Replacing Amavisd with Rspamd in ISPConfig 3.1 on Debian and Ubuntu

This tutorial describes the steps to replace amavis (amavisd-new) spam scanning software with Rspamd on an ISPConfig 3.1 server. The tutorial is written for Debian and Ubuntu Linux.


  • Root access.
  • ISPConfig 3.1 must be installed. The ISPConfig version will be 3.1.15 or newer after this procedure.
  • The server uses Debian 9 - 10 or Ubuntu 18.04 on an x86_64 processor (64Bit Linux). Older Debian and Ubuntu versions might work too, but I did not test them.

All commands below are run as root user. Login as root user or use 'su -' on Debian or 'sudo -s' on Ubuntu to become root user before you continue with this guide.

Note: This procedure will reconfigure all mailboxes and aliases to write the Rspamd config for each account (similar to an ISPConfig Tools > resync run), this may take quite some time and resources on large mail servers.

Install Redis

The Rspamd setup for ISPConfig requires Redis, so we will install it first.

apt-get install redis-server lsb-release

Install Unbound if BIND is not installed

If your server has no local DNS server installed, then a local DNS resolver like unbound should be installed.

First, check if BIND is installed by using this command:

which named

if the command returns the path to the named binary:

[email protected]:/tmp# which named

then BIND is installed and you must skip this step. In case no path to named is returned, then install unbound:

apt-get install unbound

Install and Configure Rspamd

The first step to install Rspamd is to add the Rspamd Debian/Ubuntu package repository.

CODENAME=`lsb_release -c -s` 
wget -O- | apt-key add -
echo "deb [arch=amd64] $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64] $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list

Update the Package list:

apt-get update

And Install Rspamd with apt:

apt-get install rspamd

Activate Redis in Rspamd configuration.

echo 'servers = "";' > /etc/rspamd/local.d/redis.conf

Increase the Rspamd history, enable compression and show the subject in the history. This step is optional.

echo "nrows = 2500;" > /etc/rspamd/local.d/history_redis.conf 
echo "compress = true;" >> /etc/rspamd/local.d/history_redis.conf
echo "subject_privacy = false;" >> /etc/rspamd/local.d/history_redis.conf

Then restart Rspamd.

systemctl restart rspamd

Update ISPConfig

ISPConfig needs to be updated to enable the Rspamd configuration. When the ISPConfig updater asks you if it shall reconfigure services, choose 'yes'.

cd /tmp
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php

You will see the line "Configuring Rspamd" in the output of the update script when Rspamd is detected and configured.

Enable Rspamd in ISPConfig

The final step requires that you log into ISPConfig as 'admin' user.

Log into ISPConfig

In ISPConfig navigate to System > Server Config > Mail.

There you change the value of the field Content Filter from Amavisd to Rspamd and press the save button at the bottom of the page. ISPConfig will start to reconfigure all mailboxes for Rspamd now.

When you go back to System > Server Config > Mail, then you can see some new fields where you can read and set the Rspamd password.

Rspamd password

Make Rspamd Dashboard accessible from outside

The Rspamd dashboard is on port 11334 on localhost, so it can not be accessed from outside. In this chapter, we will create a website in ISPConfig and add a proxy configuration. The configuration differs between Apache and Nginx web server, use the chapter which matches your installed web server software.


Enable the Proxy Module and restart apache.

a2enmod proxy
systemctl restart apache2

Then log into ISPconfig and create a website which will get used to access the Rspamd GUI. You are free to choose the domain name, I will use here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website for Rspamd GUI

Go to the Options tab of the website and enter the following configuration into the Apache Directives field. For Apache 2.2, use:

 <Location /rspamd>
Order allow,deny
Allow from all
RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*)$1 [P]

For Apache 2.4, use this instead:

<Location /rspamd>
Require all granted
RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*)$1 [P]

Now you can access the Rspamd GUI with a web browser You will get asked for a password, use the password that you generated during Rspamd installation.


Log into ISPconfig and create a website which will get used for accessing the Rspamd GUI. You are free to choose the domain name, I will use here. You don't have to enable any programming language or other options in that site, just leave everything at the defaults. Enabling SSL and Let's encrypt is highly recommended though.

