Dovecot learn ham/spam with rspamd via inet protocol for docker

I started rebuilding my mail server following Thomas Leister's how-to. However, I decided to dockerize the whole setup. With that, I needed to get rid of any socket communication and move to TCP-based communication between the different docker containers.

This was mostly easy, as most components already communicate via TCP. However, the spam/ham learning mechanism still uses a socket.

So here are some details for my setup:

  • I used a user-defined network via docker compose to connect the different containers. That gives me full control over the containers' IPs
  • Each process runs in its own container, so I have unbound, redis, rspamd, dovecot, postfix
  • The host system is Debian stretch
  • Docker containers are based on Alpine:latest

So what is the solution?

BEWARE: I am basing my guide on Thomas's config linked above.

1. First you need to change a few details in the ham/spam piping.

In the plugin settings near the end of dovecot.conf, set the “sieve_pipe_bin_dir” option to the location where the pipe scripts (Step 3) will be stored. Make sure to use the path as it will exist inside your docker image.

My setting:

sieve_pipe_bin_dir = /usr/local/sbin

2. Adapt the sieve scripts. These scripts trigger the learning, as you can see in dovecot.conf: ham is learned when a mail is copied out of the SPAM folder, spam when a mail is copied into the SPAM folder.

Do not forget to call “sievec” after placing them in the sieve folder.

learn-spam.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-pipe-spam";

learn-ham.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-pipe-ham";

3. Adapt the pipe scripts themselves. These scripts actually connect to rspamd to deliver the mail for learning.
During docker image creation you need to copy the “rspamd-pipe-spam” and “rspamd-pipe-ham” scripts into the “sieve_pipe_bin_dir” location (Step 1) and make them executable.

The scripts connect via the container name “rspamd”. If yours has a different name, you need to change it or use the IP.

rspamd-pipe-spam

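#!/bin/ash
# Reads the mail from the file given as argument, or from stdin when called by sieve.
cat "$@" | /usr/bin/curl -s --data-binary @- http://rspamd:11334/learnspam
# Always exits 0, regardless of curl's result.
exit 0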

rspamd-pipe-ham

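#!/bin/ash
# Reads the mail from the file given as argument, or from stdin when called by sieve.
cat "$@" | /usr/bin/curl -s --data-binary @- http://rspamd:11334/learnham
# Always exits 0, regardless of curl's result.
exit 0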

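4. To allow these scripts to call rspamd, you need to allow the IP of the dovecot container for the worker controller via “secure_ip” (requests from addresses listed there are accepted without the password).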

worker-controller.inc

bind_socket = "<rspamd container>:11334";
password = "<your pwd as described in the guide>";
secure_ip = "<dovecot container ip>";

This should enable ham/spam learning via sieve within a docker setup.
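
A more defensive variant of the two pipe scripts from step 3, as an added example that is not part of the original post: one script installed under both names picks the endpoint from the name it was called by, bounds the request time and reports a failed learn on stderr while still exiting 0. The RSPAMD_URL variable, the 10-second timeout and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the original author's script. Install it as both
# rspamd-pipe-spam and rspamd-pipe-ham (copy or symlink) in sieve_pipe_bin_dir.
# Assumption: RSPAMD_URL and the 10 s timeout are illustrative defaults.
RSPAMD_URL="${RSPAMD_URL:-http://rspamd:11334}"

# Map the name the script was called by to the controller endpoint.
learn_endpoint() {
    case "${1##*/}" in
        rspamd-pipe-spam) echo learnspam ;;
        rspamd-pipe-ham)  echo learnham ;;
        *) return 1 ;;
    esac
}

# Send the mail (file arguments, or stdin when there are none) to rspamd.
# Returns curl's exit status; --fail turns HTTP errors (>= 400) into a failure.
learn() {
    endpoint="$1"; shift
    cat -- "$@" | curl -sS --fail --max-time 10 \
        --data-binary @- "$RSPAMD_URL/$endpoint" >/dev/null
}

main() {
    endpoint=$(learn_endpoint "$0") || { echo "unknown script name: $0" >&2; return 0; }
    learn "$endpoint" "$@" || echo "rspamd $endpoint request failed" >&2
    return 0   # a failed learn must not fail the IMAP copy that triggered it
}

# Run only when invoked under one of the two installed names.
case "${0##*/}" in rspamd-pipe-*) main "$@" ;; esac
```

Because file names are passed as quoted arguments, the same script also works with the find -exec invocation used for bulk training.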

Addendum: To train on existing mails, e.g. from an old server, you need to execute the following commands inside the dovecot container. Please make sure you adapt the paths if you changed them.

Learn HAM

find /var/vmail/mailboxes/*/*/mail/cur -type f -exec /usr/local/sbin/rspamd-pipe-ham {} \;

Learn SPAM

find /var/vmail/mailboxes/*/*/mail/Spam/cur -type f -exec /usr/local/sbin/rspamd-pipe-spam {} \;

4 thoughts on “Dovecot learn ham/spam with rspamd via inet protocol for docker”

    • No, I did not post the dockerfiles. I did not want to give a second tutorial on Thomas's setup, but only noted the difficult parts, like getting rspamd to be handled via inet protocol. All other components, like dovecot, etc. were very well documented already and straightforward.

      To push you in the right direction:
      The Dockerfiles themselves are very straightforward (if you are interested you can look at the mailcow setup, which Thomas linked in his guide as well: https://github.com/mailcow/mailcow-dockerized)
      To make a docker setup run, you need to switch each component from socket-based to inet protocol (e.g. in dovecot.conf each service definition to inet_listener). You can actually start doing this in Thomas's non-docker setup and then move everything over (reuse the configuration) when it is working.
      There is also another way, to share the sockets between the docker containers, however depending on your setup you might get into a mess with file permissions.

      If you have a specific problem, let me know, I am happy to help.

  1. I have looked into Mailcow but I use Kubernetes, and mailcow is docker-compose dependent and won't run under Kubernetes. I like the idea of breaking them up into pieces and a good starting point would be nice.

    • My setup uses docker-compose as well. However, I sent you an E-Mail with the dockerfiles and some explanations.
