Rspamd: Fast, free and open-source spam filtering system

phoenix
Ambassador
Posts: 27262
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by phoenix »

yeeP6rai wrote:How to stop scan messages from my local network?
You'd want to keep it doing that in case any of your outbound mail is from a compromised account.
yeeP6rai wrote:rspamd marks system messages from local servers as spam.
You'd be far better finding out why your email is marked as spam, that isn't normal.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by yeeP6rai »

For example:

Code: Select all

BAYES_HAM(-3.00)[100.00%];
NEURAL_SPAM(2.37)[0.790];
Which of them is right? :)
phoenix wrote:You'd be far better finding out why your email is marked as spam, that isn't normal.
I disagree with you. For example, if my servers generate over 1000 system email messages per hour for some purpose, why should the spam system check them? It's not right. I think it should bypass such messages without spam checks. I'm the admin of these servers and I know there couldn't be spam emails.
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by yeeP6rai »

Maybe this configuration should be added to fully exclude the local network from spam scans?

http://www.postfix.org/MILTER_README.html#per-client
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by yeeP6rai »

yeeP6rai wrote:Maybe this configuration should be added to fully exclude the local network from spam scans?

http://www.postfix.org/MILTER_README.html#per-client
I've tested excluding the internal network from rspamd checking and it seems to work for me. Messages from the internal network do not contain rspamd headers, but messages from other networks were checked by rspamd.

Code: Select all

zmlocalconfig -e postfix_smtpd_milter_maps=/opt/zimbra/common/conf/smtpd_milter_map
zmcontrol restart
zmlocalconfig |grep smtpd_milter
postfix_smtpd_milter_maps = /opt/zimbra/common/conf/smtpd_milter_map
cat /opt/zimbra/common/conf/smtpd_milter_map
!93.18.0.4/32 DISABLE #it's my external smtp relay. Zimbra send/receive messages via it. Messages from it will checked by rspamd
192.168.0.0/16 DISABLE # Messages from this servers not checked by rspamd
172.16.0.0/12 DISABLE # Messages from this servers not checked by rspamd
93.18.0.0/23 DISABLE # it's my network with servers in my administrative control. Messages from this servers not checked by rspamd
upd-1. something wrong. testing in progress
upd-2. oops:

Code: Select all

smtpd_milter_maps (default: empty)
....
This feature is available in Postfix 3.2 and later.

Code: Select all

rpm -qi zimbra-postfix|grep -i version
Version     : 3.1.1
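Added example, not part of the original post and not Zimbra or Postfix code: a shell pre-flight for the test described above. It checks the "Postfix 3.2 and later" requirement quoted in the post and lints a map against cidr_table(5) syntax, where `#` starts a comment only on a line of its own and `!pattern` matches every client outside the given network; the function names and the sample map are constructed for illustration (MILTER_README's own example also references the map with a `cidr:` type prefix).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for smtpd_milter_maps.

# Succeeds when the Postfix version given as $1 is 3.2 or later,
# the first release that honours smtpd_milter_maps.
milter_maps_supported() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; }
}

# Reads a cidr: milter map (file argument or stdin) and prints one finding
# per problem; prints nothing for a clean map.
lint_milter_map() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank or whole-line comment
        substr($1, 1, 1) == "!" {
            printf "line %d: !pattern applies \"%s\" to every client outside %s\n", NR, $2, substr($1, 2)
        }
        index($0, "#") > 0 {
            printf "line %d: text after # is not a comment, it becomes part of the result\n", NR
        }
        NF < 2 { printf "line %d: pattern has no result\n", NR }
    ' "$@"
}

# Constructed sample: the two entries follow the style of the map in the post.
sample_map() {
    cat <<'EOF'
# comments are only recognised on lines of their own
!93.18.0.4/32 DISABLE #external relay
192.168.0.0/16 DISABLE
EOF
}

if milter_maps_supported 3.1.1; then   # version reported by rpm in the post
    echo "3.1.1: smtpd_milter_maps available"
else
    echo "3.1.1: smtpd_milter_maps needs Postfix 3.2 or later"
fi
sample_map | lint_milter_map
```

On a version that does not know the parameter, every client keeps going through the milter, so the absence of errors does not show that the map is in effect.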
lowhigh
Posts: 36
Joined: Wed Feb 08, 2017 5:14 pm

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by lowhigh »

Sorry for my mistake!
strengthandmind
Posts: 10
Joined: Fri Jul 17, 2020 1:29 pm

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by strengthandmind »

Hi Phoenix,

Firstly thank you for writing a great wiki article :)

I am new to rspamd and have just installed it on my ZCS9 server and it appears to be working.

On inspection of a test email I do still see in the headers

Code: Select all

X-Spam-Status: No, score=-0.799 required=6.6 tests=[DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
	DMARC_PASS_NONE=-0.6, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
	RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
	autolearn=ham autolearn_force=no
and further down the email

Code: Select all

X-Rspamd-Queue-Id: E86E4DDA67
X-Spamd-Result: default: False [-0.50 / 15.00];
	 RCVD_TLS_ALL(0.00)[];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025];
	 FROM_HAS_DN(0.00)[];
	 FREEMAIL_FROM(0.00)[gmail.com];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	 TO_DN_NONE(0.00)[];
	 PREVIOUSLY_DELIVERED(0.00)[support@stratusmission.cloud];
	 RCPT_COUNT_ONE(0.00)[1];
	 R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17];
	 DKIM_TRACE(0.00)[gmail.com:+];
	 DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
	 FROM_EQ_ENVFROM(0.00)[];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 FREEMAIL_ENVFROM(0.00)[gmail.com];
	 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	 RCVD_COUNT_TWO(0.00)[2];
	 R_PARTS_DIFFER(0.50)[100.0%];
	 RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.219.180:from]
Is that what you would expect? To me it seems like SA is still being called.

TIA
strengthandmind
Posts: 10
Joined: Fri Jul 17, 2020 1:29 pm

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by strengthandmind »

Well, rspamd appears to be working very well indeed :D just deciding now whether to externalise ClamAV to make upgrades easier :idea: Then wish to start looking at pulling the metrics into Prometheus :geek:
phoenix
Ambassador
Posts: 27262
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by phoenix »

Sorry, I seem to have missed this post. :(

I run a 'cluster' of Rspamd servers and on the second test server I do have Clam A/V running as a service and I'm going to be removing (or rather disabling) the amavisd & clam A/V services on the live server. As I just have a private mail server those services never caused me a problem as Rspamd reduced the load on my server by about 15-20%

Thanks for your feedback. :) I'd be interested to see how you get on with getting the metrics into Prometheus, I was thinking of using that myself but haven't really had the time recently to do any investigation.
Regards

Bill

strengthandmind
Posts: 10
Joined: Fri Jul 17, 2020 1:29 pm

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by strengthandmind »

Hi Bill,

I have removed all AV/AS/DKIM from ZCS now and switched it over fully to RSPAMD and it certainly is tagging items well :D

With respect to AV configuration, specifically CLAMAV, may I ask how you have it set please? I just have a simple configuration for testing using

Code: Select all

clamav {
   message = '${SCANNER}: virus found: "${VIRUS}"';
   type = "clamav";
   log_clean = true;
   servers = "/run/clamd.scan/clamd.sock";
   patterns {
      symbol_name = "pattern";
      JUST_EICAR = '^Eicar-Test-Signature$';
   }
}
and emails are being tagged

Code: Select all

X-Spamd-Result: default: False [0.09 / 15.00];
	 R_SPF_ALLOW(-0.20)[+ip4:52.142.218.128:c];
	 HAS_ATTACHMENT(0.00)[];
	 ARC_SIGNED(0.00)[i=1];
	 TO_DN_NONE(0.00)[];
	 MIME_BASE64_TEXT_BOGUS(1.00)[];
	 CLAMAV(0.00)[SecuriteInfo.com.JS.Obfus-1906.UNOFFICIAL];
	 RCVD_IN_DNSWL_MED(-0.20)[52.142.218.128:from];
	 CTYPE_MIXED_BOGUS(1.00)[];
but I am unsure of how to reject if it is a virus, or just increase the score based on a pattern. I would appreciate your help.
lozair
Posts: 1
Joined: Fri Mar 26, 2021 10:58 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Post by lozair »

Hi,

We set up rspamd with our local ZCS server, Zimbra 8.8.15_GA_3968, following your post.
All seems to work but we have a question about messages returned to Zimbra users.

Our users use the Zimbra web UI or the Outlook ZCO plugin.
When a user uses the Zimbra web UI and sends too many messages, the rspamd ratelimit module fires a soft reject to Zimbra Postfix.
The "problem" is the message presented by the Zimbra web UI to our user, which contains a generic SMTP ERROR (mail.SEND_FAIL) that seems to indicate a technical problem.

Has anyone already had this "problem" (perhaps something is misconfigured here)?
Is there any method to present the rspamd cause of the non-delivery to the Zimbra user?

Thanks for your help

Regards