nix
     ./mail-server/opendkim.nix
     ./mail-server/postfix.nix
-    ./mail-server/rmilter.nix
+    ./mail-server/rspamd.nix
     ./mail-server/nginx.nix
     ./mail-server/kresd.nix
     ./mail-server/post-upgrade-check.nix

mail-server/environment.nix

@@ -22,7 +22,7 @@ in
 {
   config = with cfg; lib.mkIf enable {
     environment.systemPackages = with pkgs; [
-      dovecot opendkim openssh postfix rspamd rmilter
+      dovecot opendkim openssh postfix rspamd
     ] ++ (if certificateScheme == 2 then [ openssl ] else []);
   };
 }

mail-server/postfix.nix

@@ -94,13 +94,9 @@ let
   inetSocket = addr: port: "inet:[${toString port}@${addr}]";
   unixSocket = sock: "unix:${sock}";
 
-  rmilter = config.services.rmilter;
-  rmilterSocket = if rmilter.bindSocket.type == "unix" then unixSocket rmilter.bindSocket.path
-    else inetSocket rmilter.bindSocket.address rmilter.bindSocket.port;
-
   smtpdMilters =
    (lib.optional cfg.dkimSigning "unix:/run/opendkim/opendkim.sock")
-   ++ [ rmilterSocket ];
+   ++ [ "unix:/run/rspamd/rspamd-milter.sock" ];
 
   policyd-spf = pkgs.writeText "policyd-spf.conf" (''
     TestOnly = 1

mail-server/rmilter.nix

@@ -1,57 +0,0 @@
-#  nixos-mailserver: a simple mail server
-#  Copyright (C) 2016-2018  Robin Raymond
-#
-#  This program is free software: you can redistribute it and/or modify
-#  it under the terms of the GNU General Public License as published by
-#  the Free Software Foundation, either version 3 of the License, or
-#  (at your option) any later version.
-#
-#  This program is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#  GNU General Public License for more details.
-#
-#  You should have received a copy of the GNU General Public License
-#  along with this program. If not, see <http://www.gnu.org/licenses/>
-
-{ config, pkgs, lib, ... }:
-
-let
-  cfg = config.mailserver;
-
-  clamav = if cfg.virusScanning
-           then
-           ''
-             clamav {
-               servers = /run/clamav/clamd.ctl;
-             };
-           ''
-           else "";
-  postfixCfg = config.services.postfix;
-  rmilter = config.services.rmilter;
-in
-{
-  config = with cfg; lib.mkIf enable {
-    services.rspamd = {
-        enable = true;
-    };
-
-    services.rmilter = {
-      inherit debug;
-      enable = true;
-      rspamd = {
-        enable = true;
-        extraConfig = "extended_spam_headers = yes;";
-      };
-      extraConfig =
-      ''
-      use_redis = true;
-      max_size = 20M;
-
-      ${clamav}
-      '';
-    };
-    users.extraUsers.${postfixCfg.user}.extraGroups = [ rmilter.group ];
-  };
-}
-

mail-server/rspamd.nix

@@ -0,0 +1,78 @@
+#  nixos-mailserver: a simple mail server
+#  Copyright (C) 2016-2018  Robin Raymond
+#
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 3 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program. If not, see <http://www.gnu.org/licenses/>
+
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.mailserver;
+
+  postfixCfg = config.services.postfix;
+  rspamdCfg = config.services.rspamd;
+  rspamdSocket = if rspamdCfg.socketActivation
+    then "rspamd-rspamd_proxy-1.socket"
+    else "rspamd.service";
+in
+{
+  config = with cfg; lib.mkIf enable {
+    services.rspamd = {
+      enable = true;
+      socketActivation = false;
+      extraConfig = ''
+        extended_spam_headers = yes;
+      '' + (lib.optionalString cfg.virusScanning ''
+        antivirus {
+          clamav {
+            action = "reject";
+            symbol = "CLAM_VIRUS";
+            type = "clamav";
+            log_clean = true;
+            servers = "/run/clamav/clamd.ctl";
+          }
+        }
+      '');
+
+      workers.rspamd_proxy = {
+        type = "proxy";
+        bindSockets = [{
+          socket = "/run/rspamd/rspamd-milter.sock";
+          mode = "0664";
+        }];
+        count = 1; # Do not spawn too many processes of this type
+        extraConfig = ''
+          milter = yes; # Enable milter mode
+          timeout = 120s; # Needed for Milter usually
+
+          upstream "local" {
+            default = yes; # Self-scan upstreams are always default
+            self_scan = yes; # Enable self-scan
+          }
+        '';
+      };
+    };
+    systemd.services.rspamd = {
+      requires = (lib.optional cfg.virusScanning "clamav-daemon.service");
+      after = (lib.optional cfg.virusScanning "clamav-daemon.service");
+    };
+
+    systemd.services.postfix = {
+      after = [ rspamdSocket ];
+      requires = [ rspamdSocket ];
+    };
+
+    users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ];
+  };
+}
+

mail-server/systemd.nix

@@ -89,18 +89,13 @@ in
       '';
     };
 
-    # Postfix requires rmilter socket, dovecot lmtp socket, dovecot auth socket and certificate to work
+    # Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
     systemd.services.postfix = {
-      after = [ "rmilter.socket" "dovecot2.service" "mailserver-certificates.target" ]
+      after = [ "dovecot2.service" "mailserver-certificates.target" ]
         ++ (lib.optional cfg.dkimSigning "opendkim.service");
       wants = [ "mailserver-certificates.target" ];
-      requires = [ "rmilter.socket" "dovecot2.service" ]
+      requires = [ "dovecot2.service" ]
         ++ (lib.optional cfg.dkimSigning "opendkim.service");
     };
-
-    systemd.services.rmilter = {
-      requires = [ "rmilter.socket" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
-      after = [ "rmilter.socket" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
-    };
   };
 }