Read in 8 minutes

last updated 

Install and integrate Rspamd

This is the third part of our Setting up and configuring a mail server and in this part we will go through the installation and configuration of the Rspamd spam filtering system and its integration into our mail server and creating DKIM and DMARC DNS records. You may ask why we choose to go with Rspamd and not with Spamassassin. Rspamd is written in C and it is much faster then Spamassassin which is written in Perl and also Rspamd is more actively maintained. Another reason is that Rspamd comes with a DKIM signing module so we will not have to use another software to sign our outgoing emails.

If you are not familiar with Rspamd you can check their official documentation here

Install Redis

Redis will be used as a storage and caching system by Rspamd, to install it just run:

sudo apt install redis-server

Install Unbound

Unbound is a very secure validating, recursive, and caching DNS resolver.

The main purpose of installing this service is to reduce the number of external DNS requests. This step is optional and can be skipped.

sudo apt install unbound

The default settings should be sufficient for most servers.

Set unbound as your server primary DNS resolver:

sudo echo "nameserver" >> /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u

If you are not using resolvconf then you need to edit the /etc/resolv.conf file manually.

Install Rspamd

We will install the lastest stable version of Rspamd from its official repository:

sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget
wget -O- | sudo apt-key add -
echo "deb $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt update
sudo apt install rspamd

Configure Rspamd

Instead of modifying the stock config files we will create new files in the /etc/rspamd/local.d/local.d/ directory which will overwrite the default setting.

By default Rspamd’s normal worker the worker that scans email messages listens on all interfaces on port 11333. Create the following file to configure the Rspamd normal worker to listen only to localhost interface:

bind_socket = "";

The proxy worker listens on port 11332 and supports milter protocol. In order for Postfix to communicate with Rspamd we need to enable milter mode:

bind_socket = "";
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;

Next we need to set up a password for the controller worker which provides access to the Rspamd web interface. To generate an encrypted pasword run:

rspamadm pw --encrypt -p P4ssvv0rD

Don’t forget to change the password (P4ssvv0rD) to something more secure.

and paste it into the configuration file:

password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";

In order to access the web interface we will later configure Nginx as a reverse proxy to the controller worker web server.

We will use Redis as a backend for Rspamd statistics:

servers = "";
backend = "redis";

Set the milter headers:

use = ["x-spamd-bar", "x-spam-level", "authentication-results"];

You can find more information about the milter headers here.

Finaly restart the Rspamd service:

sudo systemctl restart rspamd

Configure Nginx

In the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives, the ones highlighted in yellow:

location /rspamd {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Reload the Nginx service for changes to take effect:

sudo systemctl reload nginx

Head over to enter the password you previously generated with the rspamadm pw command and you will be presented with the Rspamd web interface.

Configure Postfix

We need to configure Postfix to use the Rspamd milter. Run the following command to update the Postfix main configuration file:

sudo postconf -e "milter_protocol = 6"
sudo postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"
sudo postconf -e "milter_default_action = accept"
sudo postconf -e "smtpd_milters = inet:"
sudo postconf -e "non_smtpd_milters = inet:"

Restart the Postfix service for changes to take effect:

sudo systemctl restart postfix

Configure Dovecot

We already installed and configured Dovecot in the second part of this series and now we will install the sieve filtering module and integrate Dovecot with Rspamd.

sudo apt install dovecot-sieve dovecot-managesieved

Open the following files and edit the lines highlighted in yellow.

protocol lmtp {
  postmaster_address = [email protected]
  mail_plugins = $mail_plugins sieve
protocol imap {
  mail_plugins = $mail_plugins imap_quota imap_sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
service managesieve {
  process_limit = 1024
plugin {
    # sieve = file:~/sieve;active=~/.dovecot.sieve
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/vmail/mail/sieve/global/spam-global.sieve
    sieve = file:/var/vmail/mail/sieve/%d/%n/scripts;active=/var/vmail/mail/sieve/%d/%n/active-script.sieve

    imapsieve_mailbox1_name = Spam
    imapsieve_mailbox1_causes = COPY
    imapsieve_mailbox1_before = file:/var/vmail/mail/sieve/global/report-spam.sieve

    imapsieve_mailbox2_name = *
    imapsieve_mailbox2_from = Spam
    imapsieve_mailbox2_causes = COPY
    imapsieve_mailbox2_before = file:/var/vmail/mail/sieve/global/report-ham.sieve

