How to Install and integrate Rspamd postfix

We will go through the installation and configuration of the Rspamd spam filtering system, its integration with our Postfix mail server, and the creation of DKIM and DMARC DNS records.

You may wonder why we have chosen to go with Rspamd and not SpamAssassin. Rspamd is written in C, and it is much faster than SpamAssassin, which is written in Perl; Rspamd is also more actively maintained. Another reason is that Rspamd comes with a DKIM signing module, so we will not have to use other software to sign our outgoing emails. If you are not familiar with Rspamd, you can take a look at their official documentation here.

Install Redis

Redis will be used as a storage and caching system by Rspamd. To install it, just run:
sudo apt install redis-server

Install Unbound

Unbound is a very secure validating, recursive, and caching DNS resolver. The main purpose of installing this service is to reduce the number of external DNS requests. This step is optional and can be skipped.
sudo apt install unbound
The default settings should be sufficient for most servers. Set unbound as your server’s primary DNS resolver:
echo "nameserver 127.0.0.1" | sudo tee -a /etc/resolvconf/resolv.conf.d/head

sudo resolvconf -u
If you are not using resolvconf, then you need to edit the /etc/resolv.conf file manually.

Install Rspamd

We will install the latest stable version of Rspamd from its official repository:
sudo apt install software-properties-common lsb-release

sudo apt install lsb-release wget

wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -

echo "deb http://rspamd.com/apt-stable/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list

sudo apt update

sudo apt install rspamd

Configure Rspamd

Instead of modifying the stock config files, we will create new files in the /etc/rspamd/local.d/ directory, which will overwrite the default settings. By default, Rspamd’s normal worker, the worker that scans email messages, listens on all interfaces on port 11333. Create the following file to configure the Rspamd normal worker to listen only on the localhost interface:
/etc/rspamd/local.d/worker-normal.inc

bind_socket = "127.0.0.1:11333";
The proxy worker listens on port 11332 and supports the milter protocol. In order for Postfix to communicate with Rspamd, we need to enable milter mode:
/etc/rspamd/local.d/worker-proxy.inc

bind_socket = "127.0.0.1:11332";

milter = yes;

timeout = 120s;

upstream "local" {

  default = yes;

  self_scan = yes;

}
Next, we need to set up a password for the controller worker, which provides access to the Rspamd web interface. To generate an encrypted password, run:
rspamadm pw --encrypt -p P4ssvv0rD


$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb
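Don’t forget to change the password (P4ssvv0rD) to something more secure. Running rspamadm pw without the -p option prompts for the password instead, which keeps it out of your shell history. Paste the resulting hash into the configuration file: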
/etc/rspamd/local.d/worker-controller.inc

password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";
In order to access the web interface, we will later configure Nginx as a reverse proxy to the controller worker web server. We will use Redis as a back-end for Rspamd statistics:
/etc/rspamd/local.d/classifier-bayes.conf

servers = "127.0.0.1";

backend = "redis";
Set the milter headers:
/etc/rspamd/local.d/milter_headers.conf
You can find more information about the milter headers here. Finally, restart the Rspamd service:
sudo systemctl restart rspamd
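
A check that the bindings above took effect after the restart, as an added example that is not part of the original tutorial. The function reads `ss -ltnH` output and prints any Rspamd worker port (11332, 11333, 11334) that listens on a non-loopback address; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Rspamd worker ports that listen beyond loopback.
# Reads `ss -ltnH` output on stdin; field 4 is "Local Address:Port".
rspamd_exposed_listeners() {
  awk '
    {
      n = split($4, parts, ":")
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      # Only the proxy (11332), normal (11333) and controller (11334) workers.
      if (port != "11332" && port != "11333" && port != "11334") next
      # Loopback forms printed by ss: 127.x.x.x, [::1], [::ffff:127.x.x.x]
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
      print addr ":" port
    }'
}

# Constructed sample, shaped like `ss -ltnH` output (not from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:11333 0.0.0.0:*
LISTEN 0 128 0.0.0.0:11332 0.0.0.0:*
LISTEN 0 128 [::1]:11333 [::]:*
LISTEN 0 128 *:11334 *:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*'

# Demo on the sample; on a server run: ss -ltnH | rspamd_exposed_listeners
printf '%s\n' "$SAMPLE_SS" | rspamd_exposed_listeners
```

Empty output means every Rspamd worker is reachable from localhost only.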

Configure Nginx

In the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directive:
/etc/nginx/sites-enabled/mail.linuxize.com.conf

...

location /rspamd {

    proxy_pass http://127.0.0.1:11334/;

    proxy_set_header Host $host;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

...
Reload the Nginx service for changes to take effect:
sudo systemctl reload nginx
Head over to https://mail.linuxize.com/rspamd/ and enter the password you previously generated with the rspamadm pw command. You will be presented with the Rspamd web interface.

Configure Postfix

We need to configure Postfix to use the Rspamd milter. Run the following command to update the Postfix main configuration file:
sudo postconf -e "milter_protocol = 6"

sudo postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"

sudo postconf -e "milter_default_action = accept"

sudo postconf -e "smtpd_milters = inet:127.0.0.1:11332"

sudo postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
Restart the Postfix service for changes to take effect:
sudo systemctl restart postfix

Configure Dovecot

We already installed and configured Dovecot in the second part of this series, and now we will install the sieve filtering module and integrate Dovecot with Rspamd.
sudo apt install dovecot-sieve dovecot-managesieved
Open the following files and make sure they contain the lines shown below.
/etc/dovecot/conf.d/20-lmtp.conf

...

protocol lmtp {

  postmaster_address = [email protected]

  mail_plugins = $mail_plugins sieve

}

...

/etc/dovecot/conf.d/20-imap.conf

...

protocol imap {

  ...

  mail_plugins = $mail_plugins imap_quota imap_sieve

  ...

}

...
/etc/dovecot/conf.d/20-managesieve.conf

...

service managesieve-login {

  inet_listener sieve {

    port = 4190

  }

  ...

}

...

service managesieve {

  process_limit = 1024

}

...

/etc/dovecot/conf.d/90-sieve.conf

plugin {

    ...

    # sieve = file:~/sieve;active=~/.dovecot.sieve

    sieve_plugins = sieve_imapsieve sieve_extprograms

    sieve_before = /var/vmail/mail/sieve/global/spam-global.sieve

    sieve = file:/var/vmail/mail/sieve/%d/%n/scripts;active=/var/vmail/mail/sieve/%d/%n/active-script.sieve




    imapsieve_mailbox1_name = Spam

    imapsieve_mailbox1_causes = COPY

    imapsieve_mailbox1_before = file:/var/vmail/mail/sieve/global/report-spam.sieve




    imapsieve_mailbox2_name = *

    imapsieve_mailbox2_from = Spam

    imapsieve_mailbox2_causes = COPY

    imapsieve_mailbox2_before = file:/var/vmail/mail/sieve/global/report-ham.sieve

    sieve_pipe_bin_dir = /usr/bin

    sieve_global_extensions = +vnd.dovecot.pipe

    ....

}
Create a directory for our sieve scripts:
mkdir -p /var/vmail/mail/sieve/global
Create a global sieve filter to move emails marked as spam to the Spam directory:
/var/vmail/mail/sieve/global/spam-global.sieve

require ["fileinto","mailbox"];

if anyof(

    header :contains ["X-Spam-Flag"] "YES",

    header :contains ["X-Spam"] "Yes",

    header :contains ["Subject"] "*** SPAM ***"

    )

{

    fileinto :create "Spam";

    stop;

}
The following two sieve scripts will be triggered whenever you move an email in or out of the Spam directory:
/var/vmail/mail/sieve/global/report-spam.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];

pipe :copy "rspamc" ["learn_spam"];

/var/vmail/mail/sieve/global/report-ham.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];

pipe :copy "rspamc" ["learn_ham"];
Restart the Dovecot service for changes to take effect:
sudo systemctl restart dovecot
Compile sieve scripts and set the correct permissions:
sievec /var/vmail/mail/sieve/global/spam-global.sieve

sievec /var/vmail/mail/sieve/global/report-spam.sieve

sievec /var/vmail/mail/sieve/global/report-ham.sieve

sudo chown -R vmail: /var/vmail/mail/sieve/

Create DKIM keys

DomainKeys Identified Mail (DKIM) is an email authentication method which adds a cryptographic signature to outbound message headers. It allows the receiver to verify that an email claiming to originate from a specific domain was indeed authorized by the owner of that domain. The main purpose of this is to prevent forged email messages. We can have different DKIM keys for all our domains and even multiple keys for a single domain, but for the simplicity of this article, we’re going to use a single DKIM key which later can be used for all new domains. Create a new directory to store the DKIM key and generate a new DKIM keypair using the rspamadm utility:
mkdir /var/lib/rspamd/dkim/

rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key > /var/lib/rspamd/dkim/mail.pub
In the example above, we are using mail as a DKIM selector. You should now have two new files in the /var/lib/rspamd/dkim/ directory, mail.key which is our private key file, and mail.pub, a file which contains the DKIM public key. We will update our DNS zone records later. Set the correct ownership and permissions:
chown -R _rspamd: /var/lib/rspamd/dkim

chmod 440 /var/lib/rspamd/dkim/*
Now we need to tell Rspamd where to look for the DKIM key and which selector name to use. The last line enables DKIM signing for alias sender addresses. To do that, create a new file with the following contents:
/etc/rspamd/local.d/dkim_signing.conf

selector = "mail";

path = "/var/lib/rspamd/dkim/$selector.key";

allow_username_mismatch = true;

ARC

Rspamd also supports Authenticated Received Chain (ARC) signing. You can find more information about the ARC specification here. Rspamd uses the DKIM module for dealing with ARC signatures, so we can simply copy the previous configuration:
cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
Restart the Rspamd service for changes to take effect.
sudo systemctl restart rspamd

DNS settings

We already created a DKIM key pair, and now we need to update our DNS zone. The DKIM public key is stored in the mail.pub file. The content of the file should look like this:
cat /var/lib/rspamd/dkim/mail.pub
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "

"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4yl"

"nVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"

) ;
  • If you are running your own Bind DNS server, you just need to copy and paste the record directly into your domain zone file.
  • If you are using a DNS web interface, then you need to create a new TXT record with mail._domainkey as a name, and for the value/content, you will need to remove the quotes and concatenate all three lines together.
  • In our case, the value/content of the TXT record should look like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB

Domain-based Message Authentication, Reporting and Conformance (DMARC)

  • We will also create a Domain-based Message Authentication, Reporting and Conformance (DMARC) record, which is designed to tell the receiving server whether or not to accept an email from a particular sender.
  • Basically, it will protect your domain against direct domain spoofing and improve your domain reputation.
  • If you have followed this series from the beginning, you should already have an SPF record for your domain.
  • To set up a DMARC record, the sending domain needs to have an SPF and DKIM record published. DMARC policy is published as a TXT record and defines how the receiver should treat the mail from your domain when validation fails.
In this article, we will implement the following DMARC policy:
_dmarc  IN  TXT  "v=DMARC1; p=none; adkim=r; aspf=r;"
Let’s break down the above DMARC record:
  • v=DMARC1 – This is the DMARC identifier
  • p=none – This tells the receiver what to do with messages that fail DMARC. In our case, it is set to none, which means take no action if a message fails DMARC. You can also use ‘reject’ or ‘quarantine’.
  • adkim=r and aspf=r – DKIM and SPF alignment, r for Relaxed and s for Strict – in our case, we are using Relaxed Alignment for both DKIM and SPF.
Same as before, if you are running your own Bind DNS server, you just need to copy and paste the record into your domain zone file, and if you are using another DNS provider, you need to create a TXT record with _dmarc as a name and v=DMARC1; p=none; adkim=r; aspf=r; as a value/content.
It may take a while for the DNS changes to propagate. You can check whether the records have propagated using the dig command:
dig mail._domainkey.linuxize.com TXT +short

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGa" "VuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFdepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"

dig _dmarc.linuxize.com TXT +short

"v=DMARC1; p=none; adkim=r; aspf=r;"
  You can also inspect your domain’s current DMARC policy or create your own DMARC policy here.
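
To confirm that the published DKIM record carries the same key as mail.pub, the quoting in the zone-file layout and in the dig output has to be undone first. The following is an added example, not part of the original tutorial: the function names and the shortened sample key are constructed, and it assumes a single TXT record at the selector name.

```shell
#!/bin/sh
# Added example: compare the DKIM key in mail.pub with the published TXT record.
# Assumes exactly one TXT record exists at the selector name.

# Join every double-quoted chunk on stdin into one TXT value. Works for the
# zone-file layout of mail.pub and for the split strings dig +short prints.
dkim_txt_value() {
  awk '{
    line = $0
    while (match(line, /"[^"]*"/)) {
      out = out substr(line, RSTART + 1, RLENGTH - 2)
      line = substr(line, RSTART + RLENGTH)
    }
  } END { print out }'
}

# Print the p= tag (base64 public key) of a TXT value, whitespace removed.
dkim_p_tag() {
  printf '%s\n' "$1" | tr ';' '\n' |
    sed -n 's/^[[:space:]]*p=[[:space:]]*//p' | tr -d '[:space:]'
}

# $1: contents of mail.pub   $2: output of the dig ... TXT +short query
# Returns 0 only when both carry the same non-empty key.
dkim_dns_matches() {
  file_key=$(dkim_p_tag "$(printf '%s\n' "$1" | dkim_txt_value)")
  dns_key=$(dkim_p_tag "$(printf '%s\n' "$2" | dkim_txt_value)")
  [ -n "$file_key" ] && [ "$file_key" = "$dns_key" ]
}

# Constructed samples with a shortened fake key (not a real key).
ZONE_SAMPLE='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIIBCONSTRUCTEDSAMPLEAAAA"
  "BBBBKEYDATAQAB"
) ;'
DIG_OK='"v=DKIM1; k=rsa; p=MIIBCONSTRUCTEDSAMPLEAAAABB" "BBKEYDATAQAB"'
DIG_BAD='"v=DKIM1; k=rsa; p=MIIBCONSTRUCTEDSAMPLEAAAABB" "BBKEYDdATAQAB"'

for answer in "$DIG_OK" "$DIG_BAD"; do
  if dkim_dns_matches "$ZONE_SAMPLE" "$answer"; then
    echo "published key matches mail.pub"
  else
    echo "MISMATCH: published key differs from mail.pub"
  fi
done
```

The dig output shown above differs from the mail.pub listing by one character (ogFdepWLs versus ogFepWLs); a receiver fetching a key altered like that would fail DKIM verification, and this comparison reports it.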

Conclusion

That’s it for this part of the tutorial. In the next part of this series, we will continue with RoundCube installation and configuration.
Updated on 24 Jul 2018