Issue Not happy with Plesk Email Security

[GravuTrad]

I really confirm a security problem with this extension. tons of spam after installed it, and very less more with its remove. lots of mails sent by sendmail.

 

[GravuTrad]

even with the remove, it has surely created a breach thah i can't found grr....

 

[Viktor Vogel]

I really confirm a security problem with this extension. tons of spam after installed it, and very less more with its remove. lots of mails sent by sendmail.

Hey!

I'm the developer of the extension. Please do not spread untruths. The integration of Amavis in cooperation with SpamAssassin and ClamAV is a standard procedure, which many other operators also do. We only use open-source software in Plesk Email Security to fight spam, with optimised rules and processes on a Plesk server. Furthermore, the extension has nothing to do with Sendmail.

 

[GravuTrad]

Yes but since i had installed it i received waves of spams. I had to remove it to return to a normal level of spam reception.
Another problem with it that i had no install of clamav at all. (maybe it's normal? Is the clamav install not included with the install?)

 

[herrMartin]

Mega thanks to this tutorial. I got it working with your help. But one thing,
There is a small mistake in Number 18 in the path:

18. create /usr/local/etc/dovecot/sieve/sieve/sa-learn-ham.sh → one /sieve/ too much

should be 18. create /usr/local/etc/dovecot/sieve/sa-learn-ham.sh

or not?

For those, who are not satisfied with spamassassin, I like to share a documentation, how to install and activate rspamd on Plesk Obsidian >=18.0.39 and debian 10 (buster) on Intel/AMD compatible platform.
Disclosure: That procedure works perfectly on my virtual hosted server. However I cannot gurantee that it will work on all other platforms.

Plesk config:

• deinstall spamassassin via Plesk installer
• install firewall (in case not yet there) and limit port access to only used services
  (important that rspamd config interface is not directly accessible from external)
• deactivate "Switch on server-wide greylisting spam protection" and "Apply individual settings to spam filtering" in "Spam Filter Settings"
  View attachment 19831
• activate in section "DKIM spam protection" the options "Allow signing outgoing mail" and "Verify incoming mail" in "Server-Wide Mail Settings"
  View attachment 19830
  
• Deactivate "SPF spam protection" in "Server-Wide Mail Settings"

SSH client for connection to your plesk server:

• configure port forwarding for port 11334 on your local ssh-client
  That example in putty SSH-Tunnels definition would allow you to call the rspamd-config frontend on your local browser via http://localhost:7777View attachment 19829

Open terminal on your server and excute following steps:

1. rspamd source definition


2. ammend "[arch=amd64]"-setting in /etc/apt/sources.list.d/rspamd.list
(otherwise any follow update-process might take an eternity)


3. rspamd Installation


4. rspamd password generation provides hash .....


5. store generated password hash in /etc/rspamd/local.d/worker-controller.inc


6. configure /etc/rspamd/local.d/redis.conf


7. configure /etc/rspamd/local.d/classifier-bayes.conf


8. configure /etc/rspamd/local.d/logging.inc


9. configure /etc/rspamd/local.d/milter_headers.conf


10. configure /etc/redis/redis.conf


11. configure /etc/rspamd/local.d/classifier-bayes.conf


12. configure /etc/rspamd/local.d/dkim_signing.conf


13. create /etc/dovecot/conf.d/20-imap.conf


14. create /etc/dovecot/conf.d/95-plugin.conf


14b. set owership and rights


15. create /usr/local/etc/dovecot/sieve/global-spam.sieve


16. create /usr/local/etc/dovecot/sieve/report-spam.sieve


17. create /usr/local/etc/dovecot/sieve/report-ham.sieve


18. create /usr/local/etc/dovecot/sieve/sieve/sa-learn-ham.sh


19. create /usr/local/etc/dovecot/sieve/sa-learn-spam.sh


20. compile sieve scripts
in case error occurs try to restart dovecot before (/etc/init.d/dovecot restart)


20a. set rights


21. configure /etc/postfix/main.cf
look for existing entries and replace (if any)


22. Processes restart


DNS configuration change
might improve better resolution

1. change in /etc/bind/named.conf.options (changes in green)


2. make "/etc/resolv.conf" static


3. test of DNS resolver

should provide proper resolution

4. Ammend green section in "/etc/dhcp/dhclient.conf"


Good Luck!

 

[Hangover2]

Hello @ssmmdd ,

Amavis with SpamAssassin and ClamAV should not be seen as primary tool to fight incoming spam. On our servers 80% of all spam is already filtered out before with an appropriate Postfix configuration. reject_non_fqdn_sender + reject_unknown_client_hostname + reject_unknown_reverse_client_hostname are the options you should consider in your spam fighting scenario. You will be surprised about the results. To catch also the last 20% of spam some suitable DNS blackhole lists based on your needs can be added together with Amavis + SpamAssassin and ClamAV.

As example is here the summarized log for 24 hours of one mailbox, that exists since several years:

65 total incoming mails for the specific email address within 24 hours
48 mails rejected based on reject_non_fqdn_sender + reject_unknown_client_hostname + reject_unknown_reverse_client_hostname + reject_rbl_client
10 mails filtered out by Amavis + SpamAssassin + ClamAV (spam action = move to spam folder, spam level = 5) - no false positive spam
7 mails did arrive in the inbox (1 of them was spam with a score of 4.8)

2481 emails did arrive in that mailbox within 2022 till today. By setting a spam level of 4 I would have had 3 false positives. Because of that and because sometimes also spam arrives with nice scores between +3.99 and -x it does not really make sense to set a stricter value. As a result I would then need to check the whole spam folder quite often. The current setup did not have any false positive spam that I would be aware of.

