Replacing Amavisd with Rspamd in ISPConfig 3.1 on Debian and Ubuntu

This tutorial describes the steps to replace amavis (amavisd-new) spam scanning software with Rspamd on an ISPConfig 3.1 server. The tutorial is written for Debian and Ubuntu Linux.

Prerequisites

  • Root access.
  • ISPConfig 3.1 must be installed. The ISPConfig version will be 3.1.15 or newer after this procedure.
  • The server uses Debian 9 - 10 or Ubuntu 18.04 on an x86_64 processor (64Bit Linux). Older Debian and Ubuntu versions might work too, but I did not test them.

All commands below are run as root user. Login as root user or use 'su -' on Debian or 'sudo -s' on Ubuntu to become root user before you continue with this guide.

Note: This procedure will reconfigure all mailboxes and aliases to write the Rspamd config for each account (similar to an ISPConfig Tools > resync run), this may take quite some time and resources on large mail servers.

Install Redis

The Rspamd setup for ISPConfig requires Redis, so we will install it first.

apt-get install redis-server lsb-release

Install Unbound if BIND is not installed

If your server has no local DNS server installed, then a local DNS resolver like unbound should be installed.

First, check if BIND is installed by using this command:

which named

if the command returns the path to the named binary:

[email protected]:/tmp# which named
/usr/sbin/named

then BIND is installed and you must skip this step. In case no path to named is returned, then install unbound:

apt-get install unbound

Install and Configure Rspamd

The first step to install Rspamd is to add the Rspamd Debian/Ubuntu package repository.

CODENAME=`lsb_release -c -s` 
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add - 
echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list 
echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list

Update the Package list:

apt-get update

And Install Rspamd with apt:

apt-get install rspamd

Activate Redis in Rspamd configuration.

echo 'servers = "127.0.0.1";' > /etc/rspamd/local.d/redis.conf

Increase the Rspamd history, enable compression and show the subject in the history. This step is optional.

echo "nrows = 2500;" > /etc/rspamd/local.d/history_redis.conf 
echo "compress = true;" >> /etc/rspamd/local.d/history_redis.conf
echo "subject_privacy = false;" >> /etc/rspamd/local.d/history_redis.conf

Then restart Rspamd.

systemctl restart rspamd

Update ISPConfig

ISPConfig needs to be updated to enable the Rspamd configuration. When the ISPConfig updater asks you if it shall reconfigure services, choose 'yes'.

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php

You will see the line "Configuring Rspamd" in the output of the update script when Rspamd is detected and configured.

Enable Rspamd in ISPConfig

The final step requires that you log into ISPConfig as 'admin' user.

Log into ISPConfig

In ISPConfig navigate to System > Server Config > Mail.

There you change the value of the field Content Filter from Amavisd to Rspamd and press the save button at the bottom of the page. ISPConfig will start to reconfigure all mailboxes for Rspamd now.

When you go back to System > Server Config > Mail, then you can see some new fields where you can read and set the Rspamd password.

Rspamd password

Make Rspamd Dashboard accessible from outside

The Rspamd dashboard is on port 11334 on localhost, so it can not be accessed from outside. In this chapter, we will create a website in ISPConfig and add a proxy configuration. The configuration differs between Apache and Nginx web server, use the chapter which matches your installed web server software.

Apache

Enable the Proxy Module and restart apache.

a2enmod proxy
systemctl restart apache2

Then log into ISPconfig and create a website which will get used to access the Rspamd GUI. You are free to choose the domain name, I will use rspamd.example.com here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website for Rspamd GUI

Go to the Options tab of the website and enter the following configuration into the Apache Directives field. For Apache 2.2, use:

 <Location /rspamd>
 Order allow,deny
 Allow from all
 </Location>
 RewriteEngine On
 RewriteRule ^/rspamd$ /rspamd/ [R,L]
 RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]

For Apache 2.4, use this instead:

<Location /rspamd>
 Require all granted
 </Location>
 RewriteEngine On
 RewriteRule ^/rspamd$ /rspamd/ [R,L]
 RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]

Now you can access the Rspamd GUI with a web browser https://rspamd.example.com/rspamd. You will get asked for a password, use the password that you generated during Rspamd installation.

Nginx

Log into ISPconfig and create a website which will get used for accessing the Rspamd GUI. You are free to choose the domain name, I will use rspamd.example.com here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website on Nginx web server

Go to the Options tab of the website and enter the following configuration into the Nginx Directives field.

location / {
 root /usr/share/rspamd/www/;
 try_files $uri @proxy;
}

location @proxy {
 proxy_pass http://127.0.0.1:11334;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $http_host;
}

Now you can access the Rspamd GUI with a web browser https://rspamd.example.com/. You will get asked for a password, use the password that you have set for Rspamd in ISPConfig.

