Install and Integrate Rspamd

Introduction

Before we begin talking about how to install and integrate Rspamd, let's briefly understand – What is Rspamd?

Rspamd is a powerful and efficient email filtering software that helps protect against spam, viruses, and other malicious content. It uses cutting-edge machine learning and statistical analysis to accurately identify and block unwanted emails, ensuring a clean inbox.

Rspamd is easy to integrate, making it a popular choice for email service providers and businesses seeking robust email security. With its user-friendly interface and regular updates, Rspamd is a reliable solution for keeping your inbox safe and clutter-free.

In this tutorial, we will go through the installation and configuration of the Rspamd spam filtering system and its integration into our mail server, creating DKIM and DMARC DNS records.

Advantages of Rspamd

Effective Email Filtering: Rspamd efficiently blocks spam, viruses, and phishing threats, ensuring a secure email environment.
Accurate Detection: Utilizes advanced machine learning and statistical analysis to precisely identify malicious content and unwanted emails.
Easy Integration: Seamless integration into existing email systems, making it a favored choice for businesses and service providers.
User-Friendly Interface: Rspamd offers a simple and intuitive interface, enabling hassle-free management and configuration.
Regular Updates: Frequent updates ensure continuous improvement, keeping your email protection up-to-date and reliable.

Prerequisites to Install and Integrate Rspamd

Make sure you are signed in as a user with sudo rights before moving on with this tutorial.

Install Redis

Rspamd will utilize Redis as a storage and caching system to install it, just type:

sudo apt install redis-server

Install Unbound

Unbound is a robustly protected DNS resolver that uses validation, recursion, and caching.

The primary goal of implementing this service is to decrease the amount of time spent responding to DNS queries from the outside world. You may choose to skip this step if you'd like.

sudo apt update
sudo apt install unbound

For the majority of servers, the Unbound default settings should be enough.

Run the following instructions to designate unbound as your server's main DNS resolver:

sudo echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u

⚠️

You must manually edit the /etc/resolv.conf file if you are not using resolvconf.

Install Rspamd

We will use Rspamd's official repository to install the most recent stable version.

Install the required software first:

sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget

Use the wget command below to add the repository GPG key to your apt sources keyring:

wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -

Enable the Rspamd repository by running:

echo "deb http://rspamd.com/apt-stable/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list

Using the following commands, install Rspamd when the repository has been enabled, and update the package index:

sudo apt update
sudo apt install rspamd

Configure Rspamd

Instead of changing the default configuration files, we will add new files to the /etc/rspamd/local.d/ directory and replace the existing ones.

The worker that analyses email messages for spam by default listens on port 11333 on all interfaces. To set up the Rspamd normal worker to exclusively listen on the localhost interface, create the file /etc/rspamd/local.d/worker-normal.inc with the following line:

bind_socket = "127.0.0.1:11333";

The milter protocol is supported by the proxy worker, which listens on port 11332. Milter mode must be enabled for Postfix and Rspamd to communicate, create file /etc/rspamd/local.d/worker-proxy.inc

bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;
}

The controller worker server, which grants access to the Rspamd web interface, has to have a password set up next. Run the following command to create an encrypted password.

rspamadm pw --encrypt -p P4ssvv0rD

The output should look something like this:

Output

$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb

Remember to replace the default password (P4ssvv0rD) with a more secure one.

From your terminal, copy the password, and then put it in the configuration file /etc/rspamd/local.d/worker-controller.inc :

password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";

In order to access the Rspamd web interface, we'll later setup Nginx as a reverse proxy to the controller worker web server.

By adding the following lines to the /etc/rspamd/local.d/classifier-bayes.conf file, Redis will be used as the backend for Rspamd statistics:

servers = "127.0.0.1";
backend = "redis";

Set the milter headers by opening the milter_headers.conf file:

use = ["x-spamd-bar", "x-spam-level", "authentication-results"];

More details regarding the Milter headers are available here.

Finally, for modifications to take effect, restart Rspamd:

sudo systemctl restart rspamd

Configure Nginx

For the PostfixAdmin instance, we built a Nginx server block in the first part of this series.

