
Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Mon Feb 10, 2020 11:36 am
by phoenix
yeeP6rai wrote:How to stop scan messages from my local network?
You'd want to keep it doing that in case any of your outbound mail is from a compromised account.

yeeP6rai wrote:rspamd marks system messages from local servers as spam.
You'd be far better finding out why your email is marked as spam, that isn't normal.

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Mon Feb 10, 2020 11:51 am
by yeeP6rai
For example:

Code:

BAYES_HAM(-3.00)[100.00%];
NEURAL_SPAM(2.37)[0.790];

Which of them is right? :)

phoenix wrote:You'd be far better finding out why your email is marked as spam, that isn't normal.

I disagree with you. For example, if my servers generate over 1000 system email messages per hour for some purpose, why should the spam system check them? It's not right. I think it should bypass such messages without spam checks. I'm the admin of these servers and I know there couldn't be spam emails.

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Mon Feb 10, 2020 12:09 pm
by yeeP6rai
Maybe this configuration should be added to fully exclude the local network from spam scans?

http://www.postfix.org/MILTER_README.html#per-client

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Mon Feb 10, 2020 8:45 pm
by yeeP6rai
yeeP6rai wrote:Maybe this configuration should be added to fully exclude the local network from spam scans?

http://www.postfix.org/MILTER_README.html#per-client


I've tested excluding the internal network from rspamd checking and it seems to work for me. Messages from the internal network do not contain rspamd headers, but messages from other networks were checked by rspamd.

Code:

zmlocalconfig -e postfix_smtpd_milter_maps=/opt/zimbra/common/conf/smtpd_milter_map
zmcontrol restart
zmlocalconfig |grep smtpd_milter
postfix_smtpd_milter_maps = /opt/zimbra/common/conf/smtpd_milter_map
cat /opt/zimbra/common/conf/smtpd_milter_map
!93.18.0.4/32 DISABLE #it's my external smtp relay. Zimbra send/receive messages via it. Messages from it will checked by rspamd
192.168.0.0/16 DISABLE # Messages from this servers not checked by rspamd
172.16.0.0/12 DISABLE # Messages from this servers not checked by rspamd
93.18.0.0/23 DISABLE # it's my network with servers in my administrative control. Messages from this servers not checked by rspamd


upd-1. something wrong. testing in progress
upd-2. oops:

Code:

smtpd_milter_maps (default: empty)
....

This feature is available in Postfix 3.2 and later.

Code:

rpm -qi zimbra-postfix|grep -i version
Version     : 3.1.1
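
Added example, not part of the original post: a Python model of the cidr_table(5) lookup rules (first match wins, `!net` matches every address outside `net`, `#` starts a comment only at the beginning of a line) applied to the posted map as a Postfix 3.2 or later server would read it. It assumes the table is loaded with the `cidr:` type as in MILTER_README; `MILTERS`, `REORDERED_MAP` and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the posted map with its inline comments dropped, since
# Postfix tables only treat '#' as a comment at the start of a line.
POSTED_MAP = """\
!93.18.0.4/32 DISABLE
192.168.0.0/16 DISABLE
172.16.0.0/12 DISABLE
93.18.0.0/23 DISABLE
"""

# Assumption: hypothetical milter endpoint standing in for the smtpd_milters value.
MILTERS = "inet:127.0.0.1:11332"

# Constructed variant: the relay gets an explicit milter list ahead of the /23 rule.
REORDERED_MAP = f"""\
# external relay inside 93.18.0.0/23 stays scanned
93.18.0.4/32 {MILTERS}
192.168.0.0/16 DISABLE
172.16.0.0/12 DISABLE
93.18.0.0/23 DISABLE
"""

def parse_cidr_table(text):
    """Return [(negated, network, result)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        negated = pattern.startswith("!")
        network = ipaddress.ip_network(pattern.lstrip("!"), strict=True)
        rules.append((negated, network, result.strip()))
    return rules

def lookup(rules, client_ip):
    """First matching rule wins; '!net' matches every address outside net."""
    addr = ipaddress.ip_address(client_ip)
    for negated, network, result in rules:
        if (addr in network) != negated:
            return result
    return None  # no match: the global smtpd_milters setting applies

def scanned(map_text, client_ip):
    """True when the client is still passed to a milter."""
    return lookup(parse_cidr_table(map_text), client_ip) != "DISABLE"
```

With the posted rule order every client, including 93.18.0.4, resolves to DISABLE; the reordered map keeps the relay and outside clients scanned.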

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Wed Apr 08, 2020 4:29 pm
by lowhigh
Sorry for my mistake!

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Thu Jul 23, 2020 1:43 pm
by strengthandmind
Hi Phoenix,

Firstly thank you for writing a great wiki article :)

I am new to rspamd and have just installed it on my ZCS9 server and it appears to be working.

On inspection of a test email I do still see in the headers

Code:

X-Spam-Status: No, score=-0.799 required=6.6 tests=[DKIM_SIGNED=0.1,
   DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
   DMARC_PASS_NONE=-0.6, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
   RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
   autolearn=ham autolearn_force=no

and further down the email

Code:

X-Rspamd-Queue-Id: E86E4DDA67
X-Spamd-Result: default: False [-0.50 / 15.00];
    RCVD_TLS_ALL(0.00)[];
    ARC_NA(0.00)[];
    R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025];
    FROM_HAS_DN(0.00)[];
    FREEMAIL_FROM(0.00)[gmail.com];
    TO_MATCH_ENVRCPT_ALL(0.00)[];
    MIME_GOOD(-0.10)[multipart/alternative,text/plain];
    TO_DN_NONE(0.00)[];
    PREVIOUSLY_DELIVERED(0.00)[support@stratusmission.cloud];
    RCPT_COUNT_ONE(0.00)[1];
    R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17];
    DKIM_TRACE(0.00)[gmail.com:+];
    DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
    FROM_EQ_ENVFROM(0.00)[];
    MIME_TRACE(0.00)[0:+,1:+,2:~];
    FREEMAIL_ENVFROM(0.00)[gmail.com];
    ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
    RCVD_COUNT_TWO(0.00)[2];
    R_PARTS_DIFFER(0.50)[100.0%];
    RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.219.180:from]

Is that what you would expect? To me it seems like SA is still being called.

TIA

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri Jul 24, 2020 12:30 pm
by strengthandmind
Well, rspamd appears to be working very well indeed :D just deciding now whether to externalise ClamAV to make upgrades easier :idea: Then wish to start looking at pulling the metrics into Prometheus :geek:

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri Jul 24, 2020 12:44 pm
by phoenix
Sorry, I seem to have missed this post. :(

I run a 'cluster' of Rspamd servers and on the second test server I do have Clam A/V running as a service and I'm going to be removing (or rather disabling) the amavisd & clam A/V services on the live server. As I just have a private mail server those services never caused me a problem as Rspamd reduced the load on my server by about 15-20%

Thanks for your feedback. :) I'd be interested to see how you get on with getting the metrics into Prometheus, I was thinking of using that myself but haven't really had the time recently to do any investigation.

Re: Rspamd: A replacement for Spamassassin & Postscreen

Posted: Fri Jul 24, 2020 2:38 pm
by strengthandmind
Hi Bill,

I have removed all AV/AS/DKIM from ZCS now and switched it over fully to RSPAMD and it certainly is tagging items well :D

With respect to AV configuration, specifically CLAMAV, may I ask how you have it set please? I just have a simple configuration for testing using

Code:

clamav {
   message = '${SCANNER}: virus found: "${VIRUS}"';
   type = "clamav";
   log_clean = true;
   servers = "/run/clamd.scan/clamd.sock";
   patterns {
      symbol_name = "pattern";
      JUST_EICAR = '^Eicar-Test-Signature$';
   }
}

and emails are being tagged

Code:

X-Spamd-Result: default: False [0.09 / 15.00];
    R_SPF_ALLOW(-0.20)[+ip4:52.142.218.128:c];
    HAS_ATTACHMENT(0.00)[];
    ARC_SIGNED(0.00)[i=1];
    TO_DN_NONE(0.00)[];
    MIME_BASE64_TEXT_BOGUS(1.00)[];
    CLAMAV(0.00)[SecuriteInfo.com.JS.Obfus-1906.UNOFFICIAL];
    RCVD_IN_DNSWL_MED(-0.20)[52.142.218.128:from];
    CTYPE_MIXED_BOGUS(1.00)[];

but I am unsure how to reject if a virus is found, or just increase the score based on a pattern. Would appreciate your help.
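
Added example, not part of the original post: the header above shows `CLAMAV` matching with a weight of 0.00, so the hit leaves the message score unchanged. This Python parser for `X-Spamd-Result` reports watched symbols that fired without adding to the score; the `HEADER` sample is constructed from the lines posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the header lines exactly as shown in the post above.
HEADER = """X-Spamd-Result: default: False [0.09 / 15.00];
    R_SPF_ALLOW(-0.20)[+ip4:52.142.218.128:c];
    HAS_ATTACHMENT(0.00)[];
    ARC_SIGNED(0.00)[i=1];
    TO_DN_NONE(0.00)[];
    MIME_BASE64_TEXT_BOGUS(1.00)[];
    CLAMAV(0.00)[SecuriteInfo.com.JS.Obfus-1906.UNOFFICIAL];
    RCVD_IN_DNSWL_MED(-0.20)[52.142.218.128:from];
    CTYPE_MIXED_BOGUS(1.00)[]"""

# "default: <is_spam> [<score> / <required>]" summary at the start of the header
SUMMARY = re.compile(r"default:\s*(True|False)\s*\[(-?[\d.]+)\s*/\s*(-?[\d.]+)\]")
# "SYMBOL(weight)[options]" entries that follow the summary
SYMBOL = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)\[([^\]]*)\]")

def parse_spamd_result(value):
    """Split an X-Spamd-Result header into its summary and per-symbol entries."""
    summary = SUMMARY.search(value)
    if summary is None:
        raise ValueError("no 'default: ... [score / required]' summary found")
    symbols = {
        name: (float(weight), options)
        for name, weight, options in SYMBOL.findall(value)
    }
    return {
        "is_spam": summary.group(1) == "True",
        "score": float(summary.group(2)),
        "required": float(summary.group(3)),
        "symbols": symbols,
    }

def unscored_hits(result, watched=("CLAMAV",)):
    """Watched symbols that matched but contributed 0.00 to the score."""
    hits = {}
    for name in watched:
        weight, options = result["symbols"].get(name, (None, None))
        if weight == 0.0:
            hits[name] = options
    return hits

if __name__ == "__main__":
    parsed = parse_spamd_result(HEADER)
    print(parsed["score"], parsed["required"], unscored_hits(parsed))
```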