Anyone using Rspamd with SmarterMail?
Question asked by Colin M - 3/25/2020 at 8:47 AM
Unanswered
Is anyone using Rspamd with SmarterMail? If so, what were your integration steps and overall experiences?

Thanks!
Colin

18 Replies

1
Sébastien Riccio Replied
Hi,

We do not use (yet) rspamd as front filter for SmarterMail but we do use E.F.A. (https://efa-project.org/) and the implementation should be the same.

Short summary of what we did:
- Configure E.F.A as a front-end filter box for (could be rspamd).
- Set the MX of all domains to use this box, not SmarterMail
- Configure the filter to forward scanned mails to SmarterMail box
- Made E.F.A add custom headers to the mail that include spam score/severity
- Disabled all antispam/antivirus check on SmarterMail
- Added custom spam filters on SmarterMail to check the custom header added by E.F.A and set a SmarterMail spam weight based on this, so the users can still apply low/med/high action preferences.

There are more details to it, but that's the idea and it works very well (way more efficient than SM built-in spam stuff) and it also drastically lowered the resource usage on SmarterMail, as it only does a check on a specific header for classification.

We have run this setup for 2-3 years and we have very few spam complaints from our customers.

Here are some statistics for 24-hour volume:


Sébastien Riccio
System & Network Admin

0
Colin M Replied
Awesome, thanks for the info, I'll check that out!
0
Webio Replied
I'm wondering about those headers you use on primary mail server. Do you use:

X-SmarterMail-SmartHostSpamWeight:

header? I'm just curious how you pass the score to the primary server and how you parse it on the mail server (I don't think that there is some kind of regex which will allow parsing the header to get a certain mail score on the primary server).

Currently I have 3 Free SmarterMail incoming gateways which perform some simple RBL tests and all of them connect to one SpamAssassin dedicated system for more complicated spam checks. It works but probably in future I would like to make gateways to perform their checks without any external connections.
0
Sébastien Riccio Replied
It depends on the headers added by your filtering gateway/appliance.

On EFA (probably rspamd too) you can customize the spam score header.
On our setup, on the EFA gateway we add:

X-SwissCenter-MailGuard-SpamScore: ssssss 
(Where the amount of 's' is the severity)

ss = EFA spam score 2
ssssss = EFA spam score 6

Then in SmarterMail all SpamChecks are disabled and we add custom ones to set a weight depending on the amount of 's'

Here is an extract of our spam config, showing the settings for these custom spam rules.

SR




Sébastien Riccio
System & Network Admin
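The header scheme from this post, worked through on both sides as an added example (not the poster's configuration). The rule substrings and weights are constructed, and it assumes the mail server's custom rules are "header contains" matches whose weights add up; check how your SmarterMail version combines them.

```python
from email import message_from_string

HEADER = "X-SwissCenter-MailGuard-SpamScore"  # header name quoted in the post

# Constructed rule set: (substring the header must contain, weight added).
# The poster's real weights are not shown on the page.
RULES = [("ss", 5), ("ssss", 5), ("ssssss", 10), ("ssssssss", 10)]


def gateway_header(score):
    """Gateway side: one 's' per whole point of spam score."""
    return f"{HEADER}: {'s' * max(0, int(score))}"


def mail_server_weight(raw_message, rules=RULES):
    """Mail-server side: apply every 'contains' rule and sum the weights.

    Because a longer run of 's' contains every shorter run, plain substring
    rules behave like score thresholds and no regex is needed.
    """
    msg = message_from_string(raw_message)
    values = [v.strip() for v in (msg.get_all(HEADER) or [])]
    # Ignore instances that are not purely a run of 's' (malformed values).
    values = [v for v in values if v and set(v) == {"s"}]
    total = 0
    for needle, weight in rules:
        if any(needle in v for v in values):
            total += weight
    return total


# Constructed sample message, as the gateway would hand it to the mail server.
SAMPLE = gateway_header(6.4) + "\nFrom: a@example.org\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    print(gateway_header(6.4))
    print(mail_server_weight(SAMPLE))
```

Since the weight is driven entirely by this header, the gateway should drop any instance of it that arrives from outside before adding its own.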

0
Webio Replied
Thanks. I will check it out when I have some free time. One thing makes me curious. How do you verify if a user exists during message delivery? On gateway level or maybe after the message is passed to the primary SmarterMail server?

Now I'm using WebService between primary SM and SM which is used as a gateway with enabled gateway mode (there is also SMTP verification but I had some issues where user existed on primary server but for some reason there was some No such user here bounces) and I'm wondering how it does work on EFA.

Do you use also outgoing gateways?
0
CLEBER SAAD Replied
Try to use the Proxmox Mail Gateway, works fine.
0
Douglas Foster Replied
On your front-end device, enable Callout or LDAP verification.

For Callout:
  • If SmarterMail 17 or later is your gateway, you enable callout verification from System Administration... Gateway/Failover... Options (section)... SMTP User Verification (button) enabled.   Prior versions do not have this feature.
     
  • On a third-party front-end gateway such as Rspamd, you will have to check your documentation.   Nothing needs to be done on the SmarterMail server itself.

  • If you have multiple spam filters configured in sequence, callout needs to be enabled at each device.  The callout is repeated by each device until the mail server is reached and a result is returned.  Then the result is passed backward to the initial requester.

For LDAP
  • You need a front-end gateway system that can send the query, plus login credentials for a privileged account for it to use when connecting to the mail server.  A filter rule of (mail=matchstring) has worked for me.  The front end application needs to replace "matchstring" with the recipient email address.

  • You need the newest version of SmarterMail on your mail server, to correct some issues that I discovered and which Sophos has fixed during the MAPI Beta development effort.

  • In a configuration with multiple inbound email filters, LDAP allows you to connect directly from the front-end gateway to the back-end mail server, bypassing any intermediate systems.
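The "(mail=matchstring)" substitution from the LDAP steps above, as an added example (not code from this thread or from any gateway product). The recipient comes straight from the SMTP dialogue, so it is escaped per RFC 4515 before it goes into the filter; the function names and the SMTP reply texts are assumptions made for the illustration.

```python
# RFC 4515 escapes for characters that have meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

FILTER_TEMPLATE = "(mail=matchstring)"  # filter rule quoted in the post


def escape_filter_value(value):
    """Escape a literal value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def recipient_filter(rcpt):
    """Replace 'matchstring' with the recipient address, escaped."""
    rcpt = rcpt.strip()
    has_ctl = any(ord(c) < 0x21 or ord(c) == 0x7F for c in rcpt)
    if rcpt.count("@") != 1 or has_ctl:
        raise ValueError("not a plausible recipient address")
    return FILTER_TEMPLATE.replace("matchstring", escape_filter_value(rcpt))


def rcpt_reply(entries):
    """Map a lookup result to an SMTP reply.

    entries is the list of matching directory entries, or None when the
    lookup itself failed (server down, bind refused). A failed lookup is a
    temporary error so the sender retries instead of getting a bounce.
    """
    if entries is None:
        return "451 4.3.0 Recipient verification unavailable"
    if entries:
        return "250 2.1.5 Ok"
    return "550 5.1.1 User unknown"


if __name__ == "__main__":
    # Constructed addresses: the second shows a wildcard being neutralised.
    for rcpt in ("user@example.com", "a*b@example.com"):
        print(recipient_filter(rcpt))
```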


0
echoDreamz Replied
We've been using it for about 2/3 months now. Works flawlessly. What exact questions do you have?


Our stats for the last 7 days. We've seen a massive drop in spam since implementing rSpamD in front of SmarterMail.
0
Heimir Eidskrem Replied
We use EFA for our gateways too.
We export our users from smartermail and import them to EFA.
Only allowing email from known users.  
We run greylisting and SpamAssassin on the gateways and give the emails a score.
Then we use declude to handle the emails based on declude settings.


0
Douglas Foster Replied
How do you export a user list from SmarterMail?  Is there a simple method, or do I have to learn API programming?
0
echoDreamz Replied
We export using the API to the required postfix files.
0
Sébastien Riccio Replied
We also use a python script I wrote to grab all user accounts from SmarterMail through API and generate all the postfix files (mainly transports and relay recipients).

Edit:
Here is the script, mostly coded with elbows, coming with no warranty, documentation or anything etc... Check the beginning of the python scripts for configurable settings and requirements.


We use it successfully to import required data for postfix transport routing and allowed recipients to our E.F.A incoming gateways.
It can be used with SmarterMail and Exchange servers as data sources.

I guess it would work with any incoming gateway using postfix.

Sébastien Riccio
System & Network Admin
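The poster's script is not reproduced on this page. As an added example (not that script), this sketch shows the step it describes: turning an exported account list into Postfix relay-recipient and transport map text. The account list and backend host names are constructed, and fetching the list from the SmarterMail API is left out.

```python
import re

# Conservative shape for map keys: no whitespace, quotes or control characters.
ADDR_RE = re.compile(r"[a-z0-9._%+\-]+@([a-z0-9\-]+\.)+[a-z]{2,}")


def build_maps(accounts):
    """accounts: iterable of (address, backend_host) pairs.

    Returns (relay_recipients_text, transport_text, skipped_addresses).
    """
    recipients, routes, skipped = set(), {}, []
    for address, backend in accounts:
        addr = address.strip().lower()
        if not ADDR_RE.fullmatch(addr):
            skipped.append(address)  # would corrupt the map file
            continue
        domain = addr.split("@", 1)[1]
        if routes.setdefault(domain, backend) != backend:
            skipped.append(address)  # one domain cannot route to two backends
            continue
        recipients.add(addr)
    # relay_recipient_maps format: "address OK"
    relay = "".join(f"{a} OK\n" for a in sorted(recipients))
    # transport_maps format: "domain smtp:[host]:port"; brackets skip MX lookup
    transport = "".join(
        f"{d} smtp:[{h}]:25\n" for d, h in sorted(routes.items())
    )
    return relay, transport, skipped


# Constructed export: mixed case, a duplicate and one malformed entry.
ACCOUNTS = [
    ("Alice@Example.com", "sm1.internal.example"),
    ("bob@example.com", "sm1.internal.example"),
    ("bob@example.com", "sm1.internal.example"),
    ("carol@example.net", "sm2.internal.example"),
    ("bad addr@example.com", "sm1.internal.example"),
]

if __name__ == "__main__":
    relay, transport, skipped = build_maps(ACCOUNTS)
    print(relay, transport, skipped, sep="\n")
```

Postfix reads these through `relay_recipient_maps` and `transport_maps`; run `postmap` on each file after regenerating it.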

0
CLEBER SAAD Replied
If you are using postfix, use the address verification. If the address exists postfix receives the message, otherwise it will reject it at the front.



3
kevind Replied
Would be nice if you didn't have to resort to using 3rd party tools, writing scripts, coding API, running import/export, etc. for good spam filtering.

Maybe some of these anti-spam tools could be built into SmarterMail? Seems like it would reduce the complexity and could take advantage of things like address verification, spam reporting, etc.

IDEA: Integrate rSpamD into SmarterMail just like SpamAssassin.
0
Douglas Foster Replied
I am a firm believer in using a front-end gateway.

Why rspamd or postfix over other alternatives as your gateway product?
What are their particular strengths?

Having to use fixed lists instead of callout or ldap is a weakness.
1
Sébastien Riccio Replied
Postfix is the MTA component used by most linux incoming gateway/mail servers (could be Exim or the old sendmail).
Rspamd is an antispam engine, a very efficient alternative for SpamAssassin.

We are using fixed lists that are periodically updated or updated on demand by our control panel.
Because of this, the gateway does not need to query the backend servers every time a mail is processed to check if the recipient is valid and therefore avoids unnecessary load on them.

This really makes a difference when there are a lot of incoming mails checked per second.

Another advantage is that if the backend server is temp. down, you can continue to accept/reject mails that will stay in the delivery queue until the backend is back.

You can configure postfix to do callouts or LDAP validation. It would be OK when handling a reasonable flow of mails but can slow down or create unnecessary load with thousands of target domains.

Sébastien Riccio
System & Network Admin

0
Seph Parshall Replied
If customers use a throwaway temporary email alias, this could cause problems for user verification at a filter gateway. Anyone have suggestions for that scenario? (Besides suggesting not to use throwaway aliases)
0
Douglas Foster Replied
As long as you are using a dynamic lookup method (callout or LDAP), rather than a static list, sender verification will still work.
