How to Install and integrate Rspamd postfix

Last update at 6/8/2020 by

Install and integrate Rspamd postfix

Install and integrate Rspamd postfix

We are going to go through the installation and configuration of the Rspamd postfix spam filtering system and its integration into our mail server, creating DKIM and DMARC DNS records.

Install and integrate Rspamd postfix

You may wonder why we have chosen to go with Rspamd and not Spamassassin. Rspamd is written in C, and it is much faster then Spamassassin, which is written in Perl, and also, Rspamd is more actively maintained. Another reason is that Rspamd comes with a DKIM signing module, so we will not have to use other software to sign our outgoing emails.
If you are not familiar with Rspamd, you can take a look at their official documentation here.
Also, here are a few hand-picked guides that must read next:

  1. How to speed up WordPress with Redis Caching
  2. Install and configure Dovecot and Postfix

Install Redis

Redis will be used as a storage and caching system by Rspamd. To install it, just run:

sudo apt install redis-server

Install Unbound

Unbound is a very secure validating, recursive, and caching DNS resolver.
The main purpose of installing this service is to reduce the number of external DNS requests. This step is optional and can be skipped.

sudo apt install unbound

The default settings should be sufficient for most servers.
Set unbound as your server’s primary DNS resolver:

sudo echo "nameserver" 
>> /etc/resolvconf/resolv.conf.d/head sudo resolvconf -u

If you are not using resolvconf, then you need to edit the /etc/resolv.conf file manually.

Install Rspamd

We will install the latest stable version of Rspamd from its official repository:

sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget
wget -O- | sudo apt-key add -
echo "deb $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt update
sudo apt install rspamd

Configure Rspamd

Instead of modifying the stock config files, we will create new files in the /etc/rspamd/local.d/local.d/ directory, which will overwrite the default setting.
By default, Rspamd’s normal worker, the worker that scans email messages, listens on all interfaces on port 11333. Create the following file to configure the Rspamd normal worker to listen only to localhost interface:

bind_socket = "";

The proxy worker listens on port 11332 and supports the milter protocol. In order for Postfix to communicate with Rspamd, we need to enable milter mode:

bind_socket = "";
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;

Next, we need to set up a password for the controller worker, which provides access to the Rspamd web interface. To generate an encrypted password, run:

rspamadm pw --encrypt -p P4ssvv0rD 

Don’t forget to change the password (P4ssvv0rD) to something more secure and paste it into the configuration file:

password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";

In order to access the web interface, we will later configure Nginx as a reverse proxy to the controller worker web server.
We will use Redis as a back-end for Rspamd statistics:

servers = "";
backend = "redis";

Set the milter headers:


You can find more information about the milter headers here.
Finally, restart the Rspamd service:

sudo systemctl restart rspamd

Configure Nginx

In the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives (the ones highlighted in yellow):

location /rspamd {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Reload the Nginx service for changes to take effect:

sudo systemctl reload nginx

Head over to and enter the password you previously generated with the rspamadm pw command. You will be presented with the Rspamd web interface.

Configure Postfix

We need to configure Postfix to use the Rspamd milter. Run the following command to update the Postfix main configuration file:

sudo postconf -e "milter_protocol = 6"
sudo postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"
sudo postconf -e "milter_default_action = accept"
sudo postconf -e "smtpd_milters = inet:"
sudo postconf -e "non_smtpd_milters = inet:"

Restart the Postfix service for changes to take effect:

sudo systemctl restart postfix

Configure Dovecot

We already installed and configured Dovecot in the second part of this series, and now we will install the sieve filtering module and integrate Dovecot with Rspamd.

sudo apt install dovecot-sieve dovecot-managesieved

Open the following files and edit the lines highlighted in yellow.

protocol lmtp {
  postmaster_address = [email protected]
  mail_plugins = $mail_plugins sieve
protocol imap {
  mail_plugins = $mail_plugins imap_quota imap_sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
service managesieve {
  process_limit = 1024
plugin {
    # sieve = file:~/sieve;active=~/.dovecot.sieve
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/vmail/mail/sieve/global/spam-global.sieve
    sieve = file:/var/vmail/mail/sieve/%d/%n/scripts;active=/var/vmail/mail/sieve/%d/%n/active-script.sieve
    imapsieve_mailbox1_name = Spam
    imapsieve_mailbox1_causes = COPY
    imapsieve_mailbox1_before = file:/var/vmail/mail/sieve/global/report-spam.sieve
    imapsieve_mailbox2_name = *
    imapsieve_mailbox2_from = Spam
    imapsieve_mailbox2_causes = COPY
    imapsieve_mailbox2_before = file:/var/vmail/mail/sieve/global/report-ham.sieve
    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe

