Rspamd RBLs and Postfix smtpd_*_restrictions

Discussion in 'General' started by TonyG, Jan 8, 2021.

  1. TonyG

    TonyG Active Member

    In the ISPConfig UI we can update a list of MTA-level RBLs. Rspamd has it's own list of default and available RBL rules. I'm hoping someone who is familiar with this area can clarify if there is some redundancy in these settings.

    Why does the ISPConfig UI still show RBL list when the Content Filter = Rspamd?

    The ISPConfig UI RBLs seems to only be applied to smtpd_client_restrictions. Is there are reason there are no RBL settings for smtpd_sender_restrictions or others?

    Is there anything else that we can/should we leave to Rspamd with changes in main.cf or master.cf?

    Thanks
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    When postfix rejects incoming mail before accepting it, it saves resources. The mail is not given to filtering in RSPAMD or other mail filter. rspamd uses quite a lot of resources. Same with virus detection when e-mail is scanned and fingerprints are loaded.
    So there is reason for MTA level RBL. It may not be relevant reason for some, but on a very busy e-mail server it makes a difference.
    Current situaion is a bit complicated and confusing. I think this is due to rspamd support being new in ISPConfig. This RBL stuff may get streamlined in future versions of ISPConfig.
     
  3. TonyG

    TonyG Active Member

    REALLY great points. Thanks @Taleman. Yes, we want to keep as much as possible outside the door, but once it's in the door, then we can allow Rspamd to do its part. With that I will look to adding to the list of Postfix Client restrictions, and remove those specific restrictions from Rspamd, being careful to remove only true redundancies for that specific step in the process.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Now I remember another point: the receiving e-mail server can accept or reject the arriving message, but when it accepts then it is supposed to deliver the message. So message should not be rejected once it has been accepted. Refusing to accept the message on the other hand is perfectly OK, sender can find out message was not delivered and can act accordingly. If rspamd or amavis rejects message, sender knows nothing about this and remains waiting for answer to e-mail.
     
    Last edited: Jan 22, 2021 at 8:29 PM
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    There is no need for both, it's the same client ip address, so they will be rejected or not whether you specify it in client_restrictions, helo_restrictions, sender_restrictions, or recipient_restrictions. The default config doesn't reject until Rcpt stage even for any of those (in order to have rcpt info in logs), so it wouldn't behave any differently at any of those points.

    rspamd is a milter and rejects in smtp, while the sender is still connected; amavis discarding a message would indeed create that situation.

    You can make use of rbl lists in both postfix and rspamd/amavis, eg. I use weighted rbls in postscreen, so that many of the lower quality rbls can still be used (just not as a single block/allow decision); if the client ip is on some lists but not high enough to block, rspamd/amavis can use those same rbl entries to add to the spam score and perform better scan results. And there's almost no overhead in doing so, the DNS lookups are already done and sitting in your DNS cache (at least if all rbls rspamd/amavis check are also checked in postfix).
     
    Taleman likes this.

Share This Page