Hi there folks. I tried switching from amavisd to rspamd in SYSTEM -> SERVER CONFIG -> MAIL by changing the entry in the parameter CONTENT FILTER from amavisd to rspamd. The ISPCONFIG automagically did about 27 changes on my server, which took about 1 minute to propagate through into the server settings. Excitingly enough, apache2 then crashed and wouldn't restart, and e-mail sending and receiving also crashed, which wasn't exactly the desired outcome. This got me thinking wistfully about the value of taking backups before trying to kludge up the server settings but, c'est la vie I guess. He who lives by the sword, dies by the sword and all that kind of stuff.

Anyways, first and foremost, I am wondering if a record is made of what changes ispconfig has done when I change thingys in my ISPCONFIG control panel? I had a look in the log files under the directory /var/log/ispconfig/ but there was nothing useful in them.

Why do I need to know this list of changes? I could really do with knowing what the daaanngg ispconfig program has gone and changed and hence crashed everything. Then, I could be in a position to do some kinda diagnosis on what the planet of hell has happened to my server.

Hey thanks in advance to y'all for your constructive input.
Meanwhile, back on my webserver, I ran a few checks using tips from the following howtoforge thread:-

https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/

This is for ISPCONFIG 3.1, whereas I am running V3.2. So I had kinda figured that everything was going to work just fine and dandy, which it didn't.

Anyways, I checked if named was installed, which it is.

    which named
    /usr/sbin/named

After, I checked for rspamd and redis and, surprisingly, I found they weren't installed ????? WTF ????? So, how was it possible for me to select rspamd in the ISPCONFIG control panel ?????

Well sure as hell I was gonna need those packages now, so I did:-

    apt-get install redis-server lsb-release
    apt-get install rspamd

The next problem to fix was that apache2 wasn't starting. The error was:-

    status apache2.service
    ● apache2.service - The Apache HTTP Server
       Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Mon 2025-03-24 20:29:41 CET; 54s ago
         Docs: https://httpd.apache.org/docs/2.4/
      Process: 5305 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

In the log I can see:-

    Mar 24 20:29:41 serverx.xxxxxxxxx.com systemd[1]: Starting The Apache HTTP Server...
    Mar 24 20:29:41 serverx.xxxxxxxxx.com apachectl[5308]: AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/000-apps.vhost:
    Mar 24 20:29:41 serverx.xxxxx.com apachectl[5308]: SSLCACertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.bundle' does not exist or is empty
    Mar 24 20:29:41 serverx.xxxxxx.com apachectl[5305]: Action 'start' failed.

I checked in /usr/local/ispconfig/interface/ssl/ and, sure enough, the file ispserver.bundle was empty. The other certificates were in the directory and dated from a while ago. I tried vainly to find out how to make a .bundle file from the other files which were present in the directory, but couldn't work it out. Those files had been created I guess when I installed the server 5 years ago, probably via openssl commands.

So, I edited the following file:-

    vi /etc/apache2/sites-available/apps.vhost

I commented out the following line:-

    # SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

I then restarted apache2, and, thankfully, the server was up again. Phew. I was sweating bullets back there for a while. E-Mail was still dead though.......
Things I still need to do:-

1. Work out how the heck rspamd is configured.
2. Check if I am bouncing a bunch of e-mail or not.

In the howtoforge thread for configuring rspamd on ISPCONFIG V3.1 mentioned above, it talks about configuring a web interface for rspamd via a virtual host. However, this seems like a pretty bad idea to me, considering all the problems I have had with the ispconfig web interface up to now. Also, I have other software running on my server, which may get messed up by configuring this apache2 virtual hosts thingy.

If possible, I would prefer to manually configure whatever the rspamd configuration files are, and, if necessary, manually edit any linked mysql files directly via the mysql command line. So, that's what I'm going to do now......
You cannot just switch to a different unconfigured service that is not even installed on your system and expect it to work. Here is a tutorial on how to switch from Amavis to Rspamd properly.

https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/

Follow it to the point and not just some parts of it. This procedure works flawlessly on any well-configured ISPConfig 3.1 and 3.2 systems. But as you seem to edit files manually, it's obvious that your manual edits will make your system unstable and will break the setup on updates or changes sooner or later.
Dear Till, thanks so much for your reply, not to mention all your tireless work on ispconfig.....which generally works pretty good....despite my kludging of configs.....

I know this is not exactly related, but I am really very keen to start logging what changes the ISPCONFIG software is doing on my server. This would serve 2 important purposes:-

1. By knowing exactly what changes have been done to what files, it allows me to see if any configuration errors have occurred, and then roll them back as necessary.
2. It allows me to follow the configuration changes, and hence educate myself into how the server is actually working by reading files within the filesystem. Getting "under the hood", so to speak.

How can I do this?
Unfortunately, when I ran the ISPCONFIG command from the control panel to move from AMAVISD configuration to RSPAMD, neither the REDIS or RSPAMD packages were actually installed, so now I suppose I'll have to manually configure all the files which are put into the directory /etc/rspamd/local.d

Can somebody please send me that list of those files, as well as their contents?

Note: I have already fixed the REDIS config. file by setting the following parameters in /etc/redis/redis.conf

    maxmemory 512mb
    maxmemory-policy volatile-lru
The tutorial explains that you must install them upfront.

https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/

Switch back to Amavis, and then follow the tutorial.
I was not too confident about switching back to amavis and then rspamd again automagically, due to it didn't work out too well yesterday. So, I went ahead and manually configured everything in the /etc/rspamd/local.d directory as following:-

/etc/rspamd/local.d/worker-normal.inc

    bind_socket = "127.0.0.1:11333";

The milter protocol is supported by the proxy worker, which listens on port 11332. Milter mode must be enabled for Postfix and Rspamd to communicate, create file /etc/rspamd/local.d/worker-proxy.inc

    bind_socket = "127.0.0.1:11332";
    milter = yes;
    timeout = 120s;
    upstream "local" {
      default = yes;
      self_scan = yes;
    }

The controller worker server, which grants access to the Rspamd web interface, has to have a password set up next. Run the following command to create an encrypted password.

    rspamadm pw --encrypt -p xxxxxxmydifficultpasswordxxxxx
    $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

From your terminal, copy the password, and then put it in the configuration file /etc/rspamd/local.d/worker-controller.inc :

    # Included from top-level .conf file
    type = "controller";
    count = 1;
    password = "$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    secure_ip = "127.0.0.1";
    secure_ip = "::1";
    static_dir = "${WWWDIR}";

By adding the following lines to the /etc/rspamd/local.d/classifier-bayes.conf file, Redis will be used as the backend for Rspamd statistics:

    servers = "127.0.0.1";
    backend = "redis";

Set the milter headers by opening the milter_headers.conf file:

    use = ["x-spamd-bar", "x-spam-level", "x-spam-status", "authentication-results", "remove-headers"];
    authenticated_headers = ["authentication-results"];
    routines {
      remove-headers {
        headers {
          "X-Spam" = 0;
          "X-Spamd-Bar" = 0;
          "X-Spam-Level" = 0;
          "X-Spam-Status" = 0;
          "X-Spam-Flag" = 0;
        }
      }
    }

Finally, for modifications to take effect, restart Rspamd:

    sudo systemctl restart rspamd

All the above seems to work OKay. Seeing as everything is going so swimmingly well, I will now try to configure DKIM........
I have a question about the DKIM e-mail setup as following. I have previously used the ISPCONFIG3.2 control panel to generate a DKIM key pair consisting of a private key and the DKIM public key, which I then put in my DNS file. I now need to place these keys into the directory /etc/rspamd/local.d and then create a file /etc/rspamd/local.d/dkim_signing.conf with the following in it:-

    selector = "default";
    path = "/etc/rspamd/local.d/$selector.key";
    allow_username_mismatch = true;

and then copy this file also to the file /etc/rspamd/local.d/arc.conf

So, my question is: where is this previously generated key pair in the file system and what are these files called?
Your setup is completely off from the standard ISPConfig configuration and doesn't align with the official rspamd documentation at all. If people in a forum offer help and you ignore their advice, you have to deal with the fact that you're on your own with a setup that doesn't follow any standard. It's not meant to be harsh, but Till has explained to you several times what the correct way is to replace amavis with rspamd, and the issues you're facing with DKIM are just one of the consequences of switching to rspamd in a non-compliant way.
Don't worry, everything is working just fine with the new RSPAMD setup, due to I managed to manually locate all of the previously changed configuration files. See above for the list of the necessary changes. The only thing not working any more is that my out-going e-mails are not DKIM signed any more. When I go to the DKIM signature section of ISPCONFIG, I can't see the local DKIM certificate any more. I think that the local DKIM certificate in the top window is probably a new one, so, if I start using it, it won't match the public DKIM certificate in the bottom window which I was previously using and is posted to my DNS. When I have a bit of time, I will search for these certificates in my file system. If that doesn't turn out to be possible, then, I will use the DKIM section of the ISPCONFIG to generate a new certificate pair, and then replace the DKIM public file in my DNS file with the new one.
I had a look for where the key is supposed to be in amavisd. I looked in the amavis configuration file /etc/amavis/conf.d/60-dkim

It says:-

    dkim_key('example.com', 'default', '/var/lib/amavis/dkim/example.com.private');

I looked in that directory and I found the keys, and I also checked that the public key corresponds to what I have in my DNS zones file (which is not on my server), and, it matches:-

    /var/lib/amavis/dkim # ls
    example.com.private example.com.public

I tried copying those keys across to /etc/rspamd/local.d/ and setting up the configuration files dkim_signing.conf and arc.conf.

contents of dkim_signing.conf:-

    selector = "default";
    path = "/etc/rspamd/local.d/$selector.key";
    allow_username_mismatch = true;

also copied this to the file arc.conf

However, I don't think it is working. I think my outgoing mails are still not dkim signed. The setup becomes quite complicated due to those files have a variable $selector in them, which then has to be plugged into them via another setup file in some way. Anyway, I will leave it running for a few days to see if I can accumulate some diagnostic info. and then try again. If I manage to fix it, I will post my config. here.
For rspamd you need 2 map files for DKIM. -> dkim_domains.map / dkim_selectors.map

The dkim_domains contains the domains and the path to the private key files, for example:

Code:
    domain.tld /var/lib/amavis/dkim/domain.tld.private

The dkim_selectors contains the domains and the selector name, for example:

Code:
    domain.tld selector1

Both of these files get referenced in the dkim_signing.conf.

If the mailsystem itself is not sending the mails but rather another server like exchange for example, you also need to define a map with signing networks like dkim_sign_networks.map with content as follows:

Code:
    10.10.10.10 #Exchange
    10.20.10.20 #Another Upstream Server

And also need to reference it in the dkim_signing.conf like this:

Code:
    sign_networks = "/etc/rspamd/local.d/dkim_sign_networks.map";
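Added example, not part of the original post: a consistency check for the two map files described above, which catches a domain spelled differently in the two maps and a map entry that points at a public key instead of the private one. The function names are hypothetical, and the map format (one "domain value" pair per line, `#` for comments) is assumed from the samples in the post.

```bash
#!/usr/bin/env bash
# Added example: consistency check for the DKIM map files used with rspamd.
# Assumed map format: "<domain> <value>" per line, '#' starts a comment.

# Print "domain value" pairs, skipping comments and blank lines.
map_entries() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print tolower($1), $2 }'
}

# Succeed when the map file has an entry for the given domain.
map_has() {
    map_entries "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# Print every problem found; return 0 when the maps are consistent, 1 otherwise.
dkim_maps_lint() {
    local domains_map="$1" selectors_map="$2" rc=0 domain value
    while read -r domain value; do
        [ -n "$domain" ] || continue
        map_has "$selectors_map" "$domain" || { echo "no selector for $domain"; rc=1; }
        if [ ! -r "$value" ]; then
            echo "key not readable: $value"; rc=1
        elif ! grep -q 'PRIVATE KEY-----' "$value"; then
            echo "not a private key: $value"; rc=1
        fi
    done <<EOF
$(map_entries "$domains_map")
EOF
    while read -r domain value; do
        [ -n "$domain" ] || continue
        map_has "$domains_map" "$domain" || { echo "selector without key: $domain"; rc=1; }
    done <<EOF
$(map_entries "$selectors_map")
EOF
    return "$rc"
}

# Usage (run as the account rspamd runs under, so the readability test means something):
#   dkim_maps_lint /etc/rspamd/local.d/dkim_domains.map /etc/rspamd/local.d/dkim_selectors.map
if [ $# -eq 2 ]; then dkim_maps_lint "$1" "$2"; fi
```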
I managed to get the DKIM signature working. The problem was being caused by that it was not possible for the _rspamd server to read the configuration files. I fixed this by issuing the command

    chown _rspamd:_rspamd *

from within the directory /etc/rspamd/local.d

All of the steps which I have done are as following:-

1. Copy the public DKIM key you were previously using from the old amavisd directory to the rspamd directory and call it default.pub:-

    cp -v /var/lib/amavis/dkim/example.com.public /etc/rspamd/local.d/default.pub

2. Copy the private DKIM key you were previously using from the old amavisd directory to the rspamd directory and call it default.key:-

    cp -v /var/lib/amavis/dkim/example.com.private /etc/rspamd/local.d/default.key

3. Create a new file dkim_signing.conf in the /etc/rspamd/local.d directory and put the following in it:-

    selector = "default";
    path = "/etc/rspamd/local.d/$selector.key";
    allow_username_mismatch = true;

4. Change the permissions of the certificate keys to -r--r-----

5. Change the ownership and group of all files in the directory /etc/rspamd/local.d to _rspamd:_rspamd

Just as an FYI, here are the contents of this directory on my system:-

    etc/rspamd/local.d # ls -l
    total 44
    -rw-r--r-- 1 _rspamd _rspamd   98 Mar 31 12:52 arc.conf
    -rw-r--r-- 1 _rspamd _rspamd   42 Mar 25 17:31 classifier-bayes.conf
    -r--r----- 1 _rspamd _rspamd 1702 Mar 31 12:46 default.key
    -r--r----- 1 _rspamd _rspamd  451 Mar 31 12:46 default.pub
    -rw-r--r-- 1 _rspamd _rspamd   98 Mar 31 12:52 dkim_signing.conf
    -rw-r--r-- 1 _rspamd _rspamd   55 Mar 24 19:14 history_redis.conf
    -rw-r--r-- 1 _rspamd _rspamd  332 Mar 25 17:33 milter_headers.conf
    -rw-r--r-- 1 _rspamd _rspamd   23 Mar 24 19:13 redis.conf
    -rw-r--r-- 1 _rspamd _rspamd  244 Mar 25 17:29 worker-controller.inc
    -rw-r--r-- 1 _rspamd _rspamd   33 Mar 25 17:21 worker-normal.inc
    -rw-r--r-- 1 _rspamd _rspamd  120 Mar 25 17:23 worker-proxy.inc

6. For all this to work, obviously, you'll need to have copied the DKIM public certificate to your DNS zones file. I know this has been done correctly, because, when I do a DIG command on my domain, I can see the DKIM certificate:-

    dig default._domainkey.example.com TXT +short
    "v=DKIM1; t=s; p=M-xxxxxxxxxxxxxxxxxxxxxxxa-long-key-xxxxxxxxxxxxxxxxxxxx"

7. I then restarted rspamd and postfix, just to make sure everything had been reset.

    service rspamd stop
    service rspamd start
    service postfix stop
    service postfix start

(If you monitor your logs while you are doing this, you can check for any error messages i.e. tail -f /var/log/mail.log ).

Now, when I send an e-mail to an e-mail address at another domain, I can see the DKIM certificate in the full e-mail header of the e-mail that has been received:-

    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
      s=default; t=1743430301;
      h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
      to:to:cc:mime-version:mime-version:content-type:content-type;
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-certificate-xxxxxxxxxxxxxxxxxxxxxxxxxxx

You can also check if everything is working by going to the website https://dkimvalidator.com, which allows you to send them an e-mail to check it.
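Added example, not part of the original post: one check covering the three things that went wrong or were in doubt in this thread, namely a key file rspamd cannot read, a public key sitting where the private key belongs, and a private key that no longer matches the `p=` value published in DNS. The function names are hypothetical; the usage comment assumes the selector `default` and the domain example.com as used in the post.

```bash
#!/usr/bin/env bash
# Added example: verify a DKIM private key file against the published TXT record.

# Base64 of the DER public key derived from a private key file (the DKIM p= format).
dkim_pub_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# p= value of a DKIM TXT record; dig may split a long record into several
# quoted strings, so quotes and whitespace are dropped before parsing.
dkim_p_from_txt() {
    printf '%s' "$1" | tr -d '" \t\n' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Exit status: 0 ok, 2 unreadable, 3 not a private key, 4 mismatch with DNS,
# 5 file accessible to "other" users.
dkim_key_check() {
    local keyfile="$1" txt="$2" derived published mode
    [ -r "$keyfile" ] || { echo "unreadable: $keyfile"; return 2; }
    grep -q 'PRIVATE KEY-----' "$keyfile" ||
        { echo "not a private key: $keyfile"; return 3; }
    derived=$(dkim_pub_from_key "$keyfile")
    published=$(dkim_p_from_txt "$txt")
    if [ -z "$derived" ] || [ "$derived" != "$published" ]; then
        echo "key does not match the published p= value"; return 4
    fi
    mode=$(stat -c '%a' "$keyfile")
    case "$mode" in
        *[1-7]) echo "mode $mode lets other users access the key"; return 5 ;;
    esac
    echo "ok"
}

# Usage on the mail server, as the account rspamd runs under:
#   dkim_key_check /etc/rspamd/local.d/default.key \
#       "$(dig default._domainkey.example.com TXT +short)"
if [ $# -eq 2 ]; then dkim_key_check "$1" "$2"; fi
```

Running it through `sudo -u _rspamd` makes the readability test reflect what the service itself can open, since root can read the file regardless of its mode.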