Deploying Rspamd For Use With SmarterMail

This article walks through the installation and configuration of the Rspamd spam filtering system and its subsequent integration with SmarterMail. This guide is being created against Ubuntu Server 20.04+ with a static assigned IPv4 address, disabled firewall (internal use only), and a single network interface. 

There are a few requirements that need to be in place to ensure the rest of the guide goes as planned:
  • You'll need an Ubuntu server.
  • You'll likely want a static IPv4 address. (Or addressing of your choice.)
  • You'll need a user account in Ubuntu with SU permissions.
Once these requirements are met you should be able to complete the steps, below, without issue.

Install Redis
Rspamd utilizes Redis as a storage and caching system for Bayesian filtering. To install it, type the following command into the Ubuntu terminal:
sudo apt install redis-server

Install Rspamd
Next, we'll use the official Rspamd repository to install the most recent, stable version. Before doing that, however, you'll need to install the required software. Use the following commands:
sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget
Once that's done, you'll need to use the weget command to add the repository's GPG key to your APT sources list. Use the following command:
wget -O- | sudo apt-key add -
Next, enable the Rspamd repository using this command:
echo "deb $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list 
Now that the repository is enabled, you'll need to update the package index with our new changes, install Rspamd, and configure it. Use the following commands:
sudo apt update
sudo apt install rspamd

Configure Rspamd
Instead of changing the default configuration files, you'll simply add new files to the /etc/rspamd/local.d/local.d/ directory. Any config files placed here are supplemental to the originals. If necessary, you can override and replace any existing files. 

The first modification will be to the worker that analyzes email messages for spam. By default, this worker listens on port 11333 on all interfaces. To ensure the normal worker listens on the appropriate address, you will want to manually configure its bind address. To do that, create the file, below, with the contents provided:

File to create: /etc/rspamd/local.d/
File contents: bind_socket = "*:11333";

Next, the controller worker, which grants access to the Rspamd web interface, has to have a password set up for it. To create an encrypted password, use the following command (replacing "P4ssvv0rD" with a password of your choosing): 
rspamadm pw --encrypt -p P4ssvv0rD
The output should look something like this:

Using the copy/paste functionality in terminal, copy the password and then put it in the following configuration file:

File: /etc/rspamd/local.d/
Contents: password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";

There are a couple of other additions for the file you’ll want to include.

File: /etc/rspamd/local.d/
secure_ip: “” – Replace the example IP with the IP address of your SmarterMail server. (You can add a comma-separated list if you have more than one SmarterMail server.)
allow_learn = "true" – enables the learnspam and learnham features.

IMPORTANT NOTE: It is strongly recommended that you deploy using a private IP address. Regardless, it is imperative that you evaluate all secure_ip and hosts directives against your chosen network configuration to ensure you are only opening traffic/scanning functionality to the servers you control.

Finally, you need to configure Rspamd to use redis as its Bayesian filtering caching and storage system. To do that, create the file, below, with the contents provided:

File to create: /etc/rspamd/local.d/classifier-bayes.conf
File contents:    servers = "";
                            backend = "redis";

Once the above is all completed, you'll need to restart Rspamd. To do that, use the following command:
sudo systemctl restart rspamd
Testing Things Out
To verify everything is set up properly you can try accessing the Rspamd HTTP endpoint via a browser with a URL like: (You will need modify the URL to use the IP you selected during server setup.) If everything is set up properly, you should receive a result like this one below, which indicates you are reaching the worker:
{"error":"invalid command","error_domain":"protocol-error"} 
To test out the /learnham and /learnspam submissions, try moving one or more sample messages to the junk mail folder, then issue the following command on your Linux server running Rspamd:

redis-cli keys "*"

Implementation and Usage
Next, we need to add the new server as an available Rspamd server in SmarterMail. To do that, do the following:
  1. Log on to SmarterMail as a system administrator
  2. Navigate to Settings > Antispam > Options
  3. On the Remote Rspamd Servers card, click New Server.
  4. Input the same HTTP test interface you verified above.
    Name: Use whatever you like. For example, Rspamd01
    Rspamd Server Address:
    Checkv2 Endpoint: /checkv2
    Learnspam Endpoint: /learnspam
    Learnham Endpoint: /learnham
  5. Save your changes.
Next, you'll want to move to the Options card and enable Send user spam to antispam providers. This ensures that when the "Move to Junk" and/or "Move to Inbox" buttons are used on a message, the messages are handled properly by Rspamd.

