Replacing Amavisd with Rspamd in ISPConfig 3.1 on Debian and Ubuntu

This tutorial describes the steps to replace amavis (amavisd-new) spam scanning software with Rspamd on an ISPConfig 3.1 server. The tutorial is written for Debian and Ubuntu Linux.

Prerequisites

  • Root access.
  • ISPConfig 3.1 must be installed. The ISPConfig version will be 3.1.15 or newer after this procedure.
  • The server uses Debian 9 - 10 or Ubuntu 18.04 on an x86_64 processor (64Bit Linux). Older Debian and Ubuntu versions might work too, but I did not test them.

All commands below are run as root user. Login as root user or use 'su -' on Debian or 'sudo -s' on Ubuntu to become root user before you continue with this guide.

Note: This procedure will reconfigure all mailboxes and aliases to write the Rspamd config for each account (similar to an ISPConfig Tools > resync run), this may take quite some time and resources on large mail servers.

Install Redis

The Rspamd setup for ISPConfig requires Redis, so we will install it first.

apt-get install redis-server lsb-release

Install Unbound if BIND is not installed

If your server has no local DNS server installed, then a local DNS resolver like unbound should be installed.

First, check if BIND is installed by using this command:

which named

if the command returns the path to the named binary:

[email protected]:/tmp# which named
/usr/sbin/named

then BIND is installed and you must skip this step. In case no path to named is returned, then install unbound:

apt-get install unbound

Install and Configure Rspamd

The first step to install Rspamd is to add the Rspamd Debian/Ubuntu package repository.

CODENAME=`lsb_release -c -s` 
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list

Update the Package list:

apt-get update

And Install Rspamd with apt:

apt-get install rspamd

Activate Redis in Rspamd configuration.

echo 'servers = "127.0.0.1";' > /etc/rspamd/local.d/redis.conf

Increase the Rspamd history, enable compression and show the subject in the history. This step is optional.

echo "nrows = 2500;" > /etc/rspamd/local.d/history_redis.conf 
echo "compress = true;" >> /etc/rspamd/local.d/history_redis.conf
echo "subject_privacy = false;" >> /etc/rspamd/local.d/history_redis.conf

Then restart Rspamd.

systemctl restart rspamd

Update ISPConfig

ISPConfig needs to be updated to enable the Rspamd configuration. When the ISPConfig updater asks you if it shall reconfigure services, choose 'yes'.

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php

You will see the line "Configuring Rspamd" in the output of the update script when Rspamd is detected and configured.

Enable Rspamd in ISPConfig

The final step requires that you log into ISPConfig as 'admin' user.

Log into ISPConfig

In ISPConfig navigate to System > Server Config > Mail.

There you change the value of the field Content Filter from Amavisd to Rspamd and press the save button at the bottom of the page. ISPConfig will start to reconfigure all mailboxes for Rspamd now.

When you go back to System > Server Config > Mail, then you can see some new fields where you can read and set the Rspamd password.

Rspamd password

Make Rspamd Dashboard accessible from outside

The Rspamd dashboard is on port 11334 on localhost, so it can not be accessed from outside. In this chapter, we will create a website in ISPConfig and add a proxy configuration. The configuration differs between Apache and Nginx web server, use the chapter which matches your installed web server software.

Apache

Enable the Proxy Module and restart apache.

a2enmod proxy
systemctl restart apache2

Then log into ISPconfig and create a website which will get used to access the Rspamd GUI. You are free to choose the domain name, I will use rspamd.example.com here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website for Rspamd GUI

Go to the Options tab of the website and enter the following configuration into the Apache Directives field. For Apache 2.2, use:

 <Location /rspamd>
Order allow,deny
Allow from all
</Location>
RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]

For Apache 2.4, use this instead:

<Location /rspamd>
Require all granted
</Location>
RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]

Now you can access the Rspamd GUI with a web browser https://rspamd.example.com/rspamd. You will get asked for a password, use the password that you generated during Rspamd installation.

Nginx

Log into ISPconfig and create a website which will get used for accessing the Rspamd GUI. You are free to choose the domain name, I will use rspamd.example.com here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website on Nginx web server

Go to the Options tab of the website and enter the following configuration into the Nginx Directives field.

location / {
root /usr/share/rspamd/www/;
try_files $uri @proxy;
}

location @proxy {
proxy_pass http://127.0.0.1:11334;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}

Now you can access the Rspamd GUI with a web browser https://rspamd.example.com/. You will get asked for a password, use the password that you have set for Rspamd in ISPConfig.

Rspamd GUI

Now you can access the Rspamd GUI with a browser and get detailed statistics about the spam filter rate and throughput.

