deploy: bcee78e2c1

2025-02-16 22:17:53 +00:00 · 2025-02-16 22:17:53 +00:00 · f5a659b925
parent 40b1176cb0
commit f5a659b925
2 changed files with 184 additions and 188 deletions
--- a/edge/config/security/rspamd/index.html
+++ b/edge/config/security/rspamd/index.html
@ -1117,36 +1117,33 @@
    </span>
  </a>
-</li>
+    <nav class="md-nav" aria-label="About">
        <li class="md-nav__item">
  <a href="#related-environment-variables" class="md-nav__link">
    <span class="md-ellipsis">
      Related Environment Variables
    </span>
  </a>
 </li>
        <li class="md-nav__item">
  <a href="#the-default-configuration" class="md-nav__link">
    <span class="md-ellipsis">
      The Default Configuration
    </span>
  </a>
    <nav class="md-nav" aria-label="The Default Configuration">
      <ul class="md-nav__list">
          <li class="md-nav__item">
-  <a href="#other-anti-spam-services" class="md-nav__link">
+  <a href="#enable-rspamd" class="md-nav__link">
    <span class="md-ellipsis">
-      Other Anti-Spam-Services
+      Enable Rspamd
    </span>
  </a>
 </li>
      </ul>
    </nav>
 </li>
        <li class="md-nav__item">
  <a href="#overview-of-rspamd-support" class="md-nav__link">
    <span class="md-ellipsis">
      Overview of Rspamd support
    </span>
  </a>
    <nav class="md-nav" aria-label="Overview of Rspamd support">
      <ul class="md-nav__list">
          <li class="md-nav__item">
  <a href="#mode-of-operation" class="md-nav__link">
    <span class="md-ellipsis">
@ -1258,19 +1255,10 @@
    <nav class="md-nav" aria-label="Providing Custom Settings & Overriding Settings">
      <ul class="md-nav__list">
          <li class="md-nav__item">
  <a href="#manually" class="md-nav__link">
    <span class="md-ellipsis">
      Manually
    </span>
  </a>
 </li>
          <li class="md-nav__item">
  <a href="#with-the-help-of-a-custom-file" class="md-nav__link">
    <span class="md-ellipsis">
-      With the Help of a Custom File
+      Using custom-commands.conf
    </span>
  </a>
@ -1282,33 +1270,15 @@
 </li>
        <li class="md-nav__item">
-  <a href="#examples-advanced-configuration" class="md-nav__link">
+  <a href="#advanced-configuration" class="md-nav__link">
    <span class="md-ellipsis">
-      Examples &amp; Advanced Configuration
+      Advanced Configuration
    </span>
  </a>
-    <nav class="md-nav" aria-label="Examples & Advanced Configuration">
+    <nav class="md-nav" aria-label="Advanced Configuration">
      <ul class="md-nav__list">
          <li class="md-nav__item">
  <a href="#a-very-basic-configuration" class="md-nav__link">
    <span class="md-ellipsis">
      A Very Basic Configuration
    </span>
  </a>
 </li>
          <li class="md-nav__item">
  <a href="#adjusting-and-extending-the-very-basic-configuration" class="md-nav__link">
    <span class="md-ellipsis">
      Adjusting and Extending The Very Basic Configuration
    </span>
  </a>
 </li>
          <li class="md-nav__item">
  <a href="#dkim-signing" class="md-nav__link">
    <span class="md-ellipsis">
@ -2575,36 +2545,33 @@
    </span>
  </a>
-</li>
+    <nav class="md-nav" aria-label="About">
        <li class="md-nav__item">
  <a href="#related-environment-variables" class="md-nav__link">
    <span class="md-ellipsis">
      Related Environment Variables
    </span>
  </a>
 </li>
        <li class="md-nav__item">
  <a href="#the-default-configuration" class="md-nav__link">
    <span class="md-ellipsis">
      The Default Configuration
    </span>
  </a>
    <nav class="md-nav" aria-label="The Default Configuration">
      <ul class="md-nav__list">
          <li class="md-nav__item">
-  <a href="#other-anti-spam-services" class="md-nav__link">
+  <a href="#enable-rspamd" class="md-nav__link">
    <span class="md-ellipsis">
-      Other Anti-Spam-Services
+      Enable Rspamd
    </span>
  </a>
 </li>
      </ul>
    </nav>
 </li>
        <li class="md-nav__item">
  <a href="#overview-of-rspamd-support" class="md-nav__link">
    <span class="md-ellipsis">
      Overview of Rspamd support
    </span>
  </a>
    <nav class="md-nav" aria-label="Overview of Rspamd support">
      <ul class="md-nav__list">
          <li class="md-nav__item">
  <a href="#mode-of-operation" class="md-nav__link">
    <span class="md-ellipsis">
@ -2716,19 +2683,10 @@
    <nav class="md-nav" aria-label="Providing Custom Settings & Overriding Settings">
      <ul class="md-nav__list">
          <li class="md-nav__item">
  <a href="#manually" class="md-nav__link">
    <span class="md-ellipsis">
      Manually
    </span>
