Dovecot learn ham/spam with rspamd via inet protocol for docker

September 9th, 2018

I started rebuilding my mail server following Thomas Leisters Howto. However I decided to dockerize the whole setup. With that I needed to get rid of any socket communication and move to tcp based communication between different docker containers.

This was surprisingly easy, as most components already communicate via tcp. However the learn spam and ham mechanism still uses a socket. So here are some details for my setup:

  • I used a user defined network via docker compose to connect the different containers. By that I have full control over the containers IPs
  • Each process is running in one container, so I have unbound, redis, rspamd, dovecot, postfix
  • Host system is a debian stretch
  • Docker containers are based on Debian:stable-slim

EDIT 14.04.20: I switched my setup to Debian based Docker. Especially the postfix container needs to be NOT Alpine right now. The resolver implementation in musl-libc cripples the DNSSEC calls of postfix, making outgoing DANE unusable.

So what is the solution

BEWARE: I am basing my guide on Thomas config linked above.

First you need to change a few details in the ham/spam piping. Within the dovecot.conf down at the plugin settings you need to set the sieve_pipe_bin_dir option to the location, where the pipe scripts (following steps) will be stored. Beware to set the path as it will be in your docker image. My setting: sieve_pipe_bin_dir = /usr/local/sbin

Next adapt the sieve scripts. These scripts trigger the learning as you can see in dovecot.conf. Ham on copying out of SPAM folder, Spam on copying into SPAM folder. Do not forget to call sievec after placing them in the sieve folder.

learn-spam.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-pipe-spam";

learn-ham.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-pipe-ham";

Now adapt the pipe scripts itself. These scripts will actually connect to rspamd to deliver the mail for learning. During docker image creation you will need to copy the rspamd-pipe-spam and rspam-pipe-ham scripts into the sieve_pipe_bin_dir location (first step ) and make them executable. The script is connecting via the container name rspamd if you have a different one, you need to change or use the IP.

rspamd-pipe-spam

#!/bin/bash
cat $1 | /usr/bin/curl -s --data-binary @- http://rspamd:11334/learnspam
exit 0

rspamd-pipe-ham

#!/bin/bash
cat $1 | /usr/bin/curl -s --data-binary @- http://rspamd:11334/learnham
exit 0

To allow this scripts to call rspamd you need to allow the IP of dovecot for the worker controller.

worker-controller.inc

bind_socket = "rspamd container>:11334";
password = "<your pwd as described in the guide>";
secure_ip = "<dovecot container ip>";

This should enable ham/spam learning via sieve within a docker setup.

####Addendum To train existing mails, e.g. from an old server, you need to execute the following commands in the dovecot docker. Please make sure you adapt paths, if you changed them. Learn HAM: find /var/vmail/mailboxes/*/*/mail/cur -type f -exec /usr/local/sbin/rspamd-pipe-ham {} \; Learn SPAM: find /var/vmail/mailboxes/*/*/mail/Spam/cur -type f -exec /usr/local/sbin/rspamd-pipe-spam {} \;

Christian

Author

4 comments

Robert Middleswarth - October 11th, 2019 07:54

You should at least post your docker files so we can see what you are doing? Or am I missing them?

↪︎ Reply to Robert Middleswarth
Christian - October 11th, 2019 09:51

No, I did not post the dockerfiles. I did not want to give a second tutorial on Thomas setup, but only noted the difficult parts, like getting rspamd to be handled via inet protocol. All other components, like dovecot, etc. were very well doumented already and straight forward. To push you in the right direction: The Dockerfiles itself are very straight forward (if you are interested you can look at the mailcow setup, Thomas linked in its guide as well: https://github.com/mailcow/mailcow-dockerized) To make a docker setup run, you need to switch each component from socket based to inet protocol (e.g. in dovecot.conf each service definition to inet_listener). You can actually start doing this in Thomas non-docker setup and then move everything over (reuse the configuration) when it is working. There is also another way, to share the sockets between the docker containers, however depending on your setup you might get into a mess with file permissions. If you have a specific problem, let me know, I am happy to help.

Robert Middleswarth - October 11th, 2019 20:28

I have looked into Mailcow but I use Kubernetes and mailcow is docker-compose dependent and wont run under Kubernetes. I like the idea of breaking them up in to pieces and a good starting point would be nice.

Christian - October 11th, 2019 23:55

My setup uses docker-compose as well. However, I sent you an E-Mail with the dockerfiles and some explanations.

Please Note: By submitting your comment your browser will send the values of the form fields (and the typical browsing meta data) to the API of Staticman. If you don't want to connect to a third party, you should E-Mail me.