Add website on Nginx web server

Go to the Options tab of the website and enter the following configuration into the Nginx Directives field.

location / {
root /usr/share/rspamd/www/;
try_files $uri @proxy;

location @proxy {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;

Now you can access the Rspamd GUI with a web browser You will get asked for a password, use the password that you have set for Rspamd in ISPConfig.

Rspamd GUI

Now you can access the Rspamd GUI with a browser and get detailed statistics about the spam filter rate and throughput.

ISPConfig has been reconfigured to use Rspamd instead of Amavis to scan for spam emails. Rspamd is also used for Dkim Signing.

Disable Amavis

Finally, we stop and disable amavisd service:

systemctl stop amavisd-new
systemctl disable amavisd-new


Rspamd is a modern high-performance spam scan software for Linux servers which delivers very accurate filter results. ISPConfig supports Rspamd as spam scan unit since version 3.1.15. This tutorial shows how to replace with Rspamd on an ISPConfig 3.1 server.

Share this page:

Suggested articles

66 Comment(s)

Add comment


By: felan at: 2019-09-10 17:16:23

Hmm. How would I go about getting the webinterface up on a multiserver setup, that does not have web enabled on the mail server?

By: till at: 2019-09-10 17:28:28

Put the Rspamd website on the master or on another web server node of your setup and use the IP of the mail server in the proxy snippet that goes into the apache or nginx directives field instead of On the mail server, edit the rspamd config like this:

nano /etc/rspamd/local.d/

# change or add line:
bind_socket = "<external IP of the mail server>:11334";
secure_ip = "<outgoing ip of master server>";

and replace the two IP placeholders with the correct IP addresses. Finally, restart Rspamd to apply the changes.

By: felan at: 2019-09-10 20:14:07

Excellent works perfectly!

By: Mccyberix at: 2019-10-24 11:53:46

Hello, I have a 3 node multiserver runing and have successfully switched to rspamd, but my problem is that I'm not able to ad more servers to the GUI. When I add the above lines I get a Serever Error: 503. I have also tried to add the neighbors list to the as described here but then it says: "cannot get server status, request failed". My cluster is on a public network not private! So does anyone have a clue how the implementation of other nodes to the rspamd-gui should be done?Thanks in advance!Mccyberix

By: 30uke at: 2019-09-10 20:21:40

This looks great! I will try this as soon as possible (probably this weekend or somehwere next week). Thanks for the tutorial. Very much appreciated :-)

By: 3|K at: 2019-09-11 07:17:23

Thanks alot for this!

By: Chriz! at: 2019-09-11 08:44:28

worked like a charm! Thanks!

By: Björn Hahnefeld at: 2019-09-11 10:14:02

Can this snippet also taken with existing domain:



<Location /rspamd>

Order allow,deny

Allow from all


RewriteEngine On

RewriteRule ^/rspamd$ /rspamd/ [R,L]

RewriteRule ^/rspamd/(.*)$1 [P]



For example ?


By: till at: 2019-09-11 10:21:07

> Can this snippet also taken with existing domain




> For example


That's not a website of an existing domain, it's the ispconfig vhost on port  8080. You can modify the ispconfig vhost by using this snippet, but this requires some more work and you have to create a custom config template etc.

By: Björn at: 2019-09-12 11:13:39

This host I added in ISPConfig. So it is existing as web.

By: Steini86 at: 2019-09-11 16:08:14

For Apache2.4 you should use 

<Location /rspamd>

Require all granted



I use it for my where the roundcube is located. Running nice. Thanks!

By: [email protected] at: 2019-09-12 11:17:22

I put directive in website->options in ispconfig. But I get this:


Not Found

The requested URL was not found on this server.


By: Alexandros at: 2019-09-13 07:05:00

Hi, i have the same issue (404 error) in one of my server with exact same setup while others are working ok...

If you find a solution please tell us ;)

By: IceManXS at: 2019-09-11 13:37:01


when I use your nginx config to make Rspamd accessible from outside I get the dashbord just as text, no grafix and no password prompt. It is unuseable.

