Spam and phishing emails are not just annoying; they can compromise your mail server’s reputation, clog your mail queue, and put your users at risk. If you run a self-hosted mail server on Fedora 43, you need a fast, reliable spam filter that can handle real-world email volume without eating your server resources. Rspamd is one of the best open-source spam filtering solutions available today, and this guide will walk you through a complete install Rspamd on Fedora 43 setup from start to finish.

By the end of this tutorial, you will have a fully operational Rspamd instance running with Redis as its caching backend, a secured web interface, DKIM signing, and optional Postfix integration. This is a hands-on, terminal-driven guide aimed at beginner to intermediate Linux sysadmins who are comfortable with sudo commands.

Prerequisites

Before you start, make sure you have the following in place:

• Operating system: Fedora 43 (server or minimal install recommended)
• User privileges: Root or a user with full sudo access
• Internet access: Required to pull the official Rspamd RPM repository
• MTA installed: Postfix or Exim (needed only if you want mail integration; covered in Step 10)
• Minimum hardware: 1 CPU core, 1 GB RAM (Rspamd + Redis combined)
• Open ports: 11332 (proxy/milter), 11333 (scanner), 11334 (web UI)
• Default tools available: curl, dnf, systemctl — all present on Fedora 43 by default

Step 1: Update Your Fedora 43 System

Before adding any new repository, always bring your system fully up to date. This prevents dependency conflicts and ensures you are working with the latest kernel and security patches.

Fedora 43 ships with DNF 5, which uses a --refresh flag to force metadata re-sync from all repositories. This is especially important after the Fedora 43 transition to RPM 6.0, which introduced tighter dependency resolution behavior.

Run the upgrade:

sudo dnf upgrade --refresh -y

After the upgrade finishes, reboot to apply any kernel updates:

sudo reboot

Once the server is back online, verify your Fedora version and kernel:

uname -r
cat /etc/fedora-release

You should see output confirming Fedora release 43 and the latest kernel version. If both lines return correctly, you are ready to proceed.

Step 2: Add the Official Rspamd RPM Repository

Rspamd is not available in the default Fedora repositories, so you need to add the official Rspamd stable RPM repository manually. Always use the official repository rather than COPR or third-party builds, especially on production servers.

Rspamd provides RPM packages for RHEL-compatible distributions. On Fedora 43, you can use the CentOS/EL 8-compatible repository path. The official documentation recommends detecting the EL version dynamically rather than hardcoding it:

source /etc/os-release
EL_VERSION=$(echo -n $PLATFORM_ID | sed "s/.*el//")
sudo curl -o /etc/yum.repos.d/rspamd.repo \
  https://rspamd.com/rpm-stable/centos-${EL_VERSION}/rspamd.repo

If the dynamic detection does not return a value on Fedora 43 (since Fedora is not technically an EL distro), fall back to the EL 8 path directly:

sudo curl -o /etc/yum.repos.d/rspamd.repo \
  https://rspamd.com/rpm-stable/centos-8/rspamd.repo

Confirm the repo file was saved correctly:

cat /etc/yum.repos.d/rspamd.repo

You should see a [rspamd] section with a baseurl, gpgcheck=1, and enabled=1. If gpgcheck is set to 0, change it to 1 before proceeding. Never install packages without GPG verification on a production server.

Important Note on Repository Branches

Rspamd offers three repository branches: stable, experimental, and ASAN (debug builds).

• Use stable for any production or semi-production environment
• Use experimental only in test environments where you need a specific bug fix not yet in stable
• Never use ASAN packages in production; they run significantly slower and are intended for crash debugging only

Step 3: Import the Rspamd GPG Signing Key

Fedora 43 ships with RPM 6.0, which enforces stricter GPG key verification during package installs. If you skip this step, DNF will refuse to install Rspamd and throw a GPG verification error.

Import the key:

sudo rpm --import https://rspamd.com/rpm-stable/gpg.key

Verify the key was imported successfully:

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

Look for an entry that references Rspamd in the summary column. If you see it listed, the key is in place and DNF will trust packages signed with it.