    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe

Create a directory for our sieve scripts:

mkdir -p /var/vmail/mail/sieve/global

Create a global sieve filter to move emails marked as spam to the Spam directory:

require ["fileinto","mailbox"];

if anyof(
    header :contains ["X-Spam-Flag"] "YES",
    header :contains ["X-Spam"] "Yes",
    header :contains ["Subject"] "*** SPAM ***"
    fileinto :create "Spam";

The following two sieve scripts will be triggered whenever you move an email in or out of the Spam directory:

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];

Restart the Dovecot service for changes to take effect:

sudo systemctl restart dovecot

Compile sieve scripts and set the correct permissions:

sievec /var/vmail/mail/sieve/global/spam-global.sieve
sievec /var/vmail/mail/sieve/global/report-spam.sieve
sievec /var/vmail/mail/sieve/global/report-ham.sieve
sudo chown -R vmail: /var/vmail/mail/sieve/

Create DKIM keys

DomainKeys Identified Mail (DKIM) is an email authentication method which adds a cryptographic signature to the outbound message headers. It allows the receiver to verify that an email claiming to originate from a specific domain was indeed authorized by the owner of that domain. The main purpose of this is to prevent forged email messages.

We can have different DKIM keys for all our domains and even a multiple keys for a single domain but for simplicity of this article we’re gonna use a single DKIM key which later can be used for all new domains.

Create a new directory to store the DKIM key and generate a new DKIM keypair using the rspamadm utility:

mkdir /var/lib/rspamd/dkim/
rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key > /var/lib/rspamd/dkim/

In the example above we are using mail as a DKIM selector.

You should now have a two new files in the /var/lib/rspamd/dkim/ directory, mail.key which is our private key file and a file which contains the DKIM public key. We will update our DNS zone records later.

Set the correct ownership and permissions:

chown -R _rspamd: /var/lib/rspamd/dkim
chmod 440 /var/lib/rspamd/dkim/*

Now we need to tell Rspamd where to look for the DKIM key, the selector name and the last line will enable DKIM signing for alias sender addresses. To do that create a new file with the following contents:

selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;

Rspamd also supports signing for Authenticated Received Chain (ARC) signatures. You can find more information about the ARC specification here. Rspamd is using the dkim module for dealing with ARC signatures so we can simply copy the previous configuration:

cp  /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

Restart the Rspamd service for changes to take effect.

sudo systemctl restart rspamd

DNS settings

We already created a DKIM key pair and now we need to update our DNS zone. DKIM public key is stored in the file. The content of the file should look like this:

cat /var/lib/rspamd/dkim/
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
) ;

If you are running your own Bind DNS server you just need to copy and paste the record directly into your domain zone file. If you are using a DNS web interface, then you need to create a new TXT record with mail._domainkey as a name and for the value/content you will need to remove the quotes an concatenate all three lines together. In our case the value/content of the TXT record should look like this:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB

We will also create a Domain-based Message Authentication (DMARC) which is designed to tell the receiving server whether or not to accept an email from a particular sender. Basically it will protect your domain against direct domain spoofing and improve your domain reputation.

If you followed the series from the beginning you should already have a SFP record for your domain. To setup a DMARC record, the sending domain needs to have an SPF and DKIM record published. DMARC policy is published as a TXT record, and defines how the receiver should treat the mails from your domain when validations fail.

In this article we will implement the following DMARC policy:

_dmarc  IN  TXT  "v=DMARC1; p=none; adkim=r; aspf=r;"

Let’s break down the above DMARC record:

  • v=DMARC1 - This is the DMARC identifier
  • p=none - This tells the receiver what to do with messages that fail DMARC. In our case it is set to none which means take no action if a message fails DMARC. You can also use ‘reject’ or quarantine
  • adkim=r and aspf=r - DKIM and SPF alignment, r for Relaxed and s for Strict, in our case we are using Relaxed Alignment for both DKIM and SPF.

Same as before if you are running your own Bind DNS server you just need to copy and paste the record into your domain zone file, and if you are using another DNS provider you need to create a TXT record with _dmarc as a name and v=DMARC1; p=none; adkim=r; aspf=r; as a value/content.

It may take a while for the DNS changes to propagate. You can check whether the records have propagated using the dig command:

dig TXT +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGa" "VuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFdepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"
dig TXT +short
"v=DMARC1; p=none; adkim=r; aspf=r;"

You can also inspect your domain current DMARC policy or create your own DMARC policy here.


That’s it for this part of the tutorial. In the next part of this series, we will continue with RoundCube installation and configuration.

This is a post in the Setting up and configuring a mail server series.
Other posts in this series:

Install and integrate Rspamd