UbuntuUbuntu Based

How To Install Rspamd on Ubuntu 24.04 LTS

r00t
10 minutes read

Install Rspamd on Ubuntu 24.04

Spam and phishing emails are not just annoying. On a production mail server, they consume resources, expose users to malware, and damage your domain reputation. If you are running a self-hosted mail server on Ubuntu 24.04 LTS and still relying on SpamAssassin, you already know the frustration of tuning endless rule files while spam keeps landing in inboxes.

Rspamd is the modern answer to that problem. Written in C with a Lua scripting engine, it processes email at significantly faster speeds than SpamAssassin’s Perl-based architecture. In this guide, you will learn exactly how to install Rspamd on Ubuntu 24.04 LTS, connect it to Redis, integrate it with Postfix through the milter protocol, configure DKIM signing, access the built-in Web UI, and tune spam scoring thresholds. Every command in this article was verified on Ubuntu 24.04 Noble Numbat.

Prerequisites

Before starting, confirm you have the following in place:

  • Operating System: Ubuntu 24.04 LTS (Noble Numbat), fresh or existing install
  • Mail server: Postfix already installed and running as your SMTP daemon
  • User permissions: Root access or a user with full sudo privileges
  • Network: A static IP address assigned to the server
  • DNS access: Ability to add TXT records to your domain (required for DKIM)
  • Open ports: TCP 11332 (milter proxy), 11333 (normal worker), 11334 (Web UI controller)
  • Basic skills: Comfort with the terminal, systemctl, and editing config files with nano or vi

Note: Ubuntu 24.04.1’s default package repository ships an older Rspamd build that has a known Web UI tab-switching bug. This guide uses the official Rspamd APT repository to ensure you get the latest stable release.

Step 1: Update Your System

Always start with a clean, fully updated system. This prevents dependency conflicts during installation.

sudo apt update && sudo apt upgrade -y

After the upgrade completes, install the two utility packages the Rspamd repository setup process requires:

sudo apt install curl gnupg lsb-release -y
  • curl fetches the GPG signing key from Rspamd’s servers.
  • gnupg handles key dearmoring and keyring management.
  • lsb-release returns your Ubuntu codename (in this case, noble), which the repository URL requires.

Reboot if a kernel update was applied:

sudo reboot

Step 2: Install Redis on Ubuntu 24.04

Redis is a fast in-memory key-value store. Rspamd uses it as the backend for Bayesian spam classification, greylisting, rate limiting, neural network filtering, and the Web UI history tab. Without Redis, most of Rspamd’s most effective modules stay disabled.

Add the Official Redis Repository

Ubuntu 24.04’s default Redis package works, but adding the official Redis repository gives you the latest stable version with better performance:

curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
sudo chmod 644 /usr/share/keyrings/redis-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list

Install and Enable Redis

sudo apt update
sudo apt install redis -y
sudo systemctl enable redis-server
sudo systemctl start redis-server

Verify Redis Is Running

sudo systemctl status redis-server

You should see active (running) in green. Confirm Redis is bound to localhost only:

ss -ltn | grep 6379

Expected output:

LISTEN  0  511  127.0.0.1:6379  0.0.0.0:*

Security warning: If Redis shows 0.0.0.0:6379, it is listening on all interfaces and is publicly accessible. Edit /etc/redis/redis.conf, set bind 127.0.0.1, and restart Redis. Exposing Redis to the internet is a critical vulnerability.

Step 3: Add the Official Rspamd Repository and Install Rspamd on Ubuntu 24.04

The official Rspamd APT repository always carries the latest stable build. As of 2024, Ubuntu 24.04 (Noble Numbat) is fully supported by the Rspamd project.

Add the GPG Key

curl -fsSL https://rspamd.com/apt-stable/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/rspamd.gpg

This command downloads Rspamd’s signing key and stores it in the modern keyring location. APT uses this key to verify every package it downloads from the Rspamd repository.