Step 4: Install Rspamd Using DNF

With the repository and GPG key in place, install Rspamd:

sudo dnf install rspamd -y

DNF will resolve and pull in all required dependencies automatically, including libicu, luajit, and hyperscan where available.

Once the install completes, confirm Rspamd is installed and check its version:

rpm -qi rspamd
rspamd --version

The --version output will show you the exact Rspamd build version along with its compile-time features (LuaJIT, Hyperscan, jemalloc). Official packages include Link Time Optimization (LTO), bundled LuaJIT 2.1, and jemalloc for a multi-threaded memory allocator — none of which are typically present in distribution-provided packages.

Default Installation Paths

After install, familiarize yourself with these key paths:

• Binary: /usr/bin/rspamd
• Configuration: /etc/rspamd/
• Local overrides: /etc/rspamd/local.d/ and /etc/rspamd/override.d/
• Data and statistics: /var/lib/rspamd/
• Log files: /var/log/rspamd/
• Client utility: rspamc
• Admin utility: rspamadm

Handling a libicu Version Conflict

On Fedora 43, you may occasionally hit a libicu version conflict because Fedora ships a newer libicu than what the EL 8 RPM expects. If DNF reports a dependency error, use the --allowerasing flag to let DNF resolve the conflict automatically:

sudo dnf install rspamd --allowerasing -y

This flag allows DNF to remove conflicting packages when necessary. Review what DNF plans to remove before confirming.

Step 5: Install and Configure Redis

Redis is a required backend for Rspamd. It stores Bayesian statistical data, fuzzy hashes, and greylisting records. Without Redis, key spam detection features including Bayes filtering and greylisting will not function.

Install Redis from Fedora’s default repositories:

sudo dnf install redis -y

Configure Redis for Security and Performance

Open the Redis configuration file:

sudo nano /etc/redis/redis.conf

Make the following changes:

bind 127.0.0.1
maxmemory 256mb
maxmemory-policy allkeys-lru

The bind 127.0.0.1 directive restricts Redis to local connections only, preventing exposure to the network. The maxmemory and eviction policy settings prevent Redis from consuming all available RAM when the cache fills up.

Link Rspamd to Redis

Create the Redis configuration file in Rspamd’s local override directory:

sudo nano /etc/rspamd/local.d/redis.conf

Add this line:

servers = "127.0.0.1";

This tells all Rspamd modules that use Redis to connect to the local Redis instance on the default port 6379.

Step 6: Start and Enable Rspamd and Redis Services

Start both services and set them to launch automatically on reboot:

sudo systemctl start redis rspamd
sudo systemctl enable redis rspamd

Check that both services are running without errors:

sudo systemctl status rspamd
sudo systemctl status redis

Both services should show Active: active (running). For Rspamd, you will also notice multiple worker processes in the status output. This is normal behavior; Rspamd spawns separate workers for the scanner, controller, and proxy roles by default.

If Rspamd fails to start, check whether Redis is available first. Rspamd depends on Redis for several startup tasks. Start Redis before Rspamd if you see connection errors in the log.

Step 7: Verify the Installation

Before touching configuration, confirm that Rspamd is listening on all expected ports:

sudo ss -tlnp | grep rspamd

Expected output:

127.0.0.1:11332   # Proxy worker (milter)
127.0.0.1:11333   # Normal worker (scanner)
127.0.0.1:11334   # Controller (web UI)

Run a quick functional test using rspamc:

echo "Test message" | rspamc

The output will include a spam score, a list of triggered symbols, and an action recommendation such as no action or add header. If you see valid output here, the scanner is working correctly.

Check the journal for any startup warnings:

sudo journalctl -u rspamd -n 50

Look for lines starting with error or critical. Warnings are generally safe to ignore at this stage, but errors need to be resolved before moving to production.

Step 8: Configure Rspamd on Fedora 43

This is one of the most important concepts to understand when you configure Rspamd on Fedora 43: never edit the main /etc/rspamd/rspamd.conf file directly.