Install nginx if not installed.

sudo apt install nginx

The following location directive should be added to the Nginx configuration file /etc/nginx/sites-enabled/default:

...
location /rspamd {
    proxy_pass http://127.0.0.1:11334/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
...

Reload the Nginx service for changes to take effect:

sudo systemctl reload nginx

You may access the Rspamd web interface by going to https://mail.vegastack.com/rspamd/ and enter the password you previously created with the rspamadm pw command.

Configure Postfix

To utilize the Rspamd milter, Postfix has to be configured.

To update the Postfix main configuration file, use the following command:

sudo postconf -e "milter_protocol = 6"
sudo postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"
sudo postconf -e "milter_default_action = accept"
sudo postconf -e "smtpd_milters = inet:127.0.0.1:11332"
sudo postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"

Restart the Postfix service for changes to take effect:

sudo systemctl restart postfix

Configure Dovecot

We'll install the sieve filtering module and combining Dovecot with Rspamd.

Install the Dovecot filtering module first:

sudo apt install dovecot-sieve dovecot-managesieved

Open the following files once the packages have been installed:

...
protocol lmtp {
  postmaster_address = [email protected]
  mail_plugins = $mail_plugins sieve
}
...

...
protocol imap {
  ...
  mail_plugins = $mail_plugins imap_quota imap_sieve
  ...
}
...

...
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  ...
}
...
service managesieve {
  process_limit = 1024
}
...

plugin {
    ...
    # sieve = file:~/sieve;active=~/.dovecot.sieve
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve
    sieve = file:/var/mail/vmail/sieve/%d/%n/scripts;active=/var/mail/vmail/sieve/%d/%n/active-script.sieve

    imapsieve_mailbox1_name = Spam
    imapsieve_mailbox1_causes = COPY
    imapsieve_mailbox1_before = file:/var/mail/vmail/sieve/global/report-spam.sieve

    imapsieve_mailbox2_name = *
    imapsieve_mailbox2_from = Spam
    imapsieve_mailbox2_causes = COPY
    imapsieve_mailbox2_before = file:/var/mail/vmail/sieve/global/report-ham.sieve

    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe
    ....
}

Save and close the files.

Create a directory for the sieve scripts:

mkdir -p /var/mail/vmail/sieve/global

To send emails classified as spam to the Spam directory, create a global sieve filter:

require ["fileinto","mailbox"];

if anyof(
    header :contains ["X-Spam-Flag"] "YES",
    header :contains ["X-Spam"] "Yes",
    header :contains ["Subject"] "*** SPAM ***"
    )
{
    fileinto :create "Spam";
    stop;
}

When you transfer an email into or out of the Spam directory, the following two sieve scripts will be activated:

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];

To make modifications effective, restart the Dovecot service:

sudo systemctl restart dovecot

Set the proper permissions and compile sieve scripts:

sievec /var/mail/vmail/sieve/global/spam-global.sieve
sievec /var/mail/vmail/sieve/global/report-spam.sieve
sievec /var/mail/vmail/sieve/global/report-ham.sieve
sudo chown -R vmail: /var/mail/vmail/sieve/

Create DKIM keys

DomainKeys Identified Mail (DKIM) is a protocol for verifying the origin of outgoing email messages by use of a cryptographic signature. Using this method, a recipient may confirm that an email sent from a certain domain indeed came from that domain's authorized sender. The major goal here is to avoid the spread of spoofed emails.

For simplicity, we'll use a single DKIM key that can be reused for any future domains we register. However, we may have separate DKIM keys for each of our domains, and even numerous keys for a single domain.

Generate a fresh DKIM key pair using the rspamadm program and place the key there.

sudo mkdir /var/lib/rspamd/dkim/
rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key | sudo tee -a  /var/lib/rspamd/dkim/mail.pub

In the aforementioned example, the mail is being used as a DKIM selector.

Mail.key, our private key file, and, mail.pub a file containing the DKIM public key, should now be present in the /var/lib/rspamd/dkim/ directory. Later, we will update the DNS zone records.