Rspamd GUI

Now you can access the Rspamd GUI with a browser and get detailed statistics about the spam filter rate and throughput.

ISPConfig has been reconfigured to use Rspamd instead of Amavis to scan for spam emails. Rspamd is also used for Dkim Signing.

Disable Amavis

Finally, we stop and disable amavisd service:

systemctl stop amavisd-new
systemctl disable amavisd-new

Conclusion

Rspamd is a modern high-performance spam scan software for Linux servers which delivers very accurate filter results. ISPConfig supports Rspamd as spam scan unit since version 3.1.15. This tutorial shows how to replace amavisd.new with Rspamd on an ISPConfig 3.1 server.

Share this page:

Suggested articles

74 Comment(s)

Add comment

Comments

By: felan
Reply  

Hmm. How would I go about getting the webinterface up on a multiserver setup, that does not have web enabled on the mail server?

By: till
Reply  

Put the Rspamd website on the master or on another web server node of your setup and use the IP of the mail server in the proxy snippet that goes into the apache or nginx directives field instead of 127.0.0.1. On the mail server, edit the rspamd config like this:

nano /etc/rspamd/local.d/worker-controller.inc

# change or add line:
bind_socket = "<external IP of the mail server>:11334";
secure_ip = "<outgoing ip of master server>";

and replace the two IP placeholders with the correct IP addresses. Finally, restart Rspamd to apply the changes.

By: felan
Reply  

Excellent works perfectly!

By: Mccyberix
Reply  

Hello, I have a 3 node multiserver runing and have successfully switched to rspamd, but my problem is that I'm not able to ad more servers to the GUI. When I add the above lines I get a Serever Error: 503. I have also tried to add the neighbors list to the options.inc as described here but then it says: "cannot get server status, request failed". My cluster is on a public network not private! So does anyone have a clue how the implementation of other nodes to the rspamd-gui should be done?Thanks in advance!Mccyberix

By: 30uke
Reply  

This looks great! I will try this as soon as possible (probably this weekend or somehwere next week). Thanks for the tutorial. Very much appreciated :-)

By: 3|K
Reply  

Thanks alot for this!

By: Chriz!
Reply  

worked like a charm! Thanks!

By: Björn Hahnefeld
Reply  

Can this snippet also taken with existing domain:

 

--

<Location /rspamd>

Order allow,deny

Allow from all

</Location>

RewriteEngine On

RewriteRule ^/rspamd$ /rspamd/ [R,L]

RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]

--

 

For example https://server.domain.de:8080 ?

 

By: till
Reply  

> Can this snippet also taken with existing domain

 

yes

 

> For example https://server.domain.de:8080

 

That's not a website of an existing domain, it's the ispconfig vhost on port  8080. You can modify the ispconfig vhost by using this snippet, but this requires some more work and you have to create a custom config template etc.

By: Björn
Reply  

This host I added in ISPConfig. So it is existing as web.

By: Steini86
Reply  

For Apache2.4 you should use 

<Location /rspamd>

Require all granted

 </Location>

 

I use it for my mail.domain.org where the roundcube is located. Running nice. Thanks!

By: [email protected]
Reply  

I put directive in website->options in ispconfig. But I get this:

--

Not Found

The requested URL was not found on this server.

--

By: Alexandros
Reply  

Hi, i have the same issue (404 error) in one of my server with exact same setup while others are working ok...

If you find a solution please tell us ;)

By: IceManXS
Reply  

Hello,

when I use your nginx config to make Rspamd accessible from outside I get the dashbord just as text, no grafix and no password prompt. It is unuseable.

If I enter the following configuration, copied from the Rspamd-Site, into the Nginx Directives field it works perfectly. And you can use just https://rspamd.example.com instead of https://rspamd.example.com/rspamd:

location / { root /usr/share/rspamd/www/; try_files $uri @proxy; } location @proxy { proxy_pass http://127.0.0.1:11334; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; }

 

By: Neptun
Reply  

Debian 10 & nginx - perfect working

Just one question - why amavisd-new pkgs will not be removed ? is it still anywhere needed ?

thanks for the great job

By: till
Reply  

You can remove them if you want. I just wanted to keep the ability to switch it back on easily and it does not use that much hard disk space, so it should not really matter if you remove it or not.

By: reset
Reply  

How long the conversion process? I see the spinning bars for more than half hour. The system have 800-900 mailboxes.

