Page 22 of 23

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri Nov 19, 2021 11:22 am
by yawarniazi
No one is here to help me????? :oops: :oops:

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri Jan 14, 2022 5:47 pm
by chris_60
Good day all,

I would like to add a proxy element to Zimbra's nginx configuration to proxy requests to the Rspamd web UI. Per the Rspamd docs this is what is required for nginx:

Code: Select all

location /rspamd/
        {
          proxy_pass       http://localhost:11334/;

          proxy_set_header Host      $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For "";
        }


I thought to add it to

Code: Select all

nginx.conf.web.admin
inside one of my server configurations. However,

Code: Select all

zmproxyctl restart
causes that configuration file to be rewritten.

So... where to add this bit of configuration code so that it survives a restart?

Kind regards,
Chris

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri Jan 14, 2022 6:52 pm
by phoenix
Zmproxyctl will always overwrite any modifications you make, it's part of the product design, I'd also suggest you do not use the Zimbra proxy as a general reverse proxy as your changes may not survive any ZCS upgrades. Why don't you just connect directly to your Rspamd instance?

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri Jan 14, 2022 7:14 pm
by chris_60
phoenix wrote:Why don't you just connect directly to your Rspamd instance?


The native client has no SSL capabilities.

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Sun Jan 23, 2022 10:29 am
by mgarbin
To preserve the nginx custom configuration you need to change template config file.
You can modify the nginx template adding this code, it allow to connect to rspamd only from private network :

Code: Select all

   
    location /rspamd/ {
        proxy_pass http://YOUR_RSPAMD_IP:11334/;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        allow 10.0.0.0/8;
        allow 192.168.37.0/24;
        allow 172.16.0.0/12;
        allow 127.0.0.1;

        proxy_http_version 1.1;
    }


File to modify :

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

Add the code before the nginx location :

Code: Select all

location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/


Zimbra upgrade the template file only if there will be a new zimbra-proxy-patch .
If you want to save your configuration in a smart way you can create a folder under /opt/zimbra/conf/your_folder and put it all the modified things that you want to add on nginx.
Then use an include like :

Code: Select all

include /opt/zimbra/conf/YOUR_FOLDER/*.conf;


Then if you upgrade zimbra you need to re-add only one line.

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Mon Jan 24, 2022 1:29 pm
by chris_60
Thank-you mgarbin!

I almost have this working now.

I have put the location block into a include file as you suggested under a folder

Code: Select all

/opt/zimbra/conf/local


I have added an include statement to both of the following templates:

Code: Select all

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template


Question: Is it necessary to have the include statement in both of these template files or just the default?

This code is already in both the above mentioned templates:

Code: Select all

location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/


After doing this and restarting the proxy, the rspamd log on displays properly using

Code: Select all

https://mail.mysite.com/rspamd/


[s]However, upon entering creds and clicking the Connect button, things bork a bit. Basically the page submits the password to https://mail.mysite.com/rspamd/auth to which nginx responds with a 403 Forbidden.

Have I missed something in the configuration mods? Should the nginx location match regexp include a reference to 'auth' ?[/s]

UPDATE: The auth issue was due to a bad password. Once corrected, this mod works as expected.

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Thu May 26, 2022 8:26 pm
by MisterM74
Hello

Yes, here I am again

Well, this replacement, compatible what version of Zimbra ?

Do you have a good tutorial ?

Mz

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Thu May 26, 2022 8:31 pm
by phoenix
Did you read the first post in this thread or the wiki article on the subject? Both of those have instructions on how to instal Rspamd.

BTW, it makes no difference what version of ZCS you're using as there are no 'compatibility problems with Zimbra.

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Thu May 26, 2022 8:36 pm
by MisterM74
No, I did not look at it, sorry

Compatible with the latest version of zimbra?

Mz

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri May 27, 2022 6:45 am
by phoenix
It will run with any version of Zimbra and there is no such requirement as 'compatibility' as it uses a milter in Postfix.