From 35c40c29dde6762e682df699bd8eb5d42ee529ef Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.haas@performance-media.de>
Date: Mon, 2 Dec 2019 17:35:54 +0100
Subject: [PATCH 1/9] Roles enabled in main playbook

---
 ansible/ispmail.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/ispmail.yml b/ansible/ispmail.yml
index aa961eb..f89da8d 100644
--- a/ansible/ispmail.yml
+++ b/ansible/ispmail.yml
@@ -14,10 +14,10 @@
   roles:
   #- dumpvars
   - ispmail-packages
-#  - ispmail-certificate
+  - ispmail-certificate
   - ispmail-database
-#  - ispmail-postfix
-#  - ispmail-dovecot
+  - ispmail-postfix
+  - ispmail-dovecot
 #  - ispmail-webmail
   - ispmail-webmail-apache-horde
   - ispmail-tests

From b6aad486d2c0ce78413cd26a3171f347cc79244b Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.haas@performance-media.de>
Date: Tue, 3 Dec 2019 10:14:49 +0100
Subject: [PATCH 2/9] Milter rspamd settings added to Postfix

---
 ansible/roles/ispmail-postfix/tasks/main.yml | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/ansible/roles/ispmail-postfix/tasks/main.yml b/ansible/roles/ispmail-postfix/tasks/main.yml
index d60c0af..e9aee6f 100644
--- a/ansible/roles/ispmail-postfix/tasks/main.yml
+++ b/ansible/roles/ispmail-postfix/tasks/main.yml
@@ -76,25 +76,18 @@
 - name: Set TLS encryption key
   command: postconf smtpd_tls_key_file=/etc/ssl/private/mailserver.pem
 
-# - name: Enabling Spamassassin milter
-#   command: postconf smtpd_milters=unix:/spamass/spamass.sock
-
-# - name: Configuring Spamassassin milter
-#   command: postconf milter_connect_macros="i j {daemon_name} v {if_name} _"
-
-# - name: Setting spamd options
-#   copy: src=etc-default-spamassassin dest=/etc/default/spamassassin
-#   notify: restart spamassassin
-
-# - name: Adding user spamass-milter to debian-spamd group
-#   user: name=spamass-milter groups=debian-spamd
-#   notify: restart spamassassin
-
-# - name: Enabling spamd at startup
-#   command: systemctl enable spamassassin
-
 - name: Allow emails up to 40 MB large
   command: postconf message_size_limit=41943040
 
 - name: Make Postfix listen on all interfaces
   command: postconf inet_interfaces=all
+
+- name: Set rspamd milter for smtpd
+  command: postconf smtpd_milters=inet:127.0.0.1:11332
+
+- name: Set rspamd milter for local mails
+  command: postconf non_smtpd_milters=inet:127.0.0.1:11332
+
+- name: Set rspamd milter macros
+  command: postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
+

From 6de64db526993a65fadb11a270ea9242f85761f3 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.haas@performance-media.de>
Date: Tue, 3 Dec 2019 10:15:20 +0100
Subject: [PATCH 3/9] Password variable fixed

---
 ansible/group_vars/all | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 9100a67..d912abc 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -3,7 +3,7 @@
 ispmail_populate_test_data: true
 
 # MySQL password for read-only user
-ispmail_mysql_mailuser_password: ChangeMe
+ispmail_mysql_mailserver_password: ChangeMeServer
 
 # MySQL password for administrative root user
 ispmail_mysql_root_password: ChangeMeRoot

From 074ccfe1189bde53756e615a86fff09feb281e34 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.haas@performance-media.de>
Date: Thu, 5 Dec 2019 18:08:10 +0100
Subject: [PATCH 4/9] Antispam features added

