
Issue Not happy with Plesk Email Security

ssmmdd

Have installed Plesk Email Security and I'm getting more spam than before I had it installed.

I set it to the highest level and it's still letting more through than without it.

It is making me not want to purchase it - it's not exactly setting a good example is it?

And before you go "it's better once you pay for it" I get that, but to let more spam through than without it makes me not want to pay for it.

How can I get further help with this?

Oh and hopefully this won't be deleted like my last Thread was - if this also gets deleted I will simply dump Plesk for something else.
 
Hi ssmmdd,

first of all, Plesk Email Security works without any issues with a high level of protection also in the free version. You don't have to buy the Pro license to get basic protection! The Pro version improves the protection drastically, but what you've described shouldn't happen in the free version. The free version is installed on many thousands of servers and is also making our customers happy!

It sounds like something went wrong on your server and the extension is not installed correctly. With the given information, it is hard to help you. Have you checked the mail logs, the error logs or the email headers? Without the data, I can only recommend you to reinstall the extension so that the configuration files are rewritten. Make sure to uninstall the extension first, and then install it again. Use the default settings first and send a spam test string to one of your emails. If the string is not classified as spam, then something is wrong and the protection is not working properly. Use the string from here: SpamAssassin: The GTUBE

Have success!
 
Hello Viktor,

I have uninstalled and re-installed at least twice.

I have sent that string to myself from a different e-mail address and it was not blocked.

This is broken. How do I get help with this please?
 
Can you provide the output for:
Code:
plesk sbin mail_handlers_control --list | egrep "all-recipients|[email protected]"
Replace [email protected] with your mailbox.


Also do you see any errors inside /var/log/maillog related to SpamAssassin, etc.?

This is broken. How do I get help with this please?
If you want us to check this directly on the server:
 
Can you provide the output for:
Code:
plesk sbin mail_handlers_control --list | egrep "all-recipients|[email protected]"
Replace [email protected] with your mailbox.
Yep:
Code:
[root@ssmmdd ~]# plesk sbin mail_handlers_control --list | egrep "all-recipients|[email protected]"
| X |   |    10 |                       all-recipients |             spf |           global |    before-queue |
| X |   |    10 |                       all-recipients | dd52-domainkeys |           global |    before-local |
| X |   |    20 |                       all-recipients |           dmarc |           global |    before-local |
| X |   |    10 |                       all-recipients |     check-quota |           global |    before-queue |
| X |   |    10 |                       all-recipients |     check-quota |           global | before-sendmail |
| X |   |     5 |                       all-recipients |       limit-out |           global |    before-queue |
| X |   |     5 |                       all-recipients |       limit-out |           global | before-sendmail |
|   |   |    10 |                     [email protected] |            spam |        recipient |    before-local |

Also do you see any errors inside /var/log/maillog related to SpamAssassin, etc.?

There are no spamassassin errors. There are other errors like this:

Code:
May 22 15:06:01 ssmmdd dovecot: service=imap, [email protected], ip=[<my IP>]. Error: Mailbox INBOX: UID=8064: read(/var/qmail/mailnames/bloggs.com/i-m/Maildir/cur/1575992973.M166767P2633.bh-uk-5.webhostbox.net,S=15479,W=15880:2,S) failed: Cached message size larger than expected (15479 > 4286, box=INBOX, UID=8064) (read reason=mail stream)
May 22 15:06:01 ssmmdd dovecot: service=imap, [email protected], ip=[<my IP>]. Error: Corrupted record in index cache file /var/qmail/mailnames/bloggs.com/i-m/Maildir/dovecot.index.cache: UID 8064: Broken physical size in mailbox INBOX: read(/var/qmail/mailnames/bloggs.com/i-m/Maildir/cur/1575992973.M166767P2633.bh-uk-5.webhostbox.net,S=15479,W=15880:2,S) failed: Cached message size larger than expected (15479 > 4286, box=INBOX, UID=8064)
May 22 15:06:01 ssmmdd dovecot: service=imap, [email protected], ip=[<my IP>]. Error: Mailbox INBOX: UID=8064: read(/var/qmail/mailnames/bloggs.com/i-m/Maildir/cur/1575992973.M166767P2633.bh-uk-5.webhostbox.net,S=15479,W=15880:2,S) failed: Cached message size larger than expected (15479 > 4286, box=INBOX, UID=8064) (FETCH BODY[])
May 22 15:06:01 ssmmdd dovecot: service=imap, [email protected], ip=[<my IP>]. FETCH read() failed rcvd=526, sent=352843

Here's the log of when I sent myself the test message:

Code:
May 22 15:05:50 ssmmdd postfix/smtpd[615]: connect from mail-cwlgbr01hn2209.outbound.protection.outlook.com[52.100.178.209]
May 22 15:05:50 ssmmdd postfix/smtpd[615]: EBB102120D02: client=mail-cwlgbr01hn2209.outbound.protection.outlook.com[52.100.178.209]
May 22 15:05:50 ssmmdd postfix/cleanup[622]: EBB102120D02: message-id=<LO2P123MB20166713D804323B1026257CB0B40@LO2P123MB2016.GBRP123.PROD.OUTLOOK.COM>
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: handlers_stderr: SKIP
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: SKIP during call 'limit-out' handler
May 22 15:05:51 ssmmdd spf[738]: Starting the spf filter...
May 22 15:05:51 ssmmdd spf[738]: Error code: (2) Could not find a valid SPF record
May 22 15:05:51 ssmmdd spf[738]: Failed to query MAIL-FROM: No DNS data for 'spitfire-ams.co.uk'.
May 22 15:05:51 ssmmdd spf[738]: SPF result: none
May 22 15:05:51 ssmmdd spf[738]: SPF status: PASS
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: handlers_stderr: PASS
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: PASS during call 'spf' handler
May 22 15:05:51 ssmmdd check-quota[739]: Starting the check-quota filter...
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: handlers_stderr: SKIP
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: SKIP during call 'check-quota' handler
May 22 15:05:51 ssmmdd postfix/qmgr[30110]: EBB102120D02: from=<[email protected]>, size=7837, nrcpt=1 (queue active)
May 22 15:05:51 ssmmdd postfix/smtpd[615]: disconnect from mail-cwlgbr01hn2209.outbound.protection.outlook.com[52.100.178.209] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
May 22 15:05:51 ssmmdd postfix/smtpd[648]: connect from localhost.localdomain[127.0.0.1]
May 22 15:05:51 ssmmdd postfix/smtpd[648]: 7ED052120D69: client=localhost.localdomain[127.0.0.1], orig_queue_id=EBB102120D02, orig_client=mail-cwlgbr01hn2209.outbound.protection.outlook.com[52.100.178.209]
May 22 15:05:51 ssmmdd postfix/cleanup[622]: 7ED052120D69: message-id=<LO2P123MB20166713D804323B1026257CB0B40@LO2P123MB2016.GBRP123.PROD.OUTLOOK.COM>
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: handlers_stderr: SKIP
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: SKIP during call 'limit-out' handler
May 22 15:05:51 ssmmdd spf[746]: Starting the spf filter...
May 22 15:05:51 ssmmdd spf[746]: SPF result: pass
May 22 15:05:51 ssmmdd spf[746]: SPF status: PASS
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: handlers_stderr: PASS
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: PASS during call 'spf' handler
May 22 15:05:51 ssmmdd check-quota[747]: Starting the check-quota filter...
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: handlers_stderr: SKIP
May 22 15:05:51 ssmmdd psa-pc-remote[32662]: SKIP during call 'check-quota' handler
May 22 15:05:51 ssmmdd postfix/qmgr[30110]: 7ED052120D69: from=<[email protected]>, size=8401, nrcpt=1 (queue active)
May 22 15:05:51 ssmmdd postfix/smtpd[648]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
May 22 15:05:51 ssmmdd amavis[19267]: (19267-10) Passed CLEAN {RelayedInbound}, [52.100.178.209]:31820 [52.100.178.209] <[email protected]> -> <[email protected]>, Queue-ID: EBB102120D02, Message-ID: <LO2P123MB20166713D804323B1026257CB0B40@lo2p123mb2016.gbrp123.prod.outlook.com>, mail_id: Yllr6p9GOUK7, Hits: -, size: 8049, queued_as: 7ED052120D69, dkim_sd=selector1-xxxxxxx-onmicrosoft-com:xxxxxxx.onmicrosoft.com, 412 ms
May 22 15:05:51 ssmmdd postfix-local[748]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
May 22 15:05:51 ssmmdd postfix/smtp[632]: EBB102120D02: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.88, delays=0.45/0/0/0.43, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7ED052120D69)
May 22 15:05:51 ssmmdd postfix/qmgr[30110]: EBB102120D02: removed
May 22 15:05:51 ssmmdd dk_check[749]: Starting the dk_check filter...
May 22 15:05:51 ssmmdd dk_check[749]: DKIM verify result: Success
May 22 15:05:51 ssmmdd dmarc[750]: Starting the dmarc filter...
May 22 15:05:51 ssmmdd dmarc[750]: Store DKIM result for 'xxxxxxx.onmicrosoft.com' into DMARC library.
May 22 15:05:51 ssmmdd dmarc[750]: DMARC: PASS message for [email protected]
May 22 15:05:51 ssmmdd postfix-local[748]: deliveryManager: Get empty message id, delivery state will be disabled for this mail
May 22 15:05:52 ssmmdd dovecot: service=lda, [email protected], ip=[]. sieve: msgid=? <LO2P123MB20166713D804323B1026257CB0B40@LO2P123MB2016.GBRP123.PROD.OUTLOOK.COM>: stored mail into mailbox 'INBOX'
May 22 15:05:52 ssmmdd postfix/pipe[656]: 7ED052120D69: to=<[email protected]>, relay=plesk_virtual, delay=0.6, delays=0.27/0/0/0.33, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
May 22 15:05:52 ssmmdd postfix/qmgr[30110]: 7ED052120D69: removed

If you want us to check this directly on the server:

Licence was bought from a 3rd party. Their servers are incredible, but the customer service are a bit slow to reply, and I get the feeling they don't really want to help me regarding Plesk, even though as far as Plesk are concerned, it's their job.
 
I did test this on my server and on the header from the test mail with the GTUBE string:

Code:
X-Virus-Scanned: Debian amavisd-new at mail.<GDPR>.com
X-Spam-Flag: YES
X-Spam-Score: 997.9
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=997.9 tagged_above=-9999 required=7
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GTUBE=1000,
    HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no

Should this not be the case in yours can you please enable the SpamAssassin Debug mode and try again?
Debug can be enabled over Extensions -> Plesk Email Security -> Server Settings -> Advanced
 
My mistake - I did it from an address I had whitelisted (I've only whitelisted two).

I did it from a non-whitelisted address and it correctly blocked it, so that part is working.

But it's still letting more spam though, even on the highest setting, than it did with it not installed.
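
The amavis line in the log posted earlier in the thread reads `Passed CLEAN` with `Hits: -`, i.e. no spam score was logged for the GTUBE test, which fits the whitelisted sender described here. As an added example (not code from any poster or from Plesk), this Python script reads amavis lines from a mail log and lists delivered messages that were never scored, plus the scores of those that were; the sample lines and all function names are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample in the amavis log format seen in the thread; the host,
# addresses (documentation ranges) and IDs are made up for this example.
SAMPLE_LOG = """\
May 22 15:05:51 mx amavis[19267]: (19267-10) Passed CLEAN {RelayedInbound}, [192.0.2.10]:31820 [192.0.2.10] <friend@example.org> -> <user@example.com>, Queue-ID: A1, mail_id: m1, Hits: -, size: 8049, queued_as: B1, 412 ms
May 22 15:07:12 mx amavis[19267]: (19267-11) Blocked SPAM {DiscardedInbound,Quarantined}, [198.51.100.7]:40112 [198.51.100.7] <tester@example.net> -> <user@example.com>, Queue-ID: A2, mail_id: m2, Hits: 997.9, size: 8101, 1320 ms
May 22 15:09:30 mx amavis[19270]: (19270-02) Passed CLEAN {RelayedInbound}, [203.0.113.5]:51100 [203.0.113.5] <shop@example.net> -> <user@example.com>, Queue-ID: A3, mail_id: m3, Hits: 4.8, size: 5120, queued_as: B3, 980 ms
May 22 15:11:02 mx amavis[19270]: (19270-03) Passed CLEAN {RelayedInbound}, [192.0.2.10]:31907 [192.0.2.10] <friend@example.org> -> <user@example.com>, Queue-ID: A4, mail_id: m4, Hits: -, size: 7733, queued_as: B4, 95 ms
May 22 15:11:02 mx postfix/qmgr[30110]: B4: removed
"""

AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<category>[A-Z][A-Z0-9-]*)"
    r".*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?\bHits: (?P<hits>[^,\s]+)"
)


def parse_amavis_line(line):
    """Return action, category, sender, rcpt and hits for an amavis verdict line."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["hits"] = float(rec["hits"])
    except ValueError:
        rec["hits"] = None  # "Hits: -": no spam score was logged
    return rec


def delivered(log_text):
    """Yield parsed records for messages amavis passed on for delivery."""
    for line in log_text.splitlines():
        rec = parse_amavis_line(line)
        if rec and rec["action"] == "Passed":
            yield rec


def unscored_deliveries(log_text):
    """Count, per sender, delivered messages that carry no spam score."""
    return Counter(r["sender"] for r in delivered(log_text) if r["hits"] is None)


def scored_deliveries(log_text):
    """Delivered messages that were scored, highest score first."""
    rows = [(r["hits"], r["sender"]) for r in delivered(log_text) if r["hits"] is not None]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/maillog) or run on the built-in sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("Delivered without a spam score (check whitelists and bypass rules):")
    for sender, count in unscored_deliveries(text).most_common():
        print(f"  {count:4d}  {sender}")
    print("Delivered with a score (compare against the configured threshold):")
    for hits, sender in scored_deliveries(text):
        print(f"  {hits:7.1f}  {sender}")
```

Senders that show up in the first list were not scored at all, so raising the sensitivity level has no effect on their mail.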
 
@ssmmdd

I have two seemingly irrelevant questions, being

1 - you state "more spam" and that is an implicit comparison........ with what? yesterday? previous month? when the extension was not installed?
2 - why not uninstalling the extension, if it indeed allows more spam than when the extension is inactive or not installed?

Please note that I am simply curious, since what you are saying is something that other people are also experiencing.

And if the Plesk Email Security Extension is actually soliciting or even causing spam (or increase in spam levels), then it should not be offered at all.

By the way, the following line in your logs

Error: Corrupted record in index cache file /var/qmail/mailnames/bloggs.com/ ....

is the most interesting one.

Did you already try to remove the cache and restart dovecot afterwards? Also see this KB article - it gives a nice tutorial on a closely related problem.

I am not sure whether this is the root cause of the problem, but it certainly is related or even a symptom - hence, it might be relevant.

I hope to hear from you if you have cleaned up the cache!

Kind regards.......

 
I have two seemingly irrelevant questions, being

1 - you state "more spam" and that is an implicit comparison........ with what? yesterday? previous month? when the extension was not installed?
Please note in my last reply I put
But it's still letting more spam though, even on the highest setting, than it did with it not installed.
2 - why not uninstalling the extension, if it indeed allows more spam than when the extension is inactive or not installed?

Please note that I am simply curious, since what you are saying is something that other people are also experiencing.

And if the Plesk Email Security Extension is actually soliciting or even causing spam (or increase in spam levels), then it should not be offered at all.
Because if it's not working correctly, it should be reported so it can be fixed?
By the way, the following line in your logs

Error: Corrupted record in index cache file /var/qmail/mailnames/bloggs.com/ ....

is the most interesting one.

Did you already try to remove the cache and restart dovecot afterwards? Also see this KB article - it gives a nice tutorial on a closely related problem.

I am not sure whether this is the root cause of the problem, but it certainly is related or even a symptom - hence, it might be relevant.

I hope to hear from you if you have cleaned up the cache!

Kind regards.......
Done that, I'll keep an eye on the logs. Cheers.
 
@ssmmdd,

I asked question number 1 for a specific reason - it is very likely that in any comparison some bias will occur : for instance, it cannot be ruled out that coincidence is causing a spike in spam traffic exactly during the period that the extension is installed.

Sure, this seems not to be the most likely case - but it is relevant though : not only does one want to rule out bias (in any analysis), but also one should want to rule out the situation that the current problems with the extension are actually causing the extension to solicit spam.

It might be the case that a specific problem in the extension is known to spammers and that they simply attack Plesk instances to exploit the vulnerability.

And that is something that should also be investigated, if one really wants to improve the extension.

After all, we agree with regard to your statement

Because if it's not working correctly, it should be reported so it can be fixed?

to a high degree, in the sense that I have the opinion that the extension should not be offered as is, but that it can only be offered if it is significantly improved.

Kind regards.......
 
Sure, this seems not to be the most likely case - but it is relevant though : not only does one want to rule out bias (in any analysis), but also one should want to rule out the situation that the current problems with the extension are actually causing the extension to solicit spam.

to a high degree, in the sense that I have the opinion that the extension should not be offered as is, but that it can only be offered if it is significantly improved.

Hi Trialotto,

please do not make such assumptions without data to back it up. As I said above, I'm one of the developers of the extension and can guarantee that the extension works (in almost all cases) just fine and as expected. The extension is used on several thousand servers since the release in January without any issues and will replace the built-in SpamAssassin component one day!

With our solution, we rely on open-source tools, and as you know, no software is perfect. There are always edge cases that will make problems. We are working hard to improve the extension further and also cover complex server constellations.

In general, you can increase the debug level in the advanced settings for Amavis and enable SpamAssassin's debug mode, and analyse the mail logs. Also, check the headers of emails that have been classified wrongly. Do you see X-Spam entries? What is the score and how was the score calculated?

Since this topic is complicated and depends on many factors, there is no easy solution. It would be best if one of our trained supporters could analyse the installation and configuration directly on the server.

Cheers
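
To answer "what is the score and how was the score calculated?" for a given message, the folded `X-Spam-Status` header can be broken down rule by rule. The following Python is an added example (not part of the extension or of any post); it uses the GTUBE header quoted earlier in the thread as input, and the function names are made up for illustration.

```python
import email
import re

# Header block copied from the GTUBE test result quoted in the thread;
# the body line is a placeholder.
RAW_MESSAGE = """\
X-Spam-Flag: YES
X-Spam-Score: 997.9
X-Spam-Status: Yes, score=997.9 tagged_above=-9999 required=7
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GTUBE=1000,
    HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no

(body omitted)
"""


def parse_spam_status(raw_message):
    """Return verdict, score, threshold and per-rule scores, or None if absent."""
    value = email.message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None
    flat = " ".join(str(value).split())  # unfold the continuation lines
    head = re.match(r"(Yes|No),\s*score=(-?\d+(?:\.\d+)?)", flat)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", flat)
    tests = re.search(r"\btests=\[([^\]]*)\]", flat)
    if not (head and required and tests):
        return None
    rules = {}
    for item in tests.group(1).split(","):
        name, sep, score = item.strip().partition("=")
        if sep:
            rules[name] = float(score)
    return {
        "is_spam": head.group(1) == "Yes",
        "score": float(head.group(2)),
        "required": float(required.group(1)),
        "rules": rules,
    }


def top_contributors(status, n=3):
    """Rules with the largest absolute effect on the score, biggest first."""
    return sorted(status["rules"].items(), key=lambda kv: abs(kv[1]), reverse=True)[:n]


def rule_sum(status):
    """Sum of the listed rule scores, to compare with the reported total."""
    return sum(status["rules"].values())


if __name__ == "__main__":
    st = parse_spam_status(RAW_MESSAGE)
    print(f"spam={st['is_spam']} score={st['score']} required={st['required']}")
    print(f"sum of listed rules: {rule_sum(st):.3f}")
    for name, score in top_contributors(st, 5):
        print(f"  {score:+9.3f}  {name}")
```

For a spam message that reached the inbox, the same breakdown shows whether it scored just under `required` or whether a large negative rule such as `BAYES_00` pulled it down.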
 
Since this topic is complicated and depends on many factors, there is no easy solution. It would be best if one of our trained supporters could analyse the installation and configuration directly on the server.

Cheers
How would I do this? As per a previous message, the licence is via a 3rd party company, who don't want to help.
 
@Viktor Vogel

It is a bit strange that you assume that I do not have the data to back up my statements and/or to confirm the problems that other persons encounter.

I have initiated 5 Azure VMs with your extension activated (free version) and

1 - I did some benchmark testing with SpamExperts and rspamd (custom) cluster as benchmarks - SpamExperts is best, followed by the rspamd (custom) cluster,
2 - I did some testing to recreate issues (as experienced and mentioned by other forum members) : most of the issues did occur randomly - it is hard to recreate the exact issue mentioned by some forum members, but almost alike issues could be forced by simply installing the extension and sending a lot of spam to the test server (read : this is not really an issue, since it is just a lack of "training" and that is just a matter of time, before "training" is sufficient)

and my conclusions are simply that the Plesk Email Security Extension

a) will work to a low or high degree and only effectively after sufficient time for training,
b) is not outperforming the common alternatives, like SpamExperts or rspamd clusters,

and I really do not expand these conclusions beyond the test setup that I have used.

Sure, the Plesk Email Security Extension is -at least in theory and from the perspective of design- just as good (or bad, depends on who you are asking) as other open source alternatives (including SpamAssassin), with the only exception being the rspamd open source alternative.

This topic is not all complicated - it is just another approach to combatting spam, taking a new road that deviates from the current default combination of both SpamAssassin and Plesk Premium Antivirus (i.e. DrWeb).

It only becomes complicated, if you develop an extension that

.... works (in almost all cases) just fine and as expected. The extension is used on several thousand servers since the release in January without any issues and will replace the built-in SpamAssassin component one day!

is not yet ready for full deployment on several (thousands) servers and/or to replace SpamAssassin.

In short, the many (sometimes very biased) comments and disgruntlement about your extension is simply due to premature release of the extension.

In my humble opinion, it is a bad thing that this "thing" got released - certainly when taking into account that people are actually paying for it.

Moreover, you really missed out on the excellent opportunity to create a Plesk based eco-environment that combats spam as a network.

Please stop telling that the Plesk Email Security Extension works sufficiently - it does not for many people and it will never be the best alternative!

Please consider to spend time to develop an extension that includes rspamd with a remote rspamd learning cluster........ that will add value for many people.

As a final remark, I do not want that you see this post as a personal attack - it really is not.

This post and other posts regarding the Plesk Email Security Extension are simply intended to give them an incentive to consider your extension, other Plesk supplied extensions (like the SpamExperts extension) and all other alternatives out there.

In short, it would give all Plesk users and forum members the chance to make their own considerations with respect to what suits their objectives best, as opposed to simply buying a Plesk extension that is communicated as being "good" or even "the best solution".

And yes, again I have to plead for a Plesk extension that offers a Plesk service running a rspamd cluster - see PS1 below.

Also, have a look at PS2 and PS3 below.

I hope that all of the above explains a bit why I am responding to the messages regarding Plesk Email Security Extension.

Kind regards......

PS1 @Viktor Vogel ..... Amavis and ClamAV are not the best tools out there, they are good to very good (and in most cases sufficient). The main problem is that it is open source, implying that these solutions are lagging a bit behind in terms of development - from time to time, this delay in development is causing issues, with the "false positives problem" being a major continuing issue. Despite that Plesk wants to let Plesk users pay for open source tools that can be installed for free and that can be easily integrated with Plesk's Postfix, the biggest issue is that one relies on "local training + remote databases". Simply stated, each server with the same Plesk extensions and Amavis + ClamAV (+ SpamAssassin) is reacting differently on spam - training is different, mostly in the short run, but also in the very long run. Nevertheless, almost all spam attacks are very similar and even originating from identical IP ranges (most of them are not even in the dbases of open source tools). The before simply implies that a "bottom-up approach" of combatting spam per individual server is a bit less efficient than combatting spam in an eco-environment of very similar servers - all Plesk instances are very similar : the value of a Plesk service containing a spam cluster (rspamd based or another solution) is huge. After all, any remote spam cluster can help Plesk and its extensions do a better job in combatting spam - including your extension.

PS2 @Viktor Vogel ..... there is always a possibility for "advanced spammers" (and, to be honest, most of them are not advanced) to "spam" via the "server-level", due to the fact that Plesk itself and/or Plesk based extensions are not covering spam that will be sent via the server FQDN. Most of the spam running through the server and/or spam causing admission of the server IP or FQDN on blocklists and/or spam reaching or trying to reach the server is related to the "server-level" and invisible to Plesk and its extensions. Training of your Plesk Email Security Extension would be more efficient if all mail related traffic is intercepted and used for training. As far as I know now, this is not (yet) the case.

PS3 I did not find direct evidence for Plesk Email Security Extensions factually soliciting spam, but it seems to be the case that specific servers with specific IPs are aiming for Plesk instances with Plesk Email Security Extension installed. A double check has been done : after uninstalling the extension, the spam related traffic from those IPs stopped suddenly. I do not know why, I firmly believe that it is mere coincidence, nothing more. However, if and whenever possible, please investigate this thoroughly. Please note that it could also coincide with the removal of the packages associated with your extension.
 
Hi Trialotto,

thank you for your opinion and constructive criticism! I will discuss your proposal how to improve the extension internally.

Cheers
 
@Viktor Vogel

It might be even more constructive to have a look together at something like a spam cluster - I can create some Azure VMs for us, so we can at least play a bit with rspamd (and I now regret the fact that I destroyed the old rspamd clusters that I had for development purposes).

If that is something that sounds good, just send me a PM.

Kind regards.......
 
For those, who are not satisfied with spamassassin, I like to share a documentation, how to install and activate rspamd on Plesk Obsidian >=18.0.39 and debian 10 (buster) on Intel/AMD compatible platform.
Disclosure: That procedure works perfectly on my virtual hosted server. However I cannot guarantee that it will work on all other platforms.

Plesk config:
  • deinstall spamassassin via Plesk installer
  • install firewall (in case not yet there) and limit port access to only used services
    (important that rspamd config interface is not directly accessible from external)
  • deactivate "Switch on server-wide greylisting spam protection" and "Apply individual settings to spam filtering" in "Spam Filter Settings"
  • activate in section "DKIM spam protection" the options "Allow signing outgoing mail" and "Verify incoming mail" in "Server-Wide Mail Settings"
  • Deactivate "SPF spam protection" in "Server-Wide Mail Settings"

SSH client for connection to your plesk server:
  • configure port forwarding for port 11334 on your local ssh-client
    That example in putty SSH-Tunnels definition would allow you to call the rspamd-config frontend on your local browser via http://localhost:7777

Open terminal on your server and execute following steps:

1. rspamd source definition
apt install -y lsb-release wget
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb https://rspamd.com/apt-stable/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src https://rspamd.com/apt-stable/ $(lsb_release -c -s) main" >> /etc/apt/sources.list.d/rspamd.list

2. amend "[arch=amd64]"-setting in /etc/apt/sources.list.d/rspamd.list
(otherwise any follow update-process might take an eternity)
deb [arch=amd64] https://rspamd.com/apt-stable/ buster main
deb-src [arch=amd64] https://rspamd.com/apt-stable/ buster main

3. rspamd Installation
apt update
apt install rspamd

4. rspamd password generation provides hash .....
rspamadm pw

5. store generated password hash in /etc/rspamd/local.d/worker-controller.inc
password = "generated expression";

6. configure /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1";

7. configure /etc/rspamd/local.d/classifier-bayes.conf
servers = "127.0.0.1";
backend = "redis";
autolearn = true;

8. configure /etc/rspamd/local.d/logging.inc
type = "syslog";
level = "warning";

9. configure /etc/rspamd/local.d/milter_headers.conf
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
extended_spam_headers = true;

10. configure /etc/redis/redis.conf
maxmemory 500mb
maxmemory-policy volatile-ttl

11. configure /etc/rspamd/local.d/classifier-bayes.conf
servers = "127.0.0.1";
backend = "redis";

12. configure /etc/rspamd/local.d/dkim_signing.conf
enabled = false;

13. create /etc/dovecot/conf.d/20-imap.conf
protocol imap {
mail_plugins = $mail_plugins imap_sieve
}

14. create /etc/dovecot/conf.d/95-plugin.conf
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_extensions = +editheader +mboxmetadata +servermetadata +imapflags +notify +spamtest +spamtestplus +virustest
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
sieve_pipe_bin_dir = /usr/local/etc/dovecot/sieve

# From elsewhere to Spam folder or flag changed in Spam folder
imapsieve_mailbox1_name = INBOX.Spam
imapsieve_mailbox1_causes = COPY FLAG
imapsieve_mailbox1_before = file:/usr/local/etc/dovecot/sieve/report-spam.sieve

# From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = INBOX.Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/usr/local/etc/dovecot/sieve/report-ham.sieve

#
# Automatically filter spam into the spam folder
#
sieve_before = /usr/local/etc/dovecot/sieve/global-spam.sieve
}

14b. set ownership and rights
cd /etc/dovecot/conf.d/
chown root:root 20-imap.conf 95-plugin.conf
chmod 644 20-imap.conf 95-plugin.conf

15. create /usr/local/etc/dovecot/sieve/global-spam.sieve
require ["fileinto", "mailbox"];

if anyof(
header :contains "X-Spam-Flag" "YES",
header :contains "X-Spam" "YES",
header :contains "Subject" ["*** SPAM ***"],
header :contains "Subject" ["Viagra","Cialis"]
)
{
fileinto :create "INBOX.Spam";
stop;
}

16. create /usr/local/etc/dovecot/sieve/report-spam.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "imap4flags"];

if environment :is "imap.cause" "COPY" {
pipe :copy "sa-learn-spam.sh";
}

# Catch replied or forwarded spam
elsif anyof (allof (hasflag "\\Answered",
environment :contains "imap.changedflags" "\\Answered"),
allof (hasflag "$Forwarded",
environment :contains "imap.changedflags" "$Forwarded")) {

pipe :copy "sa-learn-spam.sh";
}

17. create /usr/local/etc/dovecot/sieve/report-ham.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

if environment :matches "imap.mailbox" "*" {
set "mailbox" "${1}";
}

if string "${mailbox}" [ "INBOX.Trash", "train_ham", "train_prob", "train_spam" ] {
stop;
}

pipe :copy "sa-learn-ham.sh";

18. create /usr/local/etc/dovecot/sieve/sa-learn-ham.sh
#!/bin/bash
exec /usr/bin/rspamc -h 127.0.0.1:11334 learn_ham

19. create /usr/local/etc/dovecot/sieve/sa-learn-spam.sh
#!/bin/bash
exec /usr/bin/rspamc -h 127.0.0.1:11334 learn_spam

20. compile sieve scripts
in case error occurs try to restart dovecot before (/etc/init.d/dovecot restart)
cd /usr/local/etc/dovecot/sieve
sievec global-spam.sieve
sievec report-ham.sieve
sievec report-spam.sieve

20a. set rights
cd /usr/local/etc/dovecot/sieve
chmod 755 *.*

21. configure /etc/postfix/main.cf
look for existing entries and replace (if any)
smtpd_milters = inet:localhost:11332, inet:127.0.0.1:12768
milter_default_action = accept
milter_protocol = 6

22. Processes restart
/etc/init.d/rspamd restart
/etc/init.d/postfix restart
/etc/init.d/dovecot restart

DNS configuration change
might improve better resolution

1. change in /etc/bind/named.conf.options (changes in green)
acl goodclients {
    localhost;
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See CERT/CC Vulnerability Note VU#800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See Current Root Trust Anchors
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};

2. make "/etc/resolv.conf" static
rm -f /etc/resolv.conf
cp /run/resolvconf/resolv.conf /etc
chattr +i /etc/resolv.conf

3. test of DNS resolver
dig heise.de @127.0.0.1
should provide proper resolution

4. Amend green section in "/etc/dhcp/dhclient.conf"
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;

supersede domain-name-servers 127.0.0.1;

Good Luck!
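As an added example (not part of the original post), the read-only checks below confirm what steps 18 to 21 and the DNS change left on disk: whether the rspamd milter is wired into Postfix and fails open, whether the resolver is loopback-only, and whether a learn script is safe to pipe mail into. The function names and the sample files built in demo() are constructed for illustration; file paths are passed as arguments so the checks also run against samples.

```bash
#!/bin/bash
# Added example, not from the original post: read-only checks for steps 18-21 and DNS step 2.

# Value of a main.cf parameter, last assignment wins (single-line values assumed;
# on a live server `postconf -h NAME` gives the effective setting).
main_cf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# missing     : rspamd's milter port 11332 (step 21) is not in smtpd_milters
# fail-open   : milter_default_action = accept, mail passes unscanned while rspamd is down
# fail-closed : any other action (Postfix default: tempfail), mail is deferred, rejected or held
milter_state() {
    local action
    main_cf_value "$1" smtpd_milters | grep -Eq ':11332([,[:space:]]|$)' || { echo missing; return; }
    action=$(main_cf_value "$1" milter_default_action)
    if [ "${action:-tempfail}" = accept ]; then echo fail-open; else echo fail-closed; fi
}

# local if every nameserver in the resolv.conf is loopback, external if any is not.
resolver_state() {
    local servers
    servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ -n "$servers" ] || { echo none; return; }
    if echo "$servers" | grep -Evq '^(127\.[0-9.]+|::1)$'; then echo external; else echo local; fi
}

# The learn scripts are run by Dovecot on every flagged message, so they must be
# executable but not writable by group or others (characters 6 and 9 of ls -l).
script_state() {
    [ -x "$1" ] || { echo not-executable; return; }
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) echo writable-by-others ;;
        *)   echo ok ;;
    esac
}

# Constructed sample input mirroring step 21, step 19 and DNS step 4.
demo() {
    local d; d=$(mktemp -d)
    printf 'smtpd_milters = inet:localhost:11332, inet:127.0.0.1:12768\nmilter_default_action = accept\n' > "$d/main.cf"
    printf 'nameserver 127.0.0.1\n' > "$d/resolv.conf"
    printf '#!/bin/bash\nexec /usr/bin/rspamc -h 127.0.0.1:11334 learn_spam\n' > "$d/sa-learn-spam.sh"
    chmod 755 "$d/sa-learn-spam.sh"
    echo "milter:   $(milter_state "$d/main.cf")"
    echo "resolver: $(resolver_state "$d/resolv.conf")"
    echo "script:   $(script_state "$d/sa-learn-spam.sh")"
    rm -rf "$d"
}
demo
```

On the server itself, call the functions with /etc/postfix/main.cf, /etc/resolv.conf and the learn scripts from steps 18 and 19 instead of the samples.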
For those who are not satisfied with SpamAssassin, I'd like to share documentation on how to install and activate rspamd on Plesk Obsidian >=18.0.39 and Debian 10 (buster) on an Intel/AMD-compatible platform.
Disclosure: That procedure works perfectly on my virtual hosted server. However, I cannot guarantee that it will work on all other platforms.

Plesk config:
  • uninstall spamassassin via Plesk installer
  • install firewall (in case not yet there) and limit port access to only used services
    (important that rspamd config interface is not directly accessible from external)
  • deactivate "Switch on server-wide greylisting spam protection" and "Apply individual settings to spam filtering" in "Spam Filter Settings"
  • activate in section "DKIM spam protection" the options "Allow signing outgoing mail" and "Verify incoming mail" in "Server-Wide Mail Settings"
  • Deactivate "SPF spam protection" in "Server-Wide Mail Settings"

SSH client for connection to your Plesk server:
  • configure port forwarding for port 11334 on your local ssh-client
    That example in PuTTY SSH-Tunnels definition would allow you to call the rspamd-config frontend on your local browser via http://localhost:7777
anyone tried that?