Rspamd Installation Guide

# Install EPEL repository if needed
sudo dnf install -y epel-release

# Install rspamd
sudo dnf install -y rspamd redis, lua

# Enable and start service
sudo systemctl enable --now rspamd

# Configure firewall
sudo firewall-cmd --permanent --add-service=rspamd
sudo firewall-cmd --reload

# Verify installation
rspamd --version || systemctl status rspamd

# Update package index
sudo apt update

# Install rspamd
sudo apt install -y rspamd redis, lua

# Enable and start service
sudo systemctl enable --now rspamd

# Configure firewall
sudo ufw allow 11333/11334

# Verify installation
rspamd --version || systemctl status rspamd

# Install rspamd
sudo pacman -S rspamd

# Enable and start service
sudo systemctl enable --now rspamd

# Verify installation
rspamd --version || systemctl status rspamd

# Install rspamd
apk add --no-cache rspamd

# Enable and start service
rc-update add rspamd default
rc-service rspamd start

# Verify installation
rspamd --version || rc-service rspamd status

# Install rspamd
sudo zypper install -y rspamd redis, lua

# Enable and start service
sudo systemctl enable --now rspamd

# Configure firewall
sudo firewall-cmd --permanent --add-service=rspamd
sudo firewall-cmd --reload

# Verify installation
rspamd --version || systemctl status rspamd

# Using Homebrew
brew install rspamd

# Start service
brew services start rspamd

# Verify installation
rspamd --version

# Using pkg
pkg install rspamd

# Enable in rc.conf
echo 'rspamd_enable="YES"' >> /etc/rc.conf

# Start service
service rspamd start

# Verify installation
rspamd --version || service rspamd status

# Using Chocolatey
choco install rspamd

# Or using Scoop
scoop install rspamd

# Verify installation
rspamd --version

# Create configuration directory if needed
sudo mkdir -p /etc/rspamd

# Set up basic configuration
sudo tee /etc/rspamd/rspamd.conf << 'EOF'
# Rspamd Configuration
workers = 4
EOF

# Test configuration
sudo rspamd -t || sudo rspamd configtest

# Reload service
sudo systemctl reload rspamd

# Set appropriate permissions
sudo chown -R rspamd:rspamd /etc/rspamd
sudo chmod 750 /etc/rspamd

# Enable security features
# See security section for detailed hardening steps

# Enable service
sudo systemctl enable rspamd

# Start service
sudo systemctl start rspamd

# Stop service
sudo systemctl stop rspamd

# Restart service
sudo systemctl restart rspamd

# Reload configuration
sudo systemctl reload rspamd

# Check status
sudo systemctl status rspamd

# View logs
sudo journalctl -u rspamd -f

# Enable service
rc-update add rspamd default

# Start service
rc-service rspamd start

# Stop service
rc-service rspamd stop

# Restart service
rc-service rspamd restart

# Check status
rc-service rspamd status

# Enable in /etc/rc.conf
echo 'rspamd_enable="YES"' >> /etc/rc.conf

# Start service
service rspamd start

# Stop service
service rspamd stop

# Restart service
service rspamd restart

# Check status
service rspamd status

# Using Homebrew services
brew services start rspamd
brew services stop rspamd
brew services restart rspamd

# Check status
brew services list | grep rspamd

# Start service
net start rspamd

# Stop service
net stop rspamd

# Using PowerShell
Start-Service rspamd
Stop-Service rspamd
Restart-Service rspamd

# Check status
Get-Service rspamd

# Configure performance settings
cat >> /etc/rspamd/rspamd.conf << 'EOF'
workers = 4
EOF

# Apply system tuning
sudo sysctl -w net.core.somaxconn=65535
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=65535

# Restart service
sudo systemctl restart rspamd

# Configure clustering (if supported)
# See official documentation for cluster setup

# Basic load balancing setup example
# Configure multiple instances on different ports

upstream rspamd_backend {
    server 127.0.0.1:11333/11334;
    server 127.0.0.1:{default_port}1 backup;
}

server {
    listen 80;
    server_name rspamd.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name rspamd.example.com;

    ssl_certificate /etc/ssl/certs/rspamd.example.com.crt;
    ssl_certificate_key /etc/ssl/private/rspamd.example.com.key;

    location / {
        proxy_pass http://rspamd_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # WebSocket support (if needed)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