The proper ownership and permissions should be set:

sudo chown -R _rspamd: /var/lib/rspamd/dkim
sudo chmod 440 /var/lib/rspamd/dkim/*

The final line will allow DKIM signing for alias sender addresses, and the next two lines will inform Rspamd where to seek for the DKIM key. Create a new file with the following information in it to do that:

selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;

Authenticated Received Chain (ARC) signatures may be signed using Rspamd. More details on the ARC standard are available here.

Rspamd handles ARC signatures using the DKIM module, therefore we can just replicate the previous configuration:

sudo cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

Restart the Rspamd service for changes to take effect:

sudo systemctl restart rspamd

DNS Settings

The DNS zone has to be updated now that a DKIM key pair has previously been generated. The mail.pub file contains the DKIM public key. The file's content should seem as follows:

cat /var/lib/rspamd/dkim/mail.pub

Output

mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4yl"
	"nVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"
) ;

You just need to copy and paste the record into your domain zone file if you are managing your Bind DNS server. If you're using the DNS web interface, you must create a new TXT record with the name mail._domainkey and the value/content is the concatenation of the three lines with no quotes. In our situation, the TXT record's value and content should resemble the following:

Output

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB

Additionally, a Domain-based Message Authentication (DMARC) system will be developed. This system is intended to inform the receiving server whether or not to accept an email from a certain sender. In essence, it will strengthen your domain's reputation and safeguard it against direct domain spoofing.

Your domain should already have an SFP record. The sender domain must have both an SPF record and a DKIM record published to put up a DMARC record. When validations are unsuccessful, the receiver should handle your domain's emails according to the DMARC policy, which is published as a TXT record.

The DMARC policy listed below will be put into effect in this article:

_dmarc  IN  TXT  "v=DMARC1; p=none; adkim=r; aspf=r;"

Let’s break down the above DMARC record:

v=DMARC1 - This is the DMARC identifier
p=none - This instructs the recipient on how to handle messages that fail the DMARC check. In our situation, it is set to none, meaning that if a message fails DMARC, no action should be taken. You may also use quarantine or refuse.
adkim=r and aspf=r - DKIM and SPF alignment, r for relaxed and s for Strict, in our case, we are using Relaxed Alignment for both DKIM and SPF.

The record has to be copied and pasted into your domain zone file if you are using your own Bind DNS server, and a TXT record with the names _dmarc and the values/content v=DMARC1; p=none; adkim=r; aspf=r needs to be created if you are using another DNS provider.

The DNS updates can take some time to spread. With the help of the dig command, you may determine if the records have spread:

dig mail._domainkey.linuxize.com TXT +short

Output

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGa" "VuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFdepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"

dig _dmarc.linuxize.com TXT +short

Output

"v=DMARC1; p=none; adkim=r; aspf=r;"

Here, you may also build your own DMARC policy or check the existing one for your domain.

FAQs to Install and Integrate Rspamd

How does Rspamd work to filter out spam and malicious content?

Rspamd uses cutting-edge machine learning and statistical analysis to accurately detect and block unwanted emails, keeping your inbox protected from potential threats.

Is Rspamd compatible with different email systems and platforms?

Yes, Rspamd is designed to be easily integrated into various email systems, making it a versatile solution for businesses and service providers.

Can I customize the filtering rules and settings in Rspamd?

Absolutely! Rspamd offers extensive customization options, allowing you to tailor the filtering rules and settings according to your specific requirements.

Does integrating Rspamd slow down email processing?

No, Rspamd is known for its efficiency and minimal impact on email processing speed, ensuring smooth and uninterrupted email delivery.

Does Rspamd require frequent updates to stay effective?

Yes, Rspamd regularly releases updates to enhance its detection capabilities and address emerging email threats, ensuring ongoing protection.

Is Rspamd suitable for both small businesses and large enterprises?

Absolutely! Rspamd is scalable and caters to businesses of all sizes, offering reliable email security for organizations with varying needs.

Does Rspamd provide real-time monitoring and reporting features?

Yes, Rspamd includes real-time monitoring and detailed reporting, enabling you to track the performance of the email filtering system and stay informed about potential threats.

Conclusion

We have gone through the installation and configuration of the Rspamd spam filtering system and its integration into our mail server, creating DKIM and DMARC DNS records.

If you have any queries, please leave a comment below and we’ll be happy to respond to them.