---
 ansible/group_vars/all                             |  6 +-
 ansible/ispmail.yml                                |  3 +-
 .../roles/ispmail-dovecot/files/15-mailboxes.conf  | 80 ++++++++++++++++++++++
 ansible/roles/ispmail-dovecot/files/90-sieve.conf  | 42 ++++++++----
 .../roles/ispmail-dovecot/files/learn-ham.sieve    |  3 +
 .../roles/ispmail-dovecot/files/learn-spam.sieve   |  3 +
 .../ispmail-dovecot/files/rspamd-learn-ham.sh      |  2 +
 .../ispmail-dovecot/files/rspamd-learn-spam.sh     |  2 +
 ansible/roles/ispmail-dovecot/handlers/main.yml    |  2 -
 ansible/roles/ispmail-dovecot/tasks/main.yml       | 33 +++++++++
 ansible/roles/ispmail-packages/tasks/main.yml      |  1 +
 .../ispmail-rspamd/files/classifier-bayes.conf     |  0
 .../roles/ispmail-rspamd/files/milter_headers.conf |  1 +
 ansible/roles/ispmail-rspamd/files/redis.conf      |  1 +
 ansible/roles/ispmail-rspamd/files/statistic.conf  |  3 +
 ansible/roles/ispmail-rspamd/handlers/site.yml     |  5 ++
 ansible/roles/ispmail-rspamd/tasks/main.yml        | 41 +++++++++++
 .../templates/worker-controller.conf.j2            |  1 +
 .../tasks/main.yml                                 | 22 +++---
 .../templates/vhosts/https.j2                      |  7 ++
 20 files changed, 232 insertions(+), 26 deletions(-)
 create mode 100644 ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
 create mode 100644 ansible/roles/ispmail-dovecot/files/learn-ham.sieve
 create mode 100644 ansible/roles/ispmail-dovecot/files/learn-spam.sieve
 create mode 100644 ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh
 create mode 100644 ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh
 create mode 100644 ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
 create mode 100644 ansible/roles/ispmail-rspamd/files/milter_headers.conf
 create mode 100644 ansible/roles/ispmail-rspamd/files/redis.conf
 create mode 100644 ansible/roles/ispmail-rspamd/files/statistic.conf
 create mode 100644 ansible/roles/ispmail-rspamd/handlers/site.yml
 create mode 100644 ansible/roles/ispmail-rspamd/tasks/main.yml
 create mode 100644 ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index e5e2f95..cdee4aa 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -34,6 +34,10 @@ ispmail_postmaster_address: postmaster@example.org
 # that points to your server.
 ispmail_webmail_hostname: 10.0.0.100
 
