I-MSCP and rspamd

  • Attention: Use this how to at your own risk and make a backup before trying it. This is not an official how to and should only be used by advanced users. As usual: use at your own risk!


    Attention: It seems that rspamd is going to be integrated as official anti spam protection into 1.5.4 --> i-MSCP version 1.5.4 (not released yet) - Rspamd && ClamAV integrated in core


    Attention: As I switched to my own mailserver called mailcow, which implements all of this and much more, I am not going to update this howto or its configuration files. If anyone wants to continue, please feel free to contact me (but I think there is no need because 1.5.4 should introduce native rspamd support).


    Changelog:

    Introduction


    The rspamd anti spam solution includes a lot of techniques to fight against spam of any kind. It was developed to be as fast and resource friendly as possible. It does not only include filters against spam, it can also do some protection stuff like opendkim creation for outgoing mails (like the OpenDKIM plugin in the store).


    This howto shows how this system can be included in I-MSCP using default configurations. It is important that you check all configurations before using them. Also feel free to take a look into the rspamd documentation at https://rspamd.com/doc/index.html.


    Is this becoming an I-MSCP plugin?


    I am sorry but I do not have the skills and time to create a plugin for that. But if anyone wants to do a plugin, please feel free to use my howto or ask me any questions to generate one.


    What you need to know

    • General: all information below is important but needs to be checked. All in all all plugins (but not PostGrey) can be enabled while rspamd is used.
    • General: this howto was made using Ubuntu 16.04 server edition so there could be differences to other distributions!
    • rspamd: Do not edit any default configuration file. rspamd is designed to load configuration files from the /etc/rspamd/local.d/ folder. Take a look into the documentation for available configs and parameters.
    • I-MSCP plugins which are obsolete using this (because they are integrated into rspamd and enabled by this config):

      • ClamAV (can be used parallel but makes no sense)
      • SpamAssassin (can be used parallel and can make sense but doubles the resources needed to scan mails)
      • Postgrey (as this is integrated into rspamd it would double greylist mails in the worst case which could remove any chance to get good mails if they hit once the greylist)
      • Postscreen (not tested if it can be used parallel but makes no sense)
      • PolicydSPF (not tested if it can be used parallel but makes no sense)
    • I-MSCP plugins which need to be used to fulfill some requirements:
      • OpenDKIM (if you want to DKIM sign your outgoing mails this configuration is using the files generated from the OpenDKIM plugin - not the best way)

    Known problems


    The OpenDKIM plugin seems to be no longer working because of added/modified header information by rspamd. As rspamd has its own module to sign mails with a dkim signature, this is switched on in the next config update. The current solution is working with the OpenDKIM plugin, which is nice because you have the web ui inside the admin panel. But as it is no longer able to sign, it is producing one error message per sent mail. This is not bad but ugly. Maybe there is a better solution in the future.

    • Fixed in update from 19.02.2018 by switching dkim signing process to rspamd using OpenDKIM plugin generated files (see below).

    Requirements and installation


    The following software programs and scripts need to be installed to fulfill the requirements of rspamd and the provided example configuration.


    Redis


    Installing redis is needed for a lot of modules for rspamd. Redis is an in-memory data storage server which is designed to store and deliver information fast. Installing is very easy:

    Code
    # aptitude install redis-server

    rspamd


    To install it please follow the installation instruction on the developer homepage: https://rspamd.com/downloads.html
    Attention: Check how it is recommended to install rspamd because on some systems the packages provided by the package installer for rspamd could be terribly outdated.


    I-MSCP listener file


    This listener file adds the needed entries to the postfix configuration file (special thanks to @Nuxwin). All parameters are the ones which the base installation of rspamd is configured with.
    Download the listener file from https://gist.github.com/nuxwin…baae7d2482b68126e8206c534 to /etc/imscp/listeners.d/10_postfix_rspamd.pl. As soon as you are finished you need to call a reconfigure. Please do that at the very end after everything is configured to avoid a broken milter.


    Configure rspamd


    Please download the provided attached configuration files container which provides you with a starting configuration. This configuration tries to enable a default protection. If you want to change that, please feel free to add, remove or change any configuration file as you want. This configuration package should only give you a good start into rspamd. For any questions about the configuration files and/or the possibilities please visit these pages

    Below only the configuration files which need a configuration are described. Feel free to discover all other settings I included and make your own. If you do not want to learn more about rspamd you can leave all other files untouched. In this case you should have a good basic protection. I included in all my configuration files at the first line a link to the corresponding rspamd developer page.


    /etc/rspamd/local.d/antivirus.conf


    The configuration for ClamAV is made for Ubuntu 16.04 - it could be that the parameter servers needs to be modified on other distributions. In any case please check if this file exists. If the file does not exist, please check for the unix socket or the binding port of clamav and configure it.


    /etc/rspamd/local.d/dkim_signing.conf


    As this config is using the OpenDKIM plugin to sign outgoing mails using rspamd, there has to be a copy job to make sure rspamd can access this folder. If you do not want to do it this way feel free to check https://rspamd.com/doc/modules/dkim_signing.html


    I tried to configure rspamd to use the OpenDKIM tables provided inside the /etc/opendkim folder. But that seems to be not possible. So I decided to make all keys visible for rspamd (and only rspamd) so that it is able to do the signing on its own. If you want to use it the way I do, please make sure that your DNS entries are set, because with this logic it would sign each mail if there is a key inside the OpenDKIM keys folder like /etc/opendkim/keys/domain.tld/mail.private. All these keys can be viewed inside I-MSCP ui but as I do not know how exactly OpenDKIM is working it would be great if one who knows can tell me if this is the correct way or not.


    The copy job needs to place the private keys somewhere else because the path where OpenDKIM keeps them can only be viewed by the OpenDKIM user. That is why I created a cron job for the user root which is mirroring the keys folder. For that I am using a tool called rsync which should be available on each linux system. If not: this tool can be installed very easily: # aptitude install rsync. After that I created the following cron job which mirrors the folder to /etc/rspamd/dkim/:

    Shell-Script: # crontab -e
    0,5,10,15,20,25,30,35,40,45,50,55 * * * * rsync -rltD --delete /etc/opendkim/keys/ /etc/rspamd/dkim/ >/dev/null 2>&1 && chown -R _rspamd: /etc/rspamd/dkim/ >/dev/null 2>&1

    If you changed the path make sure to modify it in the config file too!


    /etc/rspamd/local.d/phishing.conf


    The phishing module is configured to use a cached phishing database from phishtank. It is cached for one reason: its size is about 50mb so it should be transferred fast. To achieve this we need to create a new internal nginx page:


    First we need to create a temp folder. In this config the cache is configured to be at /cache/nginx/phishtank. If you want to have it somewhere else feel free to configure another destination. Make sure the full path is available - so create the folders that nginx can access the folder (because it is not creating the folder).


    Now we need to make a new nginx webpage. In this configuration the port 8010 is used. If you specify another port please change it inside the /etc/rspamd/local.d/phishing.conf configuration too! In this configuration the cache holds the phishing list for 1 hour. After that it is fetched again. As it seems to be not easy to retrieve it directly from phishtank we retrieve the compressed/compiled edition of this list from rspamd.com - this reduces the size to about 3-4mb. The only negative thing is that there is a webserver between the hoster and us and that rspamd.com is updating the list only once per hour. So if this is not up2date for you feel free to try https://rspamd.com/doc/modules/phishing.html (this docu does not include that the download is a html page redirecting using html headers which seems to be difficult to proxy too).

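    Code: /etc/nginx/sites-available/phishtank_cache.conf
    # on-disk cache location; "phish" is the name of the shared key zone
    proxy_cache_path /cache/nginx/phishtank levels=1:2 keys_zone=phish:60m;
    server {
        # "listen 8010" binds all interfaces; "listen 127.0.0.1:8010;" keeps the page internal
        listen 8010;
        location / {
            proxy_pass https://rspamd.com:443;
            proxy_cache phish;
            # only one request at a time fills a missing cache entry
            proxy_cache_lock on;
            # keep successful responses for 1 hour
            proxy_cache_valid 200 206 1h;
        }
    }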

    and we need to enable the new nginx page:

    Shell-Script
    # ln -s /etc/nginx/sites-available/phishtank_cache.conf /etc/nginx/sites-enabled/
    # service nginx restart

    To see if it is working please download the following file twice. The first download should take its time depending on your internet connection and the available bandwidth at the destination server. The second one should be as fast as your filesystem is. The example script below is deleting the downloaded files after the test. (As we are using a compressed/compiled version which is about 4mb big it could be that you cannot see any differences. Check the configured cache path of nginx to see if it is cached or not.)

    Shell-Script
    # wget -O nginx_cache_uncached http://localhost:8010/data/online-valid.json
    # wget -O nginx_cache_cached http://localhost:8010/data/online-valid.json
    # rm nginx_cache_uncached nginx_cache_cached

    /etc/rspamd/local.d/worker-controller.inc


    Inside this configuration file the password for the webinterface is set. So we are now setting up the rspamd webinterface including this password.


    If the configuration documentation is correct you could set in here your password in plain text but this is in no way recommended! To use an encrypted password you need to use one of rspamd's commandline tools:

    Shell-Script
    # rspamadm pw

    This command asks you to enter your password. As soon as you did, an encrypted text is returned. Use this text as your password in your configuration file (it should start with something like $1$... (PBKDF2-Blake2)). Now put this generated password inside the configuration parameter password.


    As we have a password set we now need to configure the webinterface so that it is accessible. rspamd is hosting its own small webserver to show the webinterface. So all you need to do is to configure a proxy redirection inside I-MSCP:


    Login to your I-MSCP control panel and create a new subdomain (domain also works but I have no idea if you want to use a full domain for that):

    After a restart of rspamd using service rspamd restart it should be accessible using the password you set inside the configuration file.


    Learn based on existing mails (optional)


    You can train the spam filter using existing I-MSCP mails. But be careful if you have mailboxes you are not managing because if you learn spam as ham (or the other way around) it could be bad for the detection. Below I wrote two example learnings which seem to be safe for me but could also be dangerous for huge mail servers with foreign users:


    Learning from all Junk folders (over all users) seems to be fine because only already detected spam or learned spam should be in this folder.

    Shell-Script: Learn from all Junk folders
    # find /var/mail/virtual/*/*/.Junk/cur -type f -exec /usr/bin/rspamc learn_spam {} \;

    As a second suggestion I would learn all mails from the Sent folder because I think no one on my system is sending spam mails.

    Shell-Script: Learn from all Sent folders
    # find /var/mail/virtual/*/*/.Sent/cur -type f -exec /usr/bin/rspamc learn_ham {} \;

    Restart service and apply configurations


    To apply all configurations you need to restart all services which are related to this how to:

    Shell-Script
    # service rspamd restart
    # service postfix restart


    And as last step we need to apply the new postfix configuration. One way is to use the reconfigure script which is included inside of I-MSCP. But as this takes a long time @Nuxwin wrote a script which is doing that for us:
    Download and execute this script: https://gist.github.com/nuxwin…0383bf30d3e7c29bfd25ba784


    After that please check /etc/postfix/main.cf. To see if it worked please check the parameter smtpd_milters if it contains inet:localhost:11332. If not, something went wrong. If it is there, everything worked as expected and your rspamd should be live now. You can see it by checking the webinterface which is listing all in- and outgoing mails.


    Autolearn spam


    There are possibilities using dovecot sieve rules to learn spams if moved to the Junk folder and to learn ham if moved from the Junk folder to somewhere else. But I was unable to configure this so it is no part of this how to. You can give it a try if you want using https://words.bombast.net/rspa…x-dovecot-debian-stretch/. (And please tell me if it is working for you on Ubuntu 16.04 because it would be great using that!)

    Files

    • local.d.zip
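
The cron job in the dkim_signing.conf step mirrors the OpenDKIM private keys to /etc/rspamd/dkim/ and hands them to _rspamd; the following is an added example (not part of the original post) that audits such a mirror so that the keys stay visible to that one user only. The function names are hypothetical and the demo tree at the end is constructed.

```shell
#!/bin/sh
# Added example: audit and tighten the DKIM key mirror kept by the cron job.
# On the server described above: audit_dkim_mirror /etc/rspamd/dkim _rspamd

# Print every file below DIR that is not owned by OWNER or that grants any
# permission bit to group or others. Returns 0 if clean, 1 on findings.
audit_dkim_mirror() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    findings=$(find "$dir" -type f \( \
        ! -user "$owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Give the whole mirror to OWNER and remove all group/other access.
harden_dkim_mirror() {
    dir=$1
    owner=$2
    chown -R "$owner" "$dir" &&
    find "$dir" -type d -exec chmod 700 {} + &&
    find "$dir" -type f -exec chmod 600 {} +
}

# Constructed demo tree: one key with safe permissions, one world-readable.
demo=$(mktemp -d)
mkdir -p "$demo/domain.tld" "$demo/example.org"
: > "$demo/domain.tld/mail.private"
chmod 600 "$demo/domain.tld/mail.private"
: > "$demo/example.org/mail.private"
chmod 644 "$demo/example.org/mail.private"
audit_dkim_mirror "$demo" "$(id -u)" || echo "^ key files readable beyond the owner"
harden_dkim_mirror "$demo" "$(id -u)"
audit_dkim_mirror "$demo" "$(id -u)" && echo "mirror is clean after hardening"
rm -rf "$demo"
```
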


  • 5. Keep in mind
    Now you are done. But you have to keep in mind that this is not a plugin of I-MSCP which is doing the stuff for you. So I-MSCP is overwriting the changes inside the postfix main.cf every time it is reconfigured or updated.

    Unless you make use of that listener (for instance, i-MSCP 1.5.1): https://github.com/i-MSCP/imsc…tfix/10_postfix_tuning.pl


    Thank you mate for this howto ;)


  • Ah thx I had no idea something like this exists. One question before I start to try this today in the evening:


    If I see this correctly it would overwrite the whole setting. So if I add the smtpd_milter setting I had to make sure every milter is added correctly. I would prefer not using it in this way because some other plugins like clamav, spamassassin, postscreen, ... are using that too and if I want to disable one the listener would enable it again (which could lead into broken milters which is bad). So is there a possibility to make a milter which only adds some settings and which is adding a smtpd_milter entry at the beginning? (Sorry I am not familiar with perl which makes it difficult for me to write one which could be the best way in my eyes to achieve that.)

  • @UncleSam


    If I see this correct it would overwrite the whole setting.


    Yes, but you can make it a bit smarter. The listener that listens on the afterMtaBuildConf event makes use of the Servers::mta::postfix:postconf() method internally to replace the parameters. So yes, by default the listener will replace previous values. However, if you read: https://github.com/i-MSCP/imsc…rvers/mta/postfix.pm#L888 you will see that it is easy to change the behavior. Some usage examples of that method:

    You can find some other usage examples in plugins where Postfix is involved. So here, best would be to write your own listener file. If you give me the parameters needed for your service, including values, I can write one for you.


  • @Nuxwin
    Thanks for your help. I tried to figure out how this works but it is a little bit too strange for me. I wanted to give it a try but currently I only know C-Like programming languages like C#.Net, Java or Php. So it is a little bit too much work for me for just writing one listener file. So it would be great if you could do me the favor and write a listener file for it.


    I describe it as detailed as needed. If you need more information please feel free to contact me - I do my best to answer as soon as possible.


    Postfix main.cf (/etc/postfix/main.cf on ubuntu):


    All parameters as described in here: https://rspamd.com/doc/integration.html
    I tried to figure out what each parameter does but I think I have too little knowledge about the postfix milter system. All parameters below are fixed values for default installation and should work without any problems.


    Parameter smtpd_milters:

    Code
    # Append at first parameter at smtpd_milters the connection to rspamd server (default configuration):
    # inet:localhost:11332
    # Reason why as first:
    # All in all it is doing the work the same way if it is on first position or not. But in my eyes there are some features like the greylist based on spam score which should occur before all other
    # milters. So I would suggest putting it at first milter.
    # example how it should look if the server already has milters:
    # smtpd_milters = inet:localhost:11332, unix:/spamass/spamass.sock, unix:/clamav/clamav-milter.ctl, unix:/var/run/opendkim/opendkim.sock
    # example if there are no milters currently
    smtpd_milters = inet:localhost:11332


    Parameter milter_protocol:

    Code
    # Add a new postfix parameter called milter_protocol (seems to be unused currently)
    # This seems to be needed by rspamd and should be 6 on all modern postfix version. As in their docu
    # described the version 6 is default since Postfix 2.6 - before it was version 2.
    # As the current Ubuntu 16.04 version is 3.1.0 and (if I googled correctly) debian is using >= 2.9
    # this should be safe for both. I haven't checked other distributions.
    # You can read it at this page: http://www.postfix.org/MILTER_README.html
    # The needed new value to make sure the correct version is used
    milter_protocol = 6

    Parameter milter_mail_macros:

    Code
    # Add a new postfix parameter called milter_mail_macros (seems to be unused currently)
    # Some kind of information which is provided to the milters. I have no idea if this affects any other i-MSCP related plugin. Currently I can say that spamassassin, clamav, spf and opendkim seem to work fine with this configuration. It seems to be some kind of sendmail macro emulation: http://www.postfix.org/MILTER_README.html
    # I am not really familiar with that value because of too little knowledge about sendmail, its macros and the milter interface or how it is used.
    #
    # Default value on Ubuntu:
    # milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
    # New value:
    # milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
    # The needed new value for the macros (not tested if the default ones work too)
    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}


    And at last force postfix to apply these settings (no idea if reload or restart is doing that but I think you or the I-MSCP system is knowing that).


    If you have the time to write me a listener for it I will write a more detailed howto in here which will include the example config I already uploaded in here.


    Additional:


    All other things like installations, managing the configuration files or configuring the webinterface have to be done by the user. If someday someone wants to write a plugin for it I can provide details. But currently I am looking forward to know more about rspamd :-) (currently I think it is a good anti spam solution).
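
The howto's final check (smtpd_milters contains inet:localhost:11332) and the three parameters listed in the post above can be verified in one pass; the following is an added example, not code from the thread or from i-MSCP. The function names are hypothetical, the sample main.cf fragment is constructed, and the parser only handles comments and continuation lines, not $name expansion.

```shell
#!/bin/sh
# Added example: check the Postfix milter settings named in this thread.

# Print the value of parameter $2 from the main.cf-style file $1.
# Comment and blank lines are skipped, lines starting with whitespace
# continue the previous parameter, and the last definition wins.
main_cf_value() {
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == name) val = val " " $0; next }
        {
            cur = ""
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            cur = key
            if (key == name) val = substr($0, eq + 1)
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# Report missing settings for the rspamd milter; returns 1 on any FAIL.
check_rspamd_milter() {
    file=$1
    rc=0
    list=$(main_cf_value "$file" smtpd_milters | tr ',' ' ')
    case " $list " in
        *" inet:localhost:11332 "*)
            first=${list%% *}
            if [ "$first" != "inet:localhost:11332" ]; then
                echo "WARN rspamd is not the first milter (first is $first)"
            fi ;;
        *) echo "FAIL smtpd_milters lacks inet:localhost:11332"; rc=1 ;;
    esac
    [ "$(main_cf_value "$file" milter_protocol)" = 6 ] ||
        { echo "FAIL milter_protocol is not set to 6"; rc=1; }
    macros=$(main_cf_value "$file" milter_mail_macros)
    for m in '{mail_addr}' '{client_addr}' '{client_name}' '{auth_authen}'; do
        case " $macros " in
            *" $m "*) ;;
            *) echo "FAIL milter_mail_macros lacks $m"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: rspamd is configured, but listed after another milter.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed main.cf fragment
smtpd_milters = unix:/spamass/spamass.sock,
    inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
EOF
check_rspamd_milter "$sample" && echo "rspamd milter settings present"
rm -f "$sample"
```

On a live server, `postconf -h smtpd_milters` prints the value as Postfix itself reads it.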

  • @UncleSam


    Please check: https://gist.github.com/nuxwin…baae7d2482b68126e8206c534 and tell me if that looks good for you ;)


  • @UncleSam

    Is there an easy way to test the listener or only by reconfiguring i-mscp?

    I'll provide you with a script that will make you able to test it without reconfiguring whole i-MSCP. Give me few minutes please.


  • Ok I already tried the reconfigure way and got this error (maybe I am a little bit too fast :-) ) :

  • @UncleSam


    For the script allowing to test without reconfiguring: https://gist.github.com/nuxwin…0383bf30d3e7c29bfd25ba784


    For the error in the listener file, I'll update the gist. Wait for my green light please. Note that I've not tested anything. All is out of my brain AS THIS.
