Hello everyone,
Apologies as I am sure this is quite basic, but I am new to Postfix-rspamd integration and I could not find an answer so far. How do you tell postfix to scan all incoming mail with rspamd, precisely, in opnSense of course?
Both Postfix and rspamd are up and running, but they appear not to be talking to each other.
I can confirm that Postfix is successfully receiving mail and sending it to my internal mail-server.
I can also confirm rspamd is also up and running: I have activated its webGui (thanks to help received here on the forum), and there I can see it is in fact not yet scanning anything.
Thank you!
What does rspamd log tell?
Thank you for replying.
Where do I find the log? There's no log that I can find in the openSense GUI.
Bump. :)
To focus my question a bit more: where do you tell Postfix to use rspamd, precisely?
I simply checked the "Enable rspamd inegration" box in the Antispam tab. Not sure this is enough.
I followed these steps and it worked for me:
https://docs.opnsense.org/manual/how-tos/mailgateway.html
(https://docs.opnsense.org/manual/how-tos/mailgateway.html)
All services (redis, clamav, rspamd, postfix) must of course be enabled and the milter protocol should be kept on the "IPv6" setting. You actually enable rspamd in the Antispam tab of the postfix settings.
Quote from: Taym on February 10, 2021, 04:44:39 PM
Bump. :)
To focus my question a bit more: where do you tell Postfix to use rspamd, precisely?
I simply checked the "Enable rspamd inegration" box in the Antispam tab. Not sure this is enough.
That's enough
Just tick that
Quote from: Taym on February 10, 2021, 04:44:39 PM
Bump. :)
To focus my question a bit more: where do you tell Postfix to use rspamd, precisely?
I simply checked the "Enable rspamd inegration" box in the Antispam tab. Not sure this is enough.
tail -f /var/log/rspamd/rspamd.log
Quote from: mimugmail on February 11, 2021, 09:24:40 PM
tail -f /var/log/rspamd/rspamd.log
Thank you so much. Here it is:
root@Argonath:/ # 2021-02-12 20:25:14 #45692(rspamd_proxy) <71cab1>; proxy; proxy_milter_error_handler: abnormally closing milter connection from: 127.0.0.1:11784, error: invalid protocol version: 4
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:21 #45692(rspamd_proxy) <e0475b>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 25664
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:21 #45692(rspamd_proxy) <e0475b>; milter; rspamd_milter_process_command: MTA specifies too old protocol: 4, aborting connection
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:21 #45692(rspamd_proxy) <e0475b>; proxy; proxy_milter_error_handler: abnormally closing milter connection from: 127.0.0.1:25664, error: invalid protocol version: 4
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:22 #45692(rspamd_proxy) <153dec>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 40959
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:22 #45692(rspamd_proxy) <153dec>; milter; rspamd_milter_process_command: MTA specifies too old protocol: 4, aborting connection
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:22 #45692(rspamd_proxy) <153dec>; proxy; proxy_milter_error_handler: abnormally closing milter connection from: 127.0.0.1:40959, error: invalid protocol version: 4
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:22 #45692(rspamd_proxy) <f9594e>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 2579
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:22 #45692(rspamd_proxy) <f9594e>; milter; rspamd_milter_process_command: MTA specifies too old protocol: 4, aborting connection
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:22 #45692(rspamd_proxy) <f9594e>; proxy; proxy_milter_error_handler: abnormally closing milter connection from: 127.0.0.1:2579, error: invalid protocol version: 4
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:35 #45692(rspamd_proxy) <21bb20>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 13861
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:35 #45692(rspamd_proxy) <21bb20>; milter; rspamd_milter_process_command: MTA specifies too old protocol: 4, aborting connection
Missing name for redirect.
root@Argonath:/ # 2021-02-12 20:25:35 #45692(rspamd_proxy) <21bb20>; proxy; proxy_milter_error_handler: abnormally closing milter connection from: 127.0.0.1:13861, error: invalid protocol version: 4
Missing name for redirect.
Have you enabled "shared forwarding" under your Firewall -> settings -> advanced?
Quote from: lfirewall1243 on February 12, 2021, 08:39:00 PM
Have you enabled "shared forwarding" under your Firewall -> settings -> advanced?
Yes. "Shared forwarding" is
enabled. And, as far as I remember it has always been, as I never changed that.
2021-02-13 00:55:15 #45692(rspamd_proxy) <6a4283>; proxy; proxy_milter_error_handler: abnormally closing milter connection from: 127.0.0.1:11396, error: invalid protocol version: 4
2021-02-13 00:55:18 #45692(rspamd_proxy) <144587>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 63305
2021-02-13 00:55:18 #45692(rspamd_proxy) <144587>; milter; rspamd_milter_process_command: MTA specifies too old protocol: 4, aborting connection
2021-02-13 00:55:18 #45692(rspamd_proxy) <144587>; proxy; proxy_milter_error_handler: abnormally closing milter connection from: 127.0.0.1:63305, error: invalid protocol version: 4
One more check to the log, in case it helps.
Is this the latest version? Which settings do you have in anti spam Tab in postfix plugin?
I believe they are the latest version you can get from within opnSense itself (Firmware -> Plugin / Packages / Updates).
In particular
Postfix 1.17
rspamd 1.10
Redis 1.1
In Postfix plugin:
Services -> Postfix -> General
Antispam tab
I have only two items
- Enable Rspamd integration: CHECKED
- Milter IP version: IPv4 (only other option being IPv6).
Ok, I switched the Milter IP Version to "IPv6" and it appears to be working!
I am confused as to what it is meant in by "IPv6" but... it is working!
Thank you all guys for pointing me in the right direction. I had never even considered to change the Milter IP Version to "IPv6" as I interpreted it as referring to whether I was using or not IPv6 in my network. I completely overlooked at it and misunderstood the meaning of the that setting.
So, all is good now! Rspamd is scanning incoming Mail, and it even looks like score values I set are more ore less OK.
What score values are you guys using? Here are mine:
Reject Score 150
Header Score 6
Subject Score 10
Greylist Score 4
I really do not know how to set them, and I found the above values somewhere in the examples of opnSense documentation. By looking at rspamd webGUI, it looks like they are pretty good, but, I wonder, is there anything I should know about those?
Why do you have the Reject score set to 150? That would mean you're never rejecting any messages, is that what you intended?.
I'll adjust once I understand how scores work. I don't even know what a meaningful range is.
What do you have as reject score?
Reject Score 150
Header Score 9
Subject Score 10
Greylist Score 8
I already adjusted as above. Several legit messages were being graylisted with 7.x score, including notifications from this very forum.
Good thing is that a lot of spam is being detected.
My configuration is as follows:
Reject Score 12
Header Score 9
Subject Score 10
Greylist Score 4
BTW, I should point out that my Rspamd instance is on my local LAN and not the version in OPNsense.
Thanks.
I have just adjusted the reject score down to 35.
Just playing around with this and slowly making it more restrictive. I just want to be sure I minimize the chances of rejecting something I do need.
Looking at the log, it does seems that virtually all above 15 is most definitely spam. But, I've been observing rspamd in action for only few hours.
See Page 29, the whole manual is a good read.
https://www.heinlein-support.de/sites/default/files/SLAC_2019_Rspamd-neue-Konzepte-im-AntiSpam.pdf
Quote from: Bismarck on February 13, 2021, 04:00:25 PM
See Page 29, the whole manual is a good read.
https://www.heinlein-support.de/sites/default/files/SLAC_2019_Rspamd-neue-Konzepte-im-AntiSpam.pdf
Thank you!