<VirtualHost *:80>
    ServerName rspamd.example.com
    Redirect permanent / https://rspamd.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName rspamd.example.com
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/rspamd.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/rspamd.example.com.key
    
    ProxyRequests Off
    ProxyPreserveHost On
    
    ProxyPass / http://127.0.0.1:11333/11334/
    ProxyPassReverse / http://127.0.0.1:11333/11334/
    
    # WebSocket support (if needed)
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://127.0.0.1:11333/11334/$1" [P,L]
</VirtualHost>

frontend rspamd_frontend
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/rspamd.pem
    redirect scheme https if !{ ssl_fc }
    default_backend rspamd_backend

backend rspamd_backend
    balance roundrobin
    option httpchk GET /health
    server rspamd1 127.0.0.1:11333/11334 check
    server rspamd2 127.0.0.1:{default_port}1 check backup

# Set appropriate permissions
sudo chown -R rspamd:rspamd /etc/rspamd
sudo chmod 750 /etc/rspamd

# Configure firewall
sudo firewall-cmd --permanent --add-service=rspamd
sudo firewall-cmd --reload

# Enable SELinux policies (if applicable)
sudo setsebool -P httpd_can_network_connect on

# Configure fail2ban
sudo tee /etc/fail2ban/jail.d/rspamd.conf << 'EOF'
[rspamd]
enabled = true
port = 11333/11334
filter = rspamd
logpath = /var/log/rspamd/*.log
maxretry = 5
bantime = 3600
EOF

# Generate SSL certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/rspamd.key \
    -out /etc/ssl/certs/rspamd.crt

# Configure SSL in rspamd
# See official documentation for SSL configuration

# Create database and user
sudo -u postgres psql << EOF
CREATE DATABASE rspamd_db;
CREATE USER rspamd_user WITH ENCRYPTED PASSWORD 'secure_password';
GRANT ALL PRIVILEGES ON DATABASE rspamd_db TO rspamd_user;
EOF

# Configure rspamd to use PostgreSQL
# See official documentation for database configuration

# Create database and user
sudo mysql << EOF
CREATE DATABASE rspamd_db;
CREATE USER 'rspamd_user'@'localhost' IDENTIFIED BY 'secure_password';
GRANT ALL PRIVILEGES ON rspamd_db.* TO 'rspamd_user'@'localhost';
FLUSH PRIVILEGES;
EOF

# Kernel parameters
sudo tee -a /etc/sysctl.conf << EOF
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.ip_local_port_range = 1024 65535
net.core.netdev_max_backlog = 5000
vm.swappiness = 10
EOF

sudo sysctl -p

# Rspamd specific tuning
workers = 4

# Configure system limits
sudo tee -a /etc/security/limits.conf << EOF
rspamd soft nofile 65535
rspamd hard nofile 65535
rspamd soft nproc 32768
rspamd hard nproc 32768
EOF

# prometheus.yml configuration
scrape_configs:
  - job_name: 'rspamd'
    static_configs:
      - targets: ['localhost:11333/11334']
    metrics_path: '/metrics'

# Basic health check script
#!/bin/bash
if systemctl is-active --quiet rspamd; then
    echo "Rspamd is running"
    exit 0
else
    echo "Rspamd is not running"
    exit 1
fi

# Configure log rotation
sudo tee /etc/logrotate.d/rspamd << 'EOF'
/var/log/rspamd/*.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 0640 rspamd rspamd
    postrotate
        systemctl reload rspamd > /dev/null 2>&1 || true
    endscript
}
EOF

#!/bin/bash
# Rspamd backup script
BACKUP_DIR="/backup/rspamd"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p "$BACKUP_DIR"

# Stop service (if required)
systemctl stop rspamd

# Backup configuration
tar -czf "$BACKUP_DIR/rspamd-config-$DATE.tar.gz" /etc/rspamd

# Backup data (adjust paths as needed)
tar -czf "$BACKUP_DIR/rspamd-data-$DATE.tar.gz" /var/lib/rspamd

# Start service
systemctl start rspamd

# Clean old backups (keep 30 days)
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +30 -delete

echo "Backup completed: $BACKUP_DIR"