+# Password for rspamd web interface authentication at
+# https://…/rspamd
+ispmail_rspamd_web_password: ChangeMeRspamd
+
 # Information for self-signed certificate
 ispmail_certificate_country: DE
 ispmail_certificate_state: Schleswig-Holstein
@@ -44,5 +48,3 @@ ispmail_certificate_domains:
   - example.org
 ispmail_certificate_email: postmaster@example.org
 ispmail_certificate_days_valid: 3650
-
-# TODO: Let's Encrypt email address
diff --git a/ansible/ispmail.yml b/ansible/ispmail.yml
index de3cd86..f307e2f 100644
--- a/ansible/ispmail.yml
+++ b/ansible/ispmail.yml
@@ -25,6 +25,7 @@
       tags: dovecot
     - role: ispmail-webmail-apache-roundcube
       tags: roundcube
+    - role: ispmail-rspamd
+      tags: rspamd
     #  - ispmail-webmail-apache-horde
     #- ispmail-tests
-
diff --git a/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf b/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
new file mode 100644
index 0000000..2f03a98
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
@@ -0,0 +1,80 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+#   Indicates whether the mailbox with this name is automatically created
+#   implicitly when it is first accessed. The user can also be automatically
+#   subscribed to the mailbox after creation. The following values are
+#   defined for this setting:
+#
+#     no        - Never created automatically.
+#     create    - Automatically created, but no automatic subscription.
+#     subscribe - Automatically created and subscribed.
+#
+# special_use:
+#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+#   mailbox. There are no validity checks, so you could specify anything
+#   you want in here, but it's not a good idea to use flags other than the
+#   standard ones specified in the RFC:
+#
+#     \All      - This (virtual) mailbox presents all messages in the
+#                 user's message store.
+#     \Archive  - This mailbox is used to archive messages.
+#     \Drafts   - This mailbox is used to hold draft messages.
+#     \Flagged  - This (virtual) mailbox presents all messages in the
+#                 user's message store marked with the IMAP \Flagged flag.
+#     \Junk     - This mailbox is where messages deemed to be junk mail
+#                 are held.
+#     \Sent     - This mailbox is used to hold copies of messages that
+#                 have been sent.
+#     \Trash    - This mailbox is used to hold messages that have been
+#                 deleted.
+#
+# comment:
+#   Defines a default comment or note associated with the mailbox. This
+#   value is accessible through the IMAP METADATA mailbox entries
+#   "/shared/comment" and "/private/comment". Users with sufficient
+#   privileges can override the default value for entries with a custom
+#   value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Drafts {
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    special_use = \Junk
+    autoexpunge = 30d
+  }
+  mailbox Trash {
+    special_use = \Trash
+    autoexpunge = 30d
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+
+  # If you have a virtual "All messages" mailbox:
+  #mailbox virtual/All {
+  #  special_use = \All
+  #  comment = All my messages
+  #}
+
+  # If you have a virtual "Flagged" mailbox:
+  #mailbox virtual/Flagged {
+  #  special_use = \Flagged
+  #  comment = All my flagged messages
+  #}
+}
diff --git a/ansible/roles/ispmail-dovecot/files/90-sieve.conf b/ansible/roles/ispmail-dovecot/files/90-sieve.conf
index 6a2be9e..c37129e 100644
--- a/ansible/roles/ispmail-dovecot/files/90-sieve.conf
+++ b/ansible/roles/ispmail-dovecot/files/90-sieve.conf
@@ -16,7 +16,7 @@
 #
 # location = [<type>:]path[;<option>[=<value>][;...]]
 #
-# If the type prefix is omitted, the script location type is 'file' and the 
+# If the type prefix is omitted, the script location type is 'file' and the
 # location is interpreted as a local filesystem path pointing to a Sieve script
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
@@ -27,7 +27,7 @@ plugin {
   # delivery. The "include" extension uses this location for retrieving
   # :personal" scripts. This is also where the  ManageSieve service will store
   # the user's scripts, if supported.
-  # 
+  #
   # Currently only the 'file:' location type supports ManageSieve operation.
   # Other location types like 'dict:' and 'ldap:' can currently only
   # be used as a read-only script source ().
@@ -46,9 +46,9 @@ plugin {
   #     script.
   #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
-  # The name by which the default Sieve script (as configured by the 
-  # sieve_default setting) is visible to the user through ManageSieve. 
-  #sieve_default_name = 
+  # The name by which the default Sieve script (as configured by the
+  # sieve_default setting) is visible to the user through ManageSieve.
+  #sieve_default_name =
 
   # Location for ":global" include scripts as used by the "include" extension.
   #sieve_global =
@@ -63,7 +63,7 @@ plugin {
   #sieve_discard =
 
   # Location Sieve of scripts that need to be executed before the user's
-  # personal script. If a 'file' location path points to a directory, all the 
+  # personal script. If a 'file' location path points to a directory, all the
   # Sieve scripts contained therein (with the proper `.sieve' extension) are
   # executed. The order of execution within that directory is determined by the
   # file names, using a normal 8bit per-character comparison.
@@ -113,6 +113,7 @@ plugin {
   # (http://pigeonhole.dovecot.org) for available plugins.
   # The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
+  sieve_plugins = sieve_imapsieve sieve_extprograms
 
