rspamd and PMG recommendations

heutger

Famous Member
Apr 25, 2018
885
259
108
Fulda, Hessen, Germany
www.heutger.net
Hi,

I'm ready for testing now. I'm just unsure, if it's a good idea to just add milter for rspamd to main.cf.in and do a sync (which would result in message will be going through postfix pregreet, then rbl, then milter and may be rejected there, then spamassassin with clamav and then get delivered) or to replace the content_filter settings on port 10023/10024 by milter (in main.cf.in and master.cf.in or only one of them?) and wonder, what's on port 10025 happening as set in master.cf.in.

Any suggestions? I won't believe, just adding will break my config, but replacing will for sure have any influence on the statistics, quite unsure which kind of influence (just missing the statistics?). Also having both will require to disable clamav either in rspamd or PMG, otherwise I will get too much delay in message scanning.

Regards,
Christian
 
Oh, and would be great to have any kind of help on pmgproxy, if there is the possibility to set some additional conf options. I was required to install an additional nginx server to proxy (with SSL) the rspamd interface. Would be much greater to have a subpath or proxy on another port with the existing pmxproxy, which should be a apache, nginx or lighttpd httpd server.
 
IMHO rspamd is a totally different product. I would use either PMG or rpamd, but using both is just a waste of resources.
 
Honestly I don‘t agree. PMG is a prepacked preconfigured but primary GUI to a well yet established software bundle to fight spam:

Postfix, SpamAssassin, ClamAV with Postgresql, Apache (or sth. similar), SPF policy daemon, KAM rules, Safe Browsing database, Razor2 plugin, ...

The big glue of PMG over other systems like MailWatch, EFA, Baruwa, MailCleaner (all Mailwatch UIs) is the full integrated, ready to use, full GUI customizable as well as suitable for common installations system (a very good job with some space for improvements) meanwhile all the other systems just focus on the content filter part, may or may not have a CLI routine to set a bit up, but also the GUI is then missing most up to all statistics, logs, setting options etc. from the parts beside the content filter, also content filter settings are often missing. The most near solution is Scrollout F1, but it’s far away from a nice GUI PMG has and does not look like a solution to be used in productive environments.

All other competitors I‘m aware of really built their own systems, but they are that way not such customizable or usable like PMG.

rspamd in comparison is no solution itself, it‘s an alternative part of an open source based approach, replacing SpamAssassin at all with better performance, maybe better quality (will find out on testing) as well as some more support like more antivirus scanners, DKIM already integrated, be able to have more decisions instead of spam and ham, be able to reject high score spam on smtp dialogue, so being legal against block without further notice, ... So I believe, if you would consider to replace SA by rspamd in future versions, it will push PMG once more again, maybe part of the statistics and views of the rspamd UI could be integrated in PMG such a way, that it will produce less effort than doing all by yourself as currently been done for SA.

For sure, it’s a waste of ressources to do all content filtering twice, once with rspamd, second with SA, especially if both will do a clamav scan, as Sophos DI isn’t available for free anymore, I would only use ClamAV, Avast I don’t like, had bad publicity in the past, if you would switch to rspamd a good idea (e.g. in conjunction with valuing up your subscription packaged) would be to get in touch with Avira to integrate in your solution, their scanner is available for OEM partners and products. However, in my current private setup, all mails additional go through two SaaS scanners after passing PMG via my Plesk Server until reaching my Exchange Mailbox, so I can compare quality of all scanners and honestly Greylisting takes more delay than some scanners. ;-)
 
OK, I put much work and energy in getting rspamd running in combination with PMG as well as in defending rspamd, but my tests for private currently show, that the optimized spamassassin works better. However, some missing features I try now to get into PMG as far as it's possible for me, e.g. I was now able to get the given from, to and subject also into PMG, just need a solution on how to show them directly.
 
I got recommendation to run rspamd via milter in combination with PMG would be the best choice, rspamd will get better over time and much more great addons in future. So will see. My how to on running both pipelined you can find at https://www.heutger.net/proxmox-mail-gateway-mit-rspamd/.

Hello heutger ,
According to your willing to merge Rspamd into PMG,
Well, I am with you , I think you completely right.
I already took a look at your blog (German) and translate it to English (so i can read it...)
My opinion is that the rspamd is must have add on to PMG (the plug-in approach is very refreshing...)
I think that the relation of Rspamd to Spamassassin is like the relation from apache to nginx.
The old tools are all good tools , but we can not lock our brain form Progressivism....
If Proxmox will not do it I thing I will do it for my self (base on your blog)
Because I find it never ending flexibility tool for Spam fighting.
and for me it is along time waiting tools in my war against spam.
I think that fighting spam is what basically we all do and for win that fight we
need the finest and sharped tools avail out there.

