Email role - Spam fighting - Enhance Control Panel

Email role - Spam fighting

Nickske00

Hi,

I have been looking into my email setup these last couple of days and I'm not sure what path to take now.

I have set up a PMG server, setup a testserver with Enhance (Application + Email + DB) and configured the PMG server in the Email role settings. I disabled rspamd on the Enhance testserver as there is no point in checking already checked emails again (coming from the PMG instance). Also, do the blocklist checks work? I see BLOCKLISTDE_FAIL and URIBL_BLOCKED indicating these checks are not working on Enhance? And when running the dns role there is no option to setup a local resolver (bind would have been a better option imho).

Sending and receiving via PMG works like a charm. You get a lot of tools and data at your disposal.
Only downside is if there ever is a spammer and your ip gets a bad rep, it affects all emails coming from the PMG server.

I have also been looking into the Spamhaus DQS service. Configured this on PMG and on a production Enhance server in my cluster. In both instances it is working as it is supposed to be according to the Spamhaus tests.

Others here running a PMG server or something like it?

WasSs

I use Mailcow because I ruled out PMG due to SpamAssassin, as I consider rspamd to be state-of-the-art. I'm currently using it on one domain as an incoming spam filter.

Unfortunately, the Enhance development process is so slow regarding the email system. I switched to Enhance two years ago because I wanted a central hub where I could manage everything out of the box. But my clients are forcing me to take this step because email is practically unusable without manual configuration adjustments.

I also tried using Cpfence, but its configuration only scratches the surface of the available options.

So now I'm considering using the Enhance interface exclusively via API and creating my own web interface so I can manage emails in Mailcow via API.

Because I want to maintain the user experience. It's not all bad in Enhance.

I believe it will take another two years until the enhanced email system is ready for production. Therefore, I need to take action, like many others here, to add email systems before and after the main system to keep it manageable.

Nickske00

Did some extra tinkering with rspamd on an Enhance server. Some stuff I found out:

1) Why is Enhance not using the official repo so we can be on the latest version available? Did this myself and not seeing any problems so far.

2) You need to disable dkim signing in rspamd. Enhance uses opendkim. For every outgoing mail there is a line in the logs about rspamd not being able to open the signing key (what is normal because opendkim is doing the signing). Creating a simple file /etc/rspamd/local.d/dkim_signing.conf with enabled = false; in it solves this.

3) Every mailbox has a 'Spam settings' section in Enhance. There are default settings in there rspamd is not using at the moment. They only get used when a user changes one of the settings and the panel saves them.

Default values in Enhance are: Spambox = 4; Reject = 8; Greylist = 6

But like said before, rspamd does not use these unless the user changes one first (it is enough to move one up and down to trigger the saving).

So by default rspamd will use his own defaults: Spambox = 6; Reject = 15; Greylist = 4

An easy solution would be for Enhance to set their own defaults with a config file so the displayed values in the panel are used from the start, a better solution would be to make these default settings editable in the Email section from a servers settings and let Enhance show these as defaults for every mailbox on that server.

4) More general question: why are all filters still so 'nice' for emails that are not following spf and dmarc settings? I tested spoofing from my own domain to my own server. I have spf and dmarc configured strict (spf ends with '-all', dmarc policy = reject on fail), because only my server is allowed to send emails from my domain.

But when I let another server send emails with my domain as sender you can see dmarc and spf failing but only adding 0.2 to the spamscore.. I mean, I confiure my spf and dmarc to reject so I would expect other servers to actually reject when emails get send from an unknown server.. To solve this I changed the error scores for these to 20 so my server reject this kind of mails in the future.