If I enter the following configuration, copied from the Rspamd-Site, into the Nginx Directives field it works perfectly. And you can use just instead of

location / { root /usr/share/rspamd/www/; try_files $uri @proxy; } location @proxy { proxy_pass; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; }


By: Neptun at: 2019-09-11 16:38:51

Debian 10 & nginx - perfect working

Just one question - why amavisd-new pkgs will not be removed ? is it still anywhere needed ?

thanks for the great job

By: till at: 2019-09-11 16:40:45

You can remove them if you want. I just wanted to keep the ability to switch it back on easily and it does not use that much hard disk space, so it should not really matter if you remove it or not.

By: reset at: 2019-09-11 17:25:45

How long the conversion process? I see the spinning bars for more than half hour. The system have 800-900 mailboxes.

By: till at: 2019-09-11 17:37:38

Depends on the speed of your server, so thats fully system dependent. You can see in ISPConfig how many tasks are left, stop the time, count how many items got processed, then you know when it's finished.

By: Jay at: 2019-09-12 12:29:28

Thanks for the tut.

One Question: After following this tutorial, I noticed, that in "ISPConfig -> System -> Server Configuration -> Mail" the DKIM-Path is still "/var/lib/amavis/dkim". Shouldn't this be changed?


By: till at: 2019-09-12 12:31:33

No, the path should remain as it is.

By: egaldoch at: 2019-09-13 19:05:00

I left the path as it is, but for DKIM signing to work I had to change the user and group of the directory and restart rspamd

"chown -R _rspamd:_rspamd /var/lib/amavis/dkim && service rspamd restart"

By: André at: 2020-03-28 17:50:34

Don't do this. Simply ensure that the user "_rspamd" is part of the group "amavis". This is the default and allows access to the required files.

By: Alexandros at: 2019-09-12 12:52:24

Hello, and for Centos / Rhel systems some info since i sucesfully made the alterations :)



yum install redis

systemctl start redis

systemctl enable redis


#test redis – correct feedback is PONG

redis-cli ping


#install rspamd


curl > /etc/yum.repos.d/rspamd.repo

rpm --import

yum update

yum install rspamd


#monit setup


check process rspamd

    matching 'rspamd: main process'

    start program = "/bin/systemctl start rspamd.service"

    stop program = "/bin/systemctl stop rspamd.service"


   if cpu is greater than 40% for 2 cycles then alert

   if cpu > 60% for 5 cycles then alert

   if memory > 80% for 4 cycles then alert

   if totalmem > 512 MB for 5 cycles then alert



Usefull links:


By: Steini86 at: 2019-09-12 16:21:55

Might be the wrong place to ask:

rspamd now rejects mails which I get from an outside account via fetchmail. This does not work, I get an undelivered message error, to [email protected] How can I set rspamd, such that mails coming from fetchmail are only marked, not rejected (outside mails via delivery should be rejected if spam)

By: Frost at: 2019-09-13 07:42:23

how can you enable ssl for its web interface?

By: till at: 2019-09-13 08:04:32

Enable ssl for the website where you added the config snippet.

By: Frost at: 2019-09-13 09:01:22

I did that but it redirects me to non-secure url due to the rewrite rule

RewriteRule ^/rspamd/(.*) http://mailserver:11334/$1 [P]

By: till at: 2019-09-16 10:47:09

That's a proxy, not a redirect, so the browser connection stays on the secured SSL link. If you want to enable SSL on the connection between web- and mail server too, then you might have to install a minimal nginx server on the mail system and enable SSL for it and let it connect to Rspamd on localhost.

By: nicolas at: 2019-09-14 12:08:38

got this error "redis_cache_cb received error: Connexion refused", any idea ? it works anyway

By: newan at: 2019-10-09 09:55:48

Same problem here

By: till at: 2019-10-09 10:00:52

Most likely Redis is not started on your system when you get this message. Start it with 'systemctl start redis' or you had Redis installed before and configured it to reject connections. if you need further help, please post in the forum.

