Advice for fighting spam on Enhance -powered mail server

ronald

I'm running a Enhance -powered mail server in my stack, and I've been struggling with spam not being adequately caught by Rspamd. While Rspamd is integrated within Enhance, I’ve noticed that the default configuration seems quite basic and doesn’t catch enough spam.

I’m looking for advice from others who have fine-tuned their spam filtering settings. Specifically, I’d love to hear about any custom configurations, module recommendations (like RBLs, Bayesian filtering, fuzzy checks), or any other tips that have helped improve spam detection.

I know there has been talks about improvements in future upgrades of Enhance, but I am not sure I can wait that long without loosing customers to their daily frustration of spam being let through, without any proper means of filtering their mail.

JohnBee

ronald
I think I get where you're coming from.

That said, the only thing I can think of at this stage, would be offloading your mail services to another solution.
Then again, im not sure how far down that rabbit hole one should go for shared email hosting...

In all fairness, when was the last time you used web hosting email for anything but a pinch?

Whatever the case, you could implement filtering like Proxmox Mail Gateway or similar third party to your email services, though I would avoid such types measures in shared environments, and as these tend to be make-or-break, in-that email is either done right, or not at all - otherwise, it will prove to be a never-ending pit of constant attention and hardship.

NB, if you really want to offer mail services to live customers, then I'd recommend a solution like MXroute Reseller)(w/ whitelisting), otherwise, I really don't think email hosting is worth the hassles in a shared customer environment personally - but that's just me

PS, I've been using Cloudron w/SoGo webmail along with Proxmox Mail Gateway for my personal emails, which has proven to be bullet-proof insofar as spam goes - though to be fair, that is not a customer environment, and moreso, that what little customers I do offer email to, are being hosted on MXroute

bruzli

For users which request better spam filtering we configure SpamExperts, manually as mx, there is no integration from what I know. Or we also resell M365 for customers who afford it and require more functionality.

Vendoz

JohnBee NB, if you really want to offer mail services to live customers, then I'd recommend a solution like MXroute Reseller)(w/ whitelisting), otherwise, I really don't think email hosting is worth the hassles in a shared customer environment personally - but that's just me

Totally agree. After more or less 15 years, we're discontinuing the email service as it is more of a pain than a gain today. Here in enhance cluster we didn't create a mail server indeed. If a customer wants mail service now we only offer M365, and since then every single aspect is better (service, maintenance and profit), at least this is my experience.

josedieguez

i'm still surprised of see many providrs who have discountinued the email service, or talks bad about providers who dare to offer email services...

I just can't see how i would be able of that, i mean, for me, if the hosting services doesn't include mail, or the provider tells me "go pay extra to google or microsoft" i would just go to another provider s:

Vendoz

josedieguez You can resell it, you don't "send them to google or microsoft", you activate 365 email instead of create yours. Price is bigger, but service is infinitely better.

mendozal

josedieguez this is exactly my experience too. Customers want the whole package and they are not willing to pay (or can't) 6 or 7 USD per mailbox.

I was thinking on having a mailcow instance and move customers with special needs there. It's just a very intensive manual work.

Having said that. I've had only very minor issues with spam. The last case was due to the spam settings not being saved to the enhance's redis db and thus not applying correctly.

I believe more spam features are coming. Like the ability to learn spam. And more flexible blacklist options.

JohnBee

mendozal

I was thinking on having a mailcow instance and move customers with special needs there

Sounds sadistic lol

ronald

I am not interested in a debate of whether to host email or not, and is clearly not the topic or question in this post.

My larger clients are using professional mail services, but most of my customers are startups/entrepreneurs and small businesses where a email offering is required to be considered as their hosting provider.

I have years of experience as a network and system administrator, I am an old fart, but only a few months as an Enhance admin - which is why I reached out. I refuse to believe the best solution is to close down the email offering.

I will give Proxmox Mail Gateway a go.

JohnBee

ronald

I will give Proxmox Mail Gateway a go.

I think you'll like what PMG can bring to your mail services, insofar as security is concerned.

That said, and if it were me(for whatever that's worth), I'd also consider adding an outbound relay to the mix - ie, smtp2go provides subaccounts with API to control /monitor outbound mail - and mores, that this combined with PMG could prove substantial in helping curb IP blacklisting with shared mail services.

Good luck!

ronald

I have got Proxmox Mail Gateway up and running for incoming mail and so far so good. Tempted to also use it for outgoing relay but I need to do some more testing first.

As far as I can tell Enhance only support smart host relay globally, am I correct?

JohnBee

ronald

To leave no stone unturned, outgoing SMTP relay can be accomplished as follows;

at the user client level - too easy
at the mail server level - moderate to easy
at the PMG level - no so easy

That said, and should you choose to cover both in/and outbound with PMG, I would offer the following for your consideration;

`To configure username/password authentication with SMTP2GO on PMG;

Create necessary directories and copy templates:

   mkdir -p /etc/pmg/templates
   cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/main.cf.in

Edit /etc/pmg/templates/main.cf to include:

   smtp_sasl_auth_enable = yes
   smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
   smtp_sasl_security_options = noanonymous

Configure SMTP authentication:

   nano /etc/postfix/smtp_auth
   mail.smtp2go.com:2525 username:password
   chmod 640 /etc/postfix/smtp_auth
   postmap /etc/postfix/smtp_auth

Sync PMG configuration and restart services:

   pmgconfig sync --restart 1
   systemctl restart postfix

I have performed these steps/ tested and confirmed to work`

NB, To my knowledge, it is not possible to edit ' /etc/pmg/templates/main.cf.in', as PMG will revert it the moment it is saved /restarted etc. And so you'll need to make changes to the template ' /etc/pmg/templates/main.cf.in'

best of luck!

Amadex

https://community.enhance.com/d/2013-spam-protection-based-on-dns-blackhole-lists

ronald

With PMG up and running for both incoming and outgoing e-mail, is like night and day. I now have proper SPF/DKIM and spam fighting techniques in play - where there seemed to be none on a vanilla Enhance mail setup.

I hope this is something we will see improvements for at the Enhance -level soon, cause right now the vanilla e-mail setup for Enhance is not production ready.

JohnBee

ronald
Congratulations!

I've grown quite fond of PMG since implementing it in my own service stack in recent past.
That said, and after all of the trauma with alternative setups, we've all but forgotten what it was like to suffer with SPAM 🙂

PS, there is also the matter of sa-learning with PMG that you may want to consider in the future

alenguav

Have you tried this thing called cPFence? I guess they include antispam in their solution too

cPFence

alenguav Have you tried this thing called cPFence? I guess they include antispam in their solution too

Yes, that’s correct. cPFence includes a server wide spam protection feature that users can enable with:

cpfence --enable-spam-protection

By default, it is off. When enabled, cPFence will automatically quarantine pure spam emails that do not contain infections or phishing links but are otherwise annoying or misleading or are trying to deceive and blackmail the user.

One of our users with mail servers have reported cPFence removing over 2,400 spam emails from a single account, significantly reducing inbox clutter.

wav3front

For PMG you have to manually add each domain that you host on Enhance?

JohnBee

wav3front
Yes, correct

wav3front

cPFence does it also use DNSBL checks?

cPFence

wav3front

No, cPFence does not use DNSBL checks. Instead, it scans emails server-wide as they arrive. If any malicious links or malware are detected, the email is quarantined. When spam protection is enabled, cPFence will also quarantine pure spam emails, those meant to deceive, blackmail, or mislead users , keeping your inbox safe without external DNS-based filtering.