Hi Everyone, Been learning rspamd to ensure I have adequate spam protection configured, and noticed that the RBLs (Runtime Black Lists) configured in rspamd for mailcow differ from the defaults enabled and documented for rspamd itself. I'm curious to learn why before potentially enabling more or even pulling down the default RBL configuration for rspamd. Is it because such inclusion by default falls under "commercial use" for mailcow and therefore cannot be included by default in this product? Defaults noted by rspamd, they call out 11 that have restricted use: https://rspamd.com/doc/quickstart.html#configuring-rbls Defaults found in rbl.conf, more than 11 in use, assuming others have unrestricted use (generally non-commercial use requirements): https://github.com/rspamd/rspamd/blob/master/conf/modules.d/rbl.conf rbl.conf for mailcow, has 3 RBLs enabled that are not found in the rspamd defaults, and no checks are enabled on them: https://github.com/mailcow/mailcow-dockerized/blob/master/data/conf/rspamd/local.d/rbl.conf RBL documentation: https://rspamd.com/doc/modules/rbl.html Thanks!

I stand corrected ... when I read the contents of the rbl.conf more closely, it states that local.d/rbl.conf (which is what mailcow has made available in data/conf/rspamd/local.d) will merge with the default list I of RBLs I originally linked. So in this case it appears mailcow is adding 3 additional RBLs, but I'm still confused why those RBL entries do not have checks enabled on them? Side note - Spamhaus DQS may be good RBL to add to mailcow after you setup an access key: https://github.com/spamhaus/rspamd-dqs You can see the default RBLs for yourself in rspamd: docker compose exec rspamd-mailcow /bin/bash cat /etc/rspamd/modules.d/rbl.conf

Any movement on this? I see with the current mailcow 2023_08 there's DQS support. Spamhaus has instructions on how to add the config to postfix - relatively easy - https://portal.spamhaus.com/dqs/#3.1.2 However, the idea of blocking entirely at smtp level seems harsh. I'd like the message received and flagged as spam. I'll decide later to keep or not. Is there a guide on adding spamhaus to rspamd for mailcow? Thank you

I use spamhaus via my internet providers DNS servers, so I don't need DQS.

Now it's working. [upl-image-preview url=https://community.mailcow.email/assets/files/2024-01-31/1706734539-727875-image.png] But: - zrd-dqs-ehlo - zrd-dqs-from - hbl-dqs-smtp-from - hbl-dqs-body-email-addr Still passing. I've used the DQS test. [upl-image-preview url=https://community.mailcow.email/assets/files/2024-01-31/1706734625-397176-image.png]

rspamd: RBLs configure for mailcow differ from rspamd defaults?

zx1100e1

After poking around some more I got spamhaus config to work with rspamd. It was actually easier than getting it to work with postscreen - fewer steps and files to edit.

1) After establishing a dqs account, go to https://github.com/spamhaus/rspamd-dqs#installation-instructions
2) As of this writing (20230906), mailcow is using rspamd 3.4
3) Follow the instructions with respect to getting the git to a local folder and inserting your DQS key

4) As the DQS key is not HBL enabled, we just need to integrate 2 files into the existing installation

5) View contents of the downloaded/modified rbl.conf. Copy in its entirety to clipboard
5a) open up data/conf/rspamd/local.d/rbl.conf in nano (make a backup copy first)
5b) At the very bottom, delete the last curly brace } then insert a few lines and paste the contents from #5.

6) Do the same for the downloaded/modified rbl_group.conf. Copy in its entirety to clipboard
6a) open up data/conf/rspamd/local.d/rbl_group.conf in nano (make backup copy first)
6b) At the very bottom, delete the last curly brace } then insert a few lines and paste the contents from #6.

7) Restart rspamd (docker compose restart rspamd-mailcow ) or reboot the system
8) Go to https://blt.spamhaus.com/ to run the tests.

In my testing, some of the messages were outright rejected, while others were soft rejected.

Disregard the right column, it’s a backup mx which is has very lenient spam filtering. Mailcow is on the left. Here’s the rspamd UI history result.

In reviewing the postfix log, there are several messages that were outright rejected at smtp level. Others flagged as spam and went into junk.

Junk folder:

This is the expected result. My ip gets very little junk in general. So far there’s no need to block it at smtp level (postscreen). Hope this helps someone.

DerLinkman

zx1100e1 Heyo, we’ll already thought about moving it from Postscreen to Rspamd instead so a PR would be great if you like to help.