By: till
Reply  

Depends on the speed of your server, so thats fully system dependent. You can see in ISPConfig how many tasks are left, stop the time, count how many items got processed, then you know when it's finished.

By: Jay
Reply  

Thanks for the tut.

One Question: After following this tutorial, I noticed, that in "ISPConfig -> System -> Server Configuration -> Mail" the DKIM-Path is still "/var/lib/amavis/dkim". Shouldn't this be changed?

Cheers

By: till
Reply  

No, the path should remain as it is.

By: egaldoch
Reply  

I left the path as it is, but for DKIM signing to work I had to change the user and group of the directory and restart rspamd

"chown -R _rspamd:_rspamd /var/lib/amavis/dkim && service rspamd restart"

By: André
Reply  

Don't do this. Simply ensure that the user "_rspamd" is part of the group "amavis". This is the default and allows access to the required files.

By: Alexandros
Reply  

Hello, and for Centos / Rhel systems some info since i sucesfully made the alterations :)

 

 

yum install redis

systemctl start redis

systemctl enable redis

 

#test redis – correct feedback is PONG

redis-cli ping

 

#install rspamd

 

curl http://rspamd.com/rpm-stable/centos-7/rspamd.repo > /etc/yum.repos.d/rspamd.repo

rpm --import http://rspamd.com/rpm-stable/gpg.key

yum update

yum install rspamd

 

#monit setup

 

check process rspamd

    matching 'rspamd: main process'

    start program = "/bin/systemctl start rspamd.service"

    stop program = "/bin/systemctl stop rspamd.service"

 

   if cpu is greater than 40% for 2 cycles then alert

   if cpu > 60% for 5 cycles then alert

   if memory > 80% for 4 cycles then alert

   if totalmem > 512 MB for 5 cycles then alert

 

 

Usefull links:

 

https://forum.centos-webpanel.com/how-to/(howto)-install-rspamd/

https://github.com/rspamd/rspamd/issues/2166

 

By: Steini86
Reply  

Might be the wrong place to ask:

rspamd now rejects mails which I get from an outside account via fetchmail. This does not work, I get an undelivered message error, to [email protected] How can I set rspamd, such that mails coming from fetchmail are only marked, not rejected (outside mails via delivery should be rejected if spam)

By: Frost
Reply  

how can you enable ssl for its web interface?

By: till
Reply  

Enable ssl for the website where you added the config snippet.

By: Frost
Reply  

I did that but it redirects me to non-secure url due to the rewrite rule

RewriteRule ^/rspamd/(.*) http://mailserver:11334/$1 [P]

By: till
Reply  

That's a proxy, not a redirect, so the browser connection stays on the secured SSL link. If you want to enable SSL on the connection between web- and mail server too, then you might have to install a minimal nginx server on the mail system and enable SSL for it and let it connect to Rspamd on localhost.

By: nicolas
Reply  

got this error "redis_cache_cb received error: Connexion refused", any idea ? it works anyway

By: newan
Reply  

Same problem here

By: till
Reply  

Most likely Redis is not started on your system when you get this message. Start it with 'systemctl start redis' or you had Redis installed before and configured it to reject connections. if you need further help, please post in the forum.

By: Milkki
Reply  

The problem appears to be that localhost sometimes resolves to ipv6 address and Redis is listening to ipv4 out-of-the-box. 

Change /etc/rspamd/local.d/redis.conf to:

read_servers = "127.0.0.1:6379";write_servers = "127.0.0.1:6379";

Source: https://github.com/rspamd/rspamd/issues/2490

By: Alexandros
Reply  

Hello again,

I would like to share one thing i noticed.

On web GUI i noticed that on history - greylist i get some errors that contain the following message format.

cannot load dkim key /var/lib/rspamd/dkim/mydomain.com.dkim.key: cannot stat private key

/var/lib/rspamd/dkim/mydomain.com.dkim.key: No such file or directory

Where mydomain.com of course there are multiple such errors with Internal domains hosted in the server.

Is it something worth investigating, what do you think?

 

By: till
Reply  

Please make a post in the ISPConfig support forum here at howtoforge.

By: Lionheart82
Reply  
By: orlovnv
Reply  

2019-09-16 16:48:11 #20450(normal) <sqaezx>; lua; lua_redis.lua:1145: cannot upload script to 127.0.0.1: connection refused 

how to solve it?

By: till
Reply  

Might be related to the boot order, or you do not have Redis installed yet and started as described in the tutorial above. Restart rspamd and if it does not solve it, restart redis first and then rspamd. See also here: https://github.com/rspamd/rspamd/issues/2186

If you need further help, post in the ISPConfig support forum here at howtoforge.