Rspamd uses a layered configuration system:

• /etc/rspamd/local.d/ — for partial overrides (your settings merge with defaults)
• /etc/rspamd/override.d/ — for full replacements (your settings completely replace defaults)

Always use local.d unless you specifically need to replace an entire section.

Set a Secure Web Interface Password

The web interface has no password by default. Set one immediately:

rspamadm pw

Enter and confirm a strong password. The tool outputs a bcrypt hash. Copy it, then create the controller configuration file:

sudo nano /etc/rspamd/local.d/worker-controller.inc

Add:

password = "$2$your_generated_hash_here";
bind_socket = "127.0.0.1:11334";

Binding the controller to 127.0.0.1 prevents the web interface from being exposed directly to the internet. Access it remotely via SSH tunnel or an Nginx reverse proxy with HTTPS for production setups.

Configure the Normal Worker

sudo nano /etc/rspamd/local.d/worker-normal.inc

Add:

bind_socket = "127.0.0.1:11333";

Configure Logging

sudo nano /etc/rspamd/local.d/logging.inc

Add:

level = "error";
type = "syslog";

Setting the log level to error keeps the logs clean on a stable system. Change it to info or debug temporarily when troubleshooting.

Validate and Reload Configuration

Always test your configuration before reloading the service. A syntax error in a config file will crash Rspamd on restart:

rspamadm configtest

If the output says syntax OK, reload the service:

sudo systemctl reload rspamd

Step 9: Access and Secure the Rspamd Web Interface

The Rspamd web interface gives you a real-time dashboard to monitor throughput, inspect per-symbol scores, and train the Bayesian filter directly from a browser.

If you are accessing the server remotely, open port 11334 through Fedora’s firewall temporarily for testing:

sudo firewall-cmd --permanent --add-port=11334/tcp
sudo firewall-cmd --reload

Open your browser and go to:

http://<your-server-ip>:11334

Log in with the password you set in Step 8. The dashboard will show active connections, messages scanned per second, spam/ham ratio, and module status.

For a production setup, close port 11334 on the public interface and use an SSH tunnel instead:

ssh -L 11334:127.0.0.1:11334 user@your-server

Then access http://localhost:11334 from your local browser. This keeps the web UI completely off the public internet without needing Nginx or Apache.

Step 10: Integrate Rspamd with Postfix (Milter)

Rspamd connects to Postfix via the milter (mail filter) protocol. This allows Rspamd to inspect every incoming and outgoing message and attach spam scores as headers, or reject messages above a threshold.

Enable the Proxy Milter Worker

sudo nano /etc/rspamd/local.d/worker-proxy.inc

Add:

bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;
}

Reload Rspamd:

sudo systemctl reload rspamd

Configure Postfix to Use Rspamd

Edit the main Postfix configuration file:

sudo nano /etc/postfix/main.cf

Add these lines at the end:

smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
milter_default_action = accept

The milter_default_action = accept directive ensures that if Rspamd is temporarily unavailable, Postfix will still accept mail rather than reject it. This is the right default for production.

Restart Postfix:

sudo systemctl restart postfix

Send a test email through your server and check the headers. You should see X-Rspamd-Score and X-Spamd-Result headers injected by Rspamd into every processed message.

Step 11: Configure DKIM Signing

Rspamd has a built-in DKIM signing module, which means you do not need a separate tool like OpenDKIM. This simplifies your stack considerably and reduces the number of moving parts to maintain.

Generate a DKIM key pair for your domain:

rspamadm dkim_keygen -s mail -d yourdomain.com \
  -k /var/lib/rspamd/dkim/yourdomain.com.mail.key

Replace yourdomain.com with your actual domain. The command outputs the private key file and prints the DNS TXT record you need to publish with your domain registrar.

