Rspamd is a "fast, free and open-source spam filtering system". DMS integrates Rspamd like any other service. We provide a very simple but easy to maintain setup of Rspamd.
If you want to have a look at the default configuration files for Rspamd that DMS packs, navigate to
target/rspamd/ inside the repository. Please consult the section "The Default Configuration" section down below for a written overview.
AMD64 vs ARM64
We are currently doing a best-effort installation of Rspamd for ARM64 (from the Debian backports repository for Debian 11). The current version difference as of 23rd Apr 2023: AMD64 is at version 3.5 | ARM64 is at version 3.4.
The following environment variables are related to Rspamd:
With these variables, you can enable Rspamd itself and you can enable / disable certain features related to Rspamd.
DMS does not set a default password for the controller worker. You may want to do that yourself. In setups where you already have an authentication provider in front of the Rspamd webpage, you may want to set the
secure_ip option to
"0.0.0.0/0" for the controller worker to disable password authentication inside Rspamd completely.
When Rspamd is enabled, we implicitly also start an instance of Redis in the container. Redis is configured to persist it's data via RDB snapshots to disk in the directory
/var/lib/redis (which is a symbolic link to
ONE_DIR=1 and a volume is mounted to
/var/mail-state/). With the volume mount the snapshot will restore the Redis data across container restarts, and provide a way to keep backup.
/etc/redis/redis.conf for configuration. We adjust this file when enabling the internal Redis service. If you have an external instance of Redis to use, the internal Redis service can be opt-out via setting the ENV
ENABLE_RSPAMD_REDIS=0 (link also details required changes to the DMS rspamd config).
Rspamd provides a web interface, which contains statistics and data Rspamd collects. The interface is enabled by default and reachable on port 11334.
DMS does not supply custom values for DNS servers to Rspamd. If you need to use custom DNS servers, which could be required when using DNS-based black/whitelists, you need to adjust
Making DNS Servers Configurable
If you want to see an environment variable (like
RSPAMD_DNS_SERVERS) to support custom DNS servers for Rspamd being added to DMS, please raise a feature request issue.
While we do not provide values for custom DNS servers by default, we set
soft_reject_on_timeout = true; by default. This setting will cause a soft reject if a task (presumably a DNS request) timeout takes place.
This setting is enabled to not allow spam to proceed just because DNS requests did not succeed. It could deny legitimate e-mails to pass though too in case your DNS setup is incorrect or not functioning properly.
You can find the Rspamd logs at
/var/log/mail/rspamd.log, and the corresponding logs for Redis, if it is enabled, at
/var/log/supervisor/rspamd-redis.log. We recommend inspecting these logs (with
docker exec -it <CONTAINER NAME> less /var/log/mail/rspamd.log) in case Rspamd does not work as expected.
You can find a list of all Rspamd modules on their website.
DMS disables certain modules (clickhouse, elastic, neural, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and they would otherwise needlessly use system resources.
You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable
The RBL module is enabled by default. As a consequence, Rspamd will perform DNS lookups to a variety of blacklists. Whether an RBL or a DNSBL is queried depends on where the domain name was obtained: RBL servers are queried with IP addresses extracted from message headers, DNSBL server are queried with domains and IP addresses extracted from the message body [source].
Rspamd and DNS Block Lists
When the RBL module is enabled, Rspamd will do a variety of DNS requests to (amongst other things) DNSBLs. There are a variety of issues involved when using DNSBLs. Rspamd will try to mitigate some of them by properly evaluating all return codes. This evaluation is a best effort though, so if the DNSBL operators change or add return codes, it may take a while for Rspamd to adjust as well.
If you want to use DNSBLs, try to use your own DNS resolver and make sure it is set up correctly, i.e. it should be a non-public & recursive resolver. Otherwise, you might not be able (see this Spamhaus post) to make use of the block lists.
DMS brings sane default settings for Rspamd. They are located at
/etc/rspamd/local.d/ inside the container (or
target/rspamd/local.d/ in the repository).