  </a>
 </li>
          <li class="md-nav__item">
  <a href="#with-the-help-of-a-custom-file" class="md-nav__link">
    <span class="md-ellipsis">
-      With the Help of a Custom File
+      Using custom-commands.conf
    </span>
  </a>
@ -2740,33 +2698,15 @@
 </li>
        <li class="md-nav__item">
-  <a href="#examples-advanced-configuration" class="md-nav__link">
+  <a href="#advanced-configuration" class="md-nav__link">
    <span class="md-ellipsis">
-      Examples &amp; Advanced Configuration
+      Advanced Configuration
    </span>
  </a>
-    <nav class="md-nav" aria-label="Examples & Advanced Configuration">
+    <nav class="md-nav" aria-label="Advanced Configuration">
      <ul class="md-nav__list">
          <li class="md-nav__item">
  <a href="#a-very-basic-configuration" class="md-nav__link">
    <span class="md-ellipsis">
      A Very Basic Configuration
    </span>
  </a>
 </li>
          <li class="md-nav__item">
  <a href="#adjusting-and-extending-the-very-basic-configuration" class="md-nav__link">
    <span class="md-ellipsis">
      Adjusting and Extending The Very Basic Configuration
    </span>
  </a>
 </li>
          <li class="md-nav__item">
  <a href="#dkim-signing" class="md-nav__link">
    <span class="md-ellipsis">
@ -2835,8 +2775,36 @@
 <h2 id="about"><a class="toclink" href="#about">About</a></h2>
 <p>Rspamd is a <a href="https://rspamd.com/">"fast, free and open-source spam filtering system"</a>. DMS integrates Rspamd like any other service. We provide a basic but easy to maintain setup of Rspamd.</p>
-<p>If you want to take a look at the default configuration files for Rspamd that DMS packs, navigate to <a href="https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd"><code>target/rspamd/</code> inside the repository</a>. Please consult the <a href="#the-default-configuration">section "The Default Configuration"</a> section down below for a written overview.</p>
+<p>If you want to take a look at the default configuration files for Rspamd that DMS adds, navigate to <a href="https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd"><code>target/rspamd/</code> inside the repository</a>. Please consult the <a href="#the-default-configuration">section "The Default Configuration"</a> section down below for a written overview.</p>
-<h2 id="related-environment-variables"><a class="toclink" href="#related-environment-variables">Related Environment Variables</a></h2>
+<h3 id="enable-rspamd"><a class="toclink" href="#enable-rspamd">Enable Rspamd</a></h3>
 <p>Rspamd is presently opt-in for DMS, but intended to become the default anti-spam service in a future release.</p>
 <p>DMS offers two anti-spam solutions:</p>
 <ul>
 <li>Legacy (<em>Amavis, SpamAssassin, OpenDKIM, OpenDMARC</em>)</li>
 <li>Rspamd (<em>Provides equivalent features of software from the legacy solution</em>)</li>
 </ul>
 <p>While you could configure Rspamd to only replace some of the legacy services, it is advised to only use Rspamd with the legacy services disabled.</p>
 <div class="admonition example">
 <p class="admonition-title">Switch to Rspamd</p>
 <p>To use Rspamd add the following ENV config changes:</p>
 <div class="highlight"><pre><span></span><code><span class="na">ENABLE_RSPAMD</span><span class="o">=</span><span class="s">1</span>
 <span class="c1"># Rspamd replaces the functionality of all these anti-spam services, disable them:</span>
 <span class="na">ENABLE_OPENDKIM</span><span class="o">=</span><span class="s">0</span>
 <span class="na">ENABLE_OPENDMARC</span><span class="o">=</span><span class="s">0</span>
 <span class="na">ENABLE_POLICYD_SPF</span><span class="o">=</span><span class="s">0</span>
 <span class="na">ENABLE_AMAVIS</span><span class="o">=</span><span class="s">0</span>
 <span class="na">ENABLE_SPAMASSASSIN</span><span class="o">=</span><span class="s">0</span>
 <span class="c1"># Greylisting is opt-in, if you had enabled Postgrey switch to the Rspamd equivalent:</span>
 <span class="na">ENABLE_POSTGREY</span><span class="o">=</span><span class="s">0</span>
 <span class="na">RSPAMD_GREYLISTING</span><span class="o">=</span><span class="s">1</span>
 <span class="c1"># Optional: Add anti-virus support with ClamAV (compatible with Rspamd):</span>
 <span class="na">ENABLE_CLAMAV</span><span class="o">=</span><span class="s">1</span>
 </code></pre></div>
 </div>
 <div class="admonition info">
 <p class="admonition-title">Relevant Environment Variables</p>
 <p>The following environment variables are related to Rspamd:</p>
 <ol>