By: Milkki at: 2019-11-14 15:26:53

The problem appears to be that localhost sometimes resolves to ipv6 address and Redis is listening to ipv4 out-of-the-box. 

Change /etc/rspamd/local.d/redis.conf to:

read_servers = "";write_servers = "";


By: Alexandros at: 2019-09-16 09:58:35

Hello again,

I would like to share one thing i noticed.

On web GUI i noticed that on history - greylist i get some errors that contain the following message format.

cannot load dkim key /var/lib/rspamd/dkim/ cannot stat private key

/var/lib/rspamd/dkim/ No such file or directory

Where of course there are multiple such errors with Internal domains hosted in the server.

Is it something worth investigating, what do you think?


By: till at: 2019-09-16 10:45:05

Please make a post in the ISPConfig support forum here at howtoforge.

By: Lionheart82 at: 2019-09-16 11:50:18
By: orlovnv at: 2019-09-16 11:48:57

2019-09-16 16:48:11 #20450(normal) <sqaezx>; lua; lua_redis.lua:1145: cannot upload script to connection refused 

how to solve it?

By: till at: 2019-09-16 11:52:55

Might be related to the boot order, or you do not have Redis installed yet and started as described in the tutorial above. Restart rspamd and if it does not solve it, restart redis first and then rspamd. See also here:

If you need further help, post in the ISPConfig support forum here at howtoforge.

By: Thiago at: 2019-09-17 19:38:31

I was able to install rspamd following its walkthrough, but I can't log in (access) the GUI. Returns request failed / undefined error


Any tips to fix this?thks!

By: dmgeurts at: 2019-11-16 01:33:20

I'm having the same issue for rspamd sites on a different server to the one the proxy domain is on. Weird enough I one server which is working and one that isn't...

By: dmgeurts at: 2019-11-16 17:40:08

For me it turned out to be as simple as a missing trailing slash.

By: Tom at: 2019-09-18 08:20:27



a few days ago we used this howto to migrate to rspamd, and we are quite satisfied with it. Thanks for that!

Now we would like to whitelist some sender addresses, but the spamfilter whitelist editor of ISPConfig doesn't seem to work here.

Can anyone tell us how we can best do this?


Thanks a lot!

Regards, Tom

By: till at: 2019-09-18 08:26:56

The spamfilter white- and blacklist is implemented for rspamd as well. But that's out of the scope of this guide, if you have such detailed questions, please use the forum.

By: Matt at: 2019-10-01 20:47:18

Hi till, thanks a lot, this helps soo much. One question: Is it possible or even recommended to remove postgrey and let rspamd handle greylisting? I'm not sure whether I understand the process correctly, but I think having both can lead to long time waiting for some mail. However so far I did not succeed in removing postgrey and end up in breaking postfix when trying to remove the lines:

smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:

Should postgrey stay? If not, does anyone know how to remove it correctly?


By: dmgeurts at: 2020-02-07 12:21:09

I think you're on to something here. It's not as easy as commenting out greylisting in as that results in emails being dropped!

By: chaosad at: 2019-10-03 13:08:16

Has anyone a working nginx config for

thank you

By: Omahd at: 2019-10-11 12:16:54

Hello Till,

I have followed this guide, however I'm getting a 404 error when trying to access the Rspamd GUI (on Ubuntu 18.04, with the Apache 2.4 option) I can browse to "" but returns a 404. any ideas how to troubleshoot this would be much appreciated.

By: ChristosG at: 2019-10-30 20:59:29

While not the best place to ask, but.. Are there any "Perfect Server" tutorials that include rspamd by "default"

By: 30uke at: 2019-11-02 22:14:35

Thank you Till! This tutorial is great. It has helped me to install spamd with ease. Thanks :-)

By: dmgeurts at: 2019-11-15 13:37:59

Great tutorial and fantastic idea about proxy config, have adapted it to have the haproxy admin/monitoring page under the same domain.

Now, that I've done this on a test server, I'm looking at updating our documentation. I (used to) run amavisd with spamassassin. Sorry if this is a silly question but rspamd replaces both, right? If so I should remove/disable spamassassin in addition to disabling amavisd...

