How to Install and Integrate Rspamd
Introduction
Before we begin talking about how to install and integrate Rspamd, let's briefly understand – What is Rspamd?
Rspamd is a powerful and efficient email filtering software that helps protect against spam, viruses, and other malicious content. It uses cutting-edge machine learning and statistical analysis to accurately identify and block unwanted emails, ensuring a clean inbox.
Rspamd is easy to integrate, making it a popular choice for email service providers and businesses seeking robust email security. With its user-friendly interface and regular updates, Rspamd is a reliable solution for keeping your inbox safe and clutter-free.
In this tutorial, we will go through the installation and configuration of the Rspamd spam filtering system and its integration into our mail server, creating DKIM and DMARC DNS records.
Advantages of Rspamd
- Effective Email Filtering: Rspamd efficiently blocks spam, viruses, and phishing threats, ensuring a secure email environment.
- Accurate Detection: Utilizes advanced machine learning and statistical analysis to precisely identify malicious content and unwanted emails.
- Easy Integration: Seamless integration into existing email systems, making it a favored choice for businesses and service providers.
- User-Friendly Interface: Rspamd offers a simple and intuitive interface, enabling hassle-free management and configuration.
- Regular Updates: Frequent updates ensure continuous improvement, keeping your email protection up-to-date and reliable.
Prerequisites to Install and Integrate Rspamd
Make sure you are signed in as a user with sudo rights before moving on with this tutorial.
Install Redis
Rspamd will utilize Redis as a storage and caching system to install it, just type:
sudo apt install redis-server
Install Unbound
Unbound is a robustly protected DNS resolver that uses validation, recursion, and caching.
The primary goal of implementing this service is to decrease the amount of time spent responding to DNS queries from the outside world. You may choose to skip this step if you'd like.
sudo apt update
sudo apt install unbound
For the majority of servers, the Unbound default settings should be enough.
Run the following instructions to designate unbound as your server's main DNS resolver:
sudo echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
/etc/resolv.conf
file if you are not using resolvconf.Install Rspamd
We will use Rspamd's official repository to install the most recent stable version.
Install the required software first:
sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget
Use the wget command below to add the repository GPG key to your apt sources keyring:
wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -
Enable the Rspamd repository by running:
echo "deb http://rspamd.com/apt-stable/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
Using the following commands, install Rspamd when the repository has been enabled, and update the package index:
sudo apt update
sudo apt install rspamd
Configure Rspamd
Instead of changing the default configuration files, we will add new files to the /etc/rspamd/local.d/
directory and replace the existing ones.
The worker that analyses email messages for spam by default listens on port 11333 on all interfaces. To set up the Rspamd normal worker
to exclusively listen on the localhost interface, create the file /etc/rspamd/local.d/worker-normal.inc
with the following line:
bind_socket = "127.0.0.1:11333";
The milter protocol is supported by the proxy worker
, which listens on port 11332. Milter mode must be enabled for Postfix and Rspamd to communicate, create file /etc/rspamd/local.d/worker-proxy.inc
bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}
The controller worker
server, which grants access to the Rspamd web interface, has to have a password set up next. Run the following command to create an encrypted password.
rspamadm pw --encrypt -p P4ssvv0rD
The output should look something like this:
Output
$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb
Remember to replace the default password (P4ssvv0rD)
with a more secure one.
From your terminal, copy the password, and then put it in the configuration file /etc/rspamd/local.d/worker-controller.inc
:
password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";
In order to access the Rspamd web interface, we'll later setup Nginx as a reverse proxy to the controller worker web server.
By adding the following lines to the /etc/rspamd/local.d/classifier-bayes.conf
file, Redis will be used as the backend for Rspamd statistics:
servers = "127.0.0.1";
backend = "redis";
Set the milter headers by opening the milter_headers.conf
file:
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
More details regarding the Milter headers are available here.
Finally, for modifications to take effect, restart Rspamd:
sudo systemctl restart rspamd
Configure Nginx
For the PostfixAdmin instance, we built a Nginx server block in the first part of this series.