   # The separator that is expected between the :user and :detail
   # address parts introduced by the subaddress extension. This may
@@ -182,18 +183,18 @@ plugin {
   ## TRACE DEBUGGING
   # Trace debugging provides detailed insight in the operations performed by
   # the Sieve script. These settings apply to both the LDA Sieve plugin and the
-  # IMAPSIEVE plugin. 
+  # IMAPSIEVE plugin.
   #
   # WARNING: On a busy server, this functionality can quickly fill up the trace
   # directory with a lot of trace files. Enable this only temporarily and as
   # selective as possible.
-  
+
   # The directory where trace files are written. Trace debugging is disabled if
-  # this setting is not configured or if the directory does not exist. If the 
+  # this setting is not configured or if the directory does not exist. If the
   # path is relative or it starts with "~/" it is interpreted relative to the
   # current user's home directory.
   #sieve_trace_dir =
-  
+
   # The verbosity level of the trace messages. Trace debugging is disabled if
   # this setting is not configured. Possible values are:
   #
@@ -204,12 +205,27 @@ plugin {
   #   "matching"       - Print all executed commands, performed tests and the
   #                      values matched in those tests.
   #sieve_trace_level =
-  
+
   # Enables highly verbose debugging messages that are usually only useful for
   # developers.
   #sieve_trace_debug = no
-  
+
   # Enables showing byte code addresses in the trace output, rather than only
   # the source line numbers.
-  #sieve_trace_addresses = no 
+  #sieve_trace_addresses = no
+
+  # From elsewhere to Junk folder
+  imapsieve_mailbox1_name = INBOX.Junk
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
+
+  # From Junk folder to elsewhere
+  imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_from = INBOX.Junk
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
+
+  sieve_pipe_bin_dir = /etc/dovecot/sieve
+
+  sieve_global_extensions = +vnd.dovecot.pipe
 }
diff --git a/ansible/roles/ispmail-dovecot/files/learn-ham.sieve b/ansible/roles/ispmail-dovecot/files/learn-ham.sieve
new file mode 100644
index 0000000..769d6ae
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/learn-ham.sieve
@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+
+pipe :copy "rspamd-learn-ham.sh";
diff --git a/ansible/roles/ispmail-dovecot/files/learn-spam.sieve b/ansible/roles/ispmail-dovecot/files/learn-spam.sieve
new file mode 100644
index 0000000..6ab2ed3
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/learn-spam.sieve
@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+
+pipe :copy "rspamd-learn-spam.sh";
diff --git a/ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh b/ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh
new file mode 100644
index 0000000..c30528f
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_ham
diff --git a/ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh b/ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh
new file mode 100644
index 0000000..da8e276
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_spam
diff --git a/ansible/roles/ispmail-dovecot/handlers/main.yml b/ansible/roles/ispmail-dovecot/handlers/main.yml
index 15f975d..13d2cda 100644
--- a/ansible/roles/ispmail-dovecot/handlers/main.yml
+++ b/ansible/roles/ispmail-dovecot/handlers/main.yml
@@ -1,5 +1,3 @@
 ---
 - name: restart dovecot
   service: name=dovecot state=restarted
-- name: recompile sieve script
-  command: sievec /etc/dovecot/sieve-after
