Integration of Rspamd into production grommunio environments
1. Introduction
With grommunio-antispam, the platform is extended by a powerful spam filtering component based on Rspamd, which combines modern analysis methods. In addition to classic verification mechanisms such as SPF, DKIM, and DNS validation, it employs adaptive learning technologies that continuously adjust to real-world user behavior.
In production environments, however, it is not sufficient to merely detect spam. What matters is consistently reliable filtering quality that can adapt to emerging threats without negatively affecting legitimate email communication. This is exactly where grommunio-antispam comes into play: through a combination of automatic learning, flexible rule definitions, and clearly structured administration.
2. Role of grommunio-antispam in the Mail Infrastructure
Within the grommunio architecture, grommunio-antispam is responsible for the central task of evaluating the content of incoming messages. Rspamd does not operate in isolation, but rather as an integral part of the mail processing pipeline.
Every incoming email is analyzed, evaluated, and classified using a scoring system. This score is calculated from a wide range of factors, including technical authentication mechanisms, reputation data, and statistical models. The result is a well-founded decision on whether a message should be delivered, tagged, or blocked.
This architecture enables a high degree of flexibility and can be tailored to different requirements — from highly restrictive environments with strict security demands to open communication structures where deliverability is the primary focus.
3. Access and Administration
Administration of grommunio-antispam is performed through the integrated web interface within the grommunio Admin UI. It provides a centralized entry point for configuration, analysis, and troubleshooting.
If access to the web interface is no longer possible — for example due to a forgotten password — the password can be reset at any time via the command line. To do so, a new hash must first be generated:
rspamadm pw
The generated value looks similar to the following example:
$2$xruxgg1e5ebwy7r1mmsayyd1ixuo1nhx$ts74rx8fi65a8rrfzzxcmpucfe135jiy8gscmkerdazk86ffq5rb
The generated value is then entered into the file /etc/grommunio-antispam/local.d/worker-controller.inc:
password = "$2$xruxgg1e5ebwy7r1mmsayyd1ixuo1nhx$ts74rx8fi65a8rrfzzxcmpucfe135jiy8gscmkerdazk86ffq5rb";
After restarting the service, the web interface will again be available at https://mail.example.com:8443/antispam/:
systemctl restart grommunio-antispam
This mechanism ensures that administrative access remains available at all times, independently of the web interface.
After logging into the web interface, you gain access to the dashboard containing all relevant information about current filtering activity.
4. Multimaps as a Central Control Element
A core component of the configuration is the use of so-called multimaps. They enable flexible and granular control over senders and therefore represent an essential tool for fine-tuning the filtering logic.
In practice, a clear separation between domain-based and address-based rules has proven effective. Domains are evaluated independently of individual users, while specific senders can be handled in a more targeted manner. This results in a clean and maintainable structure that can easily be extended and managed over time.
Typical use cases include whitelisting trusted partner domains, selectively allowing individual senders, as well as blocking suspicious domains or email addresses.
This flexibility makes it possible to respond quickly to real-world requirements without having to modify the entire filtering logic.
A typical configuration may look as follows:
WHITELIST_SENDER_DOMAIN {
  type = "from";
  filter = "email:domain";
  map = "/var/lib/grommunio-antispam/whitelist_sender_domain.map";
  score = -25.0;
  regexp = true;
}
WHITELIST_SENDER_ADDRESS {
  type = "from";
  map = "/var/lib/grommunio-antispam/whitelist_sender_address.map";
  score = -12.0;
}
While domain-based rules extract and evaluate only the domain portion of an address, individual email address rules perform a direct comparison. The resulting evaluation is controlled through the assigned score, which directly influences the behavior of the spam filter.
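Because the domain rule above sets regexp = true and carries a score of -25.0, an entry that matches more than intended whitelists more senders than intended. The following Python lint for the domain map is an added example, not part of grommunio or Rspamd. It assumes that each map line is a regular expression searched for anywhere in the extracted domain, and it models that with Python's re module, whose syntax may differ in details. The sample entries and probe domains are constructed.

```python
import re

# Constructed sample content for whitelist_sender_domain.map.
DOMAIN_MAP = r"""
# trusted partners
example.com
^partner\.example$
.*
"""

def parse_map(text):
    """Yield the key of each entry; blank lines and '#' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()[0]  # anything after the key is ignored

def matches(pattern, domain):
    """Assumed map semantics: case-insensitive, unanchored search."""
    return re.search(pattern, domain, re.IGNORECASE) is not None

def lint_entry(pattern):
    """Return the findings for one regexp entry of the domain whitelist."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return [f"invalid regexp: {exc}"]
    findings = []
    if not (pattern.startswith("^") and pattern.endswith("$")):
        findings.append("not anchored with ^ and $")
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        findings.append("unescaped '.' matches any character")
    if matches(pattern, "unrelated-sender.test"):  # constructed probe domain
        findings.append("matches an unrelated domain")
    return findings

def lint_map(text):
    """Map each entry to its findings; an empty list means the entry passed."""
    return {key: lint_entry(key) for key in parse_map(text)}

if __name__ == "__main__":
    for entry, findings in lint_map(DOMAIN_MAP).items():
        print(entry, "->", findings or "ok")
```

Under the assumed semantics, the plain entry example.com also matches example.com.unrelated.test and examplexcom.test, while ^example\.com$ matches only the intended domain.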
5. Separation of Configuration and Data
A key best-practice approach when operating grommunio-antispam is the strict separation between static configuration and dynamic data.
While the actual filtering logic remains in place under
/etc/grommunio-antispam
lists such as whitelists and blacklists are stored under
/var/lib/grommunio-antispam
For example, the following files may be located there:
whitelist_sender_domain.map
whitelist_sender_address.map
The chosen structure provides several advantages. Changes to lists can be made independently of the configuration, updates do not interfere with existing customizations, and administration tasks can be delegated in a controlled manner. At the same time, the system configuration remains stable and transparent.
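For the lists to be editable through the web interface, ownership and permissions of the map files are adjusted as follows:
chown groas:grommunio /var/lib/grommunio-antispam/*.map
chmod 750 /var/lib/grommunio-antispam/*.map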
After this adjustment, domains and email addresses can be managed directly through the web interface without requiring access to the command line. This is a major advantage, especially in environments with delegated administration.
6. Managing Whitelists and Blacklists
Sender lists are maintained using simple map files. These may contain both domains and individual email addresses and are evaluated directly by Rspamd.
To allow editing through the web interface, the corresponding files must be assigned appropriate permissions. This ensures that changes can be made in a controlled manner without requiring direct command-line access.
This is a significant advantage, particularly in environments with multiple administrators or external service providers, as responsibilities can be clearly separated.
One current limitation is that the web interface only supports basic password authentication. Integration with centralized identity solutions for personalized access control is currently not available, which may become a limitation especially in larger environments.
7. Automatic Spam Learning
A decisive factor in the quality of a spam filter is its ability to learn from real-world data. For this purpose, grommunio-antispam utilizes the contents of users’ junk folders and evaluates them on a regular basis.
The learning process is controlled through a systemd timer and is executed once per day by default. During this process, existing spam messages are analyzed and incorporated into the statistical models.
The timer is enabled with:
systemctl enable grommunio-spam-run.timer
This approach ensures that the filter continuously adapts to new patterns and reliably detects previously unknown spam variants as well.
8. Manual Testing and Debugging
For testing purposes or detailed analysis, the learning process can also be triggered manually at any time:
systemctl start grommunio-spam-run.service
Alternatively, the underlying script can be executed directly:
/usr/sbin/grommunio-spam-run.sh
This requires that corresponding emails are present in the junk folders of the mailboxes. Only then can they be processed as training data and incorporated into the filtering logic.
In addition to automated learning, the Rspamd web interface provides further options for analysis and manual training. Through the “Scan/Learn” section, individual messages can be checked and classified directly.
In the upper section, a message can be pasted or uploaded in order to receive an immediate evaluation by the spam filter.
In addition, so-called fuzzy hashes can be calculated and selectively added to the database. Unlike traditional hashes, these are capable of identifying not only identical content but also similar messages with minor modifications. This allows Rspamd to detect recurring spam campaigns even when individual contents or headers have been slightly altered.
This significantly improves the recognition of known spam patterns and enhances long-term filtering quality.
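The difference between an exact hash and a similarity-preserving fingerprint can be shown in a few lines of Python. This is an added, simplified illustration and not Rspamd's actual fuzzy hashing algorithm. The message bodies are constructed, and the three-word window and 32 signature slots are illustrative choices.

```python
import hashlib

# Constructed sample bodies: VARIANT differs from ORIGINAL by a single word.
ORIGINAL = ("Dear customer your parcel could not be delivered today please "
            "confirm your address using the link below within two days or "
            "the parcel will be returned to the sender")
VARIANT = ORIGINAL.replace("today", "yesterday")
UNRELATED = ("The quarterly report is attached and the meeting moves to "
             "Thursday afternoon")

def exact_digest(text):
    """Classic hash: any change to the input gives an unrelated digest."""
    return hashlib.sha256(text.encode()).hexdigest()

def shingles(text, width=3):
    """Set of overlapping windows of `width` consecutive words."""
    words = text.lower().split()
    return {" ".join(words[i:i + width]) for i in range(len(words) - width + 1)}

def jaccard(a, b):
    """Exact share of shingles that the two texts have in common."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)

def signature(text, slots=32):
    """Fixed-size fingerprint: per slot, the smallest salted hash of any shingle."""
    grams = shingles(text)
    return [min(hashlib.blake2b(s.encode(), digest_size=8,
                                salt=slot.to_bytes(2, "big")).digest()
                for s in grams)
            for slot in range(slots)]

def similarity(a, b):
    """Fraction of signature slots that agree; approximates jaccard(a, b)."""
    sig_a, sig_b = signature(a), signature(b)
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)

if __name__ == "__main__":
    print("sha256 equal:", exact_digest(ORIGINAL) == exact_digest(VARIANT))
    print("shingle overlap:", jaccard(ORIGINAL, VARIANT))
    print("signature agreement:", similarity(ORIGINAL, VARIANT))
    print("unrelated message:", similarity(ORIGINAL, UNRELATED))
```

Only the fixed-size signature has to be stored to recognise later variants; the single changed word leaves 24 of 30 distinct shingles shared, so most slots still agree.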
For more advanced analysis, tools such as “Test Selectors” are available. These allow detailed evaluation of individual message components and are especially useful when developing or troubleshooting custom rules.
In addition, the History view provides an overview of previously processed messages. Here, evaluations, scores, and detected symbols can be reviewed, which is especially helpful when analyzing false positives or other misclassifications.
These features are especially valuable in complex environments where the behavior of the spam filter needs to be analyzed and optimized in a targeted manner.
9. Best Practices for Production Environments
In production environments, a clear separation between configuration and data has proven to be highly effective. The actual filtering logic remains under /etc/grommunio-antispam, while dynamic content such as whitelists and blacklists is maintained under /var/lib/grommunio-antispam.
This structure not only improves stability during updates, but also simplifies maintenance and enables a clear separation of responsibilities between system administration and operational management.
10. Conclusion
grommunio-antispam provides a powerful foundation for modern spam filtering in production environments. By combining flexible multimaps, a clearly structured architecture, and automated learning capabilities, the system continuously improves while remaining easy to manage.
The consistent separation of configuration and data, together with the ability to delegate administrative maintenance tasks, makes the solution particularly maintainable and scalable.





