Nethserver-rspamd a new module


(Stéphane de Labrusse) #21

yes but not available for our version of dovecot, we need dovecot-2.2.24

I can see a rpm but not tested

(Matthieu Gaillet) #22

Another issue is that amavisd (actually clamd) is huge ressource hog. It keeps your server from handling incoming mail (and even generate non-delivery) when reloading, especially on entry levels machines where clamd takes more than 30 seconds to reload (every 3 hours).

(Stéphane de Labrusse) #23

really good

(Stéphane de Labrusse) #24

with rspamd you could imagine to go to other antivirus like sophos. I have not tested them

(Matthieu Gaillet) #25

We want a beta ! :heart_eyes:

(Davide Principi) #26


I’d like three new alternative RPMs available, that allow the stable and the beta version to coexist in our YUM repositories:

  • nethserver-mail2-common
  • nethserver-mail2-filter
  • nethserver-mail2-server

…so that anyone can choose what to install (stable/amavisd or beta/rspamd). We could also show the alternatives in the software center.

(Davide Principi) #27

Since amavisd is going to be replaced by rspamd we need a strategy for the disclaimer feature.

It is a rarely used feature, so my proposal is shipping it in an optional RPM.

This is an hypothetical road map:

  • as long as we’re in 7.4, provide -mail2 alternative implementation without disclaimer
  • at release 7.5, rename -mail2 to -mail (so that “beta” becomes “stable” and old amavisd-based installations upgrade to rspamd). Updated installations will receive automatically the nethserver-mail-disclaimer RPM with the legacy feature, whilst new installs must opt-in to have it

(Stéphane de Labrusse) #28

Altermime (disclaimer feature) has no updates since 2008, it is likely an unmaintained software, even if it is used by the amavisd stack. What incredible is, there is no alternative.

(Davide Principi) #29

Yes, my idea is applying the naive altermime recipe for Postfix and shipping it in an optional package. For instance

(Davide Principi) #30

During our Communtiy meeting at FOSDEM 2018, @stephdl shown the development progress of rspamd integration (see videos).

There’s an update: yesterday nethbot uploaded the first bundle of nethserver-mail2-* packages!

The source code of the new packages bundle is available at

This git repo contains the merged code from nethserver-mail-server, nethserver-mail-common, nethserver-mail-filter repositories plus the Rspamd development work. Old repositories are still available for v6 and v7 (amavisd-based) code.

I try to recap the current state of this huge work - feel free to comment/add more. As said our goal is to replace amavisd with rspamd for NS7.5 ISO milestone by reaching feature parity (and more). What’s missing?

To enter the Beta stage:

  • DKIM signing (based on OpenDKIM)
  • Documentation to migrate existing DKIM keys to OpenDKIM
  • Manual upgrade procedure from amavisd to rspamd

For final release:

  • Disclaimer implementation
  • Automated upgrade procedure from amavisd to rspamd
  • Merge nethserver-smarthost source code into nethserver-mail

For rspamd eagers here’s how to install the new packages from scratch:

yum --enablerepo=nethserver-testing \
    nethserver-mail2-{common,filter,server} clamav-data-empty

And how to switch to rspamd (pay attention to blanks):

yum --enablerepo=nethserver-testing swap \
    -- remove nethserver-mail-{common,filter,server} \
    -- install nethserver-mail2-{common,filter,server}

The clamd@amavisd instance can be stopped now:

systemctl status clamd@amavisd
systemctl stop clamd@amavisd

To switch back to amavisd (stable):

yum --enablerepo=nethserver-testing swap \
    -- install nethserver-mail-{common,filter,server} \
    -- remove nethserver-mail2-{common,filter,server}

(Saito Benkei) #31

Yeah, so it will break mi signature script… :frowning:

(Stéphane de Labrusse) #32

unfortunately it is only a matter of time before altermime (the engine) is tagged as non maintained. Indeed you have no updates no maintenance since 16 november 2008 and you have no alternative for postfix

I see three possible ways

  • use altermime alone without amavisd
  • use rspamd to add signature (not sure)
  • fork altermime and start a new project :slight_smile:

Sure that in maybe a short time, your signature script could die :’(

(Filippo Carletti) #33

A signature is not a disclaimer.
Briefly, signatures are user specific, each user has his signature. Signatures are handled by the MUA (Mail User Agent, i.e. thunderbird, webtop, sogo).
The disclaimer is added by the MTA, the users should have no control over it.

A centrally-administered signature is perfect to implement a disclaimer.
But not the contrary.

I’d discourage improper usage of the disclaimer feature.
Moreover, mangling of messages by the MTA is not a good practice (think about end-to-end encryption).

I vote to remove the disclaimer feature in a future version and suggest correct usage of the signature.

Ask @lucag for webtop and @stephdl for sogo to add some documentation.

(Saito Benkei) #34

Yes, but a centralized signature systems permits to have same signature format for all users with specific tags filled “on-the-fly” for every user (like a Webtop signature).
The you haven’t to go to every MUA (thunderbird, webtop, sogo, smartphones, etc) to configure the signature to every user and you have a homogeneous appearance whatever the MUA you use.

Webtop has some (in my view) issues how it generates signatures.

(Stefano Zamboni) #35

I create signatures for SOGo on SME server using user’s data and some custom templates
they are created/modified every time I create an user or edit it
the logo is BASE64 encoded
in user-create and user-modify event I call sogo tool to associate the right signature to the user
just an hint

(Davide Principi) #36

After a few hours of running rspamd I’m impressed by its accuracy!

Well done @stephdl!

(Stéphane de Labrusse) #37

Yes…rspamd is really accurate, fast and fun to use.

One of the best project I participated, thank @davidep you did a lot in the background

(Saito Benkei) #38

I’m working on it…:+1:

(Stéphane de Labrusse) #39

do not be shy to share your way if you get something workable

(Stéphane de Labrusse) #40

got something workable with altermime and email address, I need to search for a solution domain based, and write the template, but we should get disclaimer back in the server-manager