RSPAMD - Fast, free and open-source spam filtering system

KB 23536	Last updated on 2020-02-10	Last updated by Phoenix	0.00 (0 votes)	Verified in: ZCS 8.8 ZCS 8.7 ZCS 8.6
- This article is a Community contribution and may include unsupported customizations.

KB 23536	Last updated on 2020-02-10
0.00 (0 votes)
- This article is a Community contribution and may include unsupported customizations.

Introduction

I've been looking for a suitable replacement for DSPAM, a project that was good but died and became unmaintained then totally removed from Zimbra. In recent searches I came across Rspamd which does all that DSPAM did and more and it can completely replace spamassassin - it's lighter, more configurable and more performant than spamassassin. These notes are a brief explanation of how to easily integrate rspamd into a ZCS server and disable spamassassin completely.

You should make these changes on a test server and backup any ZCS & rspamd configuration files that you are going to modify before you modify them - when you're happy that it works you can try it on a live server but again, make sure you backup any modified configuration files.

These are notes for installing rspamd on ZCS 8.7.x (my current version is 8.7.11), I use CentOS and these instructions are for that distribution and the equivalent version of RHEL although installing rspamd on Ubuntu should not be that different.

NB: Rmilter from the Rspamd project and documented on their web site is deprecated and won't be available as a separate package in future, do not use it.

[EDIT] As of today (2017-09-06) I have updated my server to the latest ZCS 8.8.3GA release and these instructions work and are valid for that version as well.

I've been running various versions of Rspamd for the last eight months and have not had any ill effects, although I only run this on my home server there has been a huge reduction in CPU usage from 15-20% to less than 5% for the same levels of inbound/outbound email. I have also removed all DNS & Protocol checks from within the ZCS configuration and the Postscreen settings have been set to their default values – this leads to rspamd processing all inbound email and also further CPU usage reductions.

The current rspamd install now uses an inbuilt milter compatible process for the mail that's sent to it, the anti-spam etc. components of rspamd for processing the mail through it's various modules and pass it back to postfix via the milter process. Do note that this configuration still uses the ZCS inbuilt amavisd & clamav for anti-virus processing.

The multiple-milter function in Postfix is broken by ZCS and only allows one milter to be functional (bugzilla report 97706 ), although that bug seems to require a trivial fix it’s still languishing in bugzilla without any attention for the past two-plus years - please add your comments and vote if you feel it should be implemented.

Configuring Rspamd on the Zimbra Server

These instructions are for CentOS and you'll need to enable the rspamd & epel repositories, installing on various other flavours of Linux is also possible. This if fully described on the rspamd wiki including how to create the rspamd.repo file: https://rspamd.com/downloads.html

NB: the rspamd wiki mentions an Experimental branch, it's not advised to use that and all installs should be done from the stable repository.

If you're going to use Redis then you are advised that a more recent version should be installed than that available in the EPEL repository. The easiest thing to do is install the REMI repository and install the version of redis that's supplied there. Details for installing the repo are here: https://rpms.remirepo.net/

Install Rspamd on Red Hat Enterprise Linux

Once the repository has been created we can start the install:

yum install rspamd redis

Once you've tested and confirmed rspamd is running correctly you can activate redis as it's cache server is used as an efficient key-value storage by many Rspamd modules, further details on the Rspamd wiki.

An alternative introduction to rspamd configuration

I've included this blog at the beginning so it doesn't get lost at the end after you've installed and configured rspamd, it's worth reading this for a good overview of the function and configuration of rspamd modules and the blog is here:

https://www.0xf8.org/2018/05/an-alternative-introduction-to-rspamd-configuration-introduction/

Modify the ZCS and rspamd config files as shown below

We need to set some attributes in ZCS LDAP for rspamd (these changes will survive upgrades):

$ su - zimbra
$ zmprov ms $(zmhostname) zimbraMtaMilterDefaultAction accept
$ zmprov ms $(zmhostname) zimbraMtaSmtpdMilters "inet:localhost:11332, inet:[::1]:11332"
$ zmprov ms $(zmhostname) zimbraMtaNonSmtpdMilters "inet:localhost:11332, inet:[::1]:11332"

Check all the relevant settings:

