ISPConfig rspamd Security: DMARC, GeoIP Blocking, Whitelist Bypass & DKIM Whitelist

Discussion in 'General' started by haluk yildirim, Mar 11, 2026 at 1:54 PM.

  1. haluk yildirim

    haluk yildirim New Member

    Over the past few weeks I've been hardening rspamd on an ISPConfig 3.3.x server managing 38 mail domains and discovered three separate security gaps — each one independently allowing malicious mail to bypass spam filtering. All three are documented in an existing thread but I'm posting this as a quick reference for anyone running ISPConfig + rspamd.

    All fixes tested on: rspamd 3.14.3, ISPConfig 3.3.x, Postfix, Dovecot, Debian 12.

    ---

    Fix 1: Inbound DMARC Enforcement — rspamd ignores p=reject by default

    By default, rspamd on ISPConfig evaluates DMARC but does NOT enforce the domain owner's p=reject policy on inbound mail. A phishing email that fails DMARC with policy=reject is scored and flagged but still delivered.

    The fix is a one-line override in /etc/rspamd/override.d/dmarc.conf:

    Code:
    cat > /etc/rspamd/override.d/dmarc.conf << 'EOF'
    actions = {
        quarantine = "add header";
        reject = "reject";
    }
    EOF
    systemctl reload rspamd

    Full details, explanation and test procedure:
    [Solution] Inbound DMARC Enforcement for rspamd on ISPConfig 3.x
    https://forum.howtoforge.com/thread...-3-x-stop-domain-impersonation-phishin.95001/

    ---

    Fix 2: GeoIP Country Blocking + ASN Blocking via rspamd multimap

    rspamd supports scoring or rejecting mail by originating country (GeoIP) and by ASN (hosting provider). This is useful for blocking high-spam-source countries and known spam-hosting providers.

    Example config for /etc/rspamd/local.d/multimap.conf:

    Code:
    BLOCKED_COUNTRY_HIGH {
        type = "ip";
        map = "/etc/rspamd/local.d/maps/blocked_countries_high.map";
        score = 15.0;
        description = "Mail from high-risk country";
        action = "reject";
        prefilter = true;
        filter = "country";
    }

    BLOCKED_ASN {
        type = "ip";
        map = "/etc/rspamd/local.d/maps/blocked_asn.map";
        score = 5.0;
        description = "Mail from known spam-source ASN";
        filter = "asn";
    }

    Maps:
    - blocked_countries_high.map — one country code per line (CN, KP, IR etc.)
    - blocked_asn.map — one ASN per line (16276 for OVH, 24940 for Hetzner etc.)

    Full details, map files, test procedure and important note on using full email headers in rspamc tests:
    [Solution] Inbound DMARC Enforcement for rspamd on ISPConfig 3.x (post #6 onwards)
    https://forum.howtoforge.com/thread...-3-x-stop-domain-impersonation-phishin.95001/

    ---

    Fix 3: Spamfilter Whitelist silently disables DMARC enforcement — Security Vulnerability

    This one is the most dangerous because it is caused by normal admin behaviour.

    When you add your own email address to ISPConfig → Email → Whitelist (a common action to prevent self-sent mail being spam-scored), ISPConfig generates a rspamd settings file that disables ALL rspamd actions — reject, add header, greylist, rewrite subject — for any mail with that From: address. Since rspamd matches on the From: header with no DKIM or SPF check, a phisher spoofing your address gets the same treatment. DMARC p=reject is bypassed completely.

    Confirmed in rspamd log:

    Code:
    apply static settings spamfilter_wblist-3; from,rcpt matched; priority high
    disabled action reject due to settings
    NOT set pre-result to 'reject': 'Action set by DMARC' from dmarc(1); action is disabled

    The phishing mail (score=24.89, DMARC_POLICY_REJECT, SPF fail, no DKIM) was delivered to the inbox with no warning.

    The fix is to remove your own addresses from the ISPConfig Whitelist and use the DKIM whitelist instead — which only matches mail with a valid DKIM signature from your server, not spoofed mail:

    Code:
    echo "yourdomain.com" >> /etc/rspamd/local.d/maps.d/dkim_whitelist.inc.ispc
    systemctl reload rspamd
    php /usr/local/ispconfig/server/server.php

    Full details, fix steps, test procedure and ISPConfig GUI improvement proposal:
    [Solution] Inbound DMARC Enforcement for rspamd on ISPConfig 3.x (post #8)
    https://forum.howtoforge.com/thread...-3-x-stop-domain-impersonation-phishin.95001/

    Suggested ISPConfig GUI Improvement:

    The root cause of this trap is that ISPConfig's Email menu has Whitelist and Blacklist entries in the left menu but no DKIM Whitelist. Admins adding their own address to the regular Whitelist have no way of knowing it disables all rspamd actions rather than just lowering the score.

    A proper fix in ISPConfig would be to add a "DKIM Whitelist" entry in the left menu under Email (alongside Whitelist/Blacklist) that writes domain entries to /etc/rspamd/local.d/maps.d/dkim_whitelist.inc.ispc instead of generating a spamfilter_wblist_*.conf with null actions. This gives admins a safe, GUI-managed way to whitelist their own domains without disabling DMARC enforcement.

    At minimum, the existing Whitelist UI should display a warning: "Adding your own domain or address here will disable all spam actions including DMARC reject for any mail claiming to be from that address, including spoofed mail. Use DKIM Whitelist instead for your own domains."

    This vulnerability is also related to ISPConfig GitLab issue #6197 (Use of want_spam & actions in rspamd yields unexpected results) — the same actions { reject=null } stanza that causes the X-Spamd-Bar header issue also disables DMARC enforcement. I attempted to comment on that issue directly but have been unable to activate an account on the ISPConfig GitLab instance — confirmation emails never arrived despite two follow-up emails to the admin, and a second registration attempt failed with "email already taken". I have since registered a new account (bosspacific_new) and emailed gitlab at ipconfig dot org requesting manual approval. Once approved I will add the security impact details as a comment on #6197.

    ---

    Summary: Apply All Three

    If you are running ISPConfig with rspamd, applying all three fixes gives you:
    - DMARC p=reject enforced on inbound mail (Fix 1)
    - High-risk country and spam-hosting ASN mail scored/rejected (Fix 2)
    - Own-domain spoofing blocked even when your address is whitelisted (Fix 3)

    Without Fix 1, rspamd sees DMARC failures but delivers the mail anyway.
    Without Fix 3, Fix 1 can be silently bypassed by a whitelist entry you probably already have.

    Happy to answer questions.

    Tested on: rspamd 3.14.3, ISPConfig 3.3.x, Debian 12.

    Cheers,
    Haluk

    ---
    TAGS: rspamd, ispconfig, dmarc, security, phishing, geoip, asn, whitelist, dkim, postfix
    Last edited: Mar 11, 2026 at 2:13 PM
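To audit an existing server for the Fix 3 bypass, the three log lines quoted in the post can be correlated per task: when a `spamfilter_wblist-N` settings rule is applied and rspamd then logs that the DMARC reject was not set because the action is disabled, that rule is the whitelist entry to move to the DKIM whitelist. The scanner below is an added example, not code from the post or from ISPConfig; the `<taskid>;` line prefix and the task ids in the sample log are constructed assumptions, only the message texts come from the post.

```python
"""Find mails where a settings rule disabled the DMARC reject (the
ISPConfig whitelist bypass).  Added example; the "<taskid>;" prefix on
each line is an assumption about the log layout, not rspamd's exact format."""
import re
from collections import defaultdict

# Constructed sample excerpt.  Task a1b2c3 is a full bypass; d4e5f6 has a
# whitelist rule but no DMARC verdict; 0f0f0f is a DMARC reject that went through.
SAMPLE_LOG = """\
<a1b2c3>; apply static settings spamfilter_wblist-3; from,rcpt matched; priority high
<a1b2c3>; disabled action reject due to settings
<a1b2c3>; NOT set pre-result to 'reject': 'Action set by DMARC' from dmarc(1); action is disabled
<d4e5f6>; apply static settings spamfilter_wblist-7; from matched; priority high
<d4e5f6>; disabled action reject due to settings
<0f0f0f>; set pre-result to 'reject': 'Action set by DMARC' from dmarc(1)
"""

TASK_RE = re.compile(r"^<(?P<task>[0-9a-f]+)>;\s*(?P<msg>.*)$")
SETTINGS_RE = re.compile(r"apply static settings (?P<rule>\S+);")
BYPASS_RE = re.compile(r"NOT set pre-result to 'reject': 'Action set by DMARC'")


def find_dmarc_bypasses(log_text):
    """Return {task_id: settings_rule} for every task in which a settings
    rule prevented rspamd from applying the DMARC reject."""
    rule_by_task = {}   # last settings rule applied to each task
    bypasses = {}
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if not m:
            continue            # not a task line in the assumed layout
        task, msg = m.group("task"), m.group("msg")
        s = SETTINGS_RE.search(msg)
        if s:
            rule_by_task[task] = s.group("rule")
        elif BYPASS_RE.search(msg):
            bypasses[task] = rule_by_task.get(task, "<unknown rule>")
    return bypasses


def bypass_counts_by_rule(log_text):
    """Count bypasses per settings rule: the spamfilter_wblist-N entry with
    the most hits is the whitelist entry to replace with a DKIM whitelist."""
    counts = defaultdict(int)
    for rule in find_dmarc_bypasses(log_text).values():
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for task, rule in find_dmarc_bypasses(SAMPLE_LOG).items():
        print(f"task {task}: DMARC reject disabled by settings rule {rule}")
```

On a live server, feed it the rspamd log (for example `tail -n 100000 /var/log/rspamd/rspamd.log`) after adjusting `TASK_RE` to the prefix your log actually uses.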
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Hello Haluk,

    I've approved your account bosspacific_new in our GIT server now.

    Best Regards

    Till
  3. haluk yildirim

    haluk yildirim New Member

    Hello Till,

    Thank you for that,

    I have posted a comment on issue #6197 regarding the rspamd whitelist/DMARC bypass security issue, and I look forward to contributing further.

    Really appreciate your work.
    Thanks.

    Best Regards
    Haluk