Dockerfile to run rspamd as a Docker container. worker-proxy is used instead of worker-normal because it spawns a new worker if one crashes while processing a message.
It has several map files which can be edited in the web UI, including a filename map listing extensions to reject and a whitelist map listing domains to whitelist. The maps are stored in /etc/rspamd/local.d/maps.d; on startup any map not present there is copied from maps.orig, so a container with mounted volumes also picks up new maps shipped in a newer image.
To generate a password hash for the web interface, run the container, then run rspamd_pw.sh and copy the output into /etc/rspamd/override.d/worker-controller.inc. Alternatively, exec rspamadm pw inside the container and use the result for password and enable_password.
This is then retained in the persistent volume if one is mounted.
It is configured to read the DKIM/ARC keys from redis; instructions for manually adding a key to redis are on the Rspamd website: https://rspamd.com/doc/modules/dkim_signing.html#dkim-keys-in-redis.
To change the configuration, add your changes to the /etc/rspamd/override.d directory and mount it as a volume.
The Neural module, and a lot of the changes from the defaults, are configured for low email volume.
The official Docker image for redis also has an Alpine variant, redis:alpine.
Configuration for Spamhaus DQS is now included. To enable DQS:
- Check the usage terms.
- Register for a key with Spamhaus.
- Confirm your email address; the access details will then be emailed.
- Log in to the portal; the DQS key is the "Datafeed Query Account Key" there.
- Copy the key and write it to a file, then bind mount the file into the container at /etc/rspamd/rspamd-dqs/dqs-key.
- If that file exists, DQS is configured.
Abuse.ch Malware Bazaar hashes are downloaded every BZSLEEP hours if BZSLEEP is set; the minimum is 1 hour, as they are updated every hour. See here.
SpamAssassin rules from heinlein-support.de are loaded every HLSLEEP hours if HLSLEEP is set. They include regularly updated SpamAssassin filter rules, mainly for German spam. If the rules changed after an update, rspamd is restarted automatically via SIGHUP. See here for a more detailed description in German.
The url_redirector module is configured to read domain names from local.d/maps.d/redirectors.inc. If SYSREDIR is set, this file is copied from the main rspamd config into local.d/maps.d; an existing redirectors.inc in local.d/maps.d is not overwritten.
If the STUNNEL environment variable is set, stunnel will be started to pass redis commands over an SSL/TLS tunnel. There needs to be a stunnel server at the other end to receive the connection; this is different from redis's native SSL support. There should also be a file /etc/stunnel/psk.txt containing the pre-shared key, see here.
Github Repository: https://github.com/a16bitsysop/docker-rspamd
NAME | Description | Default |
---|---|---|
REDIS | name/container name or IP of the redis server. | none (no redis) |
OLEFY | name/container name or IP of the Olefy server. | do not use Olefy |
RAZORFY | name/container name or IP of the Razorfy server. | do not use Razorfy |
DCCIFD | name/container name or IP of the DCCIFD server. | do not use dccifd |
CLAMAV | name/container name or IP of the ClamAV server. | do not use ClamAV |
CONTROLIP | name/container name or IP of the rspamc process. | none |
DNSSEC | enable DNSSEC for DNS lookups. | no DNSSEC |
NOGREY | disable greylisting (soft reject). | greylist |
BZSLEEP | hours between updates of abuse.ch hashes, e.g. 1.5 | unset / disabled |
HLSLEEP | hours between updates of Heinlein's SpamAssassin rules | unset / disabled |
SYSREDIR | copy rspamd's redirectors.inc for url_redirector to use | unset / don't copy |
STUNNEL | use stunnel to encrypt redis traffic on port 6379 if set | unset |
TIMEZONE | timezone to use inside the container, e.g. Europe/London | unset |
To run connected to a container network without exposing ports (reachable only from containers on that network), with Docker-managed volumes:

```sh
docker container run --net MYNET --name rspamd --restart=unless-stopped --mount source=rspamd-var,target=/var/lib/rspamd --mount source=rspamd-over,target=/etc/rspamd/override.d -d a16bitsysop/rspamd
```

To run without a container network, exposing ports (accessible from the host network), with Docker-managed volumes:

```sh
docker container run -p 11332:11332 -p 11334:11334 --name rspamd --restart=unless-stopped --mount source=rspamd-var,target=/var/lib/rspamd --mount source=rspamd-over,target=/etc/rspamd/override.d -d a16bitsysop/rspamd
```
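The same setup as a Compose file, added here as an example and not part of the repository: redis runs on a private network with no published ports, the controller UI is bound to localhost only, and the DQS key file is bind-mounted read-only. The service and network names and the ./dqs-key path are assumptions.

```yaml
# docker-compose.yml (added example; service/network names and ./dqs-key are assumed)
services:
  redis:
    image: redis:alpine
    restart: unless-stopped
    networks: [mail]
    volumes:
      - redis-data:/data
    # no "ports:" entry: redis is reachable only from containers on "mail"

  rspamd:
    image: a16bitsysop/rspamd
    restart: unless-stopped
    depends_on: [redis]
    networks: [mail]
    environment:
      REDIS: redis            # container name of the redis service above
      BZSLEEP: "1"            # refresh abuse.ch hashes hourly (the minimum)
      HLSLEEP: "12"           # refresh Heinlein SpamAssassin rules twice a day
      TIMEZONE: Europe/London
    ports:
      - "11332:11332"            # proxy worker, used by the MTA
      - "127.0.0.1:11334:11334"  # controller/web UI, localhost only
    volumes:
      - rspamd-var:/var/lib/rspamd
      - rspamd-over:/etc/rspamd/override.d   # worker-controller.inc with the password hash lives here
      # dqs-key holds only the Spamhaus key; create it with chmod 600 and keep it out of version control
      - ./dqs-key:/etc/rspamd/rspamd-dqs/dqs-key:ro

networks:
  mail: {}

volumes:
  redis-data: {}
  rspamd-var: {}
  rspamd-over: {}
```

Start with `docker compose up -d`; if the DQS key file is absent the image simply runs without DQS, as described above.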
Based on configuration here
The rspamd user mailing list