Best Regards
Koby Peleg Hen
 
Would be fine, if you could report about your experiences. As I wasn't able (or a bit of willing) to fine-tune rspamd similar to the SpamAssassin in PMG (e.g. converting KAM rules to rspamd, importing the other SA rules (after converting and set up an auto-conversion), optimizing the fuzzy logic by learning spam and ham etc.), my results were not as such good as I expected, however I saw the potential, especially for event-driven greylisting, rejecting in smtp dialogue, history with all details to recognize spam or ham easy etc. So maybe PMG will improve later-on by jumping on the train of rspamd instead of SpamAssassin so from old-established to new-improved, will see. However my setup done works well and I will still provide postfix backports for Debian Stretch as long as Debian Stretch is the last stable version and I have enough spare of time.
 
Would be fine, if you could report about your experiences. As I wasn't able (or a bit of willing) to fine-tune rspamd similar to the SpamAssassin in PMG (e.g. converting KAM rules to rspamd, importing the other SA rules (after converting and set up an auto-conversion), optimizing the fuzzy logic by learning spam and ham etc.), my results were not as such good as I expected, however I saw the potential, especially for event-driven greylisting, rejecting in smtp dialogue, history with all details to recognize spam or ham easy etc. So maybe PMG will improve later-on by jumping on the train of rspamd instead of SpamAssassin so from old-established to new-improved, will see. However my setup done works well and I will still provide postfix backports for Debian Stretch as long as Debian Stretch is the last stable version and I have enough spare of time.

I will try it out , As you say I do see the potential of the product in conj-action with PMG.
My willing is to merge the PMG with RspamD + additional rule and to make it PMG on steroids...
This is my long time awaiting for...
 
Please keep us informed. My pros and cons currently are:

- rspamd allows greylisting at particular level (so e.g. if spam level x reached, greylisting can be activated. That's really great as greylisting from my point of view does not help such good any more as in the past (about up to 10 years ago), but it could help, if possible spam is deferred by tempfail, on second try the spammers may already be on a dns relay blacklist without deferring valid mail, which could take then from minutes to hours to arrive (we do in our business a mass business with SLA response times, so delay is worst, which could happen and Proxmox idea of using SPF as an indicator not to greylist is not such a good idea as posted in the past, SPF is not such well deployed as expected, spammers also use SPF listed servers, so it's no good signal to disable greylisting for them, they also use DKIM, so also DMARC is no great option, they already learned and learned as first before server admins did to adjust their "how to get spam through" research, additional SPF would only be helpful, if it's also be usable for blocking and PMG requires SPF been activated (with blocking), if greylisting should be override by SPF, but it's like PGP/GPG and automatic fetching keys from the keyservers: some try out, don't see the advantage and forget about it, resulting in maybe already deleted keys still in the keyservers and unable to read encrypted mails as well as SPF records, which haven't been updated and anyone recognized
- rspamd allows learning ham or spam or fuzzy by posting the mails or fuzzy hash directly via GUI (much easier than doing it via CLI)
- rspamd has adjustable statistics (e.g. I still wonder, why PMG has Junk, Bounces and Viruses in their statistics but not spam and it's also not adjustable, however, this "complain to high heaven" (translation from dict.leo.org, should be in German "Jammern auf hohem Niveau")
- rspamd shows the from address as been shown in the mail client later-on as well as the subject in the statistics, so it's possible to determine, if spam handling is correct (as mails from service like Amazon SES, Mailchimp and many other so called ESPs are otherwise not determinable), I adjusted PMG to handle it similar, but I first need to open the log extract to check out and sometimes subject is BASE64-encoded, which makes it harder to check, Proxmox states that GDPR may be a show-stopper here, but as we are ISO 27001 as well as GDPR consultants, we see limited access here for admins, which also could check the mail archive etc., so if their have been rules established in the companies as required, that's no problem and if it should really be a problem, there could be an option to access details only in four eyes principle with the requirement to enter two passphrases to show details. However to check the measurement of anti-spam control working correct, there is no other way then accessing the details and for our employees, they are not allowed to use company mail for private mails, they can use web.de, gmx etc., which is not filtered or accessible by us, so we are "green" here
- rspamd shows the performed actions and spam scores directly in the "tracking center" (history) meanwhile in PMG this details are spread over several menu options (tracking center and statistics and last one also just in the view split by recipient, which is split by each recipient, so no e.g. domain wide access), so it's harder to get the full overview
- rspamd allows to reject mail at particular level via milter in the mail dialogue, so rejecting is legal e.g. in Germany instead of silently dropping
- rspamd has the option to integrate more antivirus engines, is shipped with DKIM support, more modern, much faster etc., which would make rspamd an optimal drop-in for SpamAssassin, but it also could be integrated with PMG and scorings could be taken to PMG SpamAssassin via regex to adjust their spam scores, also future development will focus on rspamd as there are many projects currently planning to provide addons for rspamd instead continue work for SpamAssassin
- rspamd has a mobile-friendly UI

