Integrate rspamd with cpanel

chkserv.d-rspamd

service[rspamd]=x,x,x,/etc/init.d/rspamd restart,rspamd,_rspamd

Integrate rspamd with cpanel

* go to whm -> exim configuration manager
* choose advanced editor
* search spamd & replace with this:

spamd_address = 127.0.0.1 11333 variant=rspamd

set smtputf8_advertise_hosts = *

* find and disable greylisting block
* find and disable acl_smtp_data:default_check_message_pre
* find section acl_smtp_data:custom_begin_spam_scan
* complete block with this:


  # Remove spam headers from outside sources
  warn  remove_header  = x-spam-subject : x-spam-status : x-spam-score : x-spam-bar : x-spam-report : x-spam-flag : x-ham-report  
  
  # add spam-score and spam-report header when told by rspamd
  # also scan outgoing messages
  warn  spam        = nobody:true
        log_message = "rspam_score: $spam_score ($spam_bar) rspam_report: $spam_report"
        !authenticated = *
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report
        add_header = X-Spam-Action: $spam_action

  warn  condition  = ${if eq{$spam_action}{rewrite subject}}
        add_header = X-Spam-Subject: ***SPAM*** $rh_subject
        add_header = X-Spam-Status: Yes
        
  defer message    = Please try again later
        condition  = ${if eq{$spam_action}{greylist}}
        
  defer message    = Please try again later
        condition  = ${if eq{$spam_action}{soft reject}}
        
  deny  message    = Message discarded as high-probability spam
        condition = ${if eq{$spam_action}{reject}}


7. disable acl_smtp_data:default_spam_scan, acl_smtp_rcpt:default_spam_scan_check block
8. disable acl_not_smtp:outgoing_spam_scan_over_int,  acl_smtp_data:no_forward_outbound_spam_over_int
9. reject mail which get score higher than 6 if they is sent via non_smtp (sendmail, php mail())
Note: this will ignore completely messages which are sent from root user.

** Find block acl_not_smtp:custom_begin_not_smtp and paste this code

  warn  condition  = ${if eq{$sender_address_local_part}{root} {no} {yes}}
        spam       = nobody:true
        log_message = "rspam_score: $spam_score ($spam_bar) rspam_report: $spam_report sender_address_local_part = $sender_address_local_part"
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report
        add_header = X-Spam-Action: $spam_action
        
  discard message = Message discarded as high-probability spam
        condition = ${if match {$spam_report} {\NFREEMAIL_ENVFROM\N} {1} {0}}
        condition = ${if >= {$spam_score_int}{60}}

  deny  message   = Message rejected as high-probability spam
        condition = ${if >= {$spam_score_int}{60}}

  deny  message   = Message rejected as high-probability spam
        condition = ${if eq{$spam_action}{reject}}

  accept

** disable acl_not_smtp:end_default_outgoing_notsmtp_checkall

10. deliver mail with high score of spam to /dev/null if is try to be forwarded due email forwards
*** Put these block in to begin routers block, before router boxtrapper_autowhitelist or enforce_mail_permissions:

# version with using of delivery as save to /dev/null (logs will show actual delivery to recipient email, which is not true action)
# reject_forwarded_mail_marked_as_spam:
#     driver = accept
#     ignore_target_hosts = 127.0.0.1
#     condition = ${if eq {${lookup {$sender_address_domain} lsearch{/etc/userdomains}{$value}}}{}{true}{false}}
#     condition = ${if match{$header_X-Spam-Score:}{\N\+\+\+\+\+\N}{yes}{no}}
#      # condition = ${if >= {$spam_score_int}{50}}
#     domains = ! +local_domains : !$primary_hostname
#     transport = file_to_devnull

silent_drop_forwarded_mail_marked_as_spam:
    driver = redirect
    ignore_target_hosts = 127.0.0.1
    condition = ${if eq {${lookup {$sender_address_domain} lsearch{/etc/userdomains}{$value}}}{}{true}{false}}
    # condition = ${if match{$header_X-Spam-Score:}{\N\+\+\+\+\+\N}{yes}{no}}
    condition = ${if >= {$spam_score_int}{50}}
    domains = ! +local_domains : !$primary_hostname
    allow_filter
    user = mailnull
    file_transport = file_to_devnull
    data = #Exim filter\n\
        save /dev/null


** Put this transport after begin transports:   


file_to_devnull:
    driver = appendfile
    file = /dev/null


** FIND Section: PREVIRTUALUSER add paste code below 
* add router which will store Spam messages in INBOX.Junk directory
* this will cause error when you will try to save settings in to WHM/cpanel exim editor

virtual_user_spam_dir:
    driver = redirect
    domains = !$primary_hostname
    # condition = ${if match{$header_X-Spam-Score:}{\N\+\+\+\+\+\N}{yes}{no}}
    condition = ${if >= {$spam_score_int}{60}}
    require_files = "+/etc/valiases/$domain:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}{$value}}}{$value}}}}/mail/$domain/$local_part"
    data = "$local_part+Junk@$domain"
    redirect_router = virtual_user

local.d

# cat options.inc 
dns {
	 nameserver = ["127.0.0.1"];
}

# cat redis.conf 
servers = "127.0.0.1"; # Read servers (unless write_servers are unspecified)
write_servers = "127.0.0.1"; # Servers to write data
  #disabled_modules = ["ratelimit"]; # List of modules that should not use redis from this section
timeout = 2s;
db = "4";
  #password = "some_password";