$ zmprov gs $(zmhostname) | grep -i milter 

That should give the following result:

zimbraMilterBindPort: 7026
zimbraMilterMaxConnections: 20000
zimbraMilterNumThreads: 100
zimbraMilterServerEnabled: FALSE
zimbraMtaMilterCommandTimeout: 30s
zimbraMtaMilterConnectTimeout: 30s
zimbraMtaMilterContentTimeout: 300s
zimbraMtaMilterDefaultAction: accept
zimbraMtaNonSmtpdMilters: inet:localhost:11332, inet:[::1]:11332
zimbraMtaSmtpdMilters: smtpd_milters=inet:localhost:11332

The LDAP attributes that we modified above survive an upgrade but the following one using postconf does not survive an upgrade and it needs to be reapplied after every upgrade. Run the following commands as the zimbra user:

$ su - zimbra

$ postconf smtpd_milters="inet:localhost:11332, inet:[::1]:11332"
$ postconf non_smtpd_milters="inet:localhost:11332, inet:[::1]:11332"

You can check the current status of the smtpd_milters entry with:

$ postconf | grep smtpd_milters

The aim is to not use spamassassin so we need to disable it (still as the zimbra user), check the current status of the enabled services:

[code]

$ zmprov gs $(zmhostname) | grep zimbraServiceEnabled[/code]

The above command will list all the services that are enabled on your server. Next, modify the antispam service with the following commands to disable and stop antispam service: [code]

$ zmprov ms $(zmhostname) -zimbraServiceEnabled antispam
$ zmantispamctl stop
$ zmprov gs $(zmhostname) | grep zimbraServiceEnabled[/code]

The antispam service should not now be shown in the list of enabled services.

These are the basic changes you need to get rspamd working and the only rspamd config files you should need to create and modify are the ones below (these are not set by default):

vi /etc/rspamd/local.d/worker-proxy.inc
 
    upstream "local" {
           self_scan = true;
       }

 vi /etc/rspamd/local.d/milter_headers.conf

 extended_spam_headers = true;

 use = ["spam-header"]
 
 routines {
         spam-header {
                 header = "X-Spam-Flag";
                 value = "YES";
                 remove = 0;
         }
 }

If you want extended headers in messages you need to add just one line to the config file to enable them:

vi /etc/rspamd/local.d/milter_headers.conf

   extended_spam_headers = true;

To send rspamd log message to a file we need to add a local file to the logging:

vi /etc/rspamd/local.d/logging.inc

# Included from top-level .conf file
# enable systemd & console logging
 
#   type = "console";
#   systemd = true;

   type  = "file";
   level = "info";
   filename = "$LOGDIR/rspamd.log";

Save and exit that file.

There is also a web ui available for monitoring and configuration of rspamd, check the web site for further documentation on this feature.

vi /etc/rspamd/local.d/worker-controller.inc

# Included from top-level .conf file
# all we need in here is the user and admin passwords
 
# password for normal user
password = "apassword";    # obviously, your password of choice
  
# password for 'admin'
enable_password = "a-secret-password";  # create this admin password with the rspamd utilities

At this point we can start the rspamd daemon:

systemctl restart rspamd ; systemctl status rspamd -l

Check the log in /var/log/rspamd/rspamd.log to verify all is well.

NB: because of the high number of RBL (and other) DNS lookups, it's advisable to have a caching namesever on your lan (either the ZCS dnscache or your own DNS server, I use PowerDNS), if you don't do this you may get your server IP blacklisted with the RBL sites.

To summarise, you should now have a working rspamd daemon running with your ZCS server and mail passing between them both for processing. The only modification you should need to make after each upgrade are the ones to the zmconfigd.cf file and the postconf command for setting the smtpd_milters socket.

Do not modify any of the config files in the /etc/rspamd directory, please read the Rspamd documentation on the web site for details on which files to modify and how to add config override files to make further modifications to the rspamd config.

What I haven't mentioned is the current feature set in Rspamd and the fact that some of it's other modules could also replace their ZCS equivalents, for more details take a look at the Rspamd web site features page:

Spam Training

Users will still be able to use the Junk & Not Junk button in the Web UI to train the antispam system, the messages in the Junk folder will be passed to rspamd by a slightly modified zmtrainsa script. I suggest that the modified zmtrainsa script is added as a new cron job for training ZCS otherwise you will have to replace the original ZCS supplied script after every update.