If you want to overwrite the default settings and / or provide your own settings, you can place files at
docker-data/dms/config/rspamd/override.d/. Files from this directory are copied to
/etc/rspamd/override.d/ during startup. These files forcibly override Rspamd and DMS default settings.
Note that when also using the
custom-commands.conf file, files in
override.d may be overwritten in case you adjust them manually and with the help of the file.
DMS provides the ability to do simple adjustments to Rspamd modules with the help of a single file. Just place a file called
docker-data/dms/config/rspamd/. If this file is present, DMS will evaluate it. The structure is very simple. Each line in the file looks like this:
COMMAND ARGUMENT1 ARGUMENT2 ARGUMENT3
COMMAND can be:
disable-module: disables the module with name
enable-module: explicitly enables the module with name
set-option-for-module: sets the value for option
set-option-for-controller: set the value of option
ARGUMENT2for the controller worker
set-option-for-proxy: set the value of option
ARGUMENT2for the proxy worker
set-common-option: set the option
ARGUMENT1that defines basic Rspamd behaviour to value
add-line: this will add the complete line after
ARGUMENT1(with all characters) to the file
An Example Is Shown Down Below
File Names & Extensions
For command 1 - 3, we append the
.conf suffix to the module name to get the correct file name automatically. For commands 4 - 6, the file name is fixed (you don't even need to provide it). For command 7, you will need to provide the whole file name (including the suffix) yourself!
You can also have comments (the line starts with
#) and blank lines in
custom-commands.conf - they are properly handled and not evaluated.
Adjusting Modules This Way
These simple commands are meant to give users the ability to easily alter modules and their options. As a consequence, they are not powerful enough to enable multi-line adjustments. If you need to do something more complex, we advise to do that manually!
You want to start using Rspamd? Rspamd is disabled by default, so you need to set the following environment variables:
ENABLE_RSPAMD=1 ENABLE_OPENDKIM=0 ENABLE_OPENDMARC=0 ENABLE_POLICYD_SPF=0 ENABLE_AMAVIS=0 ENABLE_SPAMASSASSIN=0
This will enable Rspamd and disable services you don't need when using Rspamd.
Rspamd is running, but you want or need to adjust it? First, create a file named
docker-data/dms/config/rspamd (which translates to
/tmp/docker-mailserver/rspamd/ inside the container). Then add you changes:
- Say you want to be able to easily look at the frontend Rspamd provides on port 11334 (default) without the need to enter a password (maybe because you already provide authorization and authentication). You will need to adjust the controller worker:
set-option-for-controller secure_ip "0.0.0.0/0".
- You additionally want to enable the auto-spam-learning for the Bayes module? No problem:
set-option-for-module classifier-bayes autolearn true.
- But the chartable module gets on your nerves? Easy:
What Does the Result Look Like?
Here is what the file looks like in the end:
# See 1. # ATTENTION: this disables authentication on the website - make sure you know what you're doing! set-option-for-controller secure_ip "0.0.0.0/0" # See 2. set-option-for-module classifier-bayes autolearn true # See 3. disable-module chartable
There is a dedicated section for setting up DKIM with Rspamd in our documentation.
This subsection gives information about the integration of Abusix, "a set of blocklists that work as an additional email security layer for your existing mail environment". The setup is straight-forward and well documented:
- Create an account
- Retrieve your API key
- Navigate to the "Getting Started" documentation for Rspamd and follow the steps described there
- Make sure to change
<APIKEY>to your private API key
We recommend mounting the files directly into the container, as they are rather big and not manageable with the modules script. If mounted to the correct location, Rspamd will automatically pick them up.
While Abusix can be integrated into Postfix, Postscreen and a multitude of other software, we recommend integrating Abusix only into a single piece of software running in your mail server - everything else would be excessive and wasting queries. Moreover, we recommend the integration into suitable filtering software and not Postfix itself, as software like Postscreen or Rspamd can properly evaluate the return codes and other configuration.