Rspamd Configuration vs. the ISPConfig3 Admin GUI

Discussion in 'Installation/Configuration' started by Shyciii, Apr 16, 2026.

Tags:
  1. Shyciii

    Shyciii Member

    Hello,
    Our Ispconfig3 servers were still running Amavisd, and we have now switched to Rspamd based on the following article:
    https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/
    Although the article is somewhat outdated (as it refers to Debian 13), the issue was easily resolved.
    However, we ran into a problem (which exists on every server running rspamd) where it classifies even completely valid emails as spam (even official bank and postal correspondence). I checked what it assigns scores to—which I obviously can’t change—but I noticed that the settings I configure in the ISPConfig admin interface (Email/Spamfilter/Policy/Non-paying/ Rspamd) are not taken into account; in fact, I see different values here than when I run the "sudo rspamadm configdump actions" command in the terminal on the server.
    Ispconfig3 admin GUI:
    Greylisting level: 6.00
    SPAM tag level: 8.00
    SPAM tag method: Subject (adds "***SPAM***" at the beginning
    SPAM reject level: 100.00
    rspamadm configdump actions command:
    reject = 15;
    add_header = 6;
    greylist = 4;

    So is it really not possible to change the rspamd levels in the ISPConfig3 GUI, or did something go wrong during the switch from Amavisd? I checked that when I went into MySQL, the query
    USE dbispconfig;
    SELECT * FROM spamfilter_policy WHERE id = 1 \G
    shows the settings from the GUI, so it’s in sync there (though of course the old Amavisd values are also visible).
    Could you tell me how rspamd actually works with ISPConfig now?
    By the way, it doesn't work to add the word ***SPAM*** to the subject line of emails marked as spam, even though you can see above that this is set in the Rspamd tab of the ISPConfig3 admin interface.
     
    Shyciii, Apr 16, 2026
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can configure the Spam levels in ISPConfig and ISPConfig writes them into the rspamd config files for the domain or user. Check the written Rspamd config files.
     
    till, Apr 16, 2026
    #2
  3. Shyciii

    Shyciii Member

    But that’s exactly what I wrote: the values set in the ISPConfig3 interface don’t match the values shown by rspamd, which you can check using the `rspamdm configdump actions` command.
    Can you tell me which specific config file the values entered in the ISPConfig3 interface modify?
     
    Shyciii, Apr 16, 2026
    #3
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    And I asked you to look in the config files and not run this command. So you did not wrote or check if Rspamd is configured correctly by ISPConfig.

    /etc/rspamd/local.d/users/
     
    till, Apr 16, 2026
    #4
    pyte likes this.
  5. Shyciii

    Shyciii Member

    Based on that, it seems fine, but then I don't understand why the email with a score of 6.8 was marked as spam. And if it did mark it as spam, why didn’t it insert the word ***SPAM*** into the subject line? I tried setting it so that no emails would be moved to the spam folder under the Mail Filter tab/Move Spam Emails to Junk folder option, but it still didn’t change the subject line.

    Code:
    ispc_spamfilter_user_20 {
    priority = 27;
    rcpt = "[email protected]";

    apply {
            CLAM_VIRUS = 1100;
        JUST_EICAR = 1100;
            actions {
            "add header" = 8;
                    "rewrite subject" = 8;
                    reject = 100;
                        greylist = null;
                    }
    }

}
     
    Shyciii, Apr 17, 2026
    #5
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to run an ISPCOnfig update with:

    ispconfig_update.sh --force

    and let the updater reconfigure services. Maybe Rspamd is not configured correctly.

    Besides that, check the mail headers to see which exact scores got applied and which email address it was sent to.
     
    till, Apr 17, 2026
    #6
  7. Shyciii

    Shyciii Member

    Where can I find the configuration file that specifies adding the ***SPAM*** prefix to the subject line? Also, are there any exceptions where it doesn’t add the prefix to the subject line even if it’s enabled? For example, if it’s set to move the email to the spam folder, does it not modify the subject line either, since it’s already clear that the email is spam?
     
    Shyciii, Apr 17, 2026
    #7
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    See your post #5, the line:

    "rewrite subject" = 8;

    and ***SPAM*** is the default rewrite from Rspamd.
     
    till, Apr 17, 2026
    #8
  9. Shyciii

    Shyciii Member

    I ran `ispconfig_update.sh --force`.
    Then I created a policy named "test" with the following settings:
    Greylisting level 4.00
    SPAM tag level 4.00
    SPAM tag method: Subject (adds ***SPAM*** at the beginning)
    SPAM reject level 100.00
    I applied this to the user who receives the test email.
    I have a test email server that I intentionally "broke," so emails from there are marked as spam; this is also visible in the header:
    Code:
    Subject: TEST
Content-Type: text/plain; charset=UTF-8
To: <[email protected]>
User-Agent: mail (GNU Mailutils 3.19)
Date: Fri, 17 Apr 2026 12:24:09 +0200
Message-Id: <[email protected]>
From: [email protected]
X-Spam-Level: ****
X-Spamd-Bar: ++++
X-Spam-Status: Yes, score=4.92
X-Spam: Yes

