====== N) Spam filtering ======

[[https://github.com/rspamd/rspamd|RSpamD]] is an advanced spam filtering system and email processing framework that allows evaluation of messages by a number of rules including regular expressions, statistical analysis and custom services such as URL black lists. Each message is analysed by Rspamd and given a verdict that might be used by MTA for further processing (e.g. to reject a message, or add a special header indicating spam) along with other information, such as possible DKIM signature or modifications suggested for a message.


===== Installation =====

My VPS is pretty ancient and the CPU does not support sse4_2, instructions, so i had to disable **hyperscan** use flag by writing the following **/etc/portage/package.use/rspamd** file:
<file - rspamd>
mail-filter/rspamd  -hyperscan
</file>

Now simply emerge it:
<code bash>
emerge -vp rspamd dev-db/redis
</code>

rspamd requires redis, but somehow it doesn't pull it directly.


===== Configure rspamd =====

Create **/etc/rspamd/local.d/actions.conf**:
<file - actions.conf>
# Basic action thresholds
reject = 15;        # Reject obvious spam
add_header = 6;     # Add spam headers
greylist = 4;       # Temporary delay suspicious mail
</file>

Configure redis **/etc/rspamd/local.d/redis.conf**:
<file redis.conf>
# Redis connection for statistics and caching
servers = "127.0.0.1:6379";
</file>

Setup a controller password for the web interface:
<code bash>
rspamadm pw
</code>

Create **/etc/rspamd/local.d/worker-controller.inc**:
<file - worker-controller.inc>
# Replace with your generated password
password = "$2$your_generated_password_here";
</file>


===== Configure redis =====

Setup redis at least in a basic and secure way **/etc/redis/redis.conf**:
<file - redis.conf>
# Bind only to localhost for security
bind 127.0.0.1 ::1
# Set memory limit
maxmemory 500mb
maxmemory-policy volatile-ttl
</file>


===== Configure postfix link =====

Add milter integration to your Postfix configuration in **/etc/postfix/main.cf**:
<code>
# Enable Rspamd milter
smtpd_milters = inet:localhost:11332
milter_default_action = accept
milter_protocol = 6
</code>

Configure Rspamd proxy worker in **/etc/rspamd/local.d/worker-proxy.inc**:
<file - worker-proxy.inc>
# Enable milter mode for Postfix integration
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;  # Scan messages directly
}
</file>


===== Startup =====

Ensure all the services are running and setup to start on boot:
<code bash>
for i in rspamd redis postfix
do
 rc-update add $i default
 /etc/init.d/$i restart
done
</code>


===== Web interface =====

By default rspamd web interface is exposed on **http://127.0.0.1:11334/** but of course, you must slap NGINX in front of it. I choose to expose it as **https://mail.mydomain.com/rspamd/** so add the following to your NGINX setup for **mail.mydomain.com**:
<code>
        location /rspamd/ {
                proxy_pass http://127.0.0.1:11334/;
                proxy_redirect    default;
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP $remote_addr;
                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header  X-Forwarded-Host $server_name;
                proxy_set_header  X-Forwarded-Proto $scheme;
        }
</code>