 <li><a href="../../environment/#enable_rspamd"><code>ENABLE_RSPAMD</code></a></li>
@ -2850,12 +2818,10 @@
 <li><a href="../../environment/#move_spam_to_junk"><code>MOVE_SPAM_TO_JUNK</code></a></li>
 <li><a href="../../environment/#mark_spam_as_read"><code>MARK_SPAM_AS_READ</code></a></li>
 </ol>
-<p>With these variables, you can enable Rspamd itself, and you can enable / disable certain features related to Rspamd.</p>
+</div>
-<h2 id="the-default-configuration"><a class="toclink" href="#the-default-configuration">The Default Configuration</a></h2>
+<h2 id="overview-of-rspamd-support"><a class="toclink" href="#overview-of-rspamd-support">Overview of Rspamd support</a></h2>
 <h3 id="other-anti-spam-services"><a class="toclink" href="#other-anti-spam-services">Other Anti-Spam-Services</a></h3>
 <p>DMS packs other anti-spam services, like SpamAssassin or Amavis, next to Rspamd. There exist services, like ClamAV (<code>ENABLE_CLAMAV</code>), that Rspamd can utilize to improve the scanning. Except for ClamAV, we recommend disabling <strong>all other</strong> anti-spam services when using Rspamd. The <a href="#a-very-basic-configuration">basic configuration shown below</a> provides a good starting point.</p>
 <h3 id="mode-of-operation"><a class="toclink" href="#mode-of-operation">Mode of Operation</a></h3>
-<div class="admonition tip">
+<div class="admonition note">
 <p class="admonition-title">Attention</p>
 <p>Read this section carefully if you want to understand how Rspamd is integrated into DMS and how it works (on a surface level).</p>
 </div>
@ -2871,7 +2837,7 @@
 <p>And then there is a corresponding <code>X-Rspamd-Action</code> header, which shows the overall result and the action that is taken. In our example, it would be:</p>
 <div class="highlight"><pre><span></span><code>X-Rspamd-Action    no action
 </code></pre></div>
-<p>Since the score is <code>-2.80</code>, nothing will happen and the e-mail is not classified as spam. Our custom <a href="https://github.com/docker-mailserver/docker-mailserver/blob/v14.0.0/target/rspamd/local.d/actions.conf"><code>actions.conf</code></a> defines what to do at certain scores:</p>
+<p>Since the score is <code>-2.80</code>, nothing will happen and the e-mail is not classified as spam. Our custom <a href="https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd/local.d/actions.conf"><code>actions.conf</code></a> defines what to do at certain scores:</p>
 <ol>
 <li>At a score of 4, the e-mail is to be <em>greylisted</em>;</li>
 <li>At a score of 6, the e-mail is <em>marked with a header</em> (<code>X-Spam: Yes</code>);</li>
@ -2887,25 +2853,29 @@
 <p>When Rspamd is enabled, we implicitly also start an instance of Redis in the container:</p>
 <ul>
 <li>Redis is configured to persist its data via RDB snapshots to disk in the directory <code>/var/lib/redis</code> (<em>or the <a href="../../advanced/optional-config/#volumes-state"><code>/var/mail-state/</code></a> volume when present</em>).</li>
-<li>With the volume mount, the snapshot will restore the Redis data across container restarts, and provide a way to keep backup.</li>
+<li>With the volume mount, the snapshot will restore the Redis data across container updates, and provide a way to keep a backup.</li>
 <li>Without a volume mount a containers internal state will persist across restarts until the container is recreated due to changes like ENV or upgrading the image for the container.</li>
 </ul>
 <p>Redis uses <code>/etc/redis/redis.conf</code> for configuration:</p>
 <ul>
 <li>We adjust this file when enabling the internal Redis service.</li>
 <li>If you have an external instance of Redis to use, the internal Redis service can be opt-out via setting the ENV <a href="../../environment/#enable_rspamd_redis"><code>ENABLE_RSPAMD_REDIS=0</code></a> (<em>link also details required changes to the DMS Rspamd config</em>).</li>
 </ul>
 <p>If you are interested in using Valkey instead of Redis, please refer to <a href="https://github.com/docker-mailserver/docker-mailserver/issues/4001#issuecomment-2652596692">this guidance</a>.</p>
 <h3 id="web-interface"><a class="toclink" href="#web-interface">Web Interface</a></h3>
 <p>Rspamd provides a <a href="https://rspamd.com/webui/">web interface</a>, which contains statistics and data Rspamd collects. The interface is enabled by default and reachable on port 11334.</p>
 <p><img alt="Rspamd Web Interface" src="https://rspamd.com/img/webui.png" /></p>
 <p>To use the web interface you will need to configure a password, <a href="https://www.rspamd.com/doc/tutorials/quickstart.html#setting-the-controller-password">otherwise you won't be able to log in</a>.</p>
