Replacing Amavisd with Rspamd in ISPConfig 3.1 on Debian and Ubuntu

This tutorial describes the steps to replace amavis (amavisd-new) spam scanning software with Rspamd on an ISPConfig 3.1 server. The tutorial is written for Debian and Ubuntu Linux.


  • Root access.
  • ISPConfig 3.1 must be installed. The ISPConfig version will be 3.1.15 or newer after this procedure.
  • The server uses Debian 9 - 10 or Ubuntu 18.04 on an x86_64 processor (64Bit Linux). Older Debian and Ubuntu versions might work too, but I did not test them.

All commands below are run as root user. Login as root user or use 'su -' on Debian or 'sudo -s' on Ubuntu to become root user before you continue with this guide.

Note: This procedure will reconfigure all mailboxes and aliases to write the Rspamd config for each account (similar to an ISPConfig Tools > resync run), this may take quite some time and resources on large mail servers.

Install Redis

The Rspamd setup for ISPConfig requires Redis, so we will install it first.

apt-get install redis-server lsb-release

Install Unbound if BIND is not installed

If your server has no local DNS server installed, then a local DNS resolver like unbound should be installed.

First, check if BIND is installed by using this command:

which named

if the command returns the path to the named binary:

[email protected]:/tmp# which named

then BIND is installed and you must skip this step. In case no path to named is returned, then install unbound:

apt-get install unbound

Install and Configure Rspamd

The first step to install Rspamd is to add the Rspamd Debian/Ubuntu package repository.

CODENAME=`lsb_release -c -s` 
wget -O- | apt-key add -
echo "deb [arch=amd64] $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64] $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list

Update the Package list:

apt-get update

And Install Rspamd with apt:

apt-get install rspamd

Activate Redis in Rspamd configuration.

echo 'servers = "";' > /etc/rspamd/local.d/redis.conf

Increase the Rspamd history, enable compression and show the subject in the history. This step is optional.

echo "nrows = 2500;" > /etc/rspamd/local.d/history_redis.conf 
echo "compress = true;" >> /etc/rspamd/local.d/history_redis.conf
echo "subject_privacy = false;" >> /etc/rspamd/local.d/history_redis.conf

Then restart Rspamd.

systemctl restart rspamd

Update ISPConfig

ISPConfig needs to be updated to enable the Rspamd configuration. When the ISPConfig updater asks you if it shall reconfigure services, choose 'yes'.

cd /tmp
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php

You will see the line "Configuring Rspamd" in the output of the update script when Rspamd is detected and configured.

Enable Rspamd in ISPConfig

The final step requires that you log into ISPConfig as 'admin' user.

Log into ISPConfig

In ISPConfig navigate to System > Server Config > Mail.

There you change the value of the field Content Filter from Amavisd to Rspamd and press the save button at the bottom of the page. ISPConfig will start to reconfigure all mailboxes for Rspamd now.

When you go back to System > Server Config > Mail, then you can see some new fields where you can read and set the Rspamd password.

Rspamd password

Make Rspamd Dashboard accessible from outside

The Rspamd dashboard is on port 11334 on localhost, so it can not be accessed from outside. In this chapter, we will create a website in ISPConfig and add a proxy configuration. The configuration differs between Apache and Nginx web server, use the chapter which matches your installed web server software.


Enable the Proxy Module and restart apache.

a2enmod proxy
systemctl restart apache2

Then log into ISPconfig and create a website which will get used to access the Rspamd GUI. You are free to choose the domain name, I will use here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website for Rspamd GUI

Go to the Options tab of the website and enter the following configuration into the Apache Directives field. For Apache 2.2, use:

 <Location /rspamd>
Order allow,deny
Allow from all
RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*)$1 [P]

For Apache 2.4, use this instead:

<Location /rspamd>
Require all granted
RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*)$1 [P]

Now you can access the Rspamd GUI with a web browser You will get asked for a password, use the password that you generated during Rspamd installation.