ISPConfig has been reconfigured to use Rspamd instead of Amavis to scan for spam emails. Rspamd is also used for Dkim Signing.

Disable Amavis

Finally, we stop and disable amavisd service:

systemctl stop amavisd-new
systemctl disable amavisd-new

Conclusion

Rspamd is a modern high-performance spam scan software for Linux servers which delivers very accurate filter results. ISPConfig supports Rspamd as spam scan unit since version 3.1.15. This tutorial shows how to replace amavisd.new with Rspamd on an ISPConfig 3.1 server.

Share this page:

Suggested articles

35 Comment(s)

Add comment

Comments

By: felan at: 2019-09-10 17:16:23

Hmm. How would I go about getting the webinterface up on a multiserver setup, that does not have web enabled on the mail server?

By: till at: 2019-09-10 17:28:28

Put the Rspamd website on the master or on another web server node of your setup and use the IP of the mail server in the proxy snippet that goes into the apache or nginx directives field instead of 127.0.0.1. On the mail server, edit the rspamd config like this:

nano /etc/rspamd/local.d/worker-controller.inc

# change or add line:
bind_socket = "<external IP of the mail server>:11334";
secure_ip = "<outgoing ip of master server>";

and replace the two IP placeholders with the correct IP addresses. Finally, restart Rspamd to apply the changes.

By: felan at: 2019-09-10 20:14:07

Excellent works perfectly!

By: 30uke at: 2019-09-10 20:21:40

This looks great! I will try this as soon as possible (probably this weekend or somehwere next week). Thanks for the tutorial. Very much appreciated :-)

By: 3|K at: 2019-09-11 07:17:23

Thanks alot for this!

By: Chriz! at: 2019-09-11 08:44:28

worked like a charm! Thanks!

By: Björn Hahnefeld at: 2019-09-11 10:14:02

Can this snippet also taken with existing domain:

 

--

<Location /rspamd>

Order allow,deny

Allow from all

</Location>

RewriteEngine On

RewriteRule ^/rspamd$ /rspamd/ [R,L]

RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]

--

 

For example https://server.domain.de:8080 ?

 

By: till at: 2019-09-11 10:21:07

> Can this snippet also taken with existing domain

 

yes

 

> For example https://server.domain.de:8080

 

That's not a website of an existing domain, it's the ispconfig vhost on port  8080. You can modify the ispconfig vhost by using this snippet, but this requires some more work and you have to create a custom config template etc.

By: Björn at: 2019-09-12 11:13:39

This host I added in ISPConfig. So it is existing as web.

By: Steini86 at: 2019-09-11 16:08:14

For Apache2.4 you should use 

<Location /rspamd>

Require all granted

 </Location>

 

I use it for my mail.domain.org where the roundcube is located. Running nice. Thanks!

By: [email protected] at: 2019-09-12 11:17:22

I put directive in website->options in ispconfig. But I get this:

--

Not Found

The requested URL was not found on this server.

--

By: Alexandros at: 2019-09-13 07:05:00

Hi, i have the same issue (404 error) in one of my server with exact same setup while others are working ok...

If you find a solution please tell us ;)

By: IceManXS at: 2019-09-11 13:37:01

Hello,

when I use your nginx config to make Rspamd accessible from outside I get the dashbord just as text, no grafix and no password prompt. It is unuseable.

If I enter the following configuration, copied from the Rspamd-Site, into the Nginx Directives field it works perfectly. And you can use just https://rspamd.example.com instead of https://rspamd.example.com/rspamd:

location / { root /usr/share/rspamd/www/; try_files $uri @proxy; } location @proxy { proxy_pass http://127.0.0.1:11334; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; }

 

By: Neptun at: 2019-09-11 16:38:51

Debian 10 & nginx - perfect working

Just one question - why amavisd-new pkgs will not be removed ? is it still anywhere needed ?

thanks for the great job

By: till at: 2019-09-11 16:40:45

You can remove them if you want. I just wanted to keep the ability to switch it back on easily and it does not use that much hard disk space, so it should not really matter if you remove it or not.

By: reset at: 2019-09-11 17:25:45

How long the conversion process? I see the spinning bars for more than half hour. The system have 800-900 mailboxes.

By: till at: 2019-09-11 17:37:38

Depends on the speed of your server, so thats fully system dependent. You can see in ISPConfig how many tasks are left, stop the time, count how many items got processed, then you know when it's finished.

By: Jay at: 2019-09-12 12:29:28

Thanks for the tut.

One Question: After following this tutorial, I noticed, that in "ISPConfig -> System -> Server Configuration -> Mail" the DKIM-Path is still "/var/lib/amavis/dkim". Shouldn't this be changed?