 <details class="example">
 <summary>Set a custom password</summary>
-<p>Add this line to <a href="#with-the-help-of-a-custom-file">your rspamd <code>custom-commands.conf</code> config</a> which sets the <code>password</code> option of the <em>controller worker</em>:</p>
+<p>Add this line to <a href="#with-the-help-of-a-custom-file">your Rspamd <code>custom-commands.conf</code> config</a> which sets the <code>password</code> option of the <em>controller worker</em>:</p>
 <div class="highlight"><pre><span></span><code>set-option-for-controller password &quot;your hashed password here&quot;
 </code></pre></div>
 <p>The password hash can be generated via the <code>rspamadm pw</code> command:</p>
 <div class="highlight"><pre><span></span><code>docker<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>-it<span class="w"> </span>&lt;CONTAINER_NAME&gt;<span class="w"> </span>rspamadm<span class="w"> </span>pw
 </code></pre></div>
 <hr />
 <p><strong>Related:</strong> A minimal Rspamd <code>compose.yaml</code> [example with a reverse-proxy for web access][gh-dms:guide::rspamd-web].</p>
 </details>
 <h3 id="dns"><a class="toclink" href="#dns">DNS</a></h3>
 <p>DMS does not supply custom values for DNS servers (to Rspamd). If you need to use custom DNS servers, which could be required when using <a href="#rbls-real-time-blacklists-dnsbls-dns-based-blacklists">DNS-based deny/allowlists</a>, you need to adjust <a href="https://rspamd.com/doc/configuration/options.html"><code>options.inc</code></a> yourself. Make sure to also read our <a href="../../../faq/#what-about-dns-servers">FAQ page on DNS servers</a>.</p>
@ -2928,107 +2898,133 @@
 <h4 id="anti-virus-clamav"><a class="toclink" href="#anti-virus-clamav">Anti-Virus (ClamAV)</a></h4>
 <p>You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable <code>ENABLE_CLAMAV=1</code>.</p>
 <h4 id="rbls-real-time-blacklists-dnsbls-dns-based-blacklists"><a class="toclink" href="#rbls-real-time-blacklists-dnsbls-dns-based-blacklists">RBLs (Real-time Blacklists) / DNSBLs (DNS-based Blacklists)</a></h4>
-<p>The <a href="https://rspamd.com/doc/modules/rbl.html">RBL module</a> is enabled by default. As a consequence, Rspamd will perform DNS lookups to various blacklists. Whether an RBL or a DNSBL is queried depends on where the domain name was obtained: RBL servers are queried with IP addresses extracted from message headers, DNSBL server are queried with domains and IP addresses extracted from the message body [<a href="https://forum.eset.com/topic/25277-dnsbl-vs-rbl-mail-security/?do=findComment&amp;comment=119818">source</a>].</p>
+<p>The <a href="https://rspamd.com/doc/modules/rbl.html">RBL module</a> is enabled by default. As a consequence, Rspamd will perform DNS lookups to various blacklists. Whether an RBL or a DNSBL is queried depends on where the domain name was obtained: RBL servers are queried with IP addresses extracted from message headers, DNSBL server are queried with domains and IP addresses extracted from the message body (<a href="https://forum.eset.com/topic/25277-dnsbl-vs-rbl-mail-security/#comment-119818">source</a>).</p>
 <div class="admonition danger">
 <p class="admonition-title">Rspamd and DNS Block Lists</p>
 <p>When the RBL module is enabled, Rspamd will do a variety of DNS requests to (amongst other things) DNSBLs. There are a variety of issues involved when using DNSBLs. Rspamd will try to mitigate some of them by properly evaluating all return codes. This evaluation is a best effort though, so if the DNSBL operators change or add return codes, it may take a while for Rspamd to adjust as well.</p>
 <p>If you want to use DNSBLs, <strong>try to use your own DNS resolver</strong> and make sure it is set up correctly, i.e. it should be a non-public &amp; <strong>recursive</strong> resolver. Otherwise, you might not be able (<a href="https://www.spamhaus.org/faq/section/DNSBL%20Usage#365">see this Spamhaus post</a>) to make use of the block lists.</p>
 </div>
 <h2 id="providing-custom-settings-overriding-settings"><a class="toclink" href="#providing-custom-settings-overriding-settings">Providing Custom Settings &amp; Overriding Settings</a></h2>
-<p>DMS brings sane default settings for Rspamd. They are located at <code>/etc/rspamd/local.d/</code> inside the container (or <code>target/rspamd/local.d/</code> in the repository).</p>
+<div class="admonition info">
-<h3 id="manually"><a class="toclink" href="#manually">Manually</a></h3>
+<p class="admonition-title">Rspamd config overriding precedence</p>