diff --git a/ansible/roles/ispmail-dovecot/tasks/main.yml b/ansible/roles/ispmail-dovecot/tasks/main.yml
index cf5191d..5f963c9 100644
--- a/ansible/roles/ispmail-dovecot/tasks/main.yml
+++ b/ansible/roles/ispmail-dovecot/tasks/main.yml
@@ -20,6 +20,9 @@
 - name: Copying SSL configuration (10-ssl.conf)
   template: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
   notify: restart dovecot
+- name: Set autoexpunge for Trash and Junk folders (15-mailboxes.conf)
+  copy: src=15-mailboxes.conf dest=/etc/dovecot/conf.d/15-mailboxes.conf
+  notify: restart dovecot
 - name: Copying LMTP configuration (20-lmtp.conf - enable sieve plugin)
   copy: src=20-lmtp.conf dest=/etc/dovecot/conf.d/20-lmtp.conf
   notify: restart dovecot
@@ -37,6 +40,11 @@
 - name: Create global sieve-after script to send spam to its mail folder
   copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve-after/spam-to-folder.sieve
   notify: recompile sieve script
+- name: Create sieve directory
+  file:
+    path: /etc/dovecot/sieve
+    state: directory
+
 - name: Copying Sieve plugin configuration (90-sieve.conf)
   copy: src=90-sieve.conf dest=/etc/dovecot/conf.d/90-sieve.conf
   notify: restart dovecot
@@ -49,3 +57,28 @@
     dest: /usr/local/bin/quota-warning.sh
     mode: 0750
   notify: restart dovecot
+- name: Copy learn sieve scripts
+  copy:
+    src: "{{item}}"
+    dest: "/etc/dovecot/sieve/{{item}}"
+  with_items:
+    - learn-ham.sieve
+    - learn-spam.sieve
+
+- name: Copy ham/spam learning scripts
+  copy:
+    src: "rspamd-learn-{{item}}.sh"
+    dest: "/etc/dovecot/sieve/rspamd-learn-{{item}}.sh"
+    mode: 0700
+  with_items:
+    - ham
+    - spam
+
+- name: recompile sieve scripts
+  command:
+    cmd: "sievec /etc/dovecot/{{item}}.sieve"
+    creates: "/etc/dovecot/{{item}}.svbin"
+  with_items:
+    - sieve-after/spam-to-folder
+    - sieve/learn-ham
+    - sieve/learn-spam
diff --git a/ansible/roles/ispmail-packages/tasks/main.yml b/ansible/roles/ispmail-packages/tasks/main.yml
index 13b5803..8b60916 100644
--- a/ansible/roles/ispmail-packages/tasks/main.yml
+++ b/ansible/roles/ispmail-packages/tasks/main.yml
@@ -28,4 +28,5 @@
       - fail2ban
       - ca-certificates
       - mutt
+      - redis
 # TODO: shorewall
diff --git a/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf b/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/ispmail-rspamd/files/milter_headers.conf b/ansible/roles/ispmail-rspamd/files/milter_headers.conf
new file mode 100644
index 0000000..915a6e2
--- /dev/null
+++ b/ansible/roles/ispmail-rspamd/files/milter_headers.conf
@@ -0,0 +1 @@
+extended_spam_headers = true;
diff --git a/ansible/roles/ispmail-rspamd/files/redis.conf b/ansible/roles/ispmail-rspamd/files/redis.conf
new file mode 100644
index 0000000..5a9c582
--- /dev/null
+++ b/ansible/roles/ispmail-rspamd/files/redis.conf
@@ -0,0 +1 @@
+servers = "127.0.0.1";
diff --git a/ansible/roles/ispmail-rspamd/files/statistic.conf b/ansible/roles/ispmail-rspamd/files/statistic.conf
new file mode 100644
index 0000000..a3eab67
--- /dev/null
+++ b/ansible/roles/ispmail-rspamd/files/statistic.conf
@@ -0,0 +1,3 @@
+classifier "bayes" {
+   users_enabled = true;
+ }
diff --git a/ansible/roles/ispmail-rspamd/handlers/site.yml b/ansible/roles/ispmail-rspamd/handlers/site.yml
new file mode 100644
index 0000000..ab3c64a
--- /dev/null
+++ b/ansible/roles/ispmail-rspamd/handlers/site.yml
@@ -0,0 +1,5 @@
+---
+- name: restart rspamd
+  service:
+    name: rspamd
+    state: restarted
