Rspamd - Central Redis

Started by itngo, October 06, 2023, 07:51:26 AM

Hi,

we are in the process of migrating the spam filter from "Proxmox Mail Gateway" to Rspamd for about 30 opnsense customers.

Rspamd is capable of using a central Redis database, so that each spam filter can learn from and use a central database. Can this be accomplished with opnsense also? Where should the configuration take place?

Regards

You can do a port forward on localhost to the Redis port via the external Redis DB

Quote from: mimugmail on October 06, 2023, 01:28:17 PM
You can do a port forward on localhost to the Redis port via the external Redis DB

And can this be the "Central" Opnsense we have? Currently we do this for MalTrail sensors and for central management of IPS, dashboard, tunables... so can the Redis DB on opnsense be the target for about 30 other opnsense, even if reachable only over WAN with latency?

No experience with such a setup, but in theory, yes

Quote from: mimugmail on October 06, 2023, 05:39:25 PM
No experience with such a setup, but in theory, yes

We will test this in a couple of weeks and report back about this... Thank you....

I'm curious about the outcome, too. All projects I am familiar with use redis as an O(1) lookup memory cache, so I'm sceptical about a connection that might introduce high delay. Thanks in advance for reporting back.

May 26, 2024, 04:11:48 PM #6 Last Edit: May 26, 2024, 04:17:38 PM by dragoangel
Quote from: itngo on October 06, 2023, 02:25:26 PM
Quote from: mimugmail on October 06, 2023, 01:28:17 PM
You can do a port forward on localhost to the Redis port via the external Redis DB

And can this be the "Central" Opnsense we have? Currently we do this for MalTrail sensors and for central management of IPS, dashboard, tunables... so can the Redis DB on opnsense be the target for about 30 other opnsense, even if reachable only over WAN with latency?

Not the best idea to do, as:
1. Rspamd does not speak to Redis itself over SSL, as this is unstable; only stunnel is supported, so you will need to add extra care.
2. Delay is not so critical for writes, but for reads, well, it's better to be quick. So instead of trying to connect Rspamd to a Redis which is located far away, better:
a) Connect a Redis replica to the remote Redis master and point Rspamd to the local replica for reads and to the remote master for writes. Rspamd uses non-blocking operations, so writes to Redis by modules (like bayes, neural, reputation, learning etc.) are usually done after scanning the email. And I would repeat: TLS is not supported directly, but stunnel is. If you are not using a VPN to reach the master, you must use stunnel so as not to speak to Redis over the web without encryption.
b) You can consider using Rspamd over HTTP or HTTPS instead of running Rspamd per server at all. This is possible by using the /checkv2 endpoint. If you need to connect something via milter, you set up rspamd-proxy and configure it to scan via a remote rspamd-normal worker, which can be somewhere far away. This also allows you to spin up many rspamd-normal workers balanced by HAProxy, for example; here is how it looks: https://rspamd.com/doc/workers/rspamd_proxy.html#proxy-mode. I need to mention that Rspamd has an option to compress data from rspamd-proxy (milter) to rspamd-normal with zstd and to encrypt it with its own encryption, similar to mTLS but a bit different; this will secure your connection even over the web without HTTPS. For cases when you don't need milter but need the rspamd-normal /checkv2 endpoint directly (ZoneMTA, for example), you can point it to HAProxy, which will add SSL over the plain rspamd-normal endpoint.
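As an added example (not from this thread or the Rspamd project), here is what option a) above could look like on one node: Rspamd's local.d/redis.conf splits reads (local replica) from writes (remote master reached through a local stunnel client), since Rspamd itself does not do TLS to Redis. The file paths, the master hostname redis-master.example.net, port 6380 and the CA path are assumptions.

```conf
# --- /usr/local/etc/rspamd/local.d/redis.conf (added example; paths and hosts assumed) ---
# Reads hit the local Redis replica (fast, local O(1) lookups); writes go to the
# remote master through a local stunnel listener, because Rspamd does not
# speak TLS to Redis directly.
read_servers  = "127.0.0.1:6379";   # local replica, configured as replicaof the remote master
write_servers = "127.0.0.1:6380";   # stunnel client listener defined below
timeout = 1s;                       # fail fast instead of stalling scans on WAN hiccups
# password = "...";                 # if the master requires AUTH, set the same password here

# --- /usr/local/etc/stunnel/stunnel.conf (client side, same node; assumed path) ---
# Wraps the plain Redis protocol in TLS toward the master. The master side runs a
# matching stunnel server (or Redis with native TLS) listening on port 6380.
[redis-master]
client      = yes
accept      = 127.0.0.1:6380
connect     = redis-master.example.net:6380   # assumed hostname of the central Redis master
verifyChain = yes                             # reject the connection if the chain does not validate
CAfile      = /usr/local/etc/stunnel/ca.pem   # CA that issued the master's certificate (assumed path)
checkHost   = redis-master.example.net        # pin the expected certificate hostname
```

The replica's own replication stream to the master crosses the WAN as well, so protect it the same way (VPN, a second stunnel tunnel, or Redis native TLS replication); otherwise the reads are local but the sync traffic is still in clear text.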