Setting up rspamd

Published on December 29, 2020

Installation

Install redis and rspamd:

apk add redis rspamd rspamd-client rspamd-controller rspamd-fuzzy rspamd-proxy

Configuration

Run the rspamd configuration wizard:

rspamadm configwizard

Set the WebUI controller password, set up Redis with the defaults and set up the DKIM signing feature.

For DKIM, select option 1, then press Enter until it asks for a domain to sign. Specify a domain, use the default selector and create a private key. Repeat this for each domain you want to add.

Start the services:

/etc/init.d/redis start
/etc/init.d/rspamd start
rc-update add redis
rc-update add rspamd

Check if the rspamd services are listening:

netstat -anp | grep rspamd

Add the milter to /etc/postfix/main.cf:

milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = $smtpd_milters

Add -o smtpd_milters= to /etc/postfix/master.cf to prevent mail from being routed twice to rspamd:

# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o smtpd_milters=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Reload the Postfix configuration to enable the milters:

/etc/init.d/postfix reload

Configure the DNS records:

@ TXT v=spf1 a mx mx:example.com -all
_adsp._domainkey TXT dkim=all
_dmarc TXT v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@example.com; aspf=s; adkim=s;

Also add the DKIM records that can be found in /var/lib/rspamd/dkim/example.com.dkim.key.pub:

dkim._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLaiAmj5xUQ6s4AlEhwHwnW3JqNc0LZH2SEMZ9y7qIk+C7EvplDYkLf8tG6iVFSb1+ouPCESgRza6/sM4BZYdIYB5SUkM5bn+CqpTtBEWUPvaGawzqer+on1/+Y9pXFKgV3O8WaG223w+THrvfCj9g0FsRKff6lfWekQr2+8G70wIDAQAB

Dovecot Sieve

Now that rspamd is running, we will use Dovecot's Sieve functionality to automatically move any mail marked as spam by rspamd to the spam folder. In addition, we will add two Sieve scripts that run whenever mail is moved into or out of the spam folder and use that mail to train rspamd.

Enable the imap_sieve plugin for the imap protocol in /etc/dovecot/conf.d/20-imap.conf:

protocol imap {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins imap_sieve

  ...
}

Add or edit the following options in /etc/dovecot/conf.d/90-sieve.conf:

  sieve_before = /var/mail/sieve/global/spam-global.sieve
  sieve_pipe_bin_dir = /usr/bin
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_plugins = sieve_imapsieve sieve_extprograms

Reload the Dovecot configuration to enable the Sieve extensions:

/etc/init.d/dovecot reload

Create the directory for the sieve scripts:

mkdir -p /var/mail/sieve/global

Edit /var/mail/sieve/global/spam-global.sieve:

require ["fileinto", "mailbox"];

if anyof(
	header :contains ["X-Spam-Flag"] "YES",
	header :contains ["X-Spam"] "Yes",
	header :contains ["Subject"] "*** SPAM ***"
) {
	fileinto :create "Spam";
	stop;
}

Edit /var/mail/sieve/global/learn-spam.sieve:

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];

Edit /var/mail/sieve/global/learn-ham.sieve:

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];

Compile the scripts:

sievec /var/mail/sieve/global/spam-global.sieve
sievec /var/mail/sieve/global/learn-spam.sieve
sievec /var/mail/sieve/global/learn-ham.sieve

Correct the permissions:

chown -hR vmail: /var/mail/sieve

Add the following to /etc/dovecot/conf.d/90-sieve.conf:

  # Learn about spam when mail is moved from any mailbox into spam.
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/var/mail/sieve/global/learn-spam.sieve

  # Learn about ham when mail is moved from spam into any mailbox.
  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/var/mail/sieve/global/learn-ham.sieve

Reload the Dovecot configuration to enable the sieve filters:

/etc/init.d/dovecot reload

Web Interface

Add the following to /etc/nginx/sites-available/02_localhost:

	location /rspamd {
		alias /usr/share/rspamd/www;
		try_files $uri @rspamd;
	}

	location @rspamd {
		rewrite /rspamd/(.*) /$1 break;
		proxy_pass http://127.0.0.1:11334;
		proxy_set_header Host $http_host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}

Forward the port using SSH:

ssh -L 8000:localhost:8000 example.com

Point your browser to http://localhost:8000/rspamd/.

Testing

To test your rspamd installation, you can send an e-mail from another domain to yourself and check the e-mail headers. They should contain an Authentication-Results field if SPF, DKIM and DMARC are operational.

Authentication-Results: example.com;
    dkim=pass header.d=gmail.com header.s=smtpapi header.b=XXXXXXXX;
    dmarc=none;
    spf=pass

Furthermore, if the spam filter is working, then the header should also contain an X-Spam-Score field.
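The header check described above, as an added example that is not part of the original post: a POSIX shell function that unfolds the headers of a saved message and reports the SPF, DKIM and DMARC results, reading them only from the Authentication-Results header stamped by your own server, so that a copy of the header supplied by the sender or text in the message body is not counted. The authserv-id example.com, the function names and the sample message are assumptions made for the example.

```shell
# auth_results ID [FILE]: print spf/dkim/dmarc "method=result" pairs, taken only
# from Authentication-Results headers stamped by authserv-id ID (stdin if no FILE).
auth_results() {
    id=$1; shift
    awk -v id="$id" '
        function flush(   n, p, i, t) {
            if (tolower(hdr) ~ /^authentication-results:/) {
                sub(/^[^:]*:[ \t]*/, "", hdr)
                n = split(hdr, p, ";")          # p[1] is the authserv-id
                gsub(/[ \t]+$/, "", p[1])
                if (tolower(p[1]) == tolower(id))
                    for (i = 2; i <= n; i++) {
                        t = tolower(p[i]); sub(/^[ \t]+/, "", t)
                        if (match(t, /^(spf|dkim|dmarc)=[a-z]+/)) print substr(t, 1, RLENGTH)
                    }
            }
            hdr = ""
        }
                 { sub(/\r$/, "") }              # tolerate CRLF line endings
        /^$/     { flush(); exit }               # blank line: headers are over
        /^[ \t]/ { hdr = hdr " " $0; next }      # unfold a continuation line
                 { flush(); hdr = $0 }           # a new header field starts
        END      { flush() }
    ' "$@"
}

# check_auth ID [FILE]: succeed only if that header has spf=pass and dkim=pass.
check_auth() {
    results=$(auth_results "$@")
    [ -n "$results" ] || { echo "no Authentication-Results from $1" >&2; return 2; }
    for m in spf dkim; do
        printf '%s\n' "$results" | grep -qx "$m=pass" ||
            { echo "$m did not pass" >&2; return 1; }
    done
}

# Constructed sample: header 2 is the one from the post; header 1 and the body line must be ignored.
sample_message() {
    cat <<'EOF'
Authentication-Results: other.invalid; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: example.com;
    dkim=pass header.d=gmail.com header.s=smtpapi header.b=XXXXXXXX;
    dmarc=none;
    spf=pass

Authentication-Results: example.com; spf=fail
EOF
}
sample_message | auth_results example.com
```

Save a received message to a file and run check_auth example.com message.eml; a non-zero exit status means the header is missing or SPF or DKIM did not pass.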

Conversely, when you send an e-mail, rspamd should now sign it with the DKIM private key belonging to your domain name. You can use https://dkimvalidator.com to fully verify your SPF, DKIM and DMARC setup when sending e-mails.