Add the Repository

CODENAME=$(lsb_release -c -s)
echo "deb [signed-by=/usr/share/keyrings/rspamd.gpg] https://rspamd.com/apt-stable/ $CODENAME main" | sudo tee /etc/apt/sources.list.d/rspamd.list

Install Rspamd

sudo apt update
sudo apt install rspamd -y

Enable and Start Rspamd

sudo systemctl enable rspamd
sudo systemctl start rspamd
sudo systemctl status rspamd

Expected output confirms Rspamd is active (running). You can also verify its processes are up:

ps -ef | grep rspam

You should see multiple workers: rspamd: main process, rspamd: rspamd_proxy, and rspamd: controller.

Confirm that ports 11332, 11333, and 11334 are open and listening:

ss -ltn | grep 1133

Step 4: Run the Rspamd Configuration Wizard

Rspamd ships with an interactive configuration wizard called rspamadm configwizard. Running it saves you from manually creating several config files from scratch.

sudo rspamadm configwizard

The wizard walks you through the following prompts:

  • Controller password: Sets the Web UI login password. Choose a strong passphrase.
  • Redis servers: Accepts localhost as both the read and write server. Press Enter to confirm defaults.
  • DKIM signing: You can configure this here or in a dedicated step later (covered in Step 6).
  • Bayes migration: If you have existing SQLite Bayes data from a prior setup, the wizard can migrate it to Redis automatically.

The wizard writes three configuration files on your behalf:

  • /etc/rspamd/local.d/worker-controller.inc — stores the hashed Web UI password
  • /etc/rspamd/local.d/classifier-bayes.conf — Bayesian classifier settings
  • /etc/rspamd/local.d/redis.conf — Redis connection details

After the wizard finishes, reload Rspamd:

sudo systemctl reload rspamd

Config file rule: Never edit files directly inside /etc/rspamd/. Always create or modify files inside /etc/rspamd/local.d/ or /etc/rspamd/overrides.d/. Files in local.d/ merge with defaults, while files in overrides.d/ replace them entirely. Editing core files directly will cause your changes to break on the next Rspamd package update.

Step 5: Set or Update the Web UI Controller Password

If you want to change the controller password after running the wizard, generate a new bcrypt hash manually.

Generate a Password Hash

sudo rspamadm pw

You will be prompted to enter and confirm a passphrase. The output looks like this:

Enter passphrase:
$2$abcdefghij...

Copy the entire hash string starting with $2$.

Write the Hash to the Config File

sudo nano /etc/rspamd/local.d/worker-controller.inc

Add or update this line:

password "$2$abcdefghij...your-hash-here...";

Save the file and restart Rspamd:

sudo systemctl restart rspamd

You can now access the Web UI at http://your-server-ip:11334. Log in with the passphrase you just set, not the hash.

Production tip: Do not expose port 11334 directly to the internet. Place an Nginx reverse proxy with an SSL certificate in front of the Web UI. This ensures your controller password is never transmitted over plain HTTP.

Step 6: Integrate Rspamd with Postfix via the Milter Protocol

The milter protocol (short for mail filter) is the standard interface that allows Postfix to hand off each incoming message to Rspamd for inspection before deciding whether to accept or reject it. Rspamd’s proxy worker listens on TCP port 11332 for these connections.

Edit the Postfix Main Configuration

sudo nano /etc/postfix/main.cf

Add or update these lines:

smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept

Here is what each directive does:

  • smtpd_milters — applies Rspamd to all mail received over SMTP from external senders.
  • non_smtpd_milters — applies Rspamd to locally submitted mail (e.g., from cron jobs or PHP mailer).
  • milter_protocol = 6 — sets the milter protocol version. Version 6 is the current standard.
  • milter_mail_macros — passes sender, client IP, hostname, and authentication info to Rspamd, enabling more accurate scoring.
  • milter_default_action = accept — if Rspamd is temporarily unavailable (e.g., during a restart), Postfix accepts mail rather than rejecting it. This prevents legitimate mail loss.

Reload Postfix

sudo systemctl reload postfix

Verify the Integration

Send a test email through your server and watch Rspamd’s log in real time:

sudo tail -f /var/log/rspamd/rspamd.log

You should see lines showing each message’s scan results, assigned score, and the action taken (e.g., no action, add header, reject).

