simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity
nixos-config/modules/mailserver/rspamd.nix
Simon Bruder db391a3907
mailserver: Remove rejectSenders 
This now gets handled by rspamd with a dynamic map.
2023-06-03 18:34:12 +02:00

81 lines
2.5 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, lib, ... }:
let
cfg = config.sbruder.mailserver;
in
{
options.sbruder.mailserver.spam = {
enable = (lib.mkEnableOption "spam filtering") // { default = true; };
};
config = lib.mkIf (cfg.enable && cfg.spam.enable) {
sops.secrets.rspamd-worker-controller = {
owner = config.users.users.rspamd.name;
sopsFile = ../../machines + "/${config.networking.hostName}/secrets.yaml";
};
services.rspamd = {
enable = true;
postfix.enable = true;
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = lib.singleton {
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
owner = "${config.services.rspamd.user}";
group = "${config.services.rspamd.group}";
};
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "127.0.0.1:11334" ] ++ lib.optional config.sbruder.wireguard.home.enable "${config.sbruder.wireguard.home.address}:11334";
};
};
locals = {
"dkim_signing.conf".text = ''
enabled = false;
'';
"logging.inc".text = ''
# starts at info, drops to notice once started up
level = "silent";
'';
"milter_headers.conf".text = ''
extended_spam_headers = true;
'';
"multimap.conf".text = ''
SENDER_BLOCKED {
type = "from";
filter = "email:addr";
map = "/var/lib/rspamd/blocked_senders.map";
symbol = "SENDER_BLOCKED";
description = "Senders address is manually blocked";
prefilter = true;
action = "reject";
score = 30.0;
}
SENDER_DOMAIN_BLOCKED {
type = "from";
filter = "email:domain:tld";
map = "/var/lib/rspamd/blocked_sender_domains.map";
symbol = "SENDER_DOMAIN_BLOCKED";
description = "Senders effective second level domain is manually blocked";
score = 8.0;
}
'';
"redis.conf".text = ''
servers = "127.0.0.1:${toString config.services.redis.servers.rspamd.port}"
'';
"worker-controller.inc".source = config.sops.secrets.rspamd-worker-controller.path; # includes password
};
};
services.redis = {
vmOverCommit = true;
servers.rspamd = {
enable = true;
port = 6379;
};
};
};
}
Reference in a new issue View git blame Copy permalink