Update rspamd #40434
Be able to test aliased options with isDefined.
Deprecated by rspamd_proxy.
Add locals and overrides to configure individual modules. Improve default configuration. Enable controller and milter proxy by default with unix sockets. Fix aliases, before they overrode module defaults. Fix types in submodules. Add postfix configuration for quick integration. Fix service dependencies so that systemd sockets aren't removed.
Use unix sockets, don't test IPv6, general cleanup.
ceb90ac LGTM, closes #40414.
I think my #40418 is a much better fix for what 07cfa1a and new `import` lines in 8795776 try to do. I think we hit the same bug in the core, but I like my change more because 07cfa1a looks like a work-around that duplicates a piece of `doRename`, and I just fixed `doRename`.
As to the rest, I'm not sure we should just straight up remove `rmilter`. nixos-mailserver project, for instance, depends on it.
/cc @fpletz
Please review #40418.
Let's also discuss the changes to the rspamd service. In my branch, when I made a support for milter-less setup, I _removed_ some options from the service to allow for more flexibility in `extraConfig`. This branch _adds_ options.
Thoughts?
|
||
systemd.services.rspamd = { | ||
description = "Rspamd Service"; | ||
|
||
wantedBy = mkIf (!cfg.socketActivation) [ "multi-user.target" ]; | ||
after = [ "network.target" ] ++ | ||
(if cfg.socketActivation then allSocketNames else []); | ||
requires = mkIf cfg.socketActivation allSocketNames; |
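Review bot: the `wantedBy`, `after` and `requires` lines all switch on `cfg.socketActivation`, but nothing here says why the service should require its own sockets or what start order is intended; a one-line comment stating that would make later changes to these dependencies easier to review. As a style point, `(if cfg.socketActivation then allSocketNames else [])` reads more simply as `optionals cfg.socketActivation allSocketNames`.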
Why remove these? In your commit message you mention that service dependencies were changed to counteract the sockets getting deleted, but that problem is fixed further down by not setting RuntimeDirectory.
@@ -323,6 +372,7 @@ in | |||
value = { | |||
description = "Rspamd socket ${toString each.index} for worker ${each.name}"; | |||
wantedBy = [ "sockets.target" ]; | |||
after = optional (each.name == "rspamd_proxy") "postfix.service"; |
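Review bot: the condition on the `after` line only tests `each.name == "rspamd_proxy"`, so the socket unit is ordered against `postfix.service` even when the module's Postfix integration (`cfg.postfix.enable`, which guards `services.postfix.extraConfig` elsewhere in this change) is switched off. Gate the ordering on that option as well, and check the direction: `after` brings the socket up once Postfix is already started, while a milter socket is normally wanted in place before its client.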
Shouldn't this be before? You want the socket to be started before postfix uses it.
This should be not required when socket activation is used.
> This should be not required when socket activation is used.

You are right, this line is not required. But though this line is at best redundant, and in my opinion also wrong since you want the socket to be created before, not after, the service, there is some logic behind adding an explicit dependency between postfix and the socket. In situations where the socket and postfix have been manually stopped, an explicit dependency makes systemd also start the socket when you start postfix.
But I think this would have been a better way to add the dependency:
```nix
# Make postfix pull in and wait for the rspamd socket when it is started.
systemd.services.postfix = mkIf cfg.postfix.enable {
  after = [ "rspamd-normal-1.socket" ];
  requires = [ "rspamd-normal-1.socket" ];
};
```
Status update. #40418 got merged recently (thanks @7c6f434c and @nbp!) so the first patch in this patchset and import lines in 8795776 are no longer needed. I picked rspamd update to #42858 for convenience in case anyone still wants that (two closed PRs for one, btw. hurry up to claim your prize! etc etc). I guess the rest is stalled until someone with commit access decides to take interest...

Sorry this did not get into 18.09. I am now also using rspamd and would review this if rebased.
controller = {}; | ||
rspamd_proxy = {}; |
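Review bot: the empty attribute sets on `controller = {};` and `rspamd_proxy = {};` give a reader no hint of which socket path, mode and owner these two workers end up with once they are enabled by default. Since the controller is a management interface, add a comment or option description next to these lines stating the resulting unix socket location and permissions.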
This is a good default but should be also mentioned in the release notes.
services.postfix.extraConfig = mkIf cfg.postfix.enable '' | ||
smtpd_milters = unix:private/rspamd | ||
non_smtpd_milters = $smtpd_milters | ||
milter_protocol = 6 |
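Review bot: the block sets `smtpd_milters`, `non_smtpd_milters` and `milter_protocol` but not `milter_default_action`, so Postfix keeps its default of `tempfail` and defers mail whenever the `unix:private/rspamd` socket is unreachable. State the intended failure behaviour explicitly here, either by setting `milter_default_action` or by documenting that deferral is what is wanted.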
This is apparently the default in our postfix version.
|
||
services.postfix.extraConfig = mkIf cfg.postfix.enable '' | ||
smtpd_milters = unix:private/rspamd | ||
non_smtpd_milters = $smtpd_milters |
The official documentation does not mention this: https://rspamd.com/doc/integration.html
No but if you want rspamd to also scan mails from command line you need this. And if you use the DKIM module in rspamd to also add DKIM signatures you want rspamd to also be called for command line mails.
makes sense.
cc @avnik
This might not be the place, but since this is the latest change to the rspamd module I thought I might bring it up here. The socket activation code for rspamd doesn't work and can't be made to work until rspamd/rspamd#2035 is fixed. See also #47421. Also the worker configuration needs to be changed to better reflect how rspamd works. I am planning on working on these changes to the worker configuration in the near future. But in essence the problem is that a configuration of:
results in the bad rspamd config of:
But the essence of what I am trying to do with my controller2 config (i.e. a second controller with a different password) is actually possible with rspamd. The config just has to look like this:
On a more review note I like the

My PR #49620 that adds my version of I have also created #49809 that adds support for multiple workers as well as the What this means is that once #49809 is merged all the changes made by this PR have in one form or another been implemented in other PRs and so this PR can probably be closed.
Motivation for this change
Deprecate rmilter and all this more configurable.