Step 7: Configure DKIM Signing in Rspamd

DKIM (DomainKeys Identified Mail) cryptographically signs every outgoing email with a private key. Receiving mail servers verify the signature against a public key published in your DNS. A valid DKIM signature proves the message actually came from your domain and was not tampered with in transit.

Create the DKIM Key Directory

Ubuntu 24.04 does not create this directory automatically after installation. You must create it manually:

sudo mkdir -p /var/lib/rspamd/dkim/
sudo chown _rspamd:_rspamd /var/lib/rspamd/dkim/

Generate a DKIM Keypair

Replace yourdomain.com with your actual domain name:

sudo rspamadm dkim_keygen -s dkim -d yourdomain.com -k /var/lib/rspamd/dkim/yourdomain.com.dkim.key

This command generates two outputs:

  • /var/lib/rspamd/dkim/yourdomain.com.dkim.key — your private signing key (keep this secure)
  • The terminal output shows the DNS TXT record you need to publish (copy this now)

Configure the DKIM Signing Module

sudo nano /etc/rspamd/local.d/dkim_signing.conf

Add this configuration:

enabled = true;

domain {
  yourdomain.com {
    selectors [
      {
        path = "/var/lib/rspamd/dkim/yourdomain.com.dkim.key";
        selector = "dkim";
      }
    ]
  }
}

sign_authenticated = true;
sign_local = true;
sign_inbound = false;
check_pubkey = true;
  • sign_authenticated = true — signs mail sent by authenticated SMTP users (your outgoing mail).
  • sign_local = true — signs mail submitted locally.
  • sign_inbound = false — does not sign mail arriving from external senders.
  • check_pubkey = true — verifies your DNS TXT record matches the private key at startup.

Publish the DNS TXT Record

The rspamadm dkim_keygen command printed a DNS TXT record in your terminal. It looks like this:

dkim._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

Add this as a TXT record in your domain’s DNS zone. DNS propagation typically takes between 15 minutes and a few hours.

Critical: The selector name in dkim_signing.conf (set to dkim here) must exactly match the DNS record subdomain prefix (dkim._domainkey). A mismatch causes DKIM verification to fail with a “no such key” error on receiving servers.

Reload Rspamd

sudo systemctl reload rspamd

Test DKIM signing by sending a mail to a tool like mail-tester.com and confirming the DKIM check passes.

Step 8: Enable the Bayesian Spam Classifier

The Bayesian classifier is one of Rspamd’s most effective tools. It tokenizes each email’s content, headers, and metadata, then calculates the probability of it being spam based on previously trained data stored in Redis.

Enabling autolearning means Rspamd trains itself over time without manual intervention.

sudo nano /etc/rspamd/local.d/classifier-bayes.conf

Add:

autolearn = true;
backend = "redis";
new_schema = true;
expire = 8640000;
  • autolearn = true — messages scoring well above the spam threshold automatically train the spam corpus; messages scoring well below train the ham corpus.
  • backend = "redis" — stores training data in Redis instead of a flat SQLite file.
  • new_schema = true — uses Rspamd’s newer, more efficient Redis data schema.
  • expire = 8640000 — training data expires after 100 days, preventing stale data from skewing results.

Reload Rspamd to activate the configuration:

sudo systemctl reload rspamd

Exploring the Rspamd Web Interface

Open a browser and navigate to:

http://your-server-ip:11334

Log in using the passphrase you set earlier. The dashboard gives you a real-time view into your mail server’s spam filtering activity.

Key sections worth knowing:

  • Throughput graph — shows live spam, ham, and total message rates over time
  • History tab — per-message scoring breakdown with individual symbol scores (requires Redis and the history_redis module)
  • Configuration tab — lets you adjust module settings, action thresholds, and symbol weights without touching config files
  • Dynamic Maps — manage custom whitelists and blacklists directly from the browser, no SSH required

The Web UI is particularly useful when you are tuning scores for a specific domain. You can look up a message, see exactly which symbols fired and their weights, and decide whether to adjust thresholds.

Step 9: Tune Spam Actions and Score Thresholds

Rspamd assigns a cumulative spam score to each message by running it through dozens of modules. Each module adds or subtracts points. When the total score crosses a threshold, Rspamd takes a defined action.

