Replace amavis with rmilter plus clamav and rspamd

clamav/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine
+
+RUN apk add --update \
+      clamav \
+      rsyslog \
+      wget \
+ && rm -rf /var/cache/apk/*
+
+
+COPY conf /etc/clamav
+
+
+CMD ["/usr/sbin/clamd"]

amavis/conf/clamav/clamd.conf → clamav/conf/clamd.conf

@@ -3,10 +3,11 @@
 ###############
 
 DatabaseDirectory /data
-LogSyslog yes
 LogTime yes
-PidFile /run/clamav/clamd.pid
+PidFile /run/clamd.pid
 LocalSocket /tmp/clamd.sock
+TCPSocket 3310
+Foreground yes
 
 ###############
 # Results

amavis/Dockerfile → rmilter/Dockerfile

@@ -1,19 +1,13 @@
-FROM alpine
+FROM alpine:edge
 
 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
  && apk add --update \
-      perl-socket6 \
-      perl-io-socket-inet6@testing \
-      amavisd-new \
-      spamassassin \
-      clamav \
-      rsyslog \
-      wget \
+     rmilter@testing rsyslog \
  && rm -rf /var/cache/apk/*
-
-COPY conf /etc/
+ 
+COPY rmilter.conf /etc/rmilter.conf
 COPY rsyslog.conf /etc/rsyslog.conf
 
 COPY start.sh /start.sh
 
-CMD ["/start.sh"]
+CMD ["/start.sh"]

rmilter/rmilter.conf

@@ -0,0 +1,119 @@
+# pidfile - path to pid file
+pidfile = /run/rmilter.pid;
+
+# bind_socket - socket credits for local bind:
+bind_socket = inet:9900
+
+# tempdir - path to directory that contains temporary files
+tempdir = /tmp;
+
+# tempfiles_mode - set permission for temp files
+tempfiles_mode = 00600;
+
+# max_size - maximum size of scanned mail with clamav and dcc
+max_size = 10M;
+
+# strict_auth - strict checks for mails from authenticated senders
+strict_auth = no;
+
+# use_dcc - whether use or not dcc system
+use_dcc = no;
+use_redis = yes;
+
+clamav {
+	# servers - clamav socket definitions in format:
+	servers = antivirus:3310;
+	# connect_timeout - timeout in miliseconds for connecting to clamav
+	connect_timeout = 1s;
+	# port_timeout - timeout in miliseconds for waiting for clamav port response
+	port_timeout = 4s;
+	# results_timeout - timeout in miliseconds for waiting for clamav response
+	results_timeout = 20s;
+	# error_time - time in seconds during which we are counting errors
+	error_time = 10;
+	# dead_time - time in seconds during which we are thinking that server is down
+	dead_time = 300;
+	# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+	# Default: 10
+	maxerrors = 10;
+};
+
+spamd {
+	# servers - spamd socket definitions in format:
+	servers = r:antispam:11333;
+	# connect_timeout - timeout in milliseconds for connecting to spamd
+	connect_timeout = 1s;
+	# results_timeout - timeout in milliseconds for waiting for spamd response
+	results_timeout = 20s;
+	# error_time - time in seconds during which we are counting errors
+	error_time = 10;
+	# dead_time - time in seconds during which we are thinking that server is down
+	dead_time = 300;
+	# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+	maxerrors = 10;
+	# reject_message - reject message for spam
+	reject_message = "Spam message rejected; If this is not spam contact abuse";
+	# whitelist - list of ips or nets that should be not checked with spamd
+	whitelist = 127.0.0.1/32, [::1]/128;
+	# rspamd_metric - metric for using with rspamd
+	rspamd_metric = "default";
+    # Do not reject, add header
+    spamd_never_reject = yes;
+};
+
+redis {
+	# servers_grey - redis servers for greylisting in format:
+	servers_grey = redis:6379;
+	# servers_white - redis servers for whitelisting in format similar to that is used
+	servers_white = redis:6379;
+	# servers_limits - redis servers used for limits storing, can not be mirrored
+	servers_limits = redis:6379;
+	# servers_id - redis servers used for message id storing, can not be mirrored
+	servers_id = redis:6379;
+	# id_prefix - prefix for extracting message ids from redis
+	id_prefix = "message_id.";
+	# grey_prefix - prefix for extracting greylisted records from redis
+	grey_prefix = "grey.";
+	# id_prefix - prefix for extracting whitelisted records from redis
+	white_prefix = "white.";
+	# connect_timeout - timeout in miliseconds for waiting for redis
+	connect_timeout = 1s;
+	# error_time - time in seconds during which we are counting errors
+	error_time = 10;
+	# dead_time - time in seconds during which we are thinking that server is down
+	dead_time = 300;
+	# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+	maxerrors = 10;
+};
+
+# limits section
+limits {
+	# Whitelisted ip or networks
+	limit_whitelist = 127.0.0.1/32, [::1]/128;
+	# Whitelisted recipients
+	limit_whitelist_rcpt =  postmaster, mailer-daemon;
+	# Addrs for bounce checks
+	limit_bounce_addrs = postmaster, mailer-daemon, symantec_antivirus_for_smtp_gateways, <>, null, fetchmail-daemon;
+	# Limit for bounce mail
+	limit_bounce_to = 5:0.000277778;
+	# Limit for bounce mail per one source ip
+	limit_bounce_to_ip = 5:0.000277778;
+	# Limit for all mail per recipient
+	limit_to = 20:0.016666667;
+	# Limit for all mail per one source ip
+	limit_to_ip = 30:0.025;
+	# Limit for all mail per one source ip and from address
+	limit_to_ip_from = 100:0.033333333;
+};
+
+
+greylisting {
+	timeout = 300s;
+	expire = 3d;
+	whitelist = 127.0.0.1, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, [::1]/128;
+	awl_enable = yes;
+	awl_pool = 10M;
+	awl_hits = 10;
+	awl_ttl = 3600s;
+};
+

rmilter/start.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+rm -f /var/run/rsyslogd.pid
+rmilter -c /etc/rmilter.conf
+rsyslogd -n

rspamd/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:edge
+
+RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
+ && apk add --update \
+     rspamd@testing rsyslog \
+ && rm -rf /var/cache/apk/*
+
+RUN mkdir /run/rspamd
+
+CMD ["rspamd", "-f", "-i"]

rspamd/rsyslog.conf

@@ -0,0 +1,4 @@
+$ModLoad imuxsock
+$template noTimestampFormat,"%syslogtag%%msg%\n"
+$ActionFileDefaultTemplate noTimestampFormat
+*.*;auth,authpriv.none /dev/stdout

rspamd/start.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rspamd -i
+rsyslogd -n