diff --git a/ansible/roles/ispmail-rspamd/tasks/main.yml b/ansible/roles/ispmail-rspamd/tasks/main.yml
new file mode 100644
index 0000000..db4a951
--- /dev/null
+++ b/ansible/roles/ispmail-rspamd/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: Enable rspamd autolearning
+  copy:
+    src: classifier-bayes.conf
+    dest: /etc/rspamd/override.d/classifier-bayes.conf
+  notify: restart rspamd
+
+- name: Enable rspamd extended headers
+  copy:
+    src: milter_headers.conf
+    dest: /etc/rspamd/override.d/milter_headers.conf
+  notify: restart rspamd
+
+- name: Enable rspamd per-user bayes training
+  copy:
+    src: statistic.conf
+    dest: /etc/rspamd/override.d/statistic.conf
+  notify: restart rspamd
+
+- name: Enable rspamd redis backend
+  copy:
+    src: redis.conf
+    dest: /etc/rspamd/override.d/redis.conf
+  notify: restart rspamd
+
+- name: Hash the rspamd web interface password
+  shell: "rspamadm pw -p {{ispmail_rspamd_web_password}}"
+  register: ispmail_rspamd_web_password_hashed
+  notify: restart rspamd
+
+- name: Set rspamd admin web interface password
+  template:
+    src: worker-controller.conf.j2
+    dest: /etc/rspamd/local.d/worker-controller.inc
+  notify: restart rspamd
+
+- name: Enable redis module in rspamd
+  copy:
+    src: redis.conf
+    dest: /etc/rspamd/override.d/redis.conf
+  notify: restart rspamd
diff --git a/ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2 b/ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2
new file mode 100644
index 0000000..11c578d
--- /dev/null
+++ b/ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2
@@ -0,0 +1 @@
+password = "{{ispmail_rspamd_web_password_hashed.stdout}}";
diff --git a/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml b/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml
index eff658e..8038488 100644
--- a/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml
+++ b/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml
@@ -22,20 +22,20 @@
 - name: Deploying Roundcube managesieve plugin configuration
   template:
     src: plugins/managesieve/config.inc.php.j2
-    dest: /etc/roundcube/plugins/managesieve/config.inc.php 
+    dest: /etc/roundcube/plugins/managesieve/config.inc.php
     owner: root
     group: www-data
     mode: 0640
 - name: Deploying Roundcube password plugin configuration
-  template: 
-    src: plugins/password/config.inc.php.j2 
-    dest: /etc/roundcube/plugins/password/config.inc.php 
-    owner: root 
-    group: www-data 
+  template:
+    src: plugins/password/config.inc.php.j2
+    dest: /etc/roundcube/plugins/password/config.inc.php
+    owner: root
+    group: www-data
     mode: 0640
 - name: Copy ISPmail logo
-  copy: 
-    src: ispmail-logo.png 
+  copy:
+    src: ispmail-logo.png
     dest: /var/lib/roundcube/skins/larry/
 - name: Enable Apache rewrite and ssl module
   shell: a2enmod {{item}}
@@ -76,3 +76,9 @@
   args:
     creates: /etc/apache2/sites-enabled/{{ispmail_fqdn}}-https.conf
   notify: restart apache
+
+- name: Enable Apache mod_proxy for rspamd admin web interface
+  command:
+    cmd: a2enmod http_proxy
+    creates: /etc/apache2/mods-enabled/proxy_http.load
+  notify: restart apache
diff --git a/ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2 b/ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2
index 0283cc0..9d8a875 100644
--- a/ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2
+++ b/ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2
@@ -2,9 +2,16 @@
   ServerName {{ispmail_fqdn}}
   DocumentRoot /var/lib/roundcube
 