-<div class="admonition question">
+<p>Rspamd has a layered approach for configuration with <a href="https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories"><code>local.d</code> and <code>override.d</code> config directories</a>.</p>
-<p class="admonition-title">What is <a href="../../advanced/optional-config/#volumes-config"><code>docker-data/dms/config/</code></a>?</p>
+<ul>
 <li>DMS <a href="https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd">extends the Rspamd default configs via <code>/etc/rspamd/local.d/</code></a>.</li>
 <li>User config changes should be handled separately as overrides via the <a href="../../advanced/optional-config/#volumes-config">DMS Config Volume</a> (<code>docker-data/dms/config/</code>) with either:<ul>
 <li><code>./rspamd/override.d/</code> - Config files placed here are copied to <code>/etc/rspamd/override.d/</code> during container startup.</li>
 <li><a href="#with-the-help-of-a-custom-file"><code>./rspamd/custom-commands.conf</code></a> - Applied after copying any provided configs from <code>rspamd/override.d/</code> (DMS Config volume) to <code>/etc/rspamd/override.d/</code>.</li>
 </ul>
 </li>
 </ul>
 </div>
-<p>If you want to overwrite the default settings or provide your settings, you can place files at <code>docker-data/dms/config/rspamd/override.d/</code>. Files from this directory are copied to <code>/etc/rspamd/override.d/</code> during startup. These files <a href="https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories">forcibly override</a> Rspamd and DMS default settings.</p>
+<div class="admonition abstract">
-<div class="admonition question">
+<p class="admonition-title">Reference docs for Rspamd config</p>
-<p class="admonition-title">What is the <a href="https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories"><code>local.d</code> directory and how does it compare to <code>override.d</code></a>?</p>
+<ul>
 <li><a href="https://rspamd.com/doc/configuration/index.html">Config Overview</a>, <a href="https://rspamd.com/doc/tutorials/quickstart.html#configuring-rspamd">Quickstart guide</a>, and <a href="https://rspamd.com/doc/configuration/ucl.html">Config Syntax (UCL)</a></li>
 <li>Global Options (<a href="https://rspamd.com/doc/configuration/options.html"><code>options.inc</code></a>)</li>
 <li><a href="https://rspamd.com/doc/workers/">Workers</a> (<a href="https://rspamd.com/doc/workers/controller.html"><code>worker-controller.inc</code></a>, <a href="https://rspamd.com/doc/workers/rspamd_proxy.html"><code>worker-proxy.inc</code></a>)</li>
 <li><a href="https://rspamd.com/doc/modules/">Modules</a> (<em>view each module page for their specific config options</em>)</li>
 </ul>
 </div>
 <div class="admonition warning">
 <p class="admonition-title">Clashing Overrides</p>
 <p>Note that when also <a href="#with-the-help-of-a-custom-file">using the <code>custom-commands.conf</code> file</a>, files in <code>override.d</code> may be overwritten in case you adjust them manually and with the help of the file.</p>
 </div>
 <h3 id="with-the-help-of-a-custom-file"><a class="toclink" href="#with-the-help-of-a-custom-file">With the Help of a Custom File</a></h3>
 <p>DMS provides the ability to do simple adjustments to Rspamd modules with the help of a single file. Just place a file called <code>custom-commands.conf</code> into <code>docker-data/dms/config/rspamd/</code>. If this file is present, DMS will evaluate it. The structure is simple, as each line in the file looks like this:</p>
 <div class="highlight"><pre><span></span><code>COMMAND ARGUMENT1 ARGUMENT2 ARGUMENT3
 </code></pre></div>
 <p>where <code>COMMAND</code> can be:</p>
 <ol>
 <li><code>disable-module</code>: disables the module with name <code>ARGUMENT1</code></li>
 <li><code>enable-module</code>: explicitly enables the module with name <code>ARGUMENT1</code></li>
 <li><code>set-option-for-module</code>: sets the value for option <code>ARGUMENT2</code> to <code>ARGUMENT3</code> inside module <code>ARGUMENT1</code></li>
 <li><code>set-option-for-controller</code>: set the value of option <code>ARGUMENT1</code> to <code>ARGUMENT2</code> for the controller worker</li>
 <li><code>set-option-for-proxy</code>: set the value of option <code>ARGUMENT1</code> to <code>ARGUMENT2</code> for the proxy worker</li>
 <li><code>set-common-option</code>: set the option <code>ARGUMENT1</code> that <a href="https://rspamd.com/doc/configuration/options.html">defines basic Rspamd behavior</a> to value <code>ARGUMENT2</code></li>
