Rspamd: whitelist/blacklist enhancement

The whitelist/blacklist of rspamd is designed to work with the second domain level, eg, so you blacklist or whitelist the domain and all subdomains: email:domain:tld

However when you try to blacklist/whitelist a subdomain, it won't work because rspamd extracts only the second level of the domain name

Proposed solution

  1. In rules evaluation, try to match both the eSLD (effective second level domain - rspamd :tld filter) and the whole domain suffix against the email address of the sender/recipient.

  2. Whitelist rules are always processed before the blacklist, thus allowing a subdomain (e.g. to be whitelisted if a more generic rule wants to blacklist the entire domain (e.g.

Docs changes

  • [x] document the new behavior: clarify what happens by writing a top level domain or a subdomain record

Alternative solutions

As an alternative, we could make a validator and refuse subdomains, asking for a top level domain.

See also

Thanks jfernandez


Answer questions DavidePrincipi

Useful QA commands

Inspect currently expanded whitelist and blacklist rules:

grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort

Sample curl invocation

((++I)) ; curl smtp://$(hostname):25/$(hostname) -v --mail-from --mail-rcpt <<EOF
Subject: Test ${I}
Date: $(date -R)
Message-ID: <${I}.$(date +%s)@$(hostname -d)>
Mime-Version: 1.0

Test $I

Configuration settings for bayes expiry module should be 
added to the corresponding classifier section (for instance 
in the local.d/classifier-bayes.conf).
Bayes expiry module provides intelligent expiration of 
statistical tokens for the new schema of Redis statistics 


Test case 0 - sender blacklist

  • Add a complete address to the sender blacklist, and check the message is rejected (e.g.
  • Add a third level domain like to the sender black list, and check the message is rejected if the sender is in that domain
  • Add a second level domain like to the sender black list, and check the message is rejected if the sender is in that domain

Test case 1 - sender whitelist vs sender blacklist

With the blacklist from test case 0:

  • Add the same complete sender address to the whitelist and check it wins over the blacklist rule. Message must be accepted
  • Add to the sender whitelist and check that a sender from that domain is always accepted
  • Check a sender from is still rejected

Test case 2 - recipient whitelist vs sender blacklist

Check that by setting a recipient whitelist rule it always wins against the blacklist sender rule.

Test case 3 - IP whitelist vs sender blacklist

Check that by setting an IP client whitelist in Relay > Configuration > Allow relay from IP addresses, the IP whitelist always wins over the sender blacklist