Create the DKIM signing configuration:

sudo nano /etc/rspamd/local.d/dkim_signing.conf

Add:

path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "mail";
allow_envfrom_empty = true;
allow_hdrfrom_mismatch = true;

Set correct ownership on the key directory:

sudo chown -R _rspamd: /var/lib/rspamd/dkim/

Reload Rspamd, then send a test email and inspect the headers for a valid DKIM-Signature field.

Step 12: Enable SPF, DMARC, and Greylisting

These three features work together to block spoofed and forged email at the inbound level. All three modules come with Rspamd and just need to be activated.

Enable SPF Checks

sudo nano /etc/rspamd/local.d/spf.conf

Add:

enabled = true;

Enable DMARC Checks

sudo nano /etc/rspamd/local.d/dmarc.conf

Add:

reporting {
  enabled = true;
  from_name = "Rspamd DMARC report";
}

Enable Greylisting

Greylisting temporarily rejects messages from unknown senders, forcing legitimate mail servers to retry. Spambots rarely retry, so this single technique blocks a large percentage of junk mail with almost zero false positives.

sudo nano /etc/rspamd/local.d/greylisting.conf

Add:

enabled = true;

Greylisting data is stored automatically in Redis. To avoid delaying legitimate newsletters or bulk senders, only greylist messages that already have a score above 4.0 by adjusting the threshold in your actions.conf.

Reload Rspamd after making all three changes:

rspamadm configtest && sudo systemctl reload rspamd

Step 13: Test Your Full Setup

Run a comprehensive test to confirm the whole pipeline is working correctly.

Scan a Test Message

echo "Test message" | rspamc

Use the GTUBE Spam Test String

The GTUBE (Generic Test for Unsolicited Bulk Email) is the standard string used to verify that a spam filter is actually catching spam. Create a test email file and add this string to the body:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Scan it:

rspamc < /path/to/gtube-test.eml

Rspamd should return a very high spam score (well above the default reject threshold of 15) and flag the GTUBE symbol.

Check the Web UI

Log into http://<server-ip>:11334 and confirm that scan statistics are updating on the dashboard.

Final Configuration Check

rspamadm configtest

This command must return syntax OK with zero errors before you consider the setup production-ready.

Troubleshooting Common Errors on Fedora 43

Error 1: GPG Key Verification Failure During dnf install rspamd

Symptom: DNF refuses to install Rspamd and shows a GPG signature error.

Fix: Re-run the GPG key import command and retry:

sudo rpm --import https://rspamd.com/rpm-stable/gpg.key
sudo dnf install rspamd -y

Error 2: rspamd.service Fails to Start (Redis Not Available)

Symptom: Rspamd fails at startup with a Redis connection error in journalctl.

Fix: Make sure Redis starts before Rspamd:

sudo systemctl start redis
sudo systemctl start rspamd

If this keeps happening on reboot, create a systemd override:

sudo systemctl edit rspamd

Add under [Unit]:

After=redis.service
Requires=redis.service

Error 3: libicu Version Conflict During Install

Symptom: DNF reports an unresolvable libicu dependency error.

Fix: Use the --allowerasing flag:

sudo dnf install rspamd --allowerasing -y

Review the list of packages DNF plans to remove before confirming.

Error 4: Web Interface Not Accessible

Symptom: Browser cannot reach http://<server-ip>:11334.

Fix: Check your firewall rules and confirm Rspamd is bound to the right address:

sudo firewall-cmd --list-ports
sudo ss -tlnp | grep 11334

If port 11334 is not listed, check your worker-controller.inc bind address and reload Rspamd.

Error 5: Configuration Change Does Not Take Effect

Symptom: You edited a file in local.d but behavior did not change.

Fix: Always validate and reload in two steps:

rspamadm configtest
sudo systemctl reload rspamd

If configtest reports an error, fix it before reloading. Reloading a broken config will crash the Rspamd service.

Congratulations! You have successfully installed Rspamd. Thanks for using this tutorial to install the latest version of Rspamd open-source spam filtering system on Fedora 43 Linux system. For additional help or useful information, we recommend you check the official Rspamd website.