Log into ISPconfig and create a website which will get used for accessing the Rspamd GUI. You are free to choose the domain name, I will use here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website on Nginx web server

Go to the Options tab of the website and enter the following configuration into the Nginx Directives field.

location / {
root /usr/share/rspamd/www/;
try_files $uri @proxy;

location @proxy {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;

Now you can access the Rspamd GUI with a web browser You will get asked for a password, use the password that you have set for Rspamd in ISPConfig.

Rspamd GUI

Now you can access the Rspamd GUI with a browser and get detailed statistics about the spam filter rate and throughput.

ISPConfig has been reconfigured to use Rspamd instead of Amavis to scan for spam emails. Rspamd is also used for Dkim Signing.

Disable Amavis

Finally, we stop and disable amavisd service:

systemctl stop amavisd-new
systemctl disable amavisd-new


Rspamd is a modern high-performance spam scan software for Linux servers which delivers very accurate filter results. ISPConfig supports Rspamd as spam scan unit since version 3.1.15. This tutorial shows how to replace with Rspamd on an ISPConfig 3.1 server.

Share this page:

Suggested articles

74 Comment(s)

Add comment


By: felan

Hmm. How would I go about getting the webinterface up on a multiserver setup, that does not have web enabled on the mail server?

By: till

Put the Rspamd website on the master or on another web server node of your setup and use the IP of the mail server in the proxy snippet that goes into the apache or nginx directives field instead of On the mail server, edit the rspamd config like this:

nano /etc/rspamd/local.d/

# change or add line:
bind_socket = "<external IP of the mail server>:11334";
secure_ip = "<outgoing ip of master server>";

and replace the two IP placeholders with the correct IP addresses. Finally, restart Rspamd to apply the changes.

By: felan

Excellent works perfectly!

By: Mccyberix

Hello, I have a 3 node multiserver runing and have successfully switched to rspamd, but my problem is that I'm not able to ad more servers to the GUI. When I add the above lines I get a Serever Error: 503. I have also tried to add the neighbors list to the as described here but then it says: "cannot get server status, request failed". My cluster is on a public network not private! So does anyone have a clue how the implementation of other nodes to the rspamd-gui should be done?Thanks in advance!Mccyberix

By: 30uke

This looks great! I will try this as soon as possible (probably this weekend or somehwere next week). Thanks for the tutorial. Very much appreciated :-)

By: 3|K

Thanks alot for this!

By: Chriz!

worked like a charm! Thanks!

By: Björn Hahnefeld

Can this snippet also taken with existing domain:



<Location /rspamd>

Order allow,deny

Allow from all


RewriteEngine On

RewriteRule ^/rspamd$ /rspamd/ [R,L]

RewriteRule ^/rspamd/(.*)$1 [P]



For example ?


By: till

> Can this snippet also taken with existing domain




> For example


That's not a website of an existing domain, it's the ispconfig vhost on port  8080. You can modify the ispconfig vhost by using this snippet, but this requires some more work and you have to create a custom config template etc.

By: Björn

This host I added in ISPConfig. So it is existing as web.

By: Steini86

For Apache2.4 you should use 

<Location /rspamd>

Require all granted



I use it for my where the roundcube is located. Running nice. Thanks!

I put directive in website->options in ispconfig. But I get this:


Not Found

The requested URL was not found on this server.


By: Alexandros

Hi, i have the same issue (404 error) in one of my server with exact same setup while others are working ok...

If you find a solution please tell us ;)

By: IceManXS


when I use your nginx config to make Rspamd accessible from outside I get the dashbord just as text, no grafix and no password prompt. It is unuseable.

If I enter the following configuration, copied from the Rspamd-Site, into the Nginx Directives field it works perfectly. And you can use just instead of

location / { root /usr/share/rspamd/www/; try_files $uri @proxy; } location @proxy { proxy_pass; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; }


By: Neptun

Debian 10 & nginx - perfect working

Just one question - why amavisd-new pkgs will not be removed ? is it still anywhere needed ?

thanks for the great job

By: till

You can remove them if you want. I just wanted to keep the ability to switch it back on easily and it does not use that much hard disk space, so it should not really matter if you remove it or not.