 <li><code>add-line</code>: this will add the complete line after <code>ARGUMENT1</code> (with all characters) to the file <code>/etc/rspamd/override.d/&lt;ARGUMENT1&gt;</code></li>
 </ol>
 <div class="admonition example">
 <p class="admonition-title">An Example Is <a href="#adjusting-and-extending-the-very-basic-configuration">Shown Down Below</a></p>
 </div>
 <div class="admonition note">
 <p class="admonition-title">File Names &amp; Extensions</p>
 <p>For command 1 - 3, we append the <code>.conf</code> suffix to the module name to get the correct file name automatically. For commands 4 - 6, the file name is fixed (you don't even need to provide it). For command 7, you will need to provide the whole file name (including the suffix) yourself!</p>
 </div>
 <p>You can also have comments (the line starts with <code>#</code>) and blank lines in <code>custom-commands.conf</code> - they are properly handled and not evaluated.</p>
 <div class="admonition tip">
-<p class="admonition-title">Adjusting Modules This Way</p>
+<p class="admonition-title">View rendered config</p>
-<p>These simple commands are meant to give users the ability to <em>easily</em> alter modules and their options. As a consequence, they are not powerful enough to enable multi-line adjustments. If you need to do something more complex, we advise to do that <a href="#manually">manually</a>!</p>
+<p><code>rspamadm configdump</code> will output the full rspamd configuration that is used should you need it for troubleshooting / inspection.</p>
 <ul>
 <li>You can also see which modules are enabled / disabled via <code>rspamadm configdump --modules-state</code></li>
 <li>Specific config sections like <code>dkim</code> or <code>worker</code> can also be used to filter the output to just those sections: <code>rspamadm configdump dkim worker</code></li>
 <li>Use <code>--show-help</code> to include inline documentation for many settings.</li>
 </ul>
 </div>
-<h2 id="examples-advanced-configuration"><a class="toclink" href="#examples-advanced-configuration">Examples &amp; Advanced Configuration</a></h2>
+<h3 id="with-the-help-of-a-custom-file"><a class="toclink" href="#with-the-help-of-a-custom-file">Using <code>custom-commands.conf</code></a></h3>
-<h3 id="a-very-basic-configuration"><a class="toclink" href="#a-very-basic-configuration">A Very Basic Configuration</a></h3>
+<p>For convenience DMS provides a single config file that will directly create or modify multiple configs at <code>/etc/rspamd/override.d/</code>. This is handled as the final rspamd configuration step during container startup.</p>
-<p>Do you want to start using Rspamd? Rspamd is disabled by default, so you need to set the following environment variables:</p>
+<p>DMS will apply this config when you provide <code>rspamd/custom-commands.conf</code> in your DMS Config volume. Configure it with directive lines as documented below.</p>
-<div class="highlight"><pre><span></span><code><span class="na">ENABLE_RSPAMD</span><span class="o">=</span><span class="s">1</span>
+<div class="admonition note">
-<span class="c1"># ClamAV is compatible with Rspamd. Optionally enable it for anti-virus support:</span>
+<p class="admonition-title">Only use this feature for <code>option = value</code> changes</p>
-<span class="na">ENABLE_CLAMAV</span><span class="o">=</span><span class="s">1</span>
+<p><code>custom-commands.conf</code> is only suitable for adding or replacing simple <code>option = value</code> settings for configs at <code>/etc/rspamd/override.d/</code>.</p>
 <ul>
 <li>New settings are appended to the associated config file.</li>
 <li>When replacing an existing setting in an override config, that setting may be any matching line (<em>allowing for nested scopes, instead of only top-level keys</em>).</li>
 </ul>
 <p>Any changes involving more advanced <a href="https://rspamd.com/doc/configuration/ucl.html">UCL config syntax</a> should instead add UCL config files directly to <code>rspamd/override.d/</code> (<em>in the DMS Config volume</em>).</p>
 </div>
 <div class="admonition info">
 <p class="admonition-title"><code>custom-commands.conf</code> syntax</p>
 <p>There are 7 directives available to manage custom Rspamd configurations. Add these directive lines into <code>custom-commands.conf</code>, they will be processed sequentially.</p>
 <p><strong>Directives:</strong></p>
 <div class="highlight"><pre><span></span><code># For /etc/rspamd/override.d/{options.inc,worker-controller.inc,worker-proxy}.inc
 set-common-option         &lt;OPTION NAME&gt; &lt;OPTION VALUE&gt;
