Differences

This shows you the differences between two versions of the page.

email:mailscanner [2025/06/16 08:08] – created - external edit 127.0.0.1email:mailscanner [2026/04/13 14:52] (current) – [Web interface] willy
Line 1: Line 1:
-====== N) Mail Scanner ======+====== N) Spam filtering ======
  
-The DNS (Domain Name Service) plays a critical role in email deliveryYou need to create set of DNS records to make sure that your email can be delivered and that email can be delivered to you as well.+[[https://github.com/rspamd/rspamd|RSpamD]] is an advanced spam filtering system and email processing framework that allows evaluation of messages by number of rules including regular expressions, statistical analysis and custom services such as URL black lists. Each message is analysed by Rspamd and given a verdict that might be used by MTA for further processing (e.g. to reject a message, or add a special header indicating spam) along with other information, such as possible DKIM signature or modifications suggested for a message.
  
-The basic record to setup is the MX record, which tells the email servers //which server(s)// handle email for your domain. 
  
-This page will make a general overview of all the needed records, more details are presented in each configuration section later on.+===== Installation =====
  
-Please __note__ that you will need **more** that the records defined in this page for a domain to operate properly: this is only for email.+My VPS is pretty ancient and the CPU does not support sse4_2, instructions, so i had to disable **hyperscan** use flag by writing the following **/etc/portage/package.use/rspamd** file: 
 +<file - rspamd> 
 +mail-filter/rspamd  -hyperscan 
 +</file>
  
 +Now simply emerge it:
 +<code bash>
 +emerge -vp rspamd dev-db/redis
 +</code>
  
-===== Reverse DNS =====+rspamd requires redis, but somehow it doesn't pull it directly.
  
-A reverse DNS setup is how you translate an IP to a DNS name. This is the //opposite// of DNS, where you translate a domain to an IP. 
  
-This is important to be properly set, and is usually defined aside from your actual DNS management panel of your provider.+===== Configure rspamd =====
  
-If you cannot set it, some providers don't support it, it's okBetter set it up, if possibleWhen set, it will help email deliverability.+Create **/etc/rspamd/local.d/actions.conf**: 
 +<file - actions.conf> 
 +# Basic action thresholds 
 +reject = 15;        # Reject obvious spam 
 +add_header = 6;     # Add spam headers 
 +greylist = 4;       # Temporary delay suspicious mail 
 +</file>
  
 +Configure redis **/etc/rspamd/local.d/redis.conf**:
 +<file redis.conf>
 +# Redis connection for statistics and caching
 +servers = "127.0.0.1:6379";
 +</file>
  
-===== MX record =====+Setup a controller password for the web interface: 
 +<code bash> 
 +rspamadm pw 
 +</code>
  
-An **MX** record (mandatory) tells who manages emails for your domainYou can have more than one, to build a chain of backup servers, but that is outside the scope of this guideI assume your MX record points to **mail.mydomain.com**.+Create **/etc/rspamd/local.d/worker-controller.inc**
 +<file - worker-controller.inc> 
 +# Replace with your generated password 
 +password = "$2$your_generated_password_here"; 
 +</file>
  
-Please note that this implies as well the existence of an **A** record for //mail.mydomain.com//. 
  
-Example: +===== Configure redis =====
-<code> +
-mail.mydomain.com.    x.y.w.z             1800 A +
-webmail.mydomain.com. mail.mydomain.com.    1800 CNAME +
-@               10 mail.mydomain.com. 3600 MX +
-</code>+
  
 +Setup redis at least in a basic and secure way **/etc/redis/redis.conf**:
 +<file - redis.conf>
 +# Bind only to localhost for security
 +bind 127.0.0.1 ::1
 +# Set memory limit
 +maxmemory 500mb
 +maxmemory-policy volatile-ttl
 +</file>
  
-===== SPF record ===== 
  
-For SPF to work, you need to setup a proper TXT record like the following: +===== Configure postfix link =====
-<code> +
-@ v=spf1 mx a -all 3600 TXT +
-</code> +
- +
- +
-===== DKIM record =====+
  
-The DKIM record contains the public part of your domain DKIM keys:+Add milter integration to your Postfix configuration in **/etc/postfix/main.cf**:
 <code> <code>
-mydomain.com._domainkey. "v=DKIM1; k=rsa; p=<< mykey >>" 3600 TXT          +# Enable Rspamd milter 
 +smtpd_milters inet:localhost:11332 
 +milter_default_action accept 
 +milter_protocol 6
 </code> </code>
  
-In the above example //<< mykey >>// is a very long random characters string.+Configure Rspamd proxy worker in **/etc/rspamd/local.d/worker-proxy.inc**: 
 +<file - worker-proxy.inc> 
 +# Enable milter mode for Postfix integration 
 +milter = yes; 
 +timeout = 120s; 
 +upstream "local"
 +  default = yes; 
 +  self_scan = yes;  # Scan messages directly 
 +
 +</file>
  
  
-===== DMARC record =====+===== Startup =====
  
-The DMARC record is used to publish your domain DMARC strategy  +Ensure all the services are running and setup to start on boot: 
-<code> +<code bash
-_dmarc.mydomain.com. "v=DMARC1; p=reject; rua=mailto:postmaster@mydomain.com;" 3600 TXT +for i in rspamd redis postfix 
-_smtp_tls.mydomain.com. """v=TLSRPTv1; rua=mailto:postmaster@mydomain.com""" 3600 TXT+do 
 + rc-update add $i default 
 + /etc/init.d/$i restart 
 +done
 </code> </code>
  
  
-===== Discoverability records =====+===== Web interface =====
  
-The following set of SRV records facilitate mail clients to discover your IMAP and SMTP servers:+By default rspamd web interface is exposed on **http://127.0.0.1:11334/** but of course, you must slap NGINX in front of it. I choose to expose it as **https://mail.mydomain.com/rspamd/** so add the following to your NGINX setup for **mail.mydomain.com**:
 <code> <code>
-_imaps._tcp.mail.mydomain.com. 0 1 993 mail.mydomain.com. 3600 SRV +        location /rspamd/ { 
-_submissions._tcp.mail.mydomain.com. 0 1 465 mail.mydomain.com. 3600 SRV +                proxy_pass http://127.0.0.1:11334/; 
-_imap._tcp.mail.mydomain.com. 0 143 mail.mydomain.com. 3600 SRV +                proxy_redirect    default; 
-_submission._tcp.mail.mydomain.com. 0 1 587 mail.mydomain.com. 3600 SRV+                proxy_set_header  Host $host; 
 +                proxy_set_header  X-Real-IP $remote_addr; 
 +                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for; 
 +                proxy_set_header  X-Forwarded-Host $server_name; 
 +                proxy_set_header  X-Forwarded-Proto $scheme; 
 +        }
 </code> </code>
 +
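Review bot: In the Installation section, `emerge -vp rspamd dev-db/redis` only pretends (`-p`), so a reader following "Now simply emerge it" installs nothing; drop the `p` and use `emerge -v rspamd dev-db/redis`. In the Postfix section the three main.cf lines are shown without `=` (for example `smtpd_milters inet:localhost:11332`), and the `upstream "local"` block in worker-proxy.inc shows no braces around `default` and `self_scan`; both should be written out in full so they can be pasted as they stand. `milter_default_action accept` makes filtering fail open whenever rspamd is unreachable, which deserves a sentence so the choice is deliberate (`tempfail` is the stricter alternative). The `/rspamd/` NGINX location is protected only by the controller password set in worker-controller.inc; consider adding an `allow`/`deny` restriction to that location. Two smaller points: `<file redis.conf>` at the rspamd Redis step lacks the `-` used by every other `<file - name>` tag, and this revision removes all of the DNS record documentation (MX, SPF, DKIM, DMARC, SRV) from the page, so confirm that material now lives on another page.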