OpenDKIM has not been updated in the last 7 years and failed to adopt
RFC8463, which introduces Ed25519-SHA256 signatures.
It has thereby held back the DKIM ecosystem, which relies on the DNS
system to publish its public keys. The DNS system in turn does not handle
large record sizes well (see RFC8301), which is why Ed25519 public keys
would be preferable, but I'm not sure the ecosystem has caught up, so we
stay on the conservative side with RSA for now.
Closes: #210
Both rspamd and redis run on the same host by default, so a UNIX domain
socket is the cheapest way to facilitate that communication.
It also allows us to get rid of overly complicated IP adddress parsing
logic, that we can shift onto the user if they need it.
The option `exclude_domains` for dmarc reporting in `rspamd`[1] allows
to configure a list of domains and/or eSLDs (external effective second level
domain) to be excluded from dmarc reports.
Helpful because e.g. dmarc reports to hotmail.com always fail for me
with the following undeliverable notification:
The recipient's mailbox is full and can't accept messages now.
[1] https://www.rspamd.com/doc/modules/dmarc.html
Since we are now using services.redis.servers.rspamd, the port defaults
to 0 (i.e. do not bind a TCP socket). We still want rspamd to connect to
redis via TCP, so set a default port that is one above the default redis port.
This reverts commit 4f0f0128d8d4115571b3ff0ce2378ddf7de7278e.
Redis does seem to run fine with both unixSocket and TCP enabled. This
broke people's setups.
The sqlite backed is deprecated, and the redis backend is the default
since rspamd 2.0.
Not having redis started results in such errors:
rspamd_redis_init: cannot init redis backend for BAYES_SPAM
To migrate the sqlite database, run
rspamadm statconvert --spam-db /var/lib/rspamd/bayes.spam.sqlite --ham-db /var/lib/rspamd/bayes.ham.sqlite -h 127.0.0.1:6379 --symbol-ham BAYES_HAM --symbol-spam BAYES_SPAM
The current module implements the recommended configuration that this
utility prints out.
- restructure rspamd config. It's nicer now, and it was getting
overridden the old way.
- "scan_mime_parts = false" apparently must be used in rspamd for ClamAV
to work
- refactor the clamav test a bit for cleanliness
- wait for rspamd and clamd sockets to open, before testing
- use clamdscan for speed, and verify that the virus was found
- verify msmtp returns virus scan result