 set-option-for-controller &lt;OPTION NAME&gt; &lt;OPTION VALUE&gt;
 set-option-for-proxy      &lt;OPTION NAME&gt; &lt;OPTION VALUE&gt;
-<span class="c1"># Rspamd replaces the functionality of all these anti-spam services, disable them:</span>
+# For /etc/rspamd/override.d/&lt;MODULE NAME&gt;.conf
-<span class="na">ENABLE_OPENDKIM</span><span class="o">=</span><span class="s">0</span>
+enable-module         &lt;MODULE NAME&gt;
-<span class="na">ENABLE_OPENDMARC</span><span class="o">=</span><span class="s">0</span>
+disable-module        &lt;MODULE NAME&gt;
-<span class="na">ENABLE_POLICYD_SPF</span><span class="o">=</span><span class="s">0</span>
+set-option-for-module &lt;MODULE NAME&gt; &lt;OPTION NAME&gt; &lt;OPTION VALUE&gt;
 <span class="na">ENABLE_AMAVIS</span><span class="o">=</span><span class="s">0</span>
 <span class="na">ENABLE_SPAMASSASSIN</span><span class="o">=</span><span class="s">0</span>
-<span class="c1"># Provided you&#39;ve set `RSPAMD_GREYLISTING=1`, also disable Postgrey:</span>
+# For /etc/rspamd/override.d/&lt;FILENAME&gt;
-<span class="na">ENABLE_POSTGREY</span><span class="o">=</span><span class="s">0</span>
+add-line &lt;FILENAME&gt; &lt;CONTENT&gt;
 </code></pre></div>
-<p>This will enable Rspamd and disable services you don't need when using Rspamd.</p>
+<p><strong>Syntax:</strong></p>
-<h3 id="adjusting-and-extending-the-very-basic-configuration"><a class="toclink" href="#adjusting-and-extending-the-very-basic-configuration">Adjusting and Extending The Very Basic Configuration</a></h3>
+<ul>
-<p>Rspamd is running, but you want or need to adjust it? First, create a file named <code>custom-commands.conf</code> under <code>docker-data/dms/config/rspamd</code> (which translates to <code>/tmp/docker-mailserver/rspamd/</code> inside the container). Then add your changes:</p>
+<li>Blank lines are ok.</li>
-<ol>
+<li><code>#</code> at the start of a line represents a comment for adding notes.</li>
-<li>Say you want to be able to easily look at the frontend Rspamd provides on port 11334 (default) without the need to enter a password (maybe because you already provide authorization and authentication). You will have to adjust the controller worker: <code>set-option-for-controller secure_ip "0.0.0.0/0"</code>.</li>
+<li><code>&lt;OPTION VALUE&gt;</code> and <code>&lt;CONTENT&gt;</code> will contain the remaining content of their line, any preceding inputs are delimited by white-space.</li>
-<li>Do you additionally want to enable the auto-spam-learning for the Bayes module? No problem: <code>set-option-for-module classifier-bayes autolearn true</code>.</li>
+</ul>
-<li>But the chartable module gets on your nerves? Easy: <code>disable-module chartable</code>.</li>
+<hr />
-</ol>
+<details class="note">
 <summary><code>&lt;MODULE NAME&gt;</code> can also target non-module configs</summary>
 <p>An example is the <code>statistics</code> module, which has config to import a separate file (<code>classifier-bayes.conf</code>) for easier overrides to this section of the module config.</p>
 </details>
 </div>
 <details class="example">
-<summary>What Does the Result Look Like?</summary>
+<summary>Example</summary>
-<p>Here is what the file looks like in the end:</p>
+<div class="highlight"><span class="filename">rspamd/custom-commands.conf</span><pre><span></span><code><span class="c1"># If you&#39;re confident you&#39;ve properly secured access to the rspamd web service/API (Default port: 11334)</span>
-<div class="highlight"><pre><span></span><code><span class="c1"># See 1.</span>
+<span class="c1"># with your own auth layer (eg: reverse-proxy) you can bypass rspamd requiring credentials:</span>
-<span class="c1"># ATTENTION: this disables authentication on the website - make sure you know what you&#39;re doing!</span>
+<span class="c1"># https://rspamd.com/doc/workers/controller.html#controller-configuration</span>
-set-option-for-controller<span class="w"> </span>secure_ip<span class="w"> </span><span class="s2">&quot;0.0.0.0/0&quot;</span>
+<span class="na">set-option-for-controller secure_ip &quot;0.0.0.0/0&quot;</span>
-<span class="c1"># See 2.</span>
+<span class="c1"># Some settings aren&#39;t documented well, you may find them in snippets or Rspamds default config files:</span>
-set-option-for-module<span class="w"> </span>classifier-bayes<span class="w"> </span>autolearn<span class="w"> </span><span class="nb">true</span>
+<span class="c1"># https://rspamd.com/doc/tutorials/quickstart.html#using-of-milter-protocol-for-rspamd--16</span>
 <span class="c1"># /etc/rspamd/worker-proxy.inc</span>