Install nginx if not installed.
sudo apt install nginx
The following location directive should be added to the Nginx configuration file /etc/nginx/sites-enabled/default
:
...
location /rspamd {
proxy_pass http://127.0.0.1:11334/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
...
Reload the Nginx service for changes to take effect:
sudo systemctl reload nginx
You may access the Rspamd web interface by going to https://mail.vegastack.com/rspamd/
and enter the password you previously created with the rspamadm pw
command.
Configure Postfix
To utilize the Rspamd milter, Postfix has to be configured.
To update the Postfix main configuration file, use the following command:
sudo postconf -e "milter_protocol = 6"
sudo postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"
sudo postconf -e "milter_default_action = accept"
sudo postconf -e "smtpd_milters = inet:127.0.0.1:11332"
sudo postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
Restart the Postfix service for changes to take effect:
sudo systemctl restart postfix
Configure Dovecot
We'll install the sieve
filtering module and combining Dovecot with Rspamd.
Install the Dovecot filtering module first:
sudo apt install dovecot-sieve dovecot-managesieved
Open the following files once the packages have been installed:
...
protocol lmtp {
postmaster_address = postmaster@linuxize.com
mail_plugins = $mail_plugins sieve
}
...
...
protocol imap {
...
mail_plugins = $mail_plugins imap_quota imap_sieve
...
}
...
...
service managesieve-login {
inet_listener sieve {
port = 4190
}
...
}
...
service managesieve {
process_limit = 1024
}
...
plugin {
...
# sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve
sieve = file:/var/mail/vmail/sieve/%d/%n/scripts;active=/var/mail/vmail/sieve/%d/%n/active-script.sieve
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/var/mail/vmail/sieve/global/report-spam.sieve
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/var/mail/vmail/sieve/global/report-ham.sieve
sieve_pipe_bin_dir = /usr/bin
sieve_global_extensions = +vnd.dovecot.pipe
....
}
Save and close the files.
Create a directory for the sieve scripts:
mkdir -p /var/mail/vmail/sieve/global
To send emails classified as spam
to the Spam directory, create a global sieve filter:
require ["fileinto","mailbox"];
if anyof(
header :contains ["X-Spam-Flag"] "YES",
header :contains ["X-Spam"] "Yes",
header :contains ["Subject"] "*** SPAM ***"
)
{
fileinto :create "Spam";
stop;
}
When you transfer an email into or out of the Spam
directory, the following two sieve scripts will be activated:
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];
To make modifications effective, restart the Dovecot service:
sudo systemctl restart dovecot
Set the proper permissions and compile sieve scripts:
sievec /var/mail/vmail/sieve/global/spam-global.sieve
sievec /var/mail/vmail/sieve/global/report-spam.sieve
sievec /var/mail/vmail/sieve/global/report-ham.sieve
sudo chown -R vmail: /var/mail/vmail/sieve/
Create DKIM keys
DomainKeys Identified Mail (DKIM) is a protocol for verifying the origin of outgoing email messages by use of a cryptographic signature. Using this method, a recipient may confirm that an email sent from a certain domain indeed came from that domain's authorized sender. The major goal here is to avoid the spread of spoofed emails.
For simplicity, we'll use a single DKIM key that can be reused for any future domains we register. However, we may have separate DKIM keys for each of our domains, and even numerous keys for a single domain.
Generate a fresh DKIM key pair using the rspamadm
program and place the key there.
sudo mkdir /var/lib/rspamd/dkim/
rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key | sudo tee -a /var/lib/rspamd/dkim/mail.pub
In the aforementioned example, the mail
is being used as a DKIM selector.
Mail.key
, our private key file, and, mail.pub
a file containing the DKIM public key, should now be present in the /var/lib/rspamd/dkim/
directory. Later, we will update the DNS zone records.
The proper ownership and permissions should be set:
sudo chown -R _rspamd: /var/lib/rspamd/dkim
sudo chmod 440 /var/lib/rspamd/dkim/*
The final line will allow DKIM signing for alias sender addresses, and the next two lines will inform Rspamd where to seek for the DKIM key. Create a new file with the following information in it to do that:
selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;
Authenticated Received Chain (ARC) signatures may be signed using Rspamd. More details on the ARC standard are available here.
