Attention: Use this how to at your own risk and make a backup before trying it. This is not an official how to and should only be used by advanced users. As usual: use at your own risk!
Attention: It seems that rspamd is going to be integrated as official anti spam protection into 1.5.4 --> i-MSCP version 1.5.4 (not released yet) - Rspamd && ClamAV integrated in core
Attention: As I switched to my own mail server called mailcow, which implements all of this and much more, I am not going to update this howto or its configuration files. If anyone wants to continue, please feel free to contact me (but I think there is no need because 1.5.4 should introduce native rspamd support).
Changelog:
- 18.09.2019
  - added a notice that this howto is no longer updated due to usage of another mail server solution
- 19.07.2018
  - updated config files to new rspamd version
- 19.02.2018
  - provided new local.d config files
  - new metrics with higher weight for spamhaus dbl
  - enabled rspamd integrated dkim signing by using the opendkim provided keys (so the ui continues to work) - a little bit ugly because opendkim is running but no longer used.
  - modified OpenDKIM config to minimize / remove errors produced by the plugin on trying to sign mails
  - switched to using rspamd.com for phishing list retrieval - this reduces the size from ~70mb to 3-4mb
- 16.02.2018: Added "Known problems" section
- 13.02.2018: Complete redesign using listener file from Nuxwin
- 12.02.2018: Creation
- 12.02.2018: Added learn section
Introduction
The rspamd anti-spam solution includes a lot of techniques to fight spam of all kinds. It was developed to be as fast and resource-friendly as possible. It does not only include filters against spam; it can also handle some protection tasks such as creating DKIM signatures for outgoing mails (like the OpenDKIM plugin in the store).
This howto shows how this system can be integrated into I-MSCP using default configurations. It is important that you check all configurations before using them. Also feel free to take a look at the rspamd documentation at https://rspamd.com/doc/index.html.
Is this becoming an I-MSCP plugin?
I am sorry, but I do not have the skills and time to create a plugin for that. But if anyone wants to create a plugin, please feel free to use my howto or ask me any questions to build one.
What you need to know
- General: all information below is important but needs to be checked. All in all, all plugins (but not PostGrey) can be enabled while rspamd is used.
- General: this howto was made using Ubuntu 16.04 server edition, so there could be differences on other distributions!
- rspamd: Do not edit any default configuration file. rspamd is designed to load configuration files from the /etc/rspamd/local.d/ folder. Take a look into the documentation for available configs and parameters.
- I-MSCP plugins which are obsolete when using this (because they are integrated into rspamd and enabled by this config):
  - ClamAV (can be used in parallel but makes no sense)
  - SpamAssassin (can be used in parallel and can make sense, but doubles the resources needed to scan mails)
  - Postgrey (as greylisting is integrated into rspamd, mails would be greylisted twice in the worst case, which could remove any chance of receiving good mails once they hit the greylist)
  - Postscreen (not tested if it can be used in parallel, but makes no sense)
  - PolicydSPF (not tested if it can be used in parallel, but makes no sense)
- I-MSCP plugins which need to be used to fulfill some requirements:
  - OpenDKIM (if you want to DKIM sign your outgoing mails, this configuration uses the files generated by the OpenDKIM plugin - not the best way)
Known problems
The OpenDKIM plugin seems to no longer work because of header information added/modified by rspamd. As rspamd has its own module to sign mails with a DKIM signature, this is switched on in the next config update. The current solution works with the OpenDKIM plugin, which is nice because you have the web UI inside the admin panel. But as it is no longer able to sign, it produces one error message per sent mail. This is not bad but ugly. Maybe there is a better solution in the future.
- Fixed in update from 19.02.2018 by switching dkim signing process to rspamd using OpenDKIM plugin generated files (see below).
Requirements and installation
The following software and scripts need to be installed to fulfill the requirements of rspamd and the provided example configuration.
Redis
Redis is needed by a lot of rspamd modules. Redis is an in-memory data storage server which is designed to store and deliver information fast. Installing it is very easy:
# aptitude install redis-server
rspamd
To install it please follow the installation instruction on the developer homepage: https://rspamd.com/downloads.html
Attention: Check how it is recommended to install rspamd, because on some systems the rspamd packages provided by the package manager can be terribly outdated.
I-MSCP listener file
This listener file adds the needed entries to the postfix configuration file (special thanks to @Nuxwin). All parameters are the ones the base installation of rspamd is configured with.
Download the listener file from https://gist.github.com/nuxwin…baae7d2482b68126e8206c534 to /etc/imscp/listeners.d/10_postfix_rspamd.pl. As soon as you are finished you need to call a reconfigure. Please do that at the very end after everything is configured to avoid a broken milter.
Configure rspamd
Please download the attached configuration files container, which provides you with a starting configuration. This configuration tries to enable a default protection. If you want to change that, please feel free to add, remove or change any configuration file as you want. This configuration package should only give you a good start with rspamd. For any questions about the configuration files and/or the possibilities please visit these pages
Below, only the configuration files which need to be configured are described. Feel free to discover all other settings I included and make your own. If you do not want to learn more about rspamd you can leave all other files untouched. In this case you should have a good basic protection. In all my configuration files I included a link to the corresponding rspamd developer page on the first line.
/etc/rspamd/local.d/antivirus.conf
The configuration for ClamAV is made for Ubuntu 16.04 - it could be that the parameter servers needs to be modified on other distributions. In any case please check if this file exists. If the file does not exist, please check for the unix socket or the binding port of clamav and configure it.
/etc/rspamd/local.d/dkim_signing.conf
As this config uses the keys of the OpenDKIM plugin to sign outgoing mails with rspamd, there has to be a copy job to make sure rspamd can access this folder. If you do not want to do it this way, feel free to check https://rspamd.com/doc/modules/dkim_signing.html
I tried to configure rspamd to use the OpenDKIM tables provided inside the /etc/opendkim folder. But that seems to be not possible. So I decided to make all keys visible to rspamd (and only rspamd) so that it is able to do the signing on its own. If you want to use it the way I do, please make sure that your DNS entries are set, because with this logic it would sign each mail if there is a key inside the OpenDKIM keys folder like /etc/opendkim/keys/domain.tld/mail.private. All these keys can be viewed inside the I-MSCP UI, but as I do not know how exactly OpenDKIM is working, it would be great if someone who knows could tell me if this is the correct way or not.
The copy job needs to place the private keys somewhere else because the path where OpenDKIM keeps them can only be read by the OpenDKIM user. That is why I created a cron job for the user root which mirrors the keys folder. For that I am using a tool called rsync, which should be available on each Linux system. If not, this tool can be installed very easily: # aptitude install rsync. After that I created the following cron job which mirrors the folder to /etc/rspamd/dkim/:
0,5,10,15,20,25,30,35,40,45,50,55 * * * * rsync -rltD --delete /etc/opendkim/keys/ /etc/rspamd/dkim/ >/dev/null 2>&1 && chown -R _rspamd: /etc/rspamd/dkim/ >/dev/null 2>&1
If you changed the path make sure to modify it in the config file too!
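A check for the mirrored key folder described above, added here as an example (it is not part of the original howto): it reports anything under the mirror that is not owned by the rspamd user or that is accessible to other local users. The function name audit_dkim_mirror is hypothetical; the path /etc/rspamd/dkim/ and the user _rspamd are the ones used by the cron job above.

```shell
#!/bin/sh
# Added example: audit the DKIM key mirror created by the cron job above.
# Usage: audit_dkim_mirror DIR OWNER
#   DIR   mirrored key folder (the howto uses /etc/rspamd/dkim/)
#   OWNER user name or numeric uid that must own everything (the howto uses _rspamd)
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if DIR is missing.
audit_dkim_mirror() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    findings=$(
        # Entries that the chown step of the cron job did not reach.
        find "$dir" ! -type l ! -user "$owner" | sed 's/^/OWNER /'
        # Any read, write or execute bit for others exposes private keys to every local user.
        find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) | sed 's/^/WORLD /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when called with both arguments, e.g.:
#   sh audit_dkim.sh /etc/rspamd/dkim/ _rspamd
if [ "$#" -ge 2 ]; then
    audit_dkim_mirror "$1" "$2"
fi
```

Run it as root after the first cron run; an empty result with exit status 0 means only the rspamd user can read the mirrored keys.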
/etc/rspamd/local.d/phishing.conf
The phishing module is configured to use a cached phishing database from phishtank. It is cached for one reason: its size is about 50mb, so it should be transferred fast. To achieve this we need to create a new internal nginx page:
First we need to create a temp folder. In this config the cache is configured to be at /cache/nginx/phishtank. If you want to have it somewhere else, feel free to configure another destination. Make sure the full path exists, so create the folders so that nginx can access them (nginx does not create the folder itself).
Now we need to make a new nginx webpage. In this configuration the port 8010 is used. If you specify another port, please change it inside the /etc/rspamd/local.d/phishing.conf configuration too! In this configuration the cache holds the phishing list for 1 hour. After that it is fetched again. As it seems to be not easy to retrieve it directly from phishtank, we retrieve the compressed/compiled edition of this list from rspamd.com - this reduces the size to about 3-4mb. The only negative thing is that there is a webserver between the hoster and us and that rspamd.com is updating the list only once per hour. So if this is not up to date enough for you, feel free to try https://rspamd.com/doc/modules/phishing.html (this documentation does not mention that the download is an html page redirecting using html headers, which seems to be difficult to proxy too).
proxy_cache_path /cache/nginx/phishtank levels=1:2 keys_zone=phish:60m;
server {
    listen 8010;
    location / {
        proxy_pass https://rspamd.com:443;
        proxy_cache phish;
        proxy_cache_lock on;
        proxy_cache_valid 200 206 1h;
    }
}
and we need to enable the new nginx page:
To see if it is working, please download the following file twice. The first download should take its time depending on your internet connection and the available bandwidth at the destination server. The second one should be as fast as your filesystem is. The example script below deletes the downloaded files after the test. (As we are using a compressed/compiled version which is about 4mb big, it could be that you cannot see any difference. Check the configured cache path of nginx to see if it is cached or not.)
/etc/rspamd/local.d/worker-controller.inc
Inside this configuration file the password for the web interface is set. So we are now setting up the rspamd web interface including this password.
If the configuration documentation is correct, you could set your password here in plain text, but this is in no way recommended! To use an encrypted password you need to use one of rspamd's command line tools:
This command asks you to enter your password. As soon as you have done so, an encrypted text is returned. Use this text as your password in your configuration file (it should start with something like $1$... (PBKDF2-Blake2)). Now put this generated password inside the configuration parameter password.
As we have a password set, we now need to configure the web interface so that it is accessible. rspamd hosts its own small webserver to show the web interface. So all you need to do is to configure a proxy redirection inside I-MSCP:
Log in to your I-MSCP control panel and create a new subdomain (a domain also works, but I have no idea if you want to use a full domain for that):
After a restart of rspamd using service rspamd restart, it should be accessible using the password you set inside the configuration file.
Learn based on existing mails (optional)
You can train the spam filter using existing I-MSCP mails. But be careful if you have mailboxes you are not managing, because if you learn spam as ham (or the other way around) it could be bad for the detection. Below I wrote two example learnings which seem to be safe for me but could also be dangerous for huge mail servers with foreign users:
Learning from all Junk folders (over all users) seems to be fine because only already detected spam or learned spam should be in this folder.
As a second suggestion I would learn all mails from the Sent folder, because I think no one on my system is sending spam mails.
Restart service and apply configurations
To apply all configurations you need to restart all services which are related to this how to:
And as the last step we need to apply the new postfix configuration. One way is to use the reconfigure script which is included in I-MSCP. But as this takes a long time, @Nuxwin wrote a script which does that for us:
Download and execute this script: https://gist.github.com/nuxwin…0383bf30d3e7c29bfd25ba784
After that please check /etc/postfix/main.cf. To see if it worked, check whether the parameter smtpd_milters contains inet:localhost:11332. If not, something went wrong. If it is there, everything worked as expected and your rspamd should be live now. You can see it by checking the web interface, which lists all incoming and outgoing mails.
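One way to script this check, added here as an example (it is not part of the original howto or of I-MSCP): it reads main.cf the way Postfix does, joining continuation lines and letting the last definition win, and then tests for the exact milter entry. The function name milter_configured is hypothetical; on a live system postconf -h smtpd_milters prints the same effective value.

```shell
#!/bin/sh
# Added example: confirm that main.cf really hands mail to the rspamd milter.
# Usage: milter_configured FILE MILTER
# Returns 0 if MILTER is listed in smtpd_milters, 1 if not, 2 if FILE is unreadable.
milter_configured() {
    value=$(awk '
        # comments and blank lines are ignored and do not end a logical line
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # leading whitespace continues the previous logical line
        /^[ \t]/ { if (cur) val = val " " $0; next }
        { cur = 0 }
        # a later definition replaces any earlier one
        /^smtpd_milters[ \t]*=/ {
            cur = 1; val = $0; sub(/^[^=]*=/, "", val)
        }
        END { print val }
    ' "$1") || return 2
    # Entries are separated by commas and/or whitespace; compare whole entries only.
    value=$(printf '%s' "$value" | tr ',\t' '  ')
    case " $value " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Example call: sh check_milter.sh /etc/postfix/main.cf inet:localhost:11332
if [ "$#" -eq 2 ]; then
    if milter_configured "$1" "$2"; then
        echo "milter present"
    else
        echo "milter missing"
    fi
fi
```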
Autolearn spam
There are possibilities using dovecot sieve rules to learn spam if mails are moved to the Junk folder and to learn ham if they are moved from the Junk folder to somewhere else. But I was unable to configure this, so it is not part of this how to. You can give it a try if you want using https://words.bombast.net/rspa…x-dovecot-debian-stretch/. (And please tell me if it is working for you on Ubuntu 16.04 because it would be great to use that!)