Finally, enable the Rspamd spam check under Settings > Antispam > Spam Checks

To confirm Rspamd scanning is taking place, check the Raw Content of a message and look for Rspamd spam check results. For example (bold for emphasis):

X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, Cyren [Unknown]: 0, _REMOTERSPAMD: 0:0, SPF [Pass]: 0, DKIM [Pass]: 0, Spamhaus: 0, SpamCop: 0, SORBS - Recent: 0, SORBS - No Mail: 0, SORBS - No Server: 0, SORBS: 0, SEM - Black: 0, MailSpike: 0, HostKarma: 0, URIBL: 0, SEM-URI: 0, SURBL: 0  


If you don't see any results in a message's header, a good first step is to check the Delivery Logs in SmarterMail for signs of errors like these:

[2022.12.06] 09:42:48.837 [63422013] Unable to run remote Rspamd spam checks on server : System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond [2022.12.06] at MailService.Spam.RspamdClient.<ExternalCheck>d__19.MoveNext()  

[2022.12.06] 10:07:48.566 [63422014] Unable to run remote Rspamd spam checks on server : No Rspamd servers available

Generally, that means there's a misconfiguration somewhere: the IP is incorrect, maybe an internal firewall is blocking access, etc. 

Other good troubleshooting sources are the Rspamd dashboard and History page. You access it via the URL for the HTTP endpoint mentioned above, and may need the password noted in the /etc/rspamd/ file if accessing the UI from a machine not listed in the secure_ip fields. It should help confirm whether or not messages are being scanned. 

If you start setting Rspamd scanning failing or stalling after a few messages are scanned, it's likely your default Rspamd settings are the cause. Check the /etc/rspamd/ file and modify the following values to higher counts:

  • Anywhere there is a secure_ip value present in an Rspamd configuration file a specific list of IPs should be used rather than an asterisk. Rspamd will support the asterisk (for all) in bind_address statements, but does not support them here. This ends up looking like this: 
secure_ip = ",,";
  • Anywhere there is a bind_socket statement in an Rspamd configuration file we need to change to an asterisk to ensure its listening on all IPs: 
  • If you are already performing greylisting on your SmarterMail server you can disable this check (and any others you don’t need) by adding a file called greylisting.conf under /etc/rspamd/local.d with the following line in it: 
enabled = false;


Why is the 11333 port used when setting things up but 11334 used when testing and calling it?
David O'Leary (12/27/2023 at 2:07 PM)
Hi David! 11333 is the service port for Rspamd, which you use to make sure Rspamd is working. However, once its working, you pass all your requests through port 11334 because that is its proxy port which handles everything from standard scanning to HAM/SPAM training.
Andrea Free (12/27/2023 at 2:51 PM)
Another typo: /etc/rspamd/local.d/local.d/
should be: /etc/rspamd/local.d/

David O'Leary (12/29/2023 at 11:01 AM)
I got an error that the key is stored in a legacy keyring. I fixed that with advice from:

The correct way to get the key can be found:

wget -O- | gpg --dearmor | sudo tee /etc/apt/keyrings/rspamd.gpg > /dev/null

Also worth noting I did not have to download the repository, sudo apt install rspamd worked like a charm.

I am NOT a linux guy.

Patrick Jeski (5/17/2024 at 11:11 AM)
"I am NOT a linux guy."

That makes your feedback even more important, especially for other "non-Linux" people. Thanks, Patrick.

Derek Curtis (5/20/2024 at 7:23 AM)
Another possible typo:
File to create: /etc/rspamd/local.d/
File contents: bind_socket = ":11333";

Should be: File contents: bind_socket = "*:11333";

Patrick Jeski (5/17/2024 at 1:35 PM)
Thanks, Patrick. The correction was made.
Derek Curtis (5/20/2024 at 7:22 AM)