Hi,

We do not use (yet) rspamd as front filter for SmarterMail but we do use E.F.A. (https://efa-project.org/) and the implementation should be the same.

Short summary of what we did:

- Configure E.F.A as a front-end filter box for (could be rspamd).

- Set the MX of all domains to use this box, not SmarterMail

- Configure the filter to forward scanned mails to SmarterMail box

- Made E.F.A add custom headers to the mail that include spam score/severity

- Disabled all antispam/antivirus check on SmarterMail

- Added custom spam filters on SmarterMail to check the custom header added by E.F.A and set a SmarterMail spam weight based on this, so the users can still apply low/med/high actions preferences .

There is more details to it, but that's the idea and it works very well (way more efficient than SM built-in spam stuff) and also drastically lowered a lot the resources usage on SmarterMail as it does only a check on a specific header for classification.

We run this setup since 2-3 years and we have very low spam complaints from our customers.

Here is some statistics for 24hour volume:

Awesome, thanks for the info, I'll check that out!

I'm wondering about those headers you use on primary mail server. Do you use:

X-SmarterMail-SmartHostSpamWeight:

header? I'm just curious how do you pass score to primary server and how do you parse it on mail server (I don't think that there is some kind of regex which will allow to parse header for having certain mail score on pirmary server).

Currently I have 3 Free SmarterMail incoming gateways which perform some simple RBL tests and all of them connect to one SpamAssassin dedicated system for more complicated spam checks. It works but probably in future I would like to make gateways to perform their checks without any external connections.

It depends the headers added by your filtering gateway/appliance.

On EFA (probably rspamd too) you can customize the spam score header.

On our setup the EFA the gateway we add:

X-SwissCenter-MailGuard-SpamScore: ssssss 

(Where the amount of 's' is the severity)

ss = EFA spam score 2

ssssss = EFA spam core 6

Then in SmarterMail all SpamChecks are disabled and we add custom ones to set a weight depending the amount of 's'

Here is an extract of our spam config, showing the settings for these custom spam rules.

https://pastebin.com/tCTVSPi4 

SR

Thanks. I will check it out when I will have some free time. One thing makes me curious. How do you verify if user exists during message delivery? On gateway level or maybe after message is being passed to primary SmarterMail server?

Now I'm using WebService between primary SM and SM which is used as a gateway with enabled gateway mode (there is also SMTP verification but I had some issues where user existed on primary server but for some reason there was some No such user here bounces) and I'm wondering how it does work on EFA.

Do you use also outgoing gateways?

try to use the proxmox mail gateway, work's fine.

On your front-end device, enable Callout or LDAP verification.

For Callout:

For LDAP

We've been using it for about 2/3 months now. Works flawlessly. What exact questions do you have?

Our stats for the last 7 days. We've seen a massive drop in spam since implementing rSpamD in front of SmarterMail.

We use EFA for our gateways too.

We export our users from smartermail and import them to EFA.

Only allowing email from known users.  

We run greylisting and spamassasin on the gateways and give the emails a score.

then we use declude to handle the emails based on declude settings.

How do you export a user list from SmarterMail?  Is there a simpke method, or do I have to learn API programming?

We export using the API to the required postfix files.

We also use a python script I wrote to grab all user accounts from SmarterMail through API and generate all the postfix files (mainly transports and relay recipients).

Edit:

Here is the script, mostly coded with elbows, coming with no warranty, documentation or anything etc... Check the begining of the python scripts for configurable settings and requirements.

We use it successfully to import required data for postfix transport routing and allowed recipients to our E.F.A incoming gateways.

It can be used wit SmarterMail and Exchange servers as data sources.

I guess it would work with any incoming gateway using postfix.

If you are using postfix use the address verifcation. If address exists postfix receive the message othersize will reject in the front.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html 

Would be nice if you didn't have to resort to using 3rd party tools, writing scripts, coding API, running import/export, etc. for good spam filtering.

Maybe some of these anti-spam tools could be built into SmarterMail? Seems like it would reduce the complexity and could take advantage of things like address verification, spam reporting, etc.

IDEA: Integrate rSpamD into SmarterMail like just like SpamAssassin.

I am a firm believer in using a front-end gateway.

Why rspamd or postfix over other alternatives as your gateway peoduct?

What are their particular strengths?

Having to use ixed lists instead of callout or ldap is a weakness.

Postfix is the MTA component used by most linux incoming gateway/mail servers (could be Exim or the old sendmail).

Rspamd is an antispam engine, a very efficient alternative for SpamAssassin.

We are using fixed lists that are periodically updated or updated on demand by our control panel

Because of this, the gateway does not need to query the backend servers every time a mail is processed to check if the recipient is valid and therefore avoid unecessary load on them.

This really makes a difference when there are a lot of incoming mails checked per second.

Another advantage is that if the backend server is temp. down, you can continue accept/reject mails that will stay in delivery queue until the backend is back..

You can configure postfix to do callouts or LDAP validation. It would be OK  when handling a reasonable flow of mails but can slow down or create unecessary load with thousands target domains.

If customers use a throwaway temporary email alias, this could cause problems for user verification at a filter gateway. Anyone have suggestions for that scenario? (Besides suggesting not to use throwaway aliases)

As long as you are using a dynamic lookup method (callout or LDAP), rather than a static list, sender verification will still work.