I thought I’d posted this before, but sure, here’s as far as I got.
#!/bin/bash
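# Are we root enough?
# Everything below writes under /etc and /proc and drives apt and systemctl,
# so stop early rather than fail half-way through as an unprivileged user.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi
## Install Redis as a pre-requisite
# Get an updated version of redis
# NOTE(review): this is a third-party PPA. Its packages are installed as root,
# so it becomes part of this host's trust base - confirm it is still the
# source you want before running.
add-apt-repository -y ppa:chris-lea/redis-server
apt update
apt install -y redis-server redis-tools
# Edit config file
# Keep only the first pristine copy: on a re-run the live file has already been
# stripped and appended to, and copying it again would destroy the backup.
# -p keeps the owner and mode of the original on the backup copy.
if [ ! -e /etc/redis/redis.orig ]; then
  cp -p /etc/redis/redis.conf /etc/redis/redis.orig
fi
# Regenerate the live config from the backup without comments or blank lines.
# Absolute paths are required: the script never changes into /etc/redis, so
# the bare names would be resolved against whatever directory it was run from.
grep -v -e "^#" -e "^;" -e "^$" /etc/redis/redis.orig > /etc/redis/redis.conf
# Listen on loopback only (IPv4 and IPv6); Redis is not exposed to the network.
sed -i 's/^bind .*/bind 127.0.0.1 ::1/' /etc/redis/redis.conf
echo "maxmemory 100mb" >> /etc/redis/redis.conf
echo "maxmemory-policy volatile-ttl" >> /etc/redis/redis.conf
# Runtime-only setting: it is lost at reboot unless it is also persisted
# through sysctl configuration.
echo 1 > /proc/sys/vm/overcommit_memory
systemctl enable redis-server
systemctl restart redis-server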
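## Now install rspamd from repos. Ubuntu version way behind.
CODENAME=$(lsb_release -c -s)
if [ -z "$CODENAME" ]; then
  echo "Could not determine the release codename." >&2
  exit 1
fi
# Repository signing key.
# 'apt-key add' is deprecated and makes the key trusted for every configured
# repository. Store it in its own keyring instead and bind it to this one
# repository with signed-by, so it can only vouch for rspamd packages.
# The key is downloaded to a temporary file first so that a failed or empty
# download is caught instead of being piped straight into the keyring.
install -d -m 0755 /etc/apt/keyrings
KEYTMP=$(mktemp) || exit 1
if ! wget -O "$KEYTMP" https://rspamd.com/apt-stable/gpg.key || [ ! -s "$KEYTMP" ]; then
  echo "Could not download the rspamd repository key." >&2
  rm -f -- "$KEYTMP"
  exit 1
fi
if ! gpg --dearmor < "$KEYTMP" > /etc/apt/keyrings/rspamd.gpg; then
  echo "Could not convert the rspamd repository key." >&2
  rm -f -- "$KEYTMP" /etc/apt/keyrings/rspamd.gpg
  exit 1
fi
rm -f -- "$KEYTMP"
chmod 0644 /etc/apt/keyrings/rspamd.gpg
# The package lists are fetched over plain http; their integrity rests on the
# signature check against the key above, which is why the key itself comes
# over https. Comparing the key's fingerprint with the one the project
# publishes is the stronger check.
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list
apt-get update
# No -y here: apt asks for confirmation before installing.
apt-get --no-install-recommends install rspamd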
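# Add config files
# Point rspamd at the local Redis instance for both reads and writes.
cat <<'EOF' > /etc/rspamd/local.d/redis.conf
write_servers = "127.0.0.1:6379";
read_servers = "127.0.0.1:6379";
EOF
cat <<'EOF' > /etc/rspamd/local.d/history_redis.conf
nrows = 1000;
EOF
## Interactively generate password
echo "Generating rspamd admin gui password. Please enter it below"
# rspamadm pw prompts on the terminal; its stdout is captured here and is
# expected to be the hashed form of the password, not the clear text.
NEWPASS=$( rspamadm pw )
# An aborted prompt would otherwise write an empty controller password.
if [ -z "$NEWPASS" ]; then
  echo "No password hash was generated; aborting." >&2
  exit 1
fi
# printf keeps the value out of echo's option/escape handling; the umask
# keeps a newly created file from being world-readable even for a moment.
( umask 027; printf 'password = "%s";\n' "$NEWPASS" > /etc/rspamd/local.d/worker-controller.inc )
# Even a hash should not be readable by every local user. The _rspamd group
# keeps read access so the daemon can load the file.
# NOTE(review): assumes the package created the _rspamd group - confirm.
chown root:_rspamd /etc/rspamd/local.d/worker-controller.inc
chmod 0640 /etc/rspamd/local.d/worker-controller.inc
cat <<'EOF' > /etc/rspamd/local.d/options.inc
history_rows = 1000;
EOF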
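# Write the multimap rules. Each rule reads its entries from a map file under
# /var/lib/rspamd.
# Fixes compared with the earlier version of this file:
#  - CUSTOM_BLACKLIST_DOMAIN used action = "accept", which let mail from
#    blacklisted domains through; it now rejects, as its description says.
#  - CUSTOM_WHITELIST_EMAILADD matches the sender (type = "from"), so its
#    description no longer says "recipient"; the score line gets its ';'.
# NOTE(review): the "from"-based whitelists trust a sender address that the
# sending side chooses, so anyone can claim a whitelisted domain; with
# action = "accept" such a message bypasses the remaining checks. Consider
# requiring an authentication result or preferring the IP whitelist.
# NOTE(review): the symbol CUSTOM_BLACKIST_TLD is spelt without the second
# "L". It is left as is because the symbol name may be referenced elsewhere.
cat <<'EOF' > /etc/rspamd/local.d/multimap.conf
# local.d/multimap.conf
# create the map files in /var/lib/rspamd with _rspamd:_rspamd ownership.
CUSTOM_WHITELIST_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/CUSTOM_whitelist_domain.map";
action = "accept";
description = "Accept if sender is from domains in this list";
}
CUSTOM_BLACKLIST_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/CUSTOM_blacklist_domain.map";
action = "reject";
description = "Hard reject if sender is from domains in this list";
}
CUSTOM_WHITELIST_EMAILADD {
type = "from";
filter = "email";
map = "/var/lib/rspamd/CUSTOM_whitelist_emailadd.map";
score = -5.0;
description = "Score -5 if sender is in this list";
}
CUSTOM_WHITELIST_IP {
type = "ip";
filter = true;
map = "/var/lib/rspamd/CUSTOM_whitelist_ip.map";
action = "accept" ;
description = "Accept if sender IP address is in this list";
}
CUSTOM_BLACKIST_TLD {
type = "from";
filter = "email";
map = "/var/lib/rspamd/CUSTOM_blacklist_tld.map";
regexp = true;
action = "reject";
description = "Reject from .icu domain and friends (regex)";
}
EOF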
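# Set up Custom multimaps
# Each map starts out holding only explanatory comments, so no rule matches
# anything until entries are added. The example addresses that had been
# mangled to "[email protected]" are restored as constructed samples.
cat <<'EOF' > /var/lib/rspamd/CUSTOM_blacklist_domain.map
# local blacklist domain map
# Rejects emails from these domains. No further processing
# see /etc/rspamd/local.d/multimap.conf
# Put the whold domain in eg
# example.com
EOF
cat <<'EOF' > /var/lib/rspamd/CUSTOM_blacklist_tld.map
# local blacklist TLD domain map
# Rejects emails from an ENTIRE TLD. No further processing
# see /etc/rspamd/local.d/multimap.conf
# Use a regex with care eg this will block anyone@example.xyz
# .+@.+\.xyz$
EOF
cat <<'EOF' > /var/lib/rspamd/CUSTOM_whitelist_domain.map
# local whitelist domain map
# bypasses all checks. Sets score = 0.0
# see /etc/rspamd/local.d/multimap.conf
# Put the whold domain in eg
# example.com
EOF
cat <<'EOF' > /var/lib/rspamd/CUSTOM_whitelist_emailadd.map
# local whitelist email address map
# alters score -5
# see /etc/rspamd/local.d/multimap.conf
# Add whole email addresses. eg
# user@example.com
EOF
cat <<'EOF' > /var/lib/rspamd/CUSTOM_whitelist_ip.map
# local whitelist ip map
# Bypasses scanning, sets score = 0.0
# see /etc/rspamd/local.d/multimap.conf
# Enter whole IP addresses eg
# 200.100.50.88
EOF
# The maps belong to the rspamd service account, as multimap.conf asks for.
chown _rspamd:_rspamd /var/lib/rspamd/CUSTOM*.map
# Validate the generated configuration first: restarting with a broken config
# would leave the filter down.
if ! rspamadm configtest; then
  echo "rspamd configuration test failed; not restarting." >&2
  exit 1
fi
systemctl restart rspamd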
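## Now change Exim config
# Manual for now
# Disable spamassassin.
#systemctl restart exim4
#systemctl stop spamassassin
#systemctl disable spamassassin
## Change Hestia Config
# Not sure if we need this.
sed -i "s/^ANTISPAM_SYSTEM=.*/ANTISPAM_SYSTEM='rspamd'/" /usr/local/hestia/conf/hestia.conf
# Insert stanza into config to allow access to rspamd gui.
# Keep the first backup only: once the stanza below has been added by hand, a
# re-run would otherwise overwrite the pristine copy with the edited file.
if [ ! -e /usr/local/hestia/nginx/conf/nginx.conf.save ]; then
  cp -p /usr/local/hestia/nginx/conf/nginx.conf /usr/local/hestia/nginx/conf/nginx.conf.save
fi
# Manual insert for now
# NOTE(review): behind this proxy every request reaches the rspamd controller
# from localhost. Keep the X-Forwarded-For header and the auth_basic lines:
# the controller is understood to treat local clients as trusted (its
# secure_ip setting), so dropping them could expose the GUI without a
# password - confirm against the rspamd documentation.
# location /rspamd/ {
# proxy_pass http://localhost:11334/;
# proxy_set_header Host $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# auth_basic "Restricted Content";
# auth_basic_user_file /etc/apache2/admin.passwd;
# }
#
systemctl restart hestia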