By: reset

How long the conversion process? I see the spinning bars for more than half hour. The system have 800-900 mailboxes.

By: till

Depends on the speed of your server, so thats fully system dependent. You can see in ISPConfig how many tasks are left, stop the time, count how many items got processed, then you know when it's finished.

By: Jay

Thanks for the tut.

One Question: After following this tutorial, I noticed, that in "ISPConfig -> System -> Server Configuration -> Mail" the DKIM-Path is still "/var/lib/amavis/dkim". Shouldn't this be changed?


By: till

No, the path should remain as it is.

By: egaldoch

I left the path as it is, but for DKIM signing to work I had to change the user and group of the directory and restart rspamd

"chown -R _rspamd:_rspamd /var/lib/amavis/dkim && service rspamd restart"

By: André

Don't do this. Simply ensure that the user "_rspamd" is part of the group "amavis". This is the default and allows access to the required files.

By: Alexandros

Hello, and for Centos / Rhel systems some info since i sucesfully made the alterations :)



yum install redis

systemctl start redis

systemctl enable redis


#test redis – correct feedback is PONG

redis-cli ping


#install rspamd


curl > /etc/yum.repos.d/rspamd.repo

rpm --import

yum update

yum install rspamd


#monit setup


check process rspamd

    matching 'rspamd: main process'

    start program = "/bin/systemctl start rspamd.service"

    stop program = "/bin/systemctl stop rspamd.service"


   if cpu is greater than 40% for 2 cycles then alert

   if cpu > 60% for 5 cycles then alert

   if memory > 80% for 4 cycles then alert

   if totalmem > 512 MB for 5 cycles then alert



Usefull links:


By: Steini86

Might be the wrong place to ask:

rspamd now rejects mails which I get from an outside account via fetchmail. This does not work, I get an undelivered message error, to [email protected] How can I set rspamd, such that mails coming from fetchmail are only marked, not rejected (outside mails via delivery should be rejected if spam)

By: Frost

how can you enable ssl for its web interface?

By: till

Enable ssl for the website where you added the config snippet.

By: Frost

I did that but it redirects me to non-secure url due to the rewrite rule

RewriteRule ^/rspamd/(.*) http://mailserver:11334/$1 [P]

By: till

That's a proxy, not a redirect, so the browser connection stays on the secured SSL link. If you want to enable SSL on the connection between web- and mail server too, then you might have to install a minimal nginx server on the mail system and enable SSL for it and let it connect to Rspamd on localhost.

By: nicolas

got this error "redis_cache_cb received error: Connexion refused", any idea ? it works anyway

By: newan

Same problem here

By: till

Most likely Redis is not started on your system when you get this message. Start it with 'systemctl start redis' or you had Redis installed before and configured it to reject connections. if you need further help, please post in the forum.

By: Milkki

The problem appears to be that localhost sometimes resolves to ipv6 address and Redis is listening to ipv4 out-of-the-box. 

Change /etc/rspamd/local.d/redis.conf to:

read_servers = "";write_servers = "";


By: Alexandros

Hello again,

I would like to share one thing i noticed.

On web GUI i noticed that on history - greylist i get some errors that contain the following message format.

cannot load dkim key /var/lib/rspamd/dkim/ cannot stat private key

/var/lib/rspamd/dkim/ No such file or directory

Where of course there are multiple such errors with Internal domains hosted in the server.

Is it something worth investigating, what do you think?


By: till

Please make a post in the ISPConfig support forum here at howtoforge.

By: Lionheart82
By: orlovnv

2019-09-16 16:48:11 #20450(normal) <sqaezx>; lua; lua_redis.lua:1145: cannot upload script to connection refused 

how to solve it?

By: till

Might be related to the boot order, or you do not have Redis installed yet and started as described in the tutorial above. Restart rspamd and if it does not solve it, restart redis first and then rspamd. See also here:

If you need further help, post in the ISPConfig support forum here at howtoforge.

