Deploying Rspamd For Use With SmarterMail

This article walks through the installation and configuration of the Rspamd spam filtering system and its subsequent integration with SmarterMail. This guide was written against Ubuntu Server 20.04+ with a statically assigned IPv4 address, a disabled firewall (internal use only), and a single network interface.

Prerequisites
There are a few requirements that need to be in place to ensure the rest of the guide goes as planned:
  • You'll need an Ubuntu server.
  • You'll likely want a static IPv4 address. (Or addressing of your choice.)
  • You'll need a user account in Ubuntu with SU permissions.
Once these requirements are met, you should be able to complete the steps below without issue.

Install Redis
Rspamd utilizes Redis as a storage and caching system for Bayesian filtering. To install it, type the following command into the Ubuntu terminal:
sudo apt install redis-server

Install Rspamd
Next, we'll use the official Rspamd repository to install the most recent, stable version. Before doing that, however, you'll need to install the required software. Use the following commands:
sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget
Once that's done, you'll need to use the wget command to add the repository's GPG key to APT's list of trusted keys. Use the following command:
wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -
Next, enable the Rspamd repository using this command:
echo "deb http://rspamd.com/apt-stable/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list 
Now that the repository is enabled, you'll need to update the package index with our new changes, install Rspamd, and configure it. Use the following commands:
sudo apt update
sudo apt install rspamd

Configure Rspamd
Instead of changing the default configuration files, you'll simply add new files to the /etc/rspamd/local.d/ directory. Any config files placed here are supplemental to the originals. If necessary, you can override and replace any existing files.

The first modification will be to the worker that analyzes email messages for spam. By default, this worker listens on port 11333 on all interfaces. To ensure the normal worker listens on the appropriate address, you will want to manually configure its bind address. To do that, create the file, below, with the contents provided:

File to create: /etc/rspamd/local.d/worker-normal.inc
File contents: bind_socket = ":11333";

Next, the controller worker, which grants access to the Rspamd web interface, has to have a password set up for it. To create an encrypted password, use the following command (replacing "P4ssvv0rD" with a password of your choosing): 
rspamadm pw --encrypt -p P4ssvv0rD
The output should look something like this:
$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb

Using the copy/paste functionality in terminal, copy the password and then put it in the following configuration file:

File: /etc/rspamd/local.d/worker-controller.inc
Contents: password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";

There are a couple of other additions for the worker-controller.inc file you’ll want to include.

File: /etc/rspamd/local.d/worker-controller.inc
Contents:
secure_ip = "10.1.212.12"; – Replace the example IP with the IP address of your SmarterMail server. (You can add a comma-separated list if you have more than one SmarterMail server.)
allow_learn = "true" – enables the learnspam and learnham features.

IMPORTANT NOTE: It is strongly recommended that you deploy using a private IP address. Regardless, it is imperative that you evaluate all secure_ip and hosts directives against your chosen network configuration to ensure you are only opening traffic/scanning functionality to the servers you control.
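
One way to act on the note above before restarting Rspamd, as an added example that is not part of the original guide: it reads a config file and flags secure_ip entries that are wildcards or not private addresses, and bind_socket values that listen on every interface. The function names and the sample file are assumptions made for illustration; only IPv4 and the one-line, comma-separated form used in this guide are handled.

```sh
# Added example: audit secure_ip / bind_socket values in an Rspamd local.d file.

# Emit "directive value" pairs, one value per line.
directives() {
  awk '/^[ \t]*(secure_ip|bind_socket)[ \t]*[=:]/ {
    key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*[=:].*/, "", key)
    val = $0; sub(/^[^=:]*[=:][ \t]*/, "", val); gsub(/["; \t]/, "", val)
    n = split(val, parts, ",")
    for (i = 1; i <= n; i++) if (parts[i] != "") print key, parts[i]
  }' "$1"
}

# Succeed when an IPv4 address (optionally with /prefix) is loopback or RFC 1918.
is_private() {
  case "${1%%/*}" in
    127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print one finding per value that deserves a second look.
audit_file() {
  directives "$1" | while read -r key val; do
    case "$key" in
      secure_ip)
        if [ "$val" = "*" ]; then
          echo "FAIL secure_ip '$val': wildcard not supported here, list specific IPs"
        elif [ "${val#*/}" = "0" ]; then
          echo "FAIL secure_ip '$val': a /0 prefix covers every address"
        elif ! is_private "$val"; then
          echo "WARN secure_ip '$val': not a private address"
        fi ;;
      bind_socket)
        case "$val" in
          "*:"*|0.0.0.0:*) echo "INFO bind_socket '$val': listens on every interface" ;;
        esac ;;
    esac
  done
}

# Constructed sample file using the directives this guide sets.
sample=$(mktemp)
cat > "$sample" <<'EOF'
bind_socket = "*:11333";
secure_ip = "127.0.0.1, 10.1.10.2, 203.0.113.7";
secure_ip = "*";
EOF
audit_file "$sample"
```

Run audit_file against each file you created under /etc/rspamd/local.d/ and review every line it prints against your network layout.
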

Finally, you need to configure Rspamd to use Redis as its Bayesian filtering caching and storage system. To do that, create the file below with the contents provided:

File to create: /etc/rspamd/local.d/classifier-bayes.conf
File contents:
servers = "127.0.0.1";
backend = "redis";

Once the above is all completed, you'll need to restart Rspamd. To do that, use the following command:
sudo systemctl restart rspamd
 
Testing Things Out
To verify everything is set up properly, you can try accessing the Rspamd HTTP endpoint via a browser with a URL like: http://10.1.10.212:11334/checkv2. (You will need to modify the URL to use the IP you selected during server setup.) If everything is set up properly, you should receive a result like the one below, which indicates you are reaching the worker:
{"error":"invalid command","error_domain":"protocol-error"} 
To test out the /learnham and /learnspam submissions, try moving one or more sample messages to the junk mail folder, then issue the following command on your Linux server running Rspamd:

redis-cli keys "*"

Implementation and Usage
Next, we need to add the new server as an available Rspamd server in SmarterMail. To do that, do the following:
  1. Log on to SmarterMail as a system administrator
  2. Navigate to Settings > Antispam > Options
  3. On the Remote Rspamd Servers card, click New Server.
  4. Input the same HTTP test interface you verified above.
    Name: Use whatever you like. For example, Rspamd01
    Rspamd Server Address: http://10.1.10.212:11334
    Checkv2 Endpoint: /checkv2
    Learnspam Endpoint: /learnspam
    Learnham Endpoint: /learnham
  5. Save your changes.
Next, you'll want to move to the Options card and enable Send user spam to antispam providers. This ensures that when the "Move to Junk" and/or "Move to Inbox" buttons are used on a message, the messages are handled properly by Rspamd.

Finally, enable the Rspamd spam check under Settings > Antispam > Spam Checks.

To confirm Rspamd scanning is taking place, check the Raw Content of a message and look for Rspamd spam check results. For example (bold for emphasis):

X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, Cyren [Unknown]: 0, _REMOTERSPAMD: 0:0, SPF [Pass]: 0, DKIM [Pass]: 0, Spamhaus: 0, SpamCop: 0, SORBS - Recent: 0, SORBS - No Mail: 0, SORBS - No Server: 0, SORBS: 0, SEM - Black: 0, MailSpike: 0, HostKarma: 0, URIBL: 0, SEM-URI: 0, SURBL: 0  

X-SmarterMail-SpamDetail: Rspamd [HAS_REPLYTO: 0, RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER: 0, R_SPF_ALLOW: -0.2, REPLYTO_ADDR_EQ_FROM: 0, TO_DN_NONE: 0, URI_COUNT_ODD: 1, SEM_URIBL_FRESH15_UNKNOWN_FAIL: 0, RBL_VIRUSFREE_UNKNOWN_FAIL: 0, DKIM_TRACE: 0, RCVD_COUNT_ONE: 0, RCVD_NO_TLS_LAST: 0.1, FROM_EQ_ENVFROM: 0, MIME_TRACE: 0, ASN: 0, RSPAMD_URIBL_FAIL: 0, ONCE_RECEIVED: 0.1, ARC_NA: 0, SEM_URIBL_UNKNOWN_FAIL: 0, R_DKIM_ALLOW: -0.2, FROM_DN_EQ_ADDR: 1, EXT_CSS: 1, MIME_GOOD: -0.1, DWL_DNSWL_HI: -3.5, DMARC_NA: 0, RCPT_COUNT_ONE: 0, MANY_INVISIBLE_PARTS: 0.05, MID_RHS_NOT_FQDN: 0.5, RBL_SPAMHAUS_BLOCKED_OPENRESOLVER: 0]  
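
To read a header like the one above without scanning it by eye, the following added example (not part of the original guide) pulls the Rspamd block out of X-SmarterMail-SpamDetail, lists only the symbols with a non-zero weight, and sums them. The function name and the sample message are assumptions made for illustration, and the header is assumed to sit on one unfolded line as shown here.

```sh
# Added example: list the Rspamd symbols that carried weight in a message.
# Reads raw message content on stdin; exits non-zero when no Rspamd block is found.
rspamd_symbols() {
  awk '/^X-SmarterMail-SpamDetail:/ {
    start = index($0, "Rspamd [")
    if (!start) next
    body = substr($0, start + 8)            # text after "Rspamd ["
    stop = index(body, "]")
    if (stop) body = substr(body, 1, stop - 1)
    n = split(body, pairs, ", ")            # "SYMBOL: weight" items
    for (i = 1; i <= n; i++) {
      split(pairs[i], kv, ": ")
      if (kv[2] + 0 != 0) printf "%+.2f %s\n", kv[2], kv[1]
      total += kv[2]
    }
    found = 1
  }
  END { if (found) printf "TOTAL %+.2f\n", total; exit !found }'
}

# Constructed raw-content excerpt in the format shown above.
sample_msg='X-SmarterMail-Spam: _REMOTERSPAMD: 0:0, SPF [Pass]: 0
X-SmarterMail-SpamDetail: Rspamd [R_SPF_ALLOW: -0.2, URI_COUNT_ODD: 1, ARC_NA: 0, DWL_DNSWL_HI: -3.5, MID_RHS_NOT_FQDN: 0.5]
Subject: constructed sample'
printf '%s\n' "$sample_msg" | rspamd_symbols
```

A non-zero exit status means the message carries no Rspamd results, which is the case the Troubleshooting section covers.
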

Troubleshooting
If you don't see any results in a message's header, a good first step is to check the Delivery Logs in SmarterMail for signs of errors like these:

[2022.12.06] 09:42:48.837 [63422013] Unable to run remote Rspamd spam checks on server : System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.10.212:11333 [2022.12.06] at MailService.Spam.RspamdClient.<ExternalCheck>d__19.MoveNext()  

[2022.12.06] 10:07:48.566 [63422014] Unable to run remote Rspamd spam checks on server : No Rspamd servers available

Generally, that means there's a misconfiguration somewhere: the IP is incorrect, maybe an internal firewall is blocking access, etc. 

Other good troubleshooting sources are the Rspamd dashboard and History page. You can access them via the URL for the HTTP endpoint mentioned above, and you may need the password you set in the /etc/rspamd/local.d/worker-controller.inc file if you are accessing the UI from a machine not listed in the secure_ip field. They should help confirm whether or not messages are being scanned.

If you start seeing Rspamd scanning failing or stalling after a few messages are scanned, it's likely your default Rspamd settings are the cause. Check the /etc/rspamd/options.inc file and modify the following values to higher counts:


TIPS
  • Anywhere a secure_ip value is present in an Rspamd configuration file, use a specific list of IPs rather than an asterisk. Rspamd supports the asterisk (for all) in bind_socket statements but does not support it here. This ends up looking like this:
secure_ip = "127.0.0.1, 10.1.10.2, 10.1.10.3";
 
  • Anywhere there is a bind_socket statement in an Rspamd configuration file, change the address to an asterisk to ensure it's listening on all IPs:
bind_socket="*:11333";
 
  • If you are already performing greylisting on your SmarterMail server you can disable this check (and any others you don’t need) by adding a file called greylisting.conf under /etc/rspamd/local.d with the following line in it: 
enabled = false;

Feedback

Why is the 11333 port used when setting things up but 11334 used when testing and calling it?
David O'Leary (12/27/2023 at 2:07 PM)
Hi David! 11333 is the service port for Rspamd, which you use to make sure Rspamd is working. However, once it's working, you pass all your requests through port 11334 because that is its proxy port which handles everything from standard scanning to HAM/SPAM training.
Andrea Free (12/27/2023 at 2:51 PM)
Another typo: /etc/rspamd/local.d/local.d/
should be: /etc/rspamd/local.d/

David O'Leary (12/29/2023 at 11:01 AM)