Rspamd monitoring with OpenBSD relayd

nabbisen - Jul 18 '21 - - Dev Community

Summary

I installed Rspamd on OpenBSD and configured it with OpenSMTPD the other day.

Rspamd includes a web interface to monitor its performance.
I combined it with relayd.

This post shows how I built the environment.
It is possible to monitor Rspamd via a web browser only when relayd is running on the server.
The relationship between the servers is:

* smtpd *
| .. Is MTA (Mail transfer agent)
|
* rspamd *
| .. Is filtering system
| .. Includes Web ui
|    .. Listens on 127.0.0.1 only (port 11334)
|    .. Confirms `password` when accessed not from `secure_ip`s
|
* relayd *
  .. Listens on 0.0.0.0, any outbound TCP traffic (port 11334 or any)
  .. Uses TLS connection with self-signed certificate

Tutorial

First, set up the web ui of Rspamd.

$ cd /etc/rspamd

$ # create a backup if necessary
$ doas cp -p worker-controller.inc worker-controller.inc.bak

$ doas nvim worker-controller.inc

The Rspamd documentation strongly recommends changing the password. Note that the web UI does not ask for the password when the connection comes from a secure_ip address.

- password = "**";
+ password = "<your-password>";
  secure_ip = "127.0.0.1"; 
  secure_ip = "::1";
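
Review bot: the added `password = "<your-password>";` line keeps the controller password in cleartext in worker-controller.inc. Generate a hash with `rspamadm pw` and store that value in `password` instead, so that reading the file does not reveal the password.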

The web ui protects your configuration and email information with the password:

[Screenshot: password protection]

The address bar shows "Not secure" because relayd uses a self-signed certificate, as shown below.
This is how to create a self-signed certificate with the openssl utility provided by LibreSSL:

$ cd /etc/ssl

$ # fish shell syntax; in sh/ksh use: export MYDOMAIN="rspamd-relayd"
$ set -x MYDOMAIN "rspamd-relayd"
$ # C= takes a two-letter country code
$ doas openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt \
    -subj "/C=<your.country>/ST=<your.state>/L=/O=<your.org>/OU=/CN=$MYDOMAIN"
$ doas chmod 400 private/$MYDOMAIN.key

Here we have:

$ ls -l /etc/ssl/rspamd-relayd.crt
-rw-r--r--  1 root  wheel  1135 Jul 14 21:09 /etc/ssl/rspamd-relayd.crt
$ doas ls -l /etc/ssl/private/rspamd-relayd.key
-r--------  1 root  wheel  1704 Jul 14 21:09 /etc/ssl/private/rspamd-relayd.key

Next, configure OpenBSD relayd.

$ doas nvim /etc/relayd.conf

Add the lines below to relayd.conf:

protocol rspamd {
        tls keypair "rspamd-relayd"
}

relay rspamd {
        # Run as an SSL/TLS accelerator
        listen on 0.0.0.0 port 11334 tls
        protocol rspamd

        # Forward to the Rspamd web UI listening on localhost
        forward to 127.0.0.1 port 11334
}

relayd listens on 0.0.0.0:11334 and serves TLS connections using the self-signed certificate. Requests that relayd accepts are forwarded to the Rspamd web UI.
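
Because relayd opens its own connection to 127.0.0.1, Rspamd sees every relayed request as coming from a secure_ip address, which is not asked for the password. The variant below is an added example, not part of the original post: it reuses the post's protocol, relay and key pair names, and assumes Rspamd's documented behaviour behind a proxy, where the controller evaluates the address given in X-Forwarded-For or X-Real-IP when the connection itself arrives from a secure_ip.

```conf
# /etc/relayd.conf (added example; names and key pair taken from the post)
http protocol rspamd {
        tls keypair "rspamd-relayd"

        # Overwrite any client-supplied value with the address relayd
        # accepted the connection from, so Rspamd checks secure_ip against
        # the real client instead of relayd's own 127.0.0.1.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Real-IP" value "$REMOTE_ADDR"
}

relay rspamd {
        # Terminate TLS here, as in the post
        listen on 0.0.0.0 port 11334 tls
        protocol rspamd

        # Forward to the Rspamd web UI listening on localhost
        forward to 127.0.0.1 port 11334
}
```

Check the file with `doas relayd -n` before starting relayd.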

Configuration is done now.
Let's start relayd. It is disabled by default, so the -f (force) option is required:

$ doas rcctl -f start relayd
relayd(OK)

Of course, alternatively, you can do rcctl enable relayd (and rcctl start relayd).

Conclusion

Now the Rspamd web UI is reachable from the Internet. Access it at https://<fqdn>:11334.

[Screenshot: rspamd web ui status]

[Screenshot: rspamd web ui history]

Really useful information :)

Finally, stop relayd:

$ doas rcctl stop relayd
relayd(OK)