# Stop service
sudo systemctl stop rspamd

# Restore configuration
sudo tar -xzf /backup/rspamd/rspamd-config-*.tar.gz -C /

# Restore data
sudo tar -xzf /backup/rspamd/rspamd-data-*.tar.gz -C /

# Set permissions
sudo chown -R rspamd:rspamd /etc/rspamd
sudo chown -R rspamd:rspamd /var/lib/rspamd

# Start service
sudo systemctl start rspamd

# Check logs
sudo journalctl -u rspamd -n 100
sudo tail -f /var/log/rspamd/*.log

# Check configuration
sudo rspamd -t || sudo rspamd configtest

# Check permissions
ls -la /etc/rspamd
ls -la /var/lib/rspamd

# Check if service is listening
sudo ss -tlnp | grep 11333/11334
sudo netstat -tlnp | grep 11333/11334

# Check firewall
sudo firewall-cmd --list-all
sudo iptables -L -n

# Test connection
telnet localhost 11333/11334
nc -zv localhost 11333/11334

# Check resource usage
top -p $(pgrep rspamd)
htop -p $(pgrep rspamd)

# Check connections
ss -ant | grep :11333/11334 | wc -l

# Monitor I/O
iotop -p $(pgrep rspamd)

# Run in debug mode
sudo rspamd -d
# or
sudo rspamd debug

# Increase log verbosity
# Edit configuration to enable debug logging

version: '3.8'
services:
  rspamd:
    image: rspamd:latest
    container_name: rspamd
    ports:
      - "11333/11334:11333/11334"
    volumes:
      - ./config:/etc/rspamd
      - ./data:/var/lib/rspamd
    environment:
      - rspamd_CONFIG=/etc/rspamd/rspamd.conf
    restart: unless-stopped
    networks:
      - rspamd_net

networks:
  rspamd_net:
    driver: bridge

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rspamd
spec:
  replicas: 3
  selector:
    matchLabels:
      app: rspamd
  template:
    metadata:
      labels:
        app: rspamd
    spec:
      containers:
      - name: rspamd
        image: rspamd:latest
        ports:
        - containerPort: 11333/11334
        volumeMounts:
        - name: config
          mountPath: /etc/rspamd
      volumes:
      - name: config
        configMap:
          name: rspamd-config
---
apiVersion: v1
kind: Service
metadata:
  name: rspamd
spec:
  selector:
    app: rspamd
  ports:
  - port: 11333/11334
    targetPort: 11333/11334
  type: LoadBalancer

---
- name: Install and configure Rspamd
  hosts: all
  become: yes
  tasks:
    - name: Install rspamd
      package:
        name: rspamd
        state: present
    
    - name: Configure rspamd
      template:
        src: rspamd.conf.j2
        dest: /etc/rspamd/rspamd.conf
        owner: rspamd
        group: rspamd
        mode: '0640'
      notify: restart rspamd
    
    - name: Start and enable rspamd
      systemd:
        name: rspamd
        state: started
        enabled: yes
  
  handlers:
    - name: restart rspamd
      systemd:
        name: rspamd
        state: restarted

# RHEL/CentOS/Rocky/AlmaLinux
sudo dnf update rspamd

# Debian/Ubuntu
sudo apt update && sudo apt upgrade rspamd

# Arch Linux
sudo pacman -Syu rspamd

# Alpine Linux
apk update && apk upgrade rspamd

# openSUSE
sudo zypper update rspamd

# FreeBSD
pkg update && pkg upgrade rspamd

# Always backup before updates
tar -czf /backup/rspamd-pre-update-$(date +%Y%m%d).tar.gz /etc/rspamd

# Restart after updates
sudo systemctl restart rspamd

# Clean logs
find /var/log/rspamd -name "*.log" -mtime +30 -delete

# Verify integrity
sudo rspamd --verify || sudo rspamd check

# Update databases (if applicable)
sudo rspamd-update-db

# Optimize performance
sudo rspamd-optimize

# Check for security updates
sudo rspamd --security-check