The initial zmtrainsa script was modified to remove (some of) the SA & DSPAM, I've added a section for training the rspamd system from the same spam/ham accounts in ZCS so users can continue using the 'Spam' & 'Not Spam' function in the ZCS Web UI.

This is the modified zmtrainsa script which I am now using, I've removed all the extraneous bits of it relating to SA & DSPAM and have also given it the same functionality as the original in that it will train Rspamd from a user account Junk or Inbox for spam/ham.

/opt/zimbra/bin/zmtrainsa --help - will get you the format for training using the user account.

 #!/bin/bash
#
# ***** BEGIN LICENSE BLOCK *****
# Zimbra Collaboration Suite Server
# Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010, 2012, 2013, 2014, 2015, 2016 Synacor, Inc.
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software Foundation,
# version 2 of the License.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along with this program.
# If not, see < gnu dot org /licenses/>.
# ***** END LICENSE BLOCK *****
#
 
# This section trains the system ham/spam accounts
#
autoTrainSystem() {    

# This is the section for extracting the email to a
# couple of temp directories for spam & ham
 timestampit "Starting spam/ham extraction from system accounts."
  spamdir=`mktmpdir spam`
  hamdir=`mktmpdir ham`
 /opt/zimbra/libexec/zmspamextract ${spam_account} -o ${spamdir}
 /opt/zimbra/libexec/zmspamextract ${ham_account} -o ${hamdir}
 timestampit "Finished extracting spam/ham from system accounts." 

# This is the actual section for rspamd training
 timestampit "Starting rspamd system accounts training."

# Let's do a test here to see if rspamc is doing it's thing!
# List some stats before training
# the passwords for these rspamc commands need to be changed for your server

  timestampit "List rspam stats before training."
  /usr/bin/rspamc -h 127.0.0.1:11334 -P password# stat

# do the spam directory
  /usr/bin/rspamc -h 127.0.0.1:11334 -P password# learn_spam  ${spamdir}

# do the ham directory
  /usr/bin/rspamc -h 127.0.0.1:11334 -P password# learn_ham  ${hamdir}

# List some stats after training
  timestampit "List rspam stats after training."
  /usr/bin/rspamc -h 127.0.0.1:11334 -P password# stat
  timestampit "Finished rspamd training."
# End of the rspamd training section for system ham/spam accounts

 /bin/rm -rf ${spamdir} ${hamdir} 

}

# The following is the section that trains rspamd for the user $FOLDER (ham or spam)
#
trainAccountFolder() {

timestampit  "Starting rspamd user accounts training"

tempdir=`mktmpdir ${MODE}`
 if [ "x${MODE}" = "xspam" ]; then
     FOLDER=${FOLDER:=junk}
   elif [ "x${MODE}" = "xham" ]; then
     FOLDER=${FOLDER:=inbox}
 fi

# extract the user ham/spam and train rspamd 
timestampit  "Starting rspamd $MODE training for $USER using folder $FOLDER"
 /opt/zimbra/libexec/zmspamextract -r -m $USER -o ${tempdir} -q in:${FOLDER}
  
 if [ "x${MODE}" = "xspam" ]; then
   /usr/bin/rspamc -h 127.0.0.1:11334 -P password# learn_spam ${tempdir} || exit 1
   FOLDER=${FOLDER:=junk}
 elif [ "x${MODE}" = "xham" ]; then
   /usr/bin/rspamc -h 127.0.0.1:11334 -P password# learn_ham ${tempdir} || exit 1
   FOLDER=${FOLDER:=inbox}
  fi
timestampit  "Finished rspamd $MODE training for $USER using folder $FOLDER"
 
