Rspamd Lua Script to Log Email Size

Rspamd is a high-performance, open-source spam filtering system designed to protect email systems from spam, phishing, malware, and other email-borne threats. It uses a wide variety of sophisticated techniques, including machine learning, statistical analysis, regular expressions, and reputation systems, to assess and score emails for potential threats. Rspamd is known for its flexibility, speed, and low resource consumption, making it suitable for high-throughput environments. It can be integrated with various mail servers, such as Postfix and Exim, and allows for granular configuration through Lua scripting, enabling administrators to customize filtering rules and actions based on specific needs. Rspamd also supports distributed scanning and can work in conjunction with other email security systems, enhancing its ability to provide comprehensive protection against evolving email threats.

This tutorial will show how to write a Lua script for Rspamd that logs the "from" email address, "to" email address, and size of the email to a custom log file located in /var/log/rspamd/.

Steps:

  1. The script hooks into the post-filter phase (register_post_filter), which runs after Rspamd has finished scanning the message.
  2. It extracts the required details (from, to, and size) from the email message.
  3. It writes the information to a custom log file located at /var/log/rspamd/custom_email_log.log.

Lua Script:

-- Lua script for Rspamd to log email details (from, to, size) to a custom log file

local rspamd_logger = require "rspamd_logger"
-- LuaFileSystem (lfs) is not guaranteed to be available in Rspamd's Lua
-- environment; load it with pcall so a missing module does not abort the script
local lfs_ok, lfs = pcall(require, "lfs")

-- Define the log file location
local log_file_path = "/var/log/rspamd/custom_email_log.log"

-- Function to write to the log file (io.open/io.write are synchronous and
-- block the worker briefly for each message)
local function log_to_file(log_entry)
  local file, err = io.open(log_file_path, "a")
  if not file then
    rspamd_logger.errx(rspamd_config, "Failed to open log file: %1", err)
    return
  end

  file:write(log_entry .. "\n")
  file:close()
end

-- Hook into the postfilter phase to capture email details after processing
rspamd_config:register_post_filter(function(task)
  -- Get the envelope (SMTP) 'from' address; fall back to 'unknown' for bounces
  -- and other messages with an empty MAIL FROM
  local from = task:get_from('smtp')
  local from_address = from and from[1] and from[1]['addr'] or 'unknown'

  -- Get the first envelope recipient (a message may have several)
  local to = task:get_recipients('smtp')
  local to_address = to and to[1] and to[1]['addr'] or 'unknown'

  -- Get the email size in bytes
  local size = task:get_size() or 0

  -- Create log entry
  local log_entry = string.format("From: %s, To: %s, Size: %d bytes", from_address, to_address, size)

  -- Write to the custom log file
  log_to_file(log_entry)
end)

-- Ensure the directory exists (optional, in case the directory might not be created)
local function ensure_log_dir_exists()
  if not lfs_ok then
    -- Without lfs we cannot check or create the directory; rely on the
    -- permissions step below to have created it
    return
  end
  local log_dir = "/var/log/rspamd"
  if not lfs.attributes(log_dir, "mode") then
    local success, err = lfs.mkdir(log_dir)
    if not success then
      rspamd_logger.errx(rspamd_config, "Failed to create log directory: %1", err)
    end
  end
end

-- Initialize log directory check
ensure_log_dir_exists()

Explanation:

  1. Logging Function (log_to_file): The function log_to_file opens the custom log file in append mode and writes a new entry containing the from email address, to email address, and the size of the email.
  2. Postfilter Hook: The script hooks into the post-filter phase using register_post_filter. This ensures that the logging happens after the email has been processed by Rspamd. Inside the function, it retrieves the envelope sender (from), the first envelope recipient (to), and the size of the email. If a value is unavailable, a default value ('unknown' or 0) is used.
  3. Directory Check (ensure_log_dir_exists): The ensure_log_dir_exists function checks if the /var/log/rspamd/ directory exists, and if not, attempts to create it. This step is optional but can help prevent errors in cases where the directory might not already exist.
  4. Logging Format: The log entry is formatted as a string and written to the log file. Each log entry is on a new line.
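As an added example (not part of the original tutorial and not Rspamd's own code), here is a variant of the post-filter that treats the envelope addresses as untrusted input before writing them to the log. The sender and recipient strings are supplied by the remote SMTP client, so an address containing a line break or the text ", To: " would otherwise produce a forged extra log line or field in the custom log. It logs every recipient rather than only the first. It assumes rspamd_config and rspamd_logger are provided by Rspamd when the script is loaded there, and it uses task:get_queue_id() from the Rspamd task API (not used on this page) to add the MTA queue id for correlation; the demo task at the bottom is constructed for this example only.

```lua
-- Added example (not from the tutorial): the same post-filter, with the
-- envelope fields sanitised before they are written to the log.
-- Assumptions: rspamd_config and rspamd_logger are provided by Rspamd when the
-- script is loaded there; task:get_queue_id() is the Rspamd task API call that
-- returns the MTA queue id (not used in the original script).

local log_file_path = "/var/log/rspamd/custom_email_log.log"
local MAX_FIELD_LEN = 254  -- longest path RFC 5321 allows; anything longer is truncated

-- rspamd_logger exists only inside Rspamd; tolerate its absence so the file can
-- also be run with a plain `lua` interpreter for the demo at the bottom.
local have_logger, rspamd_logger = pcall(require, "rspamd_logger")

-- Sender and recipient addresses are copied straight from the SMTP envelope, so
-- a remote client chooses their bytes. Replace anything outside printable ASCII
-- (CR, LF, other control characters, non-ASCII) and the separators this log
-- format uses itself (',' between fields, ';' between recipients) with '?',
-- and cap the length, so one message always yields exactly one well-formed line.
local function sanitize(field)
  if type(field) ~= "string" or field == "" then
    return "unknown"
  end
  local clean = field:gsub("[^%w%p ]", "?")  -- keep letters, digits, punctuation, space
  clean = clean:gsub("[,;]", "?")            -- neutralise our own separators
  if #clean > MAX_FIELD_LEN then
    clean = clean:sub(1, MAX_FIELD_LEN) .. "..."
  end
  return clean
end

-- Log every recipient, not only the first one, ';'-separated.
local function format_recipients(rcpts)
  local out = {}
  for _, rcpt in ipairs(rcpts or {}) do
    out[#out + 1] = sanitize(rcpt["addr"])
  end
  if #out == 0 then
    return "unknown"
  end
  return table.concat(out, ";")
end

-- Build one log line: queue id (to correlate with the MTA log), sender,
-- recipients and message size in bytes.
local function build_log_entry(task)
  local from = task:get_from("smtp")
  local from_address = sanitize(from and from[1] and from[1]["addr"])
  local to_list = format_recipients(task:get_recipients("smtp"))
  local size = task:get_size() or 0
  return string.format("QueueID: %s, From: %s, To: %s, Size: %d bytes",
    sanitize(task:get_queue_id()), from_address, to_list, size)
end

-- Append one line; io.open/io.write block the worker for the duration of the
-- write, which is acceptable for a local file but not for remote storage.
local function log_to_file(log_entry)
  local file, err = io.open(log_file_path, "a")
  if not file then
    if have_logger then
      rspamd_logger.errx(rspamd_config, "Failed to open log file: %1", err)
    else
      io.stderr:write("Failed to open log file: " .. tostring(err) .. "\n")
    end
    return
  end
  file:write(log_entry, "\n")
  file:close()
end

if rspamd_config then
  -- Loaded by Rspamd: register the post-filter exactly as the tutorial does.
  rspamd_config:register_post_filter(function(task)
    log_to_file(build_log_entry(task))
  end)
else
  -- Run with a plain `lua` interpreter: a constructed task whose sender and
  -- second recipient carry a CRLF and a fake ", To:" field, to show that the
  -- sanitiser keeps them on one line. All values below are made up for this demo.
  local demo_task = {
    get_from = function() return { { addr = "alice@example.com\r\nFrom: forged@example.com" } } end,
    get_recipients = function()
      return { { addr = "bob@example.com" }, { addr = "carol@example.com, To: x@example.com" } }
    end,
    get_size = function() return 4096 end,
    get_queue_id = function() return "DEMO-QUEUE-ID" end,
  }
  print(build_log_entry(demo_task))
end
```

Run the file with a standalone lua interpreter to see the demo line, in which the CRLF in the sender and the comma in the second recipient have been replaced by '?' so the entry stays on one line with the expected four fields. Inside Rspamd, rspamd_config is defined and the demo branch is skipped; the script registers the post-filter just like the tutorial's version, with the same file path and permission requirements.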

Permissions:

Ensure that the Rspamd user (typically rspamd or nobody) has the necessary permissions to write to /var/log/rspamd/. You may need to adjust the permissions of the directory or file:

sudo chown -R rspamd:rspamd /var/log/rspamd
sudo chmod 755 /var/log/rspamd

This script can be added to the /etc/rspamd/local.d/ or /etc/rspamd/override.d/ configuration directories, depending on how you prefer to manage your customizations.