The default action thresholds look like this:

Action Default Score Effect on Message
greylist ~4.0 Temporary delay for unknown senders
add header ~6.0 Adds X-Spam: Yes header to message
rewrite subject ~8.0 Prepends [SPAM] to the subject line
reject ~15.0 Outright refuses delivery

You can adjust these thresholds in /etc/rspamd/local.d/actions.conf or directly through the Web UI under the Configuration tab.

Enable extended Rspamd headers on all processed emails to make debugging easier:

echo "extended_spam_headers = true;" | sudo tee /etc/rspamd/local.d/milter_headers.conf
sudo systemctl reload rspamd

This adds X-Rspamd-Score, X-Rspamd-Action, and X-Rspamd-Queue-Id headers to every message, giving you a transparent record of how each email was scored.

Verifying the Full Installation

Run a final check to confirm every component is working together:

# Check Rspamd service health
sudo systemctl status rspamd

# Confirm all expected ports are active
ss -ltn | grep 1133

# Watch log output during a live mail scan
sudo tail -f /var/log/rspamd/rspamd.log

# Manually scan an email file for testing
rspamc < /path/to/test-email.eml

The rspamc command returns the full scoring output for any .eml file, showing every triggered symbol and its weight. This is the fastest way to validate your configuration is working correctly before you open your server to live traffic.

Troubleshooting Common Errors

Rspamd Fails to Start After Installation

Run the configuration test command to catch syntax errors:

sudo rspamadm configtest

Fix any errors it reports, then try starting again with sudo systemctl start rspamd.

DKIM Verification Fails with “No Such Key” Error

This happens when the selector name in dkim_signing.conf does not match the selector in your DNS TXT record. Confirm that both use the same selector string (for example, dkim) and that the DNS record has fully propagated. You can verify propagation with:

dig TXT dkim._domainkey.yourdomain.com

Web UI Tabs Are Not Working Correctly

This is a confirmed bug in the Rspamd version shipped with Ubuntu 24.04.1’s default repositories. The fix is to use the official Rspamd APT repository, which this guide covers in Step 3. If you installed Rspamd before adding the official repository, remove the default package and reinstall from the official source.

Redis-Dependent Modules Are Disabled

If modules like greylist, ratelimit, or history_redis show as disabled in the Web UI, Rspamd is not connecting to Redis. Verify that /etc/rspamd/local.d/redis.conf exists and contains:

write_servers = "localhost";
read_servers = "localhost";

If the file is missing, run sudo rspamadm configwizard again and confirm Redis settings.

Postfix Rejects All Mail When Rspamd Is Stopped

This happens when milter_default_action is set to reject instead of accept. Open /etc/postfix/main.cf and confirm the line reads milter_default_action = accept, then reload Postfix.

Bayes Training Data Lost After a Redis Migration

Before migrating Redis to a new server or upgrading to Valkey, always export your Redis data first:

redis-cli BGSAVE
cp /var/lib/redis/dump.rdb /backup/redis-dump-$(date +%F).rdb

Restore this file on the new Redis instance before pointing Rspamd to it.

Congratulations! You have successfully installed Rspamd. Thanks for using this tutorial to install the latest version of Rspamd open-source spam filtering system on Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official Rspamd website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!
Tags
r00t
10 minutes read
Photo of r00t

r00t

r00t is a dedicated and highly skilled Linux Systems Administrator with over a decade of progressive experience in designing, deploying, and maintaining enterprise-grade Linux infrastructure. His professional journey began in the telecommunications industry, where early exposure to Unix-based operating systems ignited a deep and enduring passion for open-source technologies and server administration.​ Throughout his career, r00t has demonstrated exceptional proficiency in managing large-scale Linux environments, overseeing more than 300 servers across development, staging, and production platforms while consistently achieving 99.9% system uptime. He holds advanced competencies in Red Hat Enterprise Linux (RHEL), Debian, and Ubuntu distributions, complemented by hands-on expertise in automation tools such as Ansible, Terraform, Bash scripting, and Python.
Copyright © 2026 idroot.us | All Rights Reserved | Follow us for more Linux tutorials!
Back to top button