Rspamd: Fast, free and open-source spam filtering system

[phoenix]

How to stop scan messages from my local network?[/quoote]You'd want to keep it doing that in case any of your outbound mail is from a compromised account.

rspamd marks system messages from local servers as spam.

You'd be far better finding out why your email is marked as spam, that isn't normal.

[yeeP6rai]

For example:

Code: Select all

BAYES_HAM(-3.00)[100.00%];
NEURAL_SPAM(2.37)[0.790];

Who is right from them?

You'd be far better finding out why your email is marked as spam, that isn't normal.

I'm disagree with you. For example if my servers generates over 1000 system email messages per hour for some purposes, why spam system should check it? It's not right. I think it should be bypass such messages without spam checks. I'm admin this servers and I know there couldn't be spam emails.

[yeeP6rai]

May be this configuration should be added to fully exclude local network from spam scans?

http://www.postfix.org/MILTER_README.html#per-client

[yeeP6rai]

May be this configuration should be added to fully exclude local network from spam scans?

http://www.postfix.org/MILTER_README.html#per-client

I've tested excluding internal network from rspamd checking and it's seems works for me. Messages from internal network does not contain rspamd headers, but messages from other networks was checked by rspamd.

Code: Select all

zmlocalconfig -e postfix_smtpd_milter_maps=/opt/zimbra/common/conf/smtpd_milter_map
zmcontrol restart
zmlocalconfig |grep smtpd_milter
postfix_smtpd_milter_maps = /opt/zimbra/common/conf/smtpd_milter_map
cat /opt/zimbra/common/conf/smtpd_milter_map
!93.18.0.4/32 DISABLE #it's my external smtp relay. Zimbra send/receive messages via it. Messages from it will checked by rspamd
192.168.0.0/16 DISABLE # Messages from this servers not checked by rspamd
172.16.0.0/12 DISABLE # Messages from this servers not checked by rspamd
93.18.0.0/23 DISABLE # it's my network with servers in my administrative control. Messages from this servers not checked by rspamd

upd-1. something wrong. testing in progress
upd-2. oops:

Code: Select all

smtpd_milter_maps (default: empty)
....

This feature is available in Postfix 3.2 and later.

Code: Select all

rpm -qi zimbra-postfix|grep -i version
Version     : 3.1.1

[lowhigh]

Sorry for my mistake!

[strengthandmind]

Hi Phoenix,

Firstly thank you for writing a great wiki article

Am new to rspamd and have just installed it on my ZCS9 server and appears to be working.

On inspection of a test email I do still see in the headers

Code: Select all

X-Spam-Status: No, score=-0.799 required=6.6 tests=[DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
	DMARC_PASS_NONE=-0.6, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
	RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
	autolearn=ham autolearn_force=no

and further down the email

Code: Select all

X-Rspamd-Queue-Id: E86E4DDA67
X-Spamd-Result: default: False [-0.50 / 15.00];
	 RCVD_TLS_ALL(0.00)[];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025];
	 FROM_HAS_DN(0.00)[];
	 FREEMAIL_FROM(0.00)[gmail.com];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	 TO_DN_NONE(0.00)[];
	 PREVIOUSLY_DELIVERED(0.00)[support@stratusmission.cloud];
	 RCPT_COUNT_ONE(0.00)[1];
	 R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17];
	 DKIM_TRACE(0.00)[gmail.com:+];
	 DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
	 FROM_EQ_ENVFROM(0.00)[];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 FREEMAIL_ENVFROM(0.00)[gmail.com];
	 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	 RCVD_COUNT_TWO(0.00)[2];
	 R_PARTS_DIFFER(0.50)[100.0%];
	 RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.219.180:from]

is that what you would expect ? to me it seems like SA is still being called.

TIA

[strengthandmind]

Well rspamd appears to be working very indeed just deciding now whether to externalise ClamAV to make upgrades easier Then wish to start looking at pulling the metrics into Prometheus

[phoenix]

Sorry, I seem to have missed this post.

I run a 'cluster' of Rspamd servers and on the second test server I do have Clam A/V running as a service and I'm going to be removing (or rather disabling) the amavisd & clam A/V services on the live server. As I just have a private mail server those services never caused me a problem as Rspamd reduced the load on my server by about 15-20%

Thanks for your feedback. I'd be interested to see how you get on with getting the metrics into Prometheus, I was thinking of using that myself but haven't really had the time recently do any investigation.

[strengthandmind]

Hi Bill,

I have removed all AV/AS/DKIM from ZCS now and switched it over fully to RSPAMD and it certainly is tagging items well

With respect to AV configuration, specifically CLAMAV, may I ask how you have it set please? I just have a simple configuration for testing using

Code: Select all

clamav {
   message = '${SCANNER}: virus found: "${VIRUS}"';
   type = "clamav";
   log_clean = true;
   servers = "/run/clamd.scan/clamd.sock";
   patterns {
   symbol_name = "pattern";
      JUST_EICAR = '^Eicar-Test-Signature$';
   }
}

and emails are being tagged

Code: Select all

X-Spamd-Result: default: False [0.09 / 15.00];
	 R_SPF_ALLOW(-0.20)[+ip4:52.142.218.128:c];
	 HAS_ATTACHMENT(0.00)[];
	 ARC_SIGNED(0.00)[i=1];
	 TO_DN_NONE(0.00)[];
	 MIME_BASE64_TEXT_BOGUS(1.00)[];
	 CLAMAV(0.00)[SecuriteInfo.com.JS.Obfus-1906.UNOFFICIAL];
	 RCVD_IN_DNSWL_MED(-0.20)[52.142.218.128:from];
	 CTYPE_MIXED_BOGUS(1.00)[];

but am unsure of how to reject if a virus or just increase the score based on a pattern. Would appreciate your help.

[lozair]

Hi,

We setup rspamd with our local ZCs server Zimbra 8.8.15_GA_3968 following your post.
All seems to work but we had a question about messages returned to Zimbra users.

Our users use Zimbra web UI or Outlook ZCO plugin.
When a user use the ZimbraWebUI and send too much messages, the rspamd ratelimit module fire a softreject to Zimbra postfix.
The "problem" is the message presented by the ZimbraWebUI to our user which contain a generic SMTP ERROR (mail.SEND_FAIL) which seems to indicate a technical problem.

Anyone already had this "problem" (perhaps something misconfigured here)?
Is there any method to present to Zimbra user the rspamd cause of the non-delivery.

Thanks for your help

Regards