Rspamd handles ARC signatures using the DKIM module, therefore we can just replicate the previous configuration:
sudo cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
Restart the Rspamd service for changes to take effect:
sudo systemctl restart rspamd
DNS Settings
The DNS zone has to be updated now that a DKIM key pair has previously been generated. The mail.pub
file contains the DKIM public key. The file's content should seem as follows:
cat /var/lib/rspamd/dkim/mail.pub
Output
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4yl"
"nVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"
) ;
You just need to copy and paste the record into your domain zone file if you are managing your Bind DNS server. If you're using the DNS web interface, you must create a new TXT record with the name mail._domainkey
and the value/content is the concatenation of the three lines with no quotes. In our situation, the TXT record's value and content should resemble the following:
Output
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB
Additionally, a Domain-based Message Authentication (DMARC)
system will be developed. This system is intended to inform the receiving server whether or not to accept an email from a certain sender. In essence, it will strengthen your domain's reputation and safeguard it against direct domain spoofing.
Your domain should already have an SFP
record. The sender domain must have both an SPF record and a DKIM record published to put up a DMARC record. When validations are unsuccessful, the receiver should handle your domain's emails according to the DMARC policy, which is published as a TXT record.
The DMARC policy listed below will be put into effect in this article:
_dmarc IN TXT "v=DMARC1; p=none; adkim=r; aspf=r;"
Let’s break down the above DMARC record:
v=DMARC1
- This is the DMARC identifierp=none
- This instructs the recipient on how to handle messages that fail the DMARC check. In our situation, it is set to none, meaning that if a message fails DMARC, no action should be taken. You may also usequarantine
or refuse.adkim=r
andaspf=r
-DKIM
andSPF
alignment,r
for relaxed ands
for Strict, in our case, we are using Relaxed Alignment for both DKIM and SPF.
The record has to be copied and pasted into your domain zone file if you are using your own Bind DNS server, and a TXT record with the names _dmarc
and the values/content v=DMARC1
; p=none
; adkim=r
; aspf=r
needs to be created if you are using another DNS
provider.
The DNS updates can take some time to spread. With the help of the dig command, you may determine if the records have spread:
dig mail._domainkey.linuxize.com TXT +short
Output
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGa" "VuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFdepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"
dig _dmarc.linuxize.com TXT +short
Output
"v=DMARC1; p=none; adkim=r; aspf=r;"
Here, you may also build your own DMARC policy or check the existing one for your domain.
FAQs to Install and Integrate Rspamd
How does Rspamd work to filter out spam and malicious content?
Rspamd uses cutting-edge machine learning and statistical analysis to accurately detect and block unwanted emails, keeping your inbox protected from potential threats.
Is Rspamd compatible with different email systems and platforms?
Yes, Rspamd is designed to be easily integrated into various email systems, making it a versatile solution for businesses and service providers.
Can I customize the filtering rules and settings in Rspamd?
Absolutely! Rspamd offers extensive customization options, allowing you to tailor the filtering rules and settings according to your specific requirements.
Does integrating Rspamd slow down email processing?
No, Rspamd is known for its efficiency and minimal impact on email processing speed, ensuring smooth and uninterrupted email delivery.
Does Rspamd require frequent updates to stay effective?
Yes, Rspamd regularly releases updates to enhance its detection capabilities and address emerging email threats, ensuring ongoing protection.
Is Rspamd suitable for both small businesses and large enterprises?
Absolutely! Rspamd is scalable and caters to businesses of all sizes, offering reliable email security for organizations with varying needs.
Does Rspamd provide real-time monitoring and reporting features?
Yes, Rspamd includes real-time monitoring and detailed reporting, enabling you to track the performance of the email filtering system and stay informed about potential threats.
Conclusion
We have gone through the installation and configuration of the Rspamd spam filtering system and its integration into our mail server, creating DKIM and DMARC DNS records.
If you have any queries, please leave a comment below and we’ll be happy to respond to them.