Filters & Rules
nmg offers multiple layers of filter rules, all managed through the management UI and immediately replicated to all cluster nodes.
Sender Filters
Under Mail Filters → Sender Filters, explicit allow and block rules for senders are defined.
Fields
| Field | Description |
|---|---|
| Type | whitelist (allow) or blacklist (block) |
| Domain | Applies only to recipients of this domain — or globally (no domain filter) |
| Recipient (user_email) | Applies only to mails addressed to this specific address (per-recipient scope) |
| Match Type | What is compared: sender (sender address), sender_domain (sender domain), ip (IP address) |
| Match Mode | exact (exact match), wildcard (e.g. *@example.com), regex (regular expression) |
| Match Source | envelope (SMTP envelope from), header (From header), both |
| Value | The value to check (email address, domain, IP, CIDR) |
| Description | Optional free text |
| Active | Enable/disable filter |
| Also Sandbox Allow-List | Simultaneously creates a matching entry in the sandbox allow-list so the sender also bypasses YARA scanning. Only available for global whitelist entries (no domain scope, no recipient scope, no regex mode). |
Action set automatically
The action is automatically derived from the type: whitelist → accept, blacklist → reject. It cannot be overridden manually.
Also Sandbox Allow-List
Enable Also Sandbox Allow-List when creating a global whitelist entry if the sender should bypass both the rspamd filter and YARA scanning. When the sender filter is deleted, the associated sandbox allow-list entry is automatically removed as well.
Scope Hierarchy
- Global: Applies to all inbound mails regardless of domain and recipient
- Domain scope: Applies only to mails to recipients of this domain
- Recipient scope (user_email): Applies only to mails to exactly this one address
End-user self-service allowlists (e.g. from the quarantine portal) also land here as recipient-specific filters.
Match source: envelope vs. header
envelope checks the technical SMTP sender (bounce address). header checks the From header visible in the email. These can differ with mailing lists and forwards. both protects against spoofing attempts that manipulate one of the two sources.
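An added example (not nmg code) that evaluates one sender rule separately against the envelope sender and the From header, so the effect of choosing envelope, header or both is visible on a concrete message. The helper names, the constructed sample message, and the glob and whole-string regex semantics are assumptions; nmg's own matching may differ.

```python
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list-style delivery where the SMTP envelope sender
# and the visible From header belong to different domains.
ENVELOPE_FROM = "bounce-4711@lists.example.org"
RAW_MESSAGE = (
    'From: "Billing" <billing@example.com>\n'
    "To: user@example.net\n"
    "Subject: Invoice\n"
    "\n"
    "See attachment.\n"
)

def value_matches(mode, pattern, candidate):
    """Compare one value under the exact / wildcard / regex match modes."""
    candidate = candidate.lower()
    if mode == "exact":
        return candidate == pattern.lower()
    if mode == "wildcard":  # assumption: shell-style glob
        return fnmatch.fnmatchcase(candidate, pattern.lower())
    if mode == "regex":     # assumption: whole-string, case-insensitive
        return re.fullmatch(pattern, candidate, re.IGNORECASE) is not None
    raise ValueError(f"unknown match mode: {mode}")

def sender_hits(rule, envelope_from, raw_message):
    """Return {'envelope': bool, 'header': bool} for a sender or sender_domain rule."""
    header_from = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    hits = {}
    for source, addr in (("envelope", envelope_from), ("header", header_from)):
        if rule["match_type"] == "sender_domain":
            addr = addr.rpartition("@")[2]  # keep only the domain part
        hits[source] = value_matches(rule["match_mode"], rule["value"], addr)
    return hits

def sources_disagree(hits):
    """True when only one of the two sender sources satisfies the rule."""
    return hits["envelope"] != hits["header"]

if __name__ == "__main__":
    rule = {"match_type": "sender", "match_mode": "wildcard", "value": "*@example.com"}
    hits = sender_hits(rule, ENVELOPE_FROM, RAW_MESSAGE)
    print(hits, "review before allow-listing" if sources_disagree(hits) else "consistent")
```

A rule that hits only the header source is the case to review before creating a whitelist entry, since the visible From header is the value a sending party sets freely.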
Content Filters
Under Mail Filters → Content Filters, content-based rules are defined.
Fields
| Field | Description |
|---|---|
| Scope | global, domain, or user |
| Domain | For domain/user scope: which domain |
| Recipient | For user scope: which email address |
| Filter Type | What is checked (see table below) |
| Match Mode | contains (substring), regex, exact |
| Pattern | Search pattern |
| Action | reject, quarantine, discard, add_header, accept |
| Header Name / Value | For add_header only: name and value of the header to add |
| Priority | Order when multiple rules apply (lower = higher priority) |
Filter Types
| Type | Checks |
|---|---|
| body_keyword | Text in the mail body (HTML and plaintext) |
| subject_keyword | Subject line |
| attachment_type | MIME type of an attachment (e.g. application/x-msdownload) |
| attachment_name | Filename of an attachment (e.g. *.exe) |
| header_match | Any header (combined with header name/value) |
| sender | Sender address (like sender filter, but in content filter context) |
Watched Domains
Domains for which a notification is sent for every incoming mail. Useful for monitoring critical partner domains or when domain spoofing is suspected. Found under Mail Filters → Watched Domains.
RBL (DNS Blocklists)
Under RBL, the DNS blocklists in use are managed.
| Column | Description |
|---|---|
| Name | RBL label |
| Hostname | DNS query host (e.g. zen.spamhaus.org) |
| Score | rspamd score contribution on hit |
| Active | Enable/disable this RBL |
Pre-installed RBLs: Spamhaus ZEN, Barracuda, SURBL, URIBL. Custom RBLs can be added.
Composites (Combination Rules)
Under Composites, rspamd composite rules are managed. A composite rule combines multiple rspamd symbols with boolean logic into a new symbol with its own score.
Example:
Phishing Feeds
Under Phishing Feeds, URL blocklists for known phishing sites are managed. nmg checks all URLs in mail bodies and attachments against active feeds.
| Feed | Description |
|---|---|
| OpenPhish | Automatically updated phishing URL list |
| PhishTank | Community-based phishing list |
| Custom Feeds | Custom URL lists (CSV or TXT) |
Phishing Keywords
Keywords that indicate phishing attempts. Keywords can be entered as regex patterns, with optional score contribution and language filter.
Suspicious TLDs
TLDs that are statistically frequently abused for spam and phishing can be assigned a malus score. Default high-malus TLDs: .xyz, .top, .click, .loan, .win, .gq, .tk.
URL Shorteners
nmg automatically resolves URL shortener links (e.g. bit.ly, t.co) and checks the destination URL against phishing feeds. Under URL Shorteners, the list of shortener domains is managed.
Sandbox Allow-List
Senders whose attachments should not be processed by the YARA sandbox are managed under Sandbox → Sandbox Allow-List (since v1.10.26 — no longer under Mail Filters).