+  # Adminer
   Alias /adminer /usr/share/adminer/adminer
+
+  # Roundcube
   Include /etc/roundcube/apache.conf
 
+  # Rspamd admin interface
+  ProxyPass "/rspamd" "http://localhost:11334"
+  ProxyPassReverse "/rspamd" "http://localhost:11334"
+
   SSLEngine on
   SSLCertificateKeyFile /etc/ssl/private/mailserver.pem
   SSLCertificateFile /etc/ssl/certs/mailserver.pem

From 498f68c90ea40352cbd24fd0720fa1cdce69f0c7 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.haas@performance-media.de>
Date: Fri, 6 Dec 2019 09:38:08 +0100
Subject: [PATCH 5/9] Missing bayes config added

---
 ansible/roles/ispmail-rspamd/files/classifier-bayes.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf b/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
index e69de29..cc2c8b2 100644
--- a/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
+++ b/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
@@ -0,0 +1,5 @@
+classifier "bayes" {
+   users_enabled = true;
+   backend = "redis";
+   autolearn = true;
+ }

From f4bfc485b87f0f63364991060013aa932c6cbae7 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.haas@performance-media.de>
Date: Fri, 20 Dec 2019 11:56:26 +0100
Subject: [PATCH 6/9] Using TLS to connect to mailserver

---
 .../ispmail-webmail-apache-roundcube/templates/config.inc.php.j2      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2 b/ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2
index 6bf304a..d420907 100644
--- a/ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2
+++ b/ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2
@@ -32,7 +32,7 @@ include_once("/etc/roundcube/debian-db-roundcube.php");
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %s - domain name after the '@' from e-mail address provided at login screen
 // For example %n = mail.domain.tld, %t = domain.tld
-$config['default_host'] = 'localhost';
+$config['default_host'] = 'tls://{{ispmail_fqdn}}';
 
 // SMTP server host (for sending mails).
 // Enter hostname with prefix tls:// to use STARTTLS, or use
@@ -44,7 +44,7 @@ $config['default_host'] = 'localhost';
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %z - IMAP domain (IMAP hostname without the first part)
 // For example %n = mail.domain.tld, %t = domain.tld
-$config['smtp_server'] = 'localhost';
+$config['smtp_server'] = 'tls://{{ispmail_fqdn}}';
 
 // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
 // deprecated SSL over SMTP (aka SMTPS))

From dd51470ada71f10e1979c9402495fb0e8007ef91 Mon Sep 17 00:00:00 2001
From: Adam Bardall <adam.bardall@asm.org.uk>
Date: Thu, 30 Jan 2020 15:13:25 +0100
Subject: [PATCH 7/9] Corrected notify 'recompile sieve script' to 'recompile
 sieve scripts'

---
 ansible/roles/ispmail-dovecot/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/ispmail-dovecot/tasks/main.yml b/ansible/roles/ispmail-dovecot/tasks/main.yml
index 5f963c9..0ecae4d 100644
--- a/ansible/roles/ispmail-dovecot/tasks/main.yml
+++ b/ansible/roles/ispmail-dovecot/tasks/main.yml
@@ -39,7 +39,7 @@
   file: path=/etc/dovecot/sieve-after state=directory
 - name: Create global sieve-after script to send spam to its mail folder
   copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve-after/spam-to-folder.sieve
-  notify: recompile sieve script
+  notify: recompile sieve scripts
 - name: Create sieve directory
   file:
     path: /etc/dovecot/sieve

From b69d6ab4532cff2201033383ea7835b6753b1afb Mon Sep 17 00:00:00 2001
From: Adam Bardall <adam.bardall@asm.org.uk>
Date: Thu, 30 Jan 2020 16:26:33 +0100
Subject: [PATCH 8/9] changed http_proxy to proxy_http

---
 ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml b/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml
index 8038488..5e18a6b 100644
--- a/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml
+++ b/ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml
@@ -79,6 +79,6 @@
 
 - name: Enable Apache mod_proxy for rspamd admin web interface
   command:
-    cmd: a2enmod http_proxy
+    cmd: a2enmod proxy_http
     creates: /etc/apache2/mods-enabled/proxy_http.load
   notify: restart apache

From 9683de97fc5c06cdea651305adc8da7967905a61 Mon Sep 17 00:00:00 2001
From: Adam Bardall <adam.bardall@asm.org.uk>
Date: Thu, 30 Jan 2020 16:49:38 +0100
Subject: [PATCH 9/9] added handler for rspamd

---
 ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml b/ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml
index af398e8..eb089b3 100644
--- a/ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml
+++ b/ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml
@@ -3,3 +3,8 @@
   service:
     name: apache2
     state: restarted
+
+- name: restart rspamd
+  service:
+    name: rspamd
+    state: restarted