multimap.conf

MM_WHITELISTED_ASN {
  type = "asn";
  map = "${LOCAL_CONFDIR}/local.d/whitelisted_asn.map";
  description = "Messages which are coming from whitelisted ASN";
  score = -10;
}
MM_BLACKLISTED_IP {
  type = "ip";
  map = "${LOCAL_CONFDIR}/local.d/blacklisted_sourceip.map";
  description = "Blacklisted ips";
  score = 12;
}
MM_WHITELISTED_IP {
	type = "ip";
	map = "${LOCAL_CONFDIR}/local.d/whitelisted_sourceip.map";
	description = "Whitelisted ips";
	score = -10;
}
MM_REJECTED_BY_SUBJECT {
  type = "header";
  header = "Subject";
  map = "${LOCAL_CONFDIR}/local.d/rejected_by_subject.map";
  regexp = true;
  score = 10;
  symbols = ["HAS_X_PHP_SCRIPT"];
#  action = "reject";
}

MM_BLACKLISTED_BY_FORGED_SENDER {
	type = "from";
	filter = "email:user";
	map = "${LOCAL_CONFDIR}/local.d/blacklisted_by_forged_sender.map";
	symbols = ["FORGED_SENDER"];
	action = "reject";
}
MM_BLACKLISTED_BY_USER {
        type = "user";
        map = "${LOCAL_CONFDIR}/local.d/blacklisted_by_user.map";
        action = "reject";
}
MM_WHITELISTED_BY_SUBJECT {
  type = "header";
  header = "Subject";
  map = "${LOCAL_CONFDIR}/local.d/whitelisted_by_subject.map";
  regexp = true;
  score = -5;
#  action = "reject";
}
MM_WHITELISTED_BY_USER {
  type = "user";
  map = "${LOCAL_CONFDIR}/local.d/whitelisted_by_user.map";
  score = -5;
#  action = "reject";
}
MM_WHITELISTED_BY_ENVELOPE_FROM {
  type = "from";
  map = "${LOCAL_CONFDIR}/local.d/whitelisted_by_envelope_from.map";
  regexp = true;
  filter = "email:addr";
  score = -7;
}
MM_WHITELISTED_BY_FROM_HEADER {
  type = "header";
  header = "From";
  map = "${LOCAL_CONFDIR}/local.d/whitelisted_by_from_header.map";
  regexp = true;
  score = -7;
}
#MM_WHITELISTED_RSPAMD_BL {
#  type = "header";
#  header = "To";
#  map = "${LOCAL_CONFDIR}/local.d/whitelisted_by_to_header_rspamd_bl.map";
#  symbols = ["RSPAMD_URIBL"];
#  action = "accept";
#}
MM_BLACKLISTED_BY_FROM_HEADER {
  type = "header";
  header = "From";
  map = "${LOCAL_CONFDIR}/local.d/blacklisted_by_from_header.map";
  regexp = true;
  score = 15;
#  action = "reject";
}
MM_BLACKLISTED_BY_X_PHP_HEADER {
  type = "from";
  symbols = ["HAS_X_PHP_SCRIPT"];
  action = "reject";
  map = "${LOCAL_CONFDIR}/local.d/blacklisted_by_x_php_header.map";
}
MM_MAIL_DELIVERY_FAILED {
  type = "header";
  header = "Subject";
  map = "${LOCAL_CONFDIR}/local.d/mail_delivery_failed_subject.map"
  symbols = ["IS_MAIL_DELIVERY_FAILED"];
  regexp = true;
}
MM_REJECT_MAIL_DELIVERY_FAILED_BY_TO_HEADER {
  type = "header";
  header = "To";
  map = "${LOCAL_CONFDIR}/local.d/reject_by_to_header.map";
  regexp = true;
  action = "reject";
  #score = 10;
  require_symbols = "MM_MAIL_DELIVERY_FAILED";
}

override.d

# cat logging.inc 
type=file
filename=/var/log/rspamd.log

# cat actions.conf 
    reject = 15; # Reject when reaching this score
    add_header = null; # Add header when reaching this score
    greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)

# cat worker-controller.inc 
bind_socket = "IP:11334";
password = "PASSWORD HASH";

Thank you so much for this information

…

On Wed, 7 Jun, 2023, 11:16 mdpuma, ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ This config is useful for both, incoming and outgoing, this is defined by exim acl which every incoming message has to proceed (not matter incoming or outgoing). MX pointers and DKIM didn't have anything in common with rspamd as software for antispam. MX pointers anyway you have to configure to point to your mailserver, but rspamd, may reside on same server (localhost) or on remote server, but it doesn't matter for MX pointer. — Reply to this email directly, view it on GitHub <https://gist.github.com/mdpuma/f1c347091717240276fcb0bab737f7ec#gistcomment-4591832> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AH77JOZYBX2ATWTJ4GSCE33XKAIS5BFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA2DEMZQGU4DAMVHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

Hello everyone!
We want to use rspamd as a centralized environment for spam filtering across our entire infrastructure.
We have some cpanels and directadmin servers.
We want to perform spam filtering remotely, to centralize a strong and robust database.
This topic gave me hope that this is really possible.

Is the script above working?
I saw that colleague @jatin0123 commented on checking outgoing emails as well.