By: till at: 2019-11-15 13:45:09

Yes, it replaces amavis and spamassassin.

By: dmgeurts at: 2019-11-15 14:42:38

Thank you. And clamav...?

By: dmgeurts at: 2019-11-16 18:11:53

Are there special considerations for those of us who run ISPConfig clusters. It would be great if slave servers sync their Rspamd filters etc with their masters and vice versa.

By: Jon at: 2019-12-03 18:33:13

So we could add:

systemctl stop spamassassin systemctl disable spamassassin


By: MikySal78 at: 2019-12-15 17:44:38

in history i have this error:

local > Cannot receive history: {"error": "Connessione rifiutata"}


By: adam.noise at: 2020-02-13 14:54:19

Hey. Is thera any chance to rspamd learn spam from "junk" folder?

By: Danny at: 2020-02-28 17:26:13

I have MAILSERVER1 and i want MAILSERVER2 in my MAILSERVER1 GUI. How can i proceed with this?

By: Angelos at: 2020-05-22 11:23:01


Both are working for themselfs (not cluster) but i would love to have my second mailserver in my first mailservers GUI.

By: André at: 2020-03-28 17:54:13

I want to share this insight for people using DKIM and e-mail aliases. In this case the FROM address might be different form the smtp auth address and thus default rspamd config refuses to sign outgoing mails. Simply solve creating the files:


# apply dkim signing for alias domains

allow_username_mismatch = true;


And for more privacy:



# don't show smpt auth user in header

routines {

   authentication-results {

       add_smtp_user = false;




Hope this helps!

By: José at: 2020-04-23 19:05:24


In the interface, "History", section "Errors", show the message: cannot resolve query refused

How to resolve this issue?

By: Spaetzle at: 2020-04-25 14:29:39

HiIf I do a new installation following the "The Perfect Server - Ubuntu 18.04 (Bionic Beaver) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1" but I want to use rspamd. Can I do the Installation without installing Amavisd-new and SpamAssassin or are thos two packages needed for other functions?Is it a problem if those packages are installed and running?Stay healthyBernd

By: Taleman at: 2020-05-22 10:23:05

I installed on a virtual host where processor was the default kvm64. This results in:

This CPU lacks support for the Supplemental Streaming SIMD Extensions 3   ? 

 ? (SSSE3) instruction set that is required to execute programs linked       ? 

 ? against hyperscan.                                                        ? 

 ?                                                                           ? 

 ? Really install package? 

So I answerd "no"  to abort rspamd install, shutdown the virtual host, changed CPU of virtual host to better, and turned the virtual host back on. The command

apt --fix-broken install

finished installing rspamd. 

By: Taleman at: 2020-06-27 08:16:53

When starting to use rspamd, would it make sense to not reject any e-mails? My experience is it rejects some legitimate e-mails, especially reports that logwatch sends. Rejected e-mails disappear, just marking them as spam would allow me to still see them in SPAM folder. 

By: vinc at: 2020-06-29 13:51:17


i have the same Problem like @Taleman   Rejected mails are just Lost and i can't teach the system (rspamd) to be HAM

have a nice dayvinc 

By: Gaston Girardi at: 2020-08-10 02:34:25

Has anyone had a problem that Rspamd GUI doesn't open on the web page?, with the message that the page can't be found?

By: ledufakademy at: 2020-09-04 16:27:27

the how to not working with multiserver setup.


By: ledufakademy at: 2020-09-04 16:58:28

For multiserver setup woth dedicated server (web, db, mail)

the snipets , code for nginx rproxy: must be :


location /rspamd/ {  proxy_pass       http://<internal_ip_mailserver>:11334/;  proxy_set_header Host      $host;  proxy_set_header X-Real-IP $remote_addr;  proxy_set_header X-Forwarded-For "";}


And :


# Included from top-level .conf filetype = "controller";count = 1;password = "a1db108c79834e1d9102452b";bind_socket = "<mail_server_ip>:11334";secure_ip = "<web_server_ip(rproxy server)>";secure_ip = "::1";static_dir = "${WWWDIR}";