As this are the pros, rspamd also has some cons:
- rspamd is really new, so it still has some bugs, changing designs etc., so in the short timeframe I tested it, some bugs arise, which would prevent me from using rspamd in productive environments
- rspamd showed not such good scores for me as expected, so it would require additional adjustments then the ones, I did with setup, e.g. I could import the lists I use for PMG, Pyzor and Razor is missing and I would primary need to learn rspamd similar to SpamAssassin bayes. For the first test it looked much worser than PMG in the beginning with no adjustments and as I already did a few adjustments, it did not got such better as PMG did with my customizations, so I focussed on PMG
- rspamd together with PMG also took some more system requirements than PMG only (for sure, and less than expected, but e.g. for my private installation it would require me to take a bigger environment, I don't want to pay for, as mentioned in my private blog post, it's a luxury problem, that I use a PMG in front of my private mail services, as private mail get filtered afterwards already by two antispam SaaS services, one free and another already included in my hosted exchange environment)
- rspamd together with PMG requires a newer postfix, which needs to be backported
- PMG shows good values currently with my adjustments, so no need to focus on another solution, just the only thing left, rejecting high score spam, still "makes me stupid", but I yet found a solution therefor, I will post about it lateron
- PMG has a very good GUI with access rights, LDAP integration etc., rspamd has a very restricted GUI with only one possible password. However, I won't expect rspamd to replace PMG but replacing SpamAssassin through rspamd, so both GUI should be integrated then

Sorry, if my text is a bit long or maybe confusing (ask me and I will explain). I had been often interrupted and need to rethink, what I planned to write. Who knows me private could consider, why I have been interrupted. ;-)
 
It seems to me that now (year and half later), the rspamd might be a vital upgrade to proxmox, replacing the classic spamassasin stack.
ISPconfig (another WebUI for configuring mailserver) now has this option enabled by default.
 
It seems to me that now (year and half later), the rspamd might be a vital upgrade to proxmox, replacing the classic spamassasin stack.
ISPconfig (another WebUI for configuring mailserver) now has this option enabled by default.

I'm afraid, rspamd's fuzzy results still won't fit "my spam and ham". Also with PMG 6.1 introducing the pre-queue filtering, it's much better not to be in need to have another miltered "double-setup".
 
@heutger hello. I came to this forum post after seeing your blog post. I haven't translated to read it yet but there's enough info here too. I am currently running a pretty customized virtual host setup with postfix+dovecot where MailScanner (spamassassin) is doing the tagging of spam. I am having a bunch of issues with it and found to my surpise that the spamassassin documentation is less than stellar. (Horrribly lacking is another word I thought of first).

I am weighing my options now. I am liking what I see with rspamd but I'd like to take this opportunity to also add a GATEWAY in front of the local mta/mda stuff and frankly don't want to have to install postfix again.

On the other hand, proxmox mail gateway (though it doesn't seem to have wide adoption) seems like a nice overall solution. Especially having tried their virtualization platform for a few days now.

Would you say it's worth installing PMG today and making the effort to gut out spamassassin and replacing it with rspamd? What PMG functionality would be lost if any?

Cheers
 
@heutger hello. I came to this forum post after seeing your blog post. I haven't translated to read it yet but there's enough info here too. I am currently running a pretty customized virtual host setup with postfix+dovecot where MailScanner (spamassassin) is doing the tagging of spam. I am having a bunch of issues with it and found to my surpise that the spamassassin documentation is less than stellar. (Horrribly lacking is another word I thought of first).

I am weighing my options now. I am liking what I see with rspamd but I'd like to take this opportunity to also add a GATEWAY in front of the local mta/mda stuff and frankly don't want to have to install postfix again.

On the other hand, proxmox mail gateway (though it doesn't seem to have wide adoption) seems like a nice overall solution. Especially having tried their virtualization platform for a few days now.

Would you say it's worth installing PMG today and making the effort to gut out spamassassin and replacing it with rspamd? What PMG functionality would be lost if any?

Cheers

From my current point of view, PMG is one of the best solutions for antispam and antivirus on the market. The gateway is easy to install and administer, however, to get better quality, some adjustments need to be done, which may include options to be set via shell. However, Proxmox tries to improve their solution continuously, so if you're not familiar with the shell, you can also run a somehow good setup out of the box.

If it comes to rspamd, it has been promoted very much, so I had a look at and tried to replace spamassassin through rspamd, but I couldn't agree to the euphoria on rspamd. I got many false-positives and false-negatives, much more than with the native PMG setup and for sure more than with the adjusted PMG. So I went back to PMG with native spamassassin built in and tried to optimize it more and more.