    The rspamd log shows that it handled it:
    Code:
    2026-04-17 12:24:09 #1121(rspamd_proxy) <8d4dfd>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 53176
2026-04-17 12:24:09 #1121(rspamd_proxy) <8d4dfd>; milter; rspamd_milter_process_command: got connection from 79.120.221.61:40988
2026-04-17 12:24:09 #1124(normal) <8346d5>; task; rspamd_worker_body_handler: accepted connection from 127.0.0.1 port 39082, task ptr: 00007F601F3E4CB0
2026-04-17 12:24:09 #1124(normal) <8d4dfd>; task; rspamd_message_parse: loaded message; id: <[email protected]>; queue-id: <9C68C60308>; size: 911; checksum: <b583e094df3b2d2bf46767e5caef78f2>
2026-04-17 12:24:09 #1124(normal) <8d4dfd>; lua; settings.lua:423: <[email protected]> apply static settings ispc_spamfilter_user_15 (id = 2508178252); rcpt matched; priority high
2026-04-17 12:24:09 #1124(normal) <8d4dfd>; task; lua_task_set_settings: disabled action greylist due to settings
2026-04-17 12:24:09 #1124(normal) <8d4dfd>; spf; spf_record_dns_callback: spf error for domain telemedia.cc: cannot resolve AAAA record for telemedia.cc: requested record is not found
2026-04-17 12:24:09 #1124(normal) <8d4dfd>; spf; spf_record_dns_callback: spf error for domain telemedia.cc: cannot resolve A record for telemedia.cc: requested record is not found
2026-04-17 12:24:09 #1124(normal) <8d4dfd>; task; dkim_module_key_handler: stored DKIM key for default._domainkey.telemedia.cc in LRU cache for 3600 seconds, 1/2000 elements in the cache
2026-04-17 12:24:09 #1124(normal) <8d4dfd>; task; rspamd_spf_maybe_return: stored SPF record for telemedia.cc (0xdf847cbe7d6873ec) in LRU cache for 3600 seconds, 1/2000 elements in the cache
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; finalize_item: slow asynchronous rule: RCVD_IN_DNSWL(515): 839.50 ms; no idle timer is needed
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; finalize_item: slow asynchronous rule: DWL_DNSWL(522): 835.50 ms; no idle timer is needed
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; finalize_item: slow asynchronous rule: URIBL_MULTI(545): 352.50 ms; no idle timer is needed
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; lua; greylist.lua:467: greylisting pass (body) until Sat, 18 Apr 2026 10:24:10 GMT
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; lua; lua_bayes_learn.lua:523: id: <[email protected]>, from: <[email protected]>: can autolearn junk: score 4.92 / 4, mime_rcpts: <[email protected]>
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; rspamd_stat_check_autolearn: <[email protected]>: autolearn spam for classifier 'bayes' as message's action is reject, score: 4.91
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; rspamd_stat_classifiers_learn_class: <[email protected]> contains less tokens than required for bayes classifier: 7 < 11
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; rspamd_task_process: skip learning: <[email protected]> contains less tokens than required for bayes classifier: 7 < 11
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; rspamd_task_write_log: id: <[email protected]>, qid: <9C68C60308>, ip: 79.120.221.61, from: <[email protected]>, (default: T (add header): [4.91/100.00] [R_MIXED_CHARSET(2.50){},MISSING_MIME_VERSION(2.00){},R_BAD_CTE_7BIT(1.05){unknown;utf8;},DMARC_POLICY_ALLOW(-0.50){telemedia.cc;reject;},SUBJ_ALL_CAPS(0.37){5;},R_DKIM_ALLOW(-0.20){telemedia.cc:s=default;},R_SPF_ALLOW(-0.20){+mx;},MIME_GOOD(-0.10){text/plain;},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){ccpro.hu:s=default:i=1;},ASN(0.00){asn:12301, ipnet:79.120.192.0/19, country:HU;},DKIM_TRACE(0.00){telemedia.cc:+;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},GREYLIST(0.00){pass;body;},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ONE(0.00){1;},RCVD_TLS_LAST(0.00){},R_DUMMY(0.00){},SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 911, time: 1276.159ms, dns req: 37, digest: <b583e094df3b2d2bf46767e5caef78f2>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>, settings_id: ispc_spamfilter_user_15
2026-04-17 12:24:10 #1124(normal) <8d4dfd>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 180 regexps total, 70 regexps cached, 0B scanned using pcre, 526B scanned total
2026-04-17 12:24:10 #1121(rspamd_proxy) <53bf49>; proxy; proxy_milter_finish_handler: finished milter connection
    But when I view the email in Thunderbird, the subject line is still TEST, not ***SPAM*** TEST

    upload_2026-4-17_12-33-26.png
     
    Shyciii, Apr 17, 2026
    #9

Share This Page