By: Thiago

I was able to install rspamd following its walkthrough, but I can't log in (access) the GUI. Returns request failed / undefined error


Any tips to fix this?thks!

By: dmgeurts

I'm having the same issue for rspamd sites on a different server to the one the proxy domain is on. Weird enough I one server which is working and one that isn't...

By: dmgeurts

For me it turned out to be as simple as a missing trailing slash.

By: Tom



a few days ago we used this howto to migrate to rspamd, and we are quite satisfied with it. Thanks for that!

Now we would like to whitelist some sender addresses, but the spamfilter whitelist editor of ISPConfig doesn't seem to work here.

Can anyone tell us how we can best do this?


Thanks a lot!

Regards, Tom

By: till

The spamfilter white- and blacklist is implemented for rspamd as well. But that's out of the scope of this guide, if you have such detailed questions, please use the forum.

By: Matt

Hi till, thanks a lot, this helps soo much. One question: Is it possible or even recommended to remove postgrey and let rspamd handle greylisting? I'm not sure whether I understand the process correctly, but I think having both can lead to long time waiting for some mail. However so far I did not succeed in removing postgrey and end up in breaking postfix when trying to remove the lines:

smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:

Should postgrey stay? If not, does anyone know how to remove it correctly?


By: dmgeurts

I think you're on to something here. It's not as easy as commenting out greylisting in as that results in emails being dropped!

By: Jesse Norell

Rspamd greylists based on a score threshhold, whereas postgrey forces mail to use greylisting for configured addresses; you may want both, or just to use rspamd.


To remove postgrey, in addition to those two changes, you need to remove 'check_recipient_access mysql:/etc/postfix/' from smtpd_recipient_restrictions.  Be sure to put your changes in a conf-custom file so they survive future updates.


Or as an alternative, leave those settings alone and change the query in to something like `select 'permit' from server where FALSE;` (and be sure to save that in a conf-custom template).

By: chaosad

Has anyone a working nginx config for

thank you

By: Omahd

Hello Till,

I have followed this guide, however I'm getting a 404 error when trying to access the Rspamd GUI (on Ubuntu 18.04, with the Apache 2.4 option) I can browse to "" but returns a 404. any ideas how to troubleshoot this would be much appreciated.

By: ChristosG

While not the best place to ask, but.. Are there any "Perfect Server" tutorials that include rspamd by "default"

By: 30uke

Thank you Till! This tutorial is great. It has helped me to install spamd with ease. Thanks :-)

By: dmgeurts

Great tutorial and fantastic idea about proxy config, have adapted it to have the haproxy admin/monitoring page under the same domain.

Now, that I've done this on a test server, I'm looking at updating our documentation. I (used to) run amavisd with spamassassin. Sorry if this is a silly question but rspamd replaces both, right? If so I should remove/disable spamassassin in addition to disabling amavisd...

By: till

Yes, it replaces amavis and spamassassin.

By: dmgeurts

Thank you. And clamav...?

By: dmgeurts

Are there special considerations for those of us who run ISPConfig clusters. It would be great if slave servers sync their Rspamd filters etc with their masters and vice versa.

By: Jon

So we could add:

systemctl stop spamassassin systemctl disable spamassassin


By: MikySal78

in history i have this error:

local > Cannot receive history: {"error": "Connessione rifiutata"}


By: adam.noise

Hey. Is thera any chance to rspamd learn spam from "junk" folder?

By: Jesse Norell

You can use rspamc from the command line, eg. `rspamc learn_spam /var/vmail/domain.tld/user/Maildir/.Junk`


You might also see and for imap-based training.

By: Danny

I have MAILSERVER1 and i want MAILSERVER2 in my MAILSERVER1 GUI. How can i proceed with this?

By: Angelos


Both are working for themselfs (not cluster) but i would love to have my second mailserver in my first mailservers GUI.