By: Thiago
Reply  

I was able to install rspamd following its walkthrough, but I can't log in (access) the GUI. Returns request failed / undefined error

 

Any tips to fix this?thks!

By: dmgeurts
Reply  

I'm having the same issue for rspamd sites on a different server to the one the proxy domain is on. Weird enough I one server which is working and one that isn't...

By: dmgeurts
Reply  

For me it turned out to be as simple as a missing trailing slash.

By: Tom
Reply  

Hello,

 

a few days ago we used this howto to migrate to rspamd, and we are quite satisfied with it. Thanks for that!

Now we would like to whitelist some sender addresses, but the spamfilter whitelist editor of ISPConfig doesn't seem to work here.

Can anyone tell us how we can best do this?

 

Thanks a lot!

Regards, Tom

By: till
Reply  

The spamfilter white- and blacklist is implemented for rspamd as well. But that's out of the scope of this guide, if you have such detailed questions, please use the forum.

By: Matt
Reply  

Hi till, thanks a lot, this helps soo much. One question: Is it possible or even recommended to remove postgrey and let rspamd handle greylisting? I'm not sure whether I understand the process correctly, but I think having both can lead to long time waiting for some mail. However so far I did not succeed in removing postgrey and end up in breaking postfix when trying to remove the lines:

smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023

Should postgrey stay? If not, does anyone know how to remove it correctly?

Thanks!

By: dmgeurts
Reply  

I think you're on to something here. It's not as easy as commenting out greylisting in main.cf as that results in emails being dropped!

By: Jesse Norell
Reply  

Rspamd greylists based on a score threshhold, whereas postgrey forces mail to use greylisting for configured addresses; you may want both, or just to use rspamd.

 

To remove postgrey, in addition to those two changes, you need to remove 'check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf' from smtpd_recipient_restrictions.  Be sure to put your changes in a conf-custom file so they survive future updates.

 

Or as an alternative, leave those settings alone and change the query in mysql-virtual_policy_greylist.cf to something like `select 'permit' from server where FALSE;` (and be sure to save that in a conf-custom template).

By: chaosad
Reply  

Has anyone a working nginx config for example.com/rspamd?

thank you

By: Omahd
Reply  

Hello Till,

I have followed this guide, however I'm getting a 404 error when trying to access the Rspamd GUI (on Ubuntu 18.04, with the Apache 2.4 option) I can browse to "https://rspamd.example.com/" but https://rspamd.example.com/rspamd returns a 404. any ideas how to troubleshoot this would be much appreciated.

By: ChristosG
Reply  

While not the best place to ask, but.. Are there any "Perfect Server" tutorials that include rspamd by "default"

By: 30uke
Reply  

Thank you Till! This tutorial is great. It has helped me to install spamd with ease. Thanks :-)

By: dmgeurts
Reply  

Great tutorial and fantastic idea about proxy config, have adapted it to have the haproxy admin/monitoring page under the same domain.

Now, that I've done this on a test server, I'm looking at updating our documentation. I (used to) run amavisd with spamassassin. Sorry if this is a silly question but rspamd replaces both, right? If so I should remove/disable spamassassin in addition to disabling amavisd...

By: till
Reply  

Yes, it replaces amavis and spamassassin.

By: dmgeurts
Reply  

Thank you. And clamav...?

By: dmgeurts
Reply  

Are there special considerations for those of us who run ISPConfig clusters. It would be great if slave servers sync their Rspamd filters etc with their masters and vice versa.

By: Jon
Reply  

So we could add:

systemctl stop spamassassin systemctl disable spamassassin

?

By: MikySal78
Reply  

in http://rspamd.mydomain.com/rspamd/ history i have this error:

local > Cannot receive history: {"error": "Connessione rifiutata"}

because?thanks.

By: adam.noise
Reply  

Hey. Is thera any chance to rspamd learn spam from "junk" folder?

By: Jesse Norell
Reply  

You can use rspamc from the command line, eg. `rspamc learn_spam /var/vmail/domain.tld/user/Maildir/.Junk`

 

You might also see https://doc.dovecot.org/configuration_manual/howto/antispam_with_sieve/ and https://rspamd.com/doc/tutorials/feedback_from_users_with_IMAPSieve.html for imap-based training.

By: Danny
Reply  

I have MAILSERVER1 and i want MAILSERVER2 in my MAILSERVER1 GUI. How can i proceed with this?

By: Angelos
Reply  

Yes, 

Both are working for themselfs (not cluster) but i would love to have my second mailserver in my first mailservers GUI.