 

[Maarten]

I wonder if there is a way to check the current maillog on the postfix settings: reject_non_fqdn_sender + reject_unknown_client_hostname + reject_unknown_reverse_client_hostname, so you could see which emails would have been rejected if those settings were enabled in the postfix configuration.

 

[Hangover2]

Hello @maartenv ,

see also: Postfix Configuration Parameters

- for reject_unknown_client_hostname and reject_unknown_reverse_client_hostname: 450 4.7.25 Client host rejected: cannot find your hostname, [IP]
- for reject_non_fqdn_sender: 504

 

[sergej-wv]

For us this tutorial did not work. The user action does not trigger the sieve action. But I can confirm that it works on a Centos 7 server without the Plesk panel.
The sieve libraries are not loaded by the dovecot/imap process.

Centos 7 server without Plesk panel:

# lsof -p 3378 | grep sieve
imap 3378 vmail mem REG 182,736209 776432 148017 /usr/lib64/dovecot/libdovecot-sieve.so.0.0.0
imap 3378 vmail mem REG 182,736209 48792 149577 /usr/lib64/dovecot/lib95_imap_sieve_plugin.so

Centos 7 server with Plesk panel:

# lsof -p 24125 | grep sieve
(no output)

I pinged the support about it, will report whether we will find something. It might be something local as the server is a little bit old.

 

[sergej-wv]

The parameter imap_sieve must be added for the sieve libraries to be loaded:

protocol imap {
mail_plugins = $mail_plugins imap_quota imap_sieve
}

The list inside the main configuration file does not include by default. It could be added to the file conf.d/95-plugin.conf .

 

[bendim]

Does someone use Rspamd in a docker container on Pesk?
Might that work?

Why docker? Don’t clutter the host system with dependencies while still beeing able to upgrade to newer versions as required

 

[Nextgen-Networks]

Does someone use Rspamd in a docker container on Pesk?
Might that work?

Why docker? Don’t clutter the host system with dependencies while still beeing able to upgrade to newer versions as required

short time ago I've tried to get a dockerized instance of rspamd running ... was partly successful

docker container was accessable for spam-check of mail demon - sieve learing from spam marked mails was not possible (found no working way to pipe sieve data to docker container)

Help is very welcome if anyone has an idea how to solve this.

 

[bendim]

I followed the steps from @weichi.238665 but the sa-learn-spam.sh is not executed.

For testing purposes i added a echo command to the sa-learn-spam.sh bash script.

#!/bin/bash
#exec /usr/bin/rspamc -h 127.0.0.1:11334 learn_spam
exec echo "sa-learn-spam.sh executed $(date)" >> /var/log/dovecot-sieve.log

If i run it manually the log entry will be written, but not if dovecot tries to execute it.
Any idea?

Here the dovecot log:

Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: action pipe: running program: sa-learn-spam.sh                                              ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh: Created                                ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh: Pass environment: [email protected] ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh: Pass environment: HOME=/var/qmail/mailn┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh: Pass environment: HOST=myHOST.de  ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: Mailbox INBOX.Spam: UID 3857: Opened mail because: mail stream                                     │
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finished executing pipe action (status=ok, keep=implicit)                         │
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finished executing actions (status=ok, keep=implicit, executed=yes)               │
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finished executing result (no commit, status=ok, keep=yes)                        ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: multi-script: Sequence active                                                               ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: multi-script: Finishing sequence (status=ok)                                                ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Executing result (status=ok, commit=yes)                                          ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Starting execution of actions                                                     ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Executing actions                                                                 ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finished executing actions (status=ok, keep=implicit, executed=yes)               ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Execute implicit keep (status=ok)                                                 ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Start storing into mailbox INBOX.Spam                                             ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Executing implicit keep action                                                    ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Execute storing into mailbox 'INBOX.Spam'                                         ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: Mailbox INBOX.Spam: Mailbox opened                                                                 ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Updated existing mail in mailbox 'INBOX.Spam'                                     ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finished executing implicit keep action (status=ok)                               ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finalizing actions                                                                ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finalize pipe action (status=ok, action_status=ok, commit_status=ok, pre-commit=ye┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Commit pipe action                                                                ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh: Establishing connection                ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh: Forked child process                   ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh (19726): Connected to program           ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh (19726): Failed to run program          ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh (19726): Disconnected                   ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh (19726): Child process ended            ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: program exec:/usr/local/etc/dovecot/sieve/sa-learn-spam.sh (19726): Destroy                        ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Finished finalizing actions (status=failure, keep=implicit, committed=no)         ┤
│Feb 27 14:40:23 service=imap, [email protected], ip=[109.32.241.44]. Debug: sieve: uid=3857: Switch to failure implicit keep

 

[mow]

If i run it manually the log entry will be written, but not if dovecot tries to execute it.
Any idea?

Does the dovecot user have write access to that logfile?

 

[bendim]

Does the dovecot user have write access to that logfile?

I deleted the log file after run the task manually. So the dovecot should create a new one with the correct rights?