By: André

I want to share this insight for people using DKIM and e-mail aliases. In this case the FROM address might be different form the smtp auth address and thus default rspamd config refuses to sign outgoing mails. Simply solve creating the files:


# apply dkim signing for alias domains

allow_username_mismatch = true;


And for more privacy:



# don't show smpt auth user in header

routines {

   authentication-results {

       add_smtp_user = false;




Hope this helps!

By: José


In the interface, "History", section "Errors", show the message: cannot resolve query refused

How to resolve this issue?

By: Spaetzle

HiIf I do a new installation following the "The Perfect Server - Ubuntu 18.04 (Bionic Beaver) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1" but I want to use rspamd. Can I do the Installation without installing Amavisd-new and SpamAssassin or are thos two packages needed for other functions?Is it a problem if those packages are installed and running?Stay healthyBernd

By: Taleman

I installed on a virtual host where processor was the default kvm64. This results in:

This CPU lacks support for the Supplemental Streaming SIMD Extensions 3   ? 

 ? (SSSE3) instruction set that is required to execute programs linked       ? 

 ? against hyperscan.                                                        ? 

 ?                                                                           ? 

 ? Really install package? 

So I answerd "no"  to abort rspamd install, shutdown the virtual host, changed CPU of virtual host to better, and turned the virtual host back on. The command

apt --fix-broken install

finished installing rspamd. 

By: Taleman

When starting to use rspamd, would it make sense to not reject any e-mails? My experience is it rejects some legitimate e-mails, especially reports that logwatch sends. Rejected e-mails disappear, just marking them as spam would allow me to still see them in SPAM folder. 

By: vinc


i have the same Problem like @Taleman   Rejected mails are just Lost and i can't teach the system (rspamd) to be HAM

have a nice dayvinc 

By: Gaston Girardi

Has anyone had a problem that Rspamd GUI doesn't open on the web page?, with the message that the page can't be found?

By: ledufakademy

the how to not working with multiserver setup.


By: ledufakademy

For multiserver setup woth dedicated server (web, db, mail)

the snipets , code for nginx rproxy: must be :


location /rspamd/ {  proxy_pass       http://<internal_ip_mailserver>:11334/;  proxy_set_header Host      $host;  proxy_set_header X-Real-IP $remote_addr;  proxy_set_header X-Forwarded-For "";}


And :


# Included from top-level .conf filetype = "controller";count = 1;password = "a1db108c79834e1d9102452b";bind_socket = "<mail_server_ip>:11334";secure_ip = "<web_server_ip(rproxy server)>";secure_ip = "::1";static_dir = "${WWWDIR}";

By: Olivier BOUMATI

Hello,I thought I could remove the amavisd-new packages but this is a real problem since the DKIM signing keys were stored in the /var/lib/amavis/dkim folder !Removing the amavisd-new package with the "dpkg --purge amavisd-new" command therefore removed all DKIM keys.How should we proceed ?Could the keys not be saved in a folder independent of amavisd-new ?

By: till

Restore the missing folders from a backup. In general, you can remove the amavis package, but do not purge it! Or better, follow the guide above without altering the steps, then everything works out of the box. ISPConfig allows you to switch between amavis and Rspamd, so you can't purge the amavis folders without breaking your setup.

By: Curtis Maurand

The document needs the instruction about integration with Postfix

By: till

That's not the case, there is nothing missing. ISPConfig takes care of the integration Rspamd in Postfix automatically, all you have to do is to follow the instructions in chapter "Enable Rspamd in ISPConfig" in the above guide.

By: kameleon1er

Thanks Till.

By: George

Hello, I made the switch exactly as instructed and rspamd scans outgoing mail but does not scan incoming mail.I have also enabled adding headers to mail (in override.d/milter_headers.conf), but there are no headers at all for incoming mail and the rspamd log does not record incoming mail at all.I am running a multiserver installation with two mail servers with one being a mirror of the other. Incoming mail is not scanned on either. Is there any more settings in ISPConfig that need to be adjusted besides changing the Content Filter to rspamd ?

Does anyone have any ideas ?

Thank you