There are just some few lessons, which PMG could learn from rspamd, e.g. showing the subject line, showing the from address (and not only the sender address, which may be an administrative address e.g. from the major ESPs to detect bounces), trigger greylisting only for "may-be-spam" to use greylisting in a different, state of the art, manner (as greylisting doesn't work well any more just to be a first line of defense, that was back years ago and doesn't help as much any more but frustrates the users by delaying legit mail as well) to add an extra loop to possible spam to hopefully have real spam listed on RBL on the second try. Latest a mobile friendly GUI and some more insights, learning spam and ham via GUI are some few improvements, I would like to see in PMG as well.

If you're familiar with dovecot, maybe you could also do the coding with sieve to invoke sa-learn on spam and ham by user actions in their mailboxes, which I wasn't able to perform yet.
 
  • Like
Reactions: guletz
@heutger Thank you for your quick and detailed response.

I think it's worth at least checking out PMG on its own for a bit. I never had a separate mail gateway before and the only time I tried to with the community version of Mailcleaner I found it to be broken even as a ready made virtual image. My current solution is not going to be sustainable for long. Even now I have a problem with spamassasssin not hitting URI lists and everything is completely silent. I don't even know when it started or if it ever worked at this point. It will be nice to have a central view of the whole thing.

Regarding dovecot and sieves. My setup doesn't have a lot of false positives so I just quarantine flagged messages and check them out every once in a while with mailwatch. Letting some real spam pass is not a huge issue but sender spoofing is becoming a huge pain. Some emails look so legit that I have to even open the attachments sometimes. We've had a few instances where the email was actually legit for all intents and purposes, except the other party's account was hacked. (They find the passwords and search old mail for strings like "invoice", then send emails claiming to provide new bank account details). All this to say I haven't needed much sieve operations but it would be nice to look into for sure.

Thanks again.

EDIT: I am checking out your other post regarding advancing PMG. It will be a good next step for me.
 
@heutger Thank you for your quick and detailed response.

I think it's worth at least checking out PMG on its own for a bit. I never had a separate mail gateway before and the only time I tried to with the community version of Mailcleaner I found it to be broken even as a ready made virtual image. My current solution is not going to be sustainable for long. Even now I have a problem with spamassasssin not hitting URI lists and everything is completely silent. I don't even know when it started or if it ever worked at this point. It will be nice to have a central view of the whole thing.

Regarding dovecot and sieves. My setup doesn't have a lot of false positives so I just quarantine flagged messages and check them out every once in a while with mailwatch. Letting some real spam pass is not a huge issue but sender spoofing is becoming a huge pain. Some emails look so legit that I have to even open the attachments sometimes. We've had a few instances where the email was actually legit for all intents and purposes, except the other party's account was hacked. (They find the passwords and search old mail for strings like "invoice", then send emails claiming to provide new bank account details). All this to say I haven't needed much sieve operations but it would be nice to look into for sure.

Thanks again.

EDIT: I am checking out your other post regarding advancing PMG. It will be a good next step for me.

Just give it a try and also consider to adjust it a bit with my Advancing PMG thread.
 
  • Like
Reactions: oktay
I've been playing with PMG since yesterday. It looks nice enough but I have kind of been disillusioned when I started to need documentation. The admin guide seems more like a list of config options and parameters than a functional document.

As far as I can tell it doesn't address that some settings need to even be made on the internal mail server too. It does not have a basic working setup sample (there's a video of this) and it doesn't say which options must be set at a minimum. I think people who've been using Postfix in a gateway setup would feel at home but the rest would feel pretty lost. It might just be that I am not the target audience of course.

I am tempted to take back what I said about spamassassin documentation. Not the best start but I'll keep at it for a while.

I guess you could say I am surprised more than anything. The Virtual Environment documents are better.
 
I've been playing with PMG since yesterday. It looks nice enough but I have kind of been disillusioned when I started to need documentation. The admin guide seems more like a list of config options and parameters than a functional document.

As far as I can tell it doesn't address that some settings need to even be made on the internal mail server too. It does not have a basic working setup sample (there's a video of this) and it doesn't say which options must be set at a minimum. I think people who've been using Postfix in a gateway setup would feel at home but the rest would feel pretty lost. It might just be that I am not the target audience of course.

I am tempted to take back what I said about spamassassin documentation. Not the best start but I'll keep at it for a while.

I guess you could say I am surprised more than anything. The Virtual Environment documents are better.

You're welcome to improve the documentation. It's finally an open source product right now, so users should be aware of what they do or should purchase a subscription to get support. The getting started tutorials and videos are good enough to start with, however, as mentioned earlier, feel free to give something back, e.g. by improving the documentation, writing tutorials etc. ;-)
 
  • Like
Reactions: flames
@heutger I hear you. I've used a lot of open source products. Actually exclusively. I think you're the same. I'll figure this out for sure and I might put together something regarding my setup later. Thanks.
 
  • Like
Reactions: heutger

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!