 <span class="na">set-option-for-proxy reject_message &quot;Rejected - Detected as spam&quot;</span>
-<span class="c1"># See 3.</span>
+<span class="c1"># Equivalent to the previous example, but `add-line` is more verbose:</span>
-disable-module<span class="w"> </span>chartable
+<span class="na">add-line worker-proxy.inc reject_message</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;Rejected - Detected as spam&quot;</span>
 <span class="c1"># Enable Bayes auto-learning feature to classify spam based on Rspamd action/score results:</span>
 <span class="c1"># NOTE: The statistics module imports a separate file for classifier-bayes config</span>
 <span class="c1"># https://rspamd.com/doc/configuration/statistic.html#autolearning</span>
 <span class="na">set-option-for-module classifier-bayes autolearn true</span>
 <span class="c1"># Disable the `chartable` module:</span>
 <span class="c1"># https://rspamd.com/doc/modules/chartable.html</span>
 <span class="na">disable-module chartable</span>
 </code></pre></div>
 </details>
 <h2 id="advanced-configuration"><a class="toclink" href="#advanced-configuration">Advanced Configuration</a></h2>
 <h3 id="dkim-signing"><a class="toclink" href="#dkim-signing">DKIM Signing</a></h3>
 <p>There is a dedicated <a href="../../best-practices/dkim_dmarc_spf/#dkim">section for setting up DKIM with Rspamd in our documentation</a>.</p>
 <h3 id="arc-authenticated-received-chain"><a class="toclink" href="#arc-authenticated-received-chain">ARC (Authenticated Received Chain)</a></h3>
-<p>ARC is not set up by default, but you can easily enable it by adding a file called <code>arc.conf</code> to <code>docker-data/dms/config/rspamd/override.d/</code>. ARC can use DKIM keys that you should have already created. The configuration file could then contain the following:</p>
+<p><a href="https://en.wikipedia.org/wiki/Authenticated_Received_Chain">ARC</a> support in DMS is opt-in via config file. <a href="https://rspamd.com/doc/modules/arc.html">Enable the ARC Rspamd module</a> by creating a config file at <code>docker-data/dms/config/rspamd/override.d/arc.conf</code>.</p>
-<div class="highlight"><pre><span></span><code><span class="na">sign_local</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
+<div class="admonition example">
 <p class="admonition-title">Example</p>
 <p>For each mail domain you have DMS manage, add the equivalent <code>example.com</code> sub-section to <code>domain</code> and adjust the <code>path</code> + <code>selector</code> fields as necessary.</p>
 <div class="highlight"><span class="filename">rspamd/override.d/arc.conf</span><pre><span></span><code><span class="na">sign_local</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
 <span class="na">sign_authenticated</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">true</span><span class="c1">;</span>
 <span class="na">domain {</span>
-<span class="w">    </span><span class="na">&lt;DOMAIN NAME&gt; {</span>
+<span class="w">    </span><span class="na">example.com {</span>
-<span class="w">        </span><span class="c1"># Change the path here to your actual private key</span>
+<span class="w">        </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-example.private.txt&quot;</span><span class="c1">;</span>
 <span class="w">        </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-&lt;DOMAIN NAME&gt;.private.txt&quot;</span><span class="c1">;</span>
 <span class="w">        </span><span class="c1"># Changhe the selected if you chose a non-default one</span>
 <span class="w">        </span><span class="na">selector</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;mail&quot;</span><span class="c1">;</span>
 <span class="w">    </span><span class="na">}</span>
 <span class="na">}</span>
 </code></pre></div>
 </div>
 <div class="admonition tip">
 <p class="admonition-title">Using a common keypair</p>
 <p>As with DKIM, the keypair can be shared across your configured domains.</p>
 <p>Your ARC config can share the same DKIM private key + selector (<em>with associated DNS record for the public key</em>).</p>
 </div>
 <h3 id="abusix-integration"><a class="toclink" href="#abusix-integration"><em>Abusix</em> Integration</a></h3>
 <p>This subsection provides information about the integration of <a href="https://abusix.com/">Abusix</a>, "a set of blocklists that work as an additional email security layer for your existing mail environment". The setup is straight-forward and well documented:</p>
 <ol>
--- a/edge/search/search_index.json
+++ b/edge/search/search_index.json