By: André
Reply  

I want to share this insight for people using DKIM and e-mail aliases. In this case the FROM address might be different form the smtp auth address and thus default rspamd config refuses to sign outgoing mails. Simply solve creating the files:

/etc/rspamd/override.d/dkim_signing.conf:

# apply dkim signing for alias domains

allow_username_mismatch = true;

 

And for more privacy:

/etc/rspamd/override.d/milter_headers.conf:

 

# don't show smpt auth user in header

routines {

   authentication-results {

       add_smtp_user = false;

   }

}

 

Hope this helps!

By: José
Reply  

Hello, 

In the interface, "History", section "Errors", show the message: cannot resolve maps.rspamd.com: query refused

How to resolve this issue?

By: Spaetzle
Reply  

HiIf I do a new installation following the "The Perfect Server - Ubuntu 18.04 (Bionic Beaver) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1" but I want to use rspamd. Can I do the Installation without installing Amavisd-new and SpamAssassin or are thos two packages needed for other functions?Is it a problem if those packages are installed and running?Stay healthyBernd

By: Taleman
Reply  

I installed on a virtual host where processor was the default kvm64. This results in:

This CPU lacks support for the Supplemental Streaming SIMD Extensions 3   ? 

 ? (SSSE3) instruction set that is required to execute programs linked       ? 

 ? against hyperscan.                                                        ? 

 ?                                                                           ? 

 ? Really install package? 

So I answerd "no"  to abort rspamd install, shutdown the virtual host, changed CPU of virtual host to better, and turned the virtual host back on. The command

apt --fix-broken install

finished installing rspamd. 

By: Taleman
Reply  

When starting to use rspamd, would it make sense to not reject any e-mails? My experience is it rejects some legitimate e-mails, especially reports that logwatch sends. Rejected e-mails disappear, just marking them as spam would allow me to still see them in SPAM folder. 

By: vinc
Reply  

hello

i have the same Problem like @Taleman   Rejected mails are just Lost and i can't teach the system (rspamd) to be HAM

have a nice dayvinc 

By: Gaston Girardi
Reply  

Has anyone had a problem that Rspamd GUI doesn't open on the web page?, with the message that the page can't be found?

By: ledufakademy
Reply  

the how to not working with multiserver setup.

firewall=>web=>mail

By: ledufakademy
Reply  

For multiserver setup woth dedicated server (web, db, mail)

the snipets , code for nginx rproxy: must be :

 

location /rspamd/ {  proxy_pass       http://<internal_ip_mailserver>:11334/;  proxy_set_header Host      $host;  proxy_set_header X-Real-IP $remote_addr;  proxy_set_header X-Forwarded-For "";}

 

And :

 

# Included from top-level .conf filetype = "controller";count = 1;password = "a1db108c79834e1d9102452b";bind_socket = "<mail_server_ip>:11334";secure_ip = "<web_server_ip(rproxy server)>";secure_ip = "::1";static_dir = "${WWWDIR}";

By: Olivier BOUMATI
Reply  

Hello,I thought I could remove the amavisd-new packages but this is a real problem since the DKIM signing keys were stored in the /var/lib/amavis/dkim folder !Removing the amavisd-new package with the "dpkg --purge amavisd-new" command therefore removed all DKIM keys.How should we proceed ?Could the keys not be saved in a folder independent of amavisd-new ?

By: till
Reply  

Restore the missing folders from a backup. In general, you can remove the amavis package, but do not purge it! Or better, follow the guide above without altering the steps, then everything works out of the box. ISPConfig allows you to switch between amavis and Rspamd, so you can't purge the amavis folders without breaking your setup.

By: Curtis Maurand
Reply  

The document needs the instruction about integration with Postfix

By: till
Reply  

That's not the case, there is nothing missing. ISPConfig takes care of the integration Rspamd in Postfix automatically, all you have to do is to follow the instructions in chapter "Enable Rspamd in ISPConfig" in the above guide.

By: kameleon1er
Reply  

Thanks Till.

By: George
Reply  

Hello, I made the switch exactly as instructed and rspamd scans outgoing mail but does not scan incoming mail.I have also enabled adding headers to mail (in override.d/milter_headers.conf), but there are no headers at all for incoming mail and the rspamd log does not record incoming mail at all.I am running a multiserver installation with two mail servers with one being a mirror of the other. Incoming mail is not scanned on either. Is there any more settings in ISPConfig that need to be adjusted besides changing the Content Filter to rspamd ?

Does anyone have any ideas ?

Thank you