Update u_e-rspamd.md
Rspamd is used for AV handling, DKIM signing and SPAM handling. It's a powerful and fast filter system. For more in-depth documentation on Rspamd, please visit its own documentation.
Learn Spam & Ham
Rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash. This is achieved by using the Dovecot plugin "antispam" and a simple parser script.
Rspamd also auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning).
The Bayes statistics are written to Redis as keys BAYES_HAM and BAYES_SPAM.
You can also use Rspamd's web UI to learn ham and/or spam or to adjust certain settings of Rspamd.
Learn Spam or Ham from existing directory
You can use a one-liner to learn mail in plain-text (uncompressed) format:
# Ham
for file in /my/folder/cur/*; do docker exec -i $(docker-compose ps -q rspamd-mailcow) rspamc learn_ham < "$file"; done
# Spam
for file in /my/folder/.Junk/cur/*; do docker exec -i $(docker-compose ps -q rspamd-mailcow) rspamc learn_spam < "$file"; done
Consider attaching a local folder as a new volume to rspamd-mailcow in docker-compose.yml and learning the given files inside the container. This can be used as a workaround to parse compressed data with zcat. Example:
for file in /data/old_mail/.Junk/cur/*; do zcat "$file" | rspamc learn_spam; done
Reset learned data
You need to delete keys in Redis to reset learned mail, so create a copy of your Redis database now:
Backup database
# It is better to stop Redis before you copy the file.
cp /var/lib/docker/volumes/mailcowdockerized_redis-vol-1/_data/dump.rdb /root/
Reset Bayes data
docker-compose exec redis-mailcow sh -c 'redis-cli --scan --pattern "BAYES_*" | xargs redis-cli del'
docker-compose exec redis-mailcow sh -c 'redis-cli --scan --pattern "RS*" | xargs redis-cli del'
If it complains about...
(error) ERR wrong number of arguments for 'del' command
...the key pattern was not found and thus no data is available to delete.
CLI tools
docker-compose exec rspamd-mailcow rspamc --help
docker-compose exec rspamd-mailcow rspamadm --help
Disable Greylisting
You can disable rspamd's greylisting server-wide by editing:
{mailcow-dir}/data/conf/rspamd/local.d/greylist.conf
Simply add the line:
enabled = false;
Save the file and then restart the rspamd container.
Custom reject messages
The default spam reject message can be changed by adding a new file data/conf/rspamd/override.d/worker-proxy.custom.inc with the following content:
reject_message = "My custom reject message";
Save the file and restart Rspamd: docker-compose restart rspamd-mailcow
While the above works for rejected mails with a high spam score, global maps (as found in "Global filter maps" in /admin) will ignore this setting. For these maps, the multimap module in Rspamd needs to be adjusted:
- Open {mailcow-dir}/data/conf/rspamd/local.d/multimap.conf and find the desired map symbol (e.g. GLOBAL_SMTP_FROM_BL).
- Add your custom message as a new line:
GLOBAL_SMTP_FROM_BL {
  type = "from";
  message = "Your domain is blacklisted, contact postmaster@your.domain to resolve this case.";
  map = "$LOCAL_CONFDIR/custom/global_smtp_from_blacklist.map";
  regexp = true;
  prefilter = true;
  action = "reject";
}
- Save the file and restart Rspamd: docker-compose restart rspamd-mailcow
Whitelist specific ClamAV signatures
You may find that legitimate (clean) mail is being blocked by ClamAV (Rspamd will flag the mail with VIRUS_FOUND). For instance, interactive PDF form attachments are blocked by default because the embedded JavaScript code may be used for nefarious purposes. Confirm by looking at the clamd logs, e.g.:
docker-compose logs clamd-mailcow | grep "FOUND"
This line confirms that such a file was identified:
clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND
To whitelist this particular signature (and allow files of this type to be sent as attachments), add it to the ClamAV signature whitelist file. The entry applies to all mail scanned by this ClamAV instance:
echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2
Then restart the clamd-mailcow service container in the mailcow UI, or using docker-compose:
docker-compose restart clamd-mailcow
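Before whitelisting, it helps to see which signatures actually fire and how often. The following is an added example, not part of the mailcow documentation: the function names clamd_found_summary and sample_clamd_log are hypothetical, the log layout is taken from the line quoted above, and whitelist.ign2 is assumed to hold one signature name per line.

```shell
#!/bin/sh
# Added example: count ClamAV detections per signature in clamd-mailcow logs
# and show which signatures are already listed in whitelist.ign2.
# Usage: docker-compose logs clamd-mailcow | clamd_found_summary data/conf/clamav/whitelist.ign2

clamd_found_summary() {
    ign_file="${1:-/dev/null}"
    awk -v ign="$ign_file" '
        BEGIN {
            # Load signature names that are already ignored, one per line.
            while ((getline line < ign) > 0) {
                sub(/\r$/, "", line)
                if (line != "") ignored[line] = 1
            }
        }
        / FOUND[ \t\r]*$/ {                        # detections end in " FOUND"
            sig = $0
            sub(/[ \t\r]*FOUND[ \t\r]*$/, "", sig) # drop the trailing marker
            sub(/\([0-9a-f]+:[0-9]+\)$/, "", sig)  # drop "(hash:size)" if present
            sub(/^.*: /, "", sig)                  # drop prefix up to "instream(local): "
            if (sig != "") count[sig]++
        }
        END {
            for (s in count)
                printf "%d\t%s\t%s\n", count[s], s, ((s in ignored) ? "whitelisted" : "active")
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input: the first line is the one quoted above, the rest are made up.
sample_clamd_log() {
    cat <<'EOF'
clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND
clamd-mailcow_1 | Sat Sep 28 07:50:02 2019 -> SelfCheck: Database status OK.
clamd-mailcow_1 | Sat Sep 28 08:01:10 2019 -> instream(local): Example.Constructed.Signature-1(00000000000000000000000000000000:1024) FOUND
clamd-mailcow_1 | Sat Sep 28 08:05:41 2019 -> instream(local): Example.Constructed.Signature-1(00000000000000000000000000000000:1024) FOUND
EOF
}

# Demo on the constructed sample (no whitelist file given, so every signature is "active").
sample_clamd_log | clamd_found_summary
```

Each output line is tab-separated: hit count, signature name, and whether the name is already in the whitelist file.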