Create a directory for our sieve scripts:

mkdir -p /var/vmail/mail/sieve/global

Create a global sieve filter to move emails marked as spam to the Spam directory:

require ["fileinto","mailbox"];
if anyof(
    header :contains ["X-Spam-Flag"] "YES",
    header :contains ["X-Spam"] "Yes",
    header :contains ["Subject"] "*** SPAM ***"
    fileinto :create "Spam";

The following two sieve scripts will be triggered whenever you move an email in or out of the Spam directory:

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];

Restart the Dovecot service for changes to take effect:

sudo systemctl restart dovecot

Compile sieve scripts and set the correct permissions:

sievec /var/vmail/mail/sieve/global/spam-global.sieve
sievec /var/vmail/mail/sieve/global/report-spam.sieve
sievec /var/vmail/mail/sieve/global/report-ham.sieve
sudo chown -R vmail: /var/vmail/mail/sieve/

Create DKIM keys

DomainKeys Identified Mail (DKIM) is an email authentication method which adds a cryptographic signature to outbound message headers. It allows the receiver to verify that an email claiming to originate from a specific domain was indeed authorized by the owner of that domain. The main purpose of this is to prevent forged email messages.
We can have different DKIM keys for all our domains and even multiple keys for a single domain, but for the simplicity of this article, we’re going to use a single DKIM key which later can be used for all new domains.
Create a new directory to store the DKIM key and generate a new DKIM keypair using the rspamadm utility:

mkdir /var/lib/rspamd/dkim/
rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key > /var/lib/rspamd/dkim/

In the example above, we are using mail as a DKIM selector.
You should now have two new files in the /var/lib/rspamd/dkim/ directory, mail.key which is our private key file, and, a file which contains the DKIM public key. We will update our DNS zone records later.
Set the correct ownership and permissions:

chown -R _rspamd: /var/lib/rspamd/dkim 
chmod 440 /var/lib/rspamd/dkim/*

Now we need to tell Rspamd where to look for the DKIM key, the selector name, and the last line, which will enable DKIM signing for alias sender addresses. To do that, create a new file with the following contents:

selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;


Rspamd also supports signing for Authenticated Received Chain (ARC) signatures. You can find more information about the ARC specification here. Rspamd uses the DKIM module for dealing with ARC signatures, so we can simply copy the previous configuration:

cp  /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

Restart the Rspamd service for changes to take effect.

sudo systemctl restart rspamd

DNS settings

We already created a DKIM key pair, and now we need to update our DNS zone. The DKIM public key is stored in the file. The content of the file should look like this:

cat /var/lib/rspamd/dkim/
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4yl" "nVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB" ) ;
  • If you are running your own Bind DNS server, you just need to copy and paste the record directly into your domain zone file.
  • If you are using a DNS web interface, then you need to create a new TXT record with mail._domainkey as a name, and for the value/content, you will need to remove the quotes and concatenate all three lines together.
  • In our case, the value/content of the TXT record should look like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB

Domain-based Message Authentication (DMARC)

  • We will also create a Domain-based Message Authentication (DMARC), which is designed to tell the receiving server whether or not to accept an email from a particular sender.
  • Basically, it will protect your domain against direct domain spoofing and improve your domain reputation.
  • If you have followed this series from the beginning, you should already have an SFP record for your domain.
  • To setup a DMARC record, the sending domain needs to have an SPF and DKIM record published. DMARC policy is published as a TXT record and defines how the receiver should treat the mail from your domain when validation fails.

In this article, we will implement the following DMARC policy:

_dmarc  IN  TXT  "v=DMARC1; p=none; adkim=r; aspf=r;"

Let’s break down the above DMARC record:

  • v=DMARC1 - This is the DMARC identifier
  • p=none - This tells the receiver what to do with messages that fail DMARC. In our case, it is set to none, which means take no action if a message fails DMARC. You can also use ‘reject’ or ‘quarantine’.
  • adkim=r and aspf=r - DKIM and SPF alignment, r for Relaxed and s for Strict - in our case, we are using Relaxed Alignment for both DKIM and SPF.
  • Same as before, if you are running your own Bind DNS server, you just need to copy and paste the record into your domain zone file, and if you are using another DNS provider, you need to create a TXT record with _dmarc as a name and v=DMARC1; p=none; adkim=r; aspf=r; as a value/content.

It may take a while for the DNS changes to propagate. You can check whether the records have propagated using the dig command:

dig TXT +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGa" "VuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFdepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"
dig TXT +short
"v=DMARC1; p=none; adkim=r; aspf=r;"

You can also inspect your domain’s current DMARC policy or create your own DMARC policy here.


That’s it for this part of the tutorial. In the next part of this series, we will continue with RoundCube installation and configuration.

No comments right now... Feel free to be the first one

Was this tutorial helpful?