If not it’s ok 🙂

NukeDev

Hello, i’ve confgured rspamd as it shown.
But when i run the spamhaus test alla the emails seems to not scanned.
I’ve added my DQS key and copied the content of rbl.conf and rbl_groups.conf of rspamd-dqs repo.

Anyone can help me?
I can give you more details if needed.
Thanks.

zx1100e1

^^ Did you add your DQS key to the SPAMHAUS_DQS_KEY field in mailcow.conf? That’s necessary for it to set up other parameters in postfix.

In practical use, I don’t think I’ve ever seen an entry in rspamd for actual spamhaus blocks. They all seem to happen at the postscreen level, before anything is actually received. ymmv

NukeDev

zx1100e1 Thanks. Added the key to the config file. But still passing.

Why i can’t see the specific entry into rspamd analysis?

In this case, with other RBL is working…

zx1100e1

Restart mailcow after the change? Or maybe it was more involved - shut it down, then start up again. I can’t recall.

NukeDev

Now it’s working.

But:

zrd-dqs-ehlo
zrd-dqs-from
hbl-dqs-smtp-from
hbl-dqs-body-email-addr

Still passing. I’ve used the DQS test.

smares

I did the changes to the Rspamd configuration files, restarted the container, even restarted everything with docker compose down && docker compose up -d but when I run the Spamhaus test, all mails are delivered.

What is also weird: if I expand the mails in the Mailcow Rspamd log viewer, the mails from the Spamhaus test have absolutely no symbol.

smares

I think there are no symbols because the mail address used is an alias. Just checked other mails for that address and they all show up with no symbol.

I re-did the test with Spamhaus using a mailbox address, and while symbols do show up, I get weird results. Most DQS mails are being rejected due to greylisting. The non-DQS tests on the other hand delivers all mails.

BAD_REP_POLICIES (2)
MX_INVALID (0.5) []
BAYES_SPAM (0.394528) [73.76%]
MIME_GOOD (-0.1) [text/plain]
IP_REPUTATION_HAM (-0.003294) [asn: 54054(0.00), country: US(-0.00), ip: 199.168.89.86(0.00)]
MISSING_XM_UA (0)
FROM_EQ_ENVFROM (0)
R_DKIM_NA (0)
R_SPF_ALLOW (0) [+ip4:199.168.89.86/32]
MID_RHS_MATCH_FROMTLD (0)
RCPT_COUNT_ONE (0) [1]
ARC_NA (0)
RCPT_MAILCOW_DOMAIN (0) [smares.it]
TO_MATCH_ENVRCPT_ALL (0)
BCC (0)
DMARC_NA (0) [spamhaus.net]
ASN (0) [asn:54054, ipnet:199.168.88.0/22, country:US]
TO_DN_NONE (0)
FROM_HAS_DN (0)
RCVD_COUNT_ZERO (0) [0]
MIME_TRACE (0) [0:+]
ARC_SIGNED (0) [smares.it:s=dkim:i=1]

So they only have a spam score of 2.79.

And is it normal that I don’t see symbols for mails having an alias address as destination?

zx1100e1

My understanding is one should use the DQS test when using DQS, otherwise use the standard tests.

Suffice to say, with it set up the way I did above, I can’t recall the last piece of actual spam received via mailcow. Also very rare greylisting.

I have my rspamd thresholds set as follows.

Sorry, I can’t remember why I set them this way.

KaiserN

if u have DQS problems, please check https://community.mailcow.email/d/2854-need-help-setting-up-spamhaus/18

zx1100e1

DerLinkman

One of the benefits of keeping it in postfix/postscreen is fewer log lines. Otherwise there’s the whole postfix smtp exchange + rspamd logging.

I suppose one option would be to give the user a choice, based on a configuration flag. For example, 1 option keep it as is now, option 2, bring it to rspamd. That should satisfy both camps.

Thoughts?

NukeDev

Still having issues. Why?
SPAMHAUS_ZRD_FAIL (0) [so254-23.mailgun.net:server fail] SPAMHAUS_SBL_URL_FAIL (0) [fonts.googleapis.com:server fail] RBL_VIRUSFREE_UNKNOWN_FAIL (0) [198.61.254.23:server fail]

NewCow

I am using Mailcow version 2024.2 and rspamd version 3.7.5. Rspamd does not seem to be “ready” for DQS. If I follow the instructions above to get it working, will that affect when new versions of Mailcow come out and I use update.sh?