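# Ansible variables for an rspamd deployment: service account, config paths
# and the default module/worker settings (rspamd_default_config).
# NOTE(review): the top-level keys of rspamd_default_config look like rspamd
# local.d file names (one per module or worker); confirm against the template
# that renders them.

rspamd_user: rspamd
rspamd_group: rspamd

rspamd_conf_dir: /etc/rspamd
rspamd_local_dir: "{{ rspamd_conf_dir }}/local.d"
rspamd_local_map_dir: "{{ rspamd_local_dir }}/maps.d"
rspamd_override_dir: "{{ rspamd_conf_dir }}/override.d"

# DKIM/ARC private signing keys (one RSA-2048, one Ed25519).
# NOTE(review): ownership and mode are not set in this file; verify that the
# task installing these keys restricts read access to rspamd_user.
rspamd_dkim_rsa2048_key: "{{ rspamd_local_dir }}/dkim-rsa2048.key"
rspamd_dkim_ed25519_key: "{{ rspamd_local_dir }}/dkim-ed25519.key"

# Redis is reached over a local Unix socket rather than TCP.
rspamd_redis_socket: /run/redis/redis.sock
rspamd_controller_port: 11334

rspamd_default_config:
  actions:
    # NOTE(review): a reject threshold of 1000 looks intended to keep
    # score-based rejection from ever triggering, leaving rejection to
    # forced actions such as the multimap rule below; confirm.
    reject: 1000
    add_header: 8
    greylist: 12
    grow_factor: 1.1

  logging:
    type: syslog
    facility: mail
    level: notice
    log_re_cache: false
    log_severity: true

  options:
    # Networks treated as local; int_net is defined outside this file.
    local_addrs:
      - "{{ int_net }}"
      - "fe80::/10"
    max_message: 100Mb
    monitoring_watch_interval: 600s
    dns:
      nameserver:
        - "{{ hostvars[services.recursive_ns.hostname]['ansible_host'] }}:53"
      timeout: 2s

  settings:
    # Authenticated senders skip the listed symbol groups.
    # NOTE(review): mail from a compromised account is therefore scanned
    # with fewer checks; make sure outbound rate limiting or monitoring
    # covers that case elsewhere.
    authenticated:
      priority: high
      authenticated: true
      apply:
        groups_disabled:
          - rbl
          - spf
          - headers
          - excessb64
          - arc

  worker-controller:
    # Listens on every interface.
    # NOTE(review): secure_ip is an empty list, presumably so that no client
    # address bypasses the password; verify the effective value in the
    # rendered config.
    # NOTE(review): password and enable_password use the same secret, so
    # read-only and privileged controller access are not separated.
    # NOTE(review): rspamd accepts a hash generated by `rspamadm pw` here;
    # confirm rspamd_controller_password holds a hash, not cleartext.
    bind_socket: "*:{{ rspamd_controller_port }}"
    password: "{{ rspamd_controller_password }}"
    enable_password: "{{ rspamd_controller_password }}"
    secure_ip: []

  worker-normal:
    enabled: false

  worker-proxy:
    # Milter listener on every interface.
    # NOTE(review): nothing in this block authenticates milter clients;
    # restrict mail_server.rspamd_port to the MTA hosts at the network layer.
    milter: true
    timeout: 40s
    bind_socket: "*:{{ mail_server.rspamd_port }}"
    reject_message: "Message rejected"
    upstream:
      local:
        default: true
        hosts: localhost
        self_scan: true

  worker-fuzzy:
    expire: 30d
    backend: redis

  antivirus:
    # NOTE(review): with antivirus disabled, attachment filtering in this
    # file rests on the filename-extension multimap rule alone.
    enabled: false

  arc:
    enabled: true
    # __tld__ is presumably a placeholder substituted per domain by the
    # template; confirm.
    domain:
      __tld__:
        selector: rsa2048
        path: "{{ rspamd_dkim_rsa2048_key }}"
    use_domain: recipient
    allow_envfrom_empty: true
    allow_hdrfrom_mismatch: true
    allow_hdrfrom_multiple: false
    allow_username_mismatch: true
    # ARC seals are added to inbound mail only.
    sign_authenticated: false
    sign_inbound: true
    sign_local: false
    try_fallback: false
    use_redis: false
    use_esld: true
    sign_headers: "(o)From:(o)Sender:(o)Reply-To:(o)Subject:(o)To:(o)Cc:(o)In-Reply-To:(o)References:(o)Message-ID:BIMI-Selector:DKIM-Signature"
    sign_networks: []

  chartable:
    threshold: 0.3

  classifier-bayes:
    backend: redis
    new_schema: true
    expire: 8640000
    min_learns: 50
    autolearn:
      spam_threshold: 7.5
      ham_threshold: -0.01
      check_balance: true
      min_balance: 0.9

  dkim:
    time_jitter: 6h
    trusted_only: false

  dkim_signing:
    enabled: true
    # Each domain is signed twice: Ed25519 and RSA-2048.
    domain:
      __tld__:
        selectors:
          - selector: ed25519
            path: "{{ rspamd_dkim_ed25519_key }}"
          - selector: rsa2048
            path: "{{ rspamd_dkim_rsa2048_key }}"
    use_domain: header
    allow_envfrom_empty: true
    # NOTE(review): all three mismatch/multiple checks are relaxed, so the
    # signer does not tie the header From domain to the envelope sender or
    # the authenticated login, and a message with several From headers is
    # still signed. Confirm the MTA enforces sender/login ownership before
    # mail reaches the signer; otherwise consider setting these to false.
    allow_hdrfrom_mismatch: true
    allow_hdrfrom_multiple: true
    allow_username_mismatch: true
    sign_authenticated: true
    sign_local: true
    try_fallback: false
    use_redis: false
    use_esld: true
    # (o) oversigns the header; (x) oversigns it only when it is present.
    sign_headers: "(o)From:(x)Sender:(o)Reply-To:(o)Subject:(o)To:(o)Cc:(x)In-Reply-To:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:References:Message-ID:BIMI-Selector"
    sign_networks: []

  dmarc:
    # Both DMARC dispositions are mapped to add_header: mail failing a
    # p=reject or p=quarantine policy is tagged, not refused.
    # NOTE(review): confirm that downstream filtering acts on the added
    # header, otherwise spoofed mail reaches the inbox.
    actions:
      quarantine: add_header
      reject: add_header

  greylist:
    whitelisted_ip: "$LOCAL_CONFDIR/local.d/maps.d/local_ip_ranges.inc"
    whitelisted_domains_url: "$LOCAL_CONFDIR/local.d/maps.d/local_domains.inc"
    expire: 3d
    timeout: 10min
    greylist_min_score: 12
    ipv4_mask: 32
    ipv6_mask: 64
    message: "Your message has been temporarily greylisted. Try again later"
    action: "soft reject"

  history_redis:
    servers: "{{ rspamd_redis_socket }}"
    key_prefix: rs_history
    compress: true

  milter_headers:
    use:
      - remove-headers
      - spam-header
      - x-spamd-bar
      - x-spam-level
      - fuzzy-hashes
      - authentication-results
    authenticated_headers:
      - authentication-results
    extended_spam_headers: false
    skip_local: true
    skip_authenticated: true
    routines:
      # Strip spam-verdict headers supplied by the sender so that only
      # locally generated ones remain.
      remove-headers:
        headers:
          X-Spamd-Bar: 1
          X-Spam-Level: 1
          X-Spam-Score: 1
          X-Spam-Status: 1
          X-Spam-Flag: 1
      spam-header:
        header: X-Spam-Flag
        value: "YES"
        remove: 1
      fuzzy-hashes:
        header: X-Spam-Fuzzy
      # remove: 1 drops an incoming Authentication-Results header before
      # the local one is added.
      authentication-results:
        header: Authentication-Results
        remove: 1
        spf_symbols:
          pass: R_SPF_ALLOW
          fail: R_SPF_FAIL
          softfail: R_SPF_SOFTFAIL
          neutral: R_SPF_NEUTRAL
          temperror: R_SPF_DNSFAIL
          none: R_SPF_NA
          permerror: R_SPF_PERMFAIL
        dkim_symbols:
          pass: R_DKIM_ALLOW
          fail: R_DKIM_REJECT
          temperror: R_DKIM_TEMPFAIL
          none: R_DKIM_NA
          permerror: R_DKIM_PERMFAIL
        dmarc_symbols:
          pass: DMARC_POLICY_ALLOW
          permerror: DMARC_BAD_POLICY
          temperror: DMARC_DNSFAIL
          none: DMARC_NA
          reject: DMARC_POLICY_REJECT
          softfail: DMARC_POLICY_SOFTFAIL
          quarantine: DMARC_POLICY_QUARANTINE

  mime_types:
    application/pdf: "-0.5"
    application/gzip: "-0.25"

  multimap:
    # Forced reject for attachments whose file name extension is in the map.
    # NOTE(review): this matches on the declared file name only; a renamed
    # attachment is not caught by this rule.
    FILENAME_BLACKLISTED:
      type: filename
      filter: extension
      map: '${LOCAL_CONFDIR}/local.d/maps.d/bad_filenames.map'
      symbol: FILENAME_BLACKLISTED
      score: 100
      action: reject
      message: "Your mail has been rejected because a potentially malicious file has been found in its attachments"

  mx_check:
    enabled: true
    timeout: 5

  neural:
    enabled: true
    symbols:
      NEURAL_SPAM:
        weight: "3.0"
        description: "Neural network spam"
      NEURAL_HAM:
        weight: "-3.0"
        description: "Neural network ham"

  phishing:
    enabled: true
    # Third-party feed fetched over HTTPS; the scanner needs outbound access
    # to this host and trusts its contents.
    openphish_enabled: true
    openphish_map: "https://www.openphish.com/feed.txt"

  redis:
    servers: "{{ rspamd_redis_socket }}"

  replies:
    action: "no action"

# Attachment file name extensions treated as dangerous.
# NOTE(review): presumably rendered into bad_filenames.map, which the
# FILENAME_BLACKLISTED multimap rule reads; confirm against the tasks.
rspamd_bad_filenames:
  - ade
  - adp
  - apk
  - appx
  - appxbundle
  - bat
  - cab
  - chm
  - cmd
  - com
  - cpl
  - dll
  - dmg
  - ex
  - ex_
  - exe
  - hta
  - ins
  - isp
  - iso
  - jar
  - js
  - jse
  - lib
  - lnk
  - mde
  - msc
  - msi
  - msix
  - msixbundle
  - msp
  - mst
  - nsh
  - pif
  - ps1
  - scr
  - sct
  - shb
  - sys
  - vb
  - vbe
  - vbs
  - vxd
  - wsc
  - wsf
  - wsh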