Cheers

By: till at: 2019-09-12 12:31:33

No, the path should remain as it is.

By: egaldoch at: 2019-09-13 19:05:00

I left the path as it is, but for DKIM signing to work I had to change the user and group of the directory and restart rspamd

"chown -R _rspamd:_rspamd /var/lib/amavis/dkim && service rspamd restart"

By: Alexandros at: 2019-09-12 12:52:24

Hello, and for Centos / Rhel systems some info since i sucesfully made the alterations :)

 

 

yum install redis

systemctl start redis

systemctl enable redis

 

#test redis – correct feedback is PONG

redis-cli ping

 

#install rspamd

 

curl http://rspamd.com/rpm-stable/centos-7/rspamd.repo > /etc/yum.repos.d/rspamd.repo

rpm --import http://rspamd.com/rpm-stable/gpg.key

yum update

yum install rspamd

 

#monit setup

 

check process rspamd

    matching 'rspamd: main process'

    start program = "/bin/systemctl start rspamd.service"

    stop program = "/bin/systemctl stop rspamd.service"

 

   if cpu is greater than 40% for 2 cycles then alert

   if cpu > 60% for 5 cycles then alert

   if memory > 80% for 4 cycles then alert

   if totalmem > 512 MB for 5 cycles then alert

 

 

Usefull links:

 

https://forum.centos-webpanel.com/how-to/(howto)-install-rspamd/

https://github.com/rspamd/rspamd/issues/2166

 

By: Steini86 at: 2019-09-12 16:21:55

Might be the wrong place to ask:

rspamd now rejects mails which I get from an outside account via fetchmail. This does not work, I get an undelivered message error, to [email protected] How can I set rspamd, such that mails coming from fetchmail are only marked, not rejected (outside mails via delivery should be rejected if spam)

By: Frost at: 2019-09-13 07:42:23

how can you enable ssl for its web interface?

By: till at: 2019-09-13 08:04:32

Enable ssl for the website where you added the config snippet.

By: Frost at: 2019-09-13 09:01:22

I did that but it redirects me to non-secure url due to the rewrite rule

RewriteRule ^/rspamd/(.*) http://mailserver:11334/$1 [P]

By: till at: 2019-09-16 10:47:09

That's a proxy, not a redirect, so the browser connection stays on the secured SSL link. If you want to enable SSL on the connection between web- and mail server too, then you might have to install a minimal nginx server on the mail system and enable SSL for it and let it connect to Rspamd on localhost.

By: nicolas at: 2019-09-14 12:08:38

got this error "redis_cache_cb received error: Connexion refused", any idea ? it works anyway

By: Alexandros at: 2019-09-16 09:58:35

Hello again,

I would like to share one thing i noticed.

On web GUI i noticed that on history - greylist i get some errors that contain the following message format.

cannot load dkim key /var/lib/rspamd/dkim/mydomain.com.dkim.key: cannot stat private key

/var/lib/rspamd/dkim/mydomain.com.dkim.key: No such file or directory

Where mydomain.com of course there are multiple such errors with Internal domains hosted in the server.

Is it something worth investigating, what do you think?

 

By: till at: 2019-09-16 10:45:05

Please make a post in the ISPConfig support forum here at howtoforge.

By: Lionheart82 at: 2019-09-16 11:50:18
By: orlovnv at: 2019-09-16 11:48:57

2019-09-16 16:48:11 #20450(normal) <sqaezx>; lua; lua_redis.lua:1145: cannot upload script to 127.0.0.1: connection refused 

how to solve it?

By: till at: 2019-09-16 11:52:55

Might be related to the boot order, or you do not have Redis installed yet and started as described in the tutorial above. Restart rspamd and if it does not solve it, restart redis first and then rspamd. See also here: https://github.com/rspamd/rspamd/issues/2186

If you need further help, post in the ISPConfig support forum here at howtoforge.

By: Thiago at: 2019-09-17 19:38:31

I was able to install rspamd following its walkthrough, but I can't log in (access) the GUI. Returns request failed / undefined error

 

Any tips to fix this?thks!

By: Tom at: 2019-09-18 08:20:27

Hello,

 

a few days ago we used this howto to migrate to rspamd, and we are quite satisfied with it. Thanks for that!

Now we would like to whitelist some sender addresses, but the spamfilter whitelist editor of ISPConfig doesn't seem to work here.

Can anyone tell us how we can best do this?

 

Thanks a lot!

Regards, Tom

By: till at: 2019-09-18 08:26:56

The spamfilter white- and blacklist is implemented for rspamd as well. But that's out of the scope of this guide, if you have such detailed questions, please use the forum.