 /bin/rm -rf ${tempdir}

}

mktmpdir() {
 mktemp -d "${zmtrainsa_tmp_directory:-${zimbra_tmp_directory}}/trainrspamd.$$.$1.XXXXXX" || exit 1
}

timestampit() {
  SIMPLE_DATE=`date +%Y%m%d%H%M%S`
  echo "$SIMPLE_DATE $1"
}

usage() {
  echo "Usage: $0 <user> <spam|ham> [folder]"
  exit 1
}

if [ x`whoami` != xzimbra ]; then
    echo Error: must be run as zimbra user
  exit 1
fi

source `dirname $0`/zmshutil || exit 1 
zmsetvars 

amavis_dspam_enabled=`/opt/zimbra/bin/zmprov -l gs ${zimbra_server_hostname} zimbraAmavisDSPAMEnabled | grep zimbraAmavisDSPAMEnabled: | awk  '{print $2}'`
amavis_dspam_enabled=$(echo $amavis_dspam_enabled | tr A-Z a-z)
antispam_mysql_enabled=$(echo $antispam_mysql_enabled | tr A-Z a-z)
zmtrainsa_cleanup_host=$(echo $zmtrainsa_cleanup_host | tr A-Z a-z)

if [ "x${zimbra_spam_externalIsSpamAccount}" = "x" ]; then
  spam_account="-s"
else
  spam_account="-m ${zimbra_spam_externalIsSpamAccount}"
fi

if [ "x${zimbra_spam_externalIsNotSpamAccount}" = "x" ]; then
  ham_account="-n"
else
  ham_account="-m ${zimbra_spam_externalIsNotSpamAccount}"
fi
 
# No argument mode uses zmspamextract for auto-training.
if [ x$1 = "x" ]; then
  autoTrainSystem
  exit
fi

if [ x$1 = "x--cleanup" ]; then
  if [ x${zmtrainsa_cleanup_host} = "xtrue" ]; then
    timestampit "Starting spam/ham cleanup"
# changes for bug 107462
#    mydir=`mktemp -d -t cleanup.XXXXXX` || exit 1
    mydir=`mktmpdir cleanup`
    /opt/zimbra/libexec/zmspamextract ${spam_account} -o ${mydir} -d
    /opt/zimbra/libexec/zmspamextract ${ham_account} -o ${mydir} -d
    /bin/rm -rf ${mydir}
    timestampit "Finished spam/ham cleanup"
  else
    timestampit "Cleanup skipped: $zimbra_server_hostname is not a spam/ham cleanup host."
 fi
  exit
fi
 
USER=$1 
MODE=`echo $2 | tr A-Z a-z` 
FOLDER=$3
 
if [ "x${MODE}" != "xspam" -a "x${MODE}" != "xham" ]; then
  usage
fi

if [ "x${USER}" = "x" ]; then
 usage
fi
 
trainAccountFolder
 
exit 0

[edit] 2017-11-28 - The zmtrainsa script has been modified to change the location of the temporary files as it may cause notification problems with systems that have large spam extraction as mentioned in ZCS bug report 107462

You can take a look at the processing of this script by installing the modified version above (make a copy of your original file first) then running the following command:

sh -x /opt/zimbra/bin/zmtrainsa &>>/opt/zimbra/log/zmtrainsa_test.log  <-- check the output to see if it's working correctly.

ZCS Upgrades

After each upgrade of ZCS we need to check the following as some of our modifications get overwritten, do the following:

verify the ldap setting is OK (it should be):

zmprov gs $(hostname) zimbraMtaSmtpdMilters 

You should see the following output:

zimbraMtaSmtpdMilters: smtpd_milters=inet:localhost:11332

Remove the configd settings that overwrite our changes from the following file:

vi /opt/zimbra/conf/zmconfigd.cf

Remove these four lines:

POSTCONF smtpd_milters
if VAR zimbraMtaSmtpdMilters
    POSTCONF smtpd_milters VAR zimbraMtaSmtpdMilters
fi

Check to see if the settings are correct:

postconf | grep smtpd_milters 
non_smtpd_milters =
smtpd_milters = smtpd_milters=inet:localhost:11332

If the above settings have remained unchanged then the following file should be ok, if they are wrong then this file needs changing as mentioned in the initial installation settings:

vi /opt/zimbra/common/conf/main.cf

The zmtrainsa will also need to be replaced by the modified version for rspamd, I keep a copy of the zmtrainsascript in the /opt/zimbra/bin directory:

cp /opt/zimbra/bin/zmtrainsa.rspamd_version /opt/zimbra/bin/zmtrainsa

Feedback

Feedback on your experience with rspamd, tweaks, configuration of rspamd itself and any questions/problems are always welcome in the forum thread on this topic.

If you think this is a worthwhile change for Zimbra then feel free to add you comments and votes to the RFE I've filed for removing spamassassin and adding this as a replacement in ZCS: bugzilla id 108168