Rspamd monitoring with OpenBSD relayd

Summary

I installed Rspamd on OpenBSD and configure it with OpenSMTPD the other day.

Rspamd installation and OpenSMTPD configuration on it on OpenBSD

Heddi Nabbisen ・ Jul 17 ・ 3 min read

Well, Rspamd includes web interface to monitor its performance.
I combined it with relayd.

This post shows how I built the environment.
It is possible to monitor Rspamd via a web browser only when relayd is running on the server.
The servers relation is:

* smtpd *
| .. Is MTA (Mail transfer agent)
|
* rspamd *
| .. Is filtering system
| .. Includes Web ui
|    .. Listens on 127.0.0.1 only (port 11334)
|    .. Confirms `password` when accessed not from `secure_ip`s
|
* relayd *
  .. Listens on 0.0.0.0, any outbound TCP traffic (port 11334 or any)
  .. Uses TLS connection with self-signed certificate

Tutorial

First, set up the web ui of Rspamd.

$ cd /etc/rspamd

$ # create a backup if necessary
$ doas cp -p worker-controller.inc worker-controller.inc.bak

$ doas nvim worker-controller.inc

It is officially strongly recommended to change the password. Besides, connection from secure_ip is not required password authorization by web ui.

- password = "**";
+ password = "<your-password>";
  secure_ip = "127.0.0.1"; 
  secure_ip = "::1";

The web ui protects your configuration and email information with the password:

The reason why "Not secure" in address bar is shown is that self-signed certificate is used by relayd as shown below.
This is how to create a self-signed certificate with openssl utility provided by LibreSSL:

$ cd /etc/ssl

$ set -x MYDOMAIN "rspamd-relayd"
$ doas openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt \
    -subj "/C=<your.company>/ST=<your.state>/L=/O=<your.org>/OU=/CN=$MYDOMAIN"
$ doas chmod 400 private/$MYDOMAIN.key

Here we have:

$ ls -l /etc/ssl/rspamd-relayd.crt
-rw-r--r--  1 root  wheel  1135 Jul 14 21:09 /etc/ssl/rspamd-relayd.crt
$ doas ls -l /etc/ssl/private/rspamd-relayd.key
-r--------  1 root  wheel  1704 Jul 14 21:09 /etc/ssl/private/rspamd-relayd.key

Next, configure OpenBSD relayd.

$ doas nvim /etc/relayd.conf

Add the lines below to relayd.conf:

protocol rspamd {
        tls keypair "rspamd-relayd"
}

relay rspamd {
        # Run as a SSL/TLS accelerator
        listen on 0.0.0.0 port 11334 tls
        protocol rspamd

        # Forward to hosts in the webhosts table using a src/dst hash
        forward to 127.0.0.1 port 11334
}

relayd listens on 0.0.0.0:11334 with using TLS connection based on the self-signed certificate. When relayd accepts the requests, they will be forwarded to Rspamd web ui.

Configuration is done now.
Let's start relayd, which is disabled by default and therefore -f (force) option is required: