In order to get ISPConfig GDPR compatible, we think that the default log file storage time for websites should be decreased and the statistics should be turned off. ISPConfig itself has no problems with the GDPR, because you can delete customers at any time and all data stored with this customer will be removed from your server.

With the next ISPConfig release 3.1.12 the storage time of 10 days will be standard for new websites. However, a change for existing websites does not make sense, as the software is also used outside of the EU.

Problem Statistics

The programs for creating web server statistics AWStats and Webalizer, which can be used with ISPConfig, also output the complete IP addresses of website visitors, if no corresponding adjustments have been made to the code.

We consider this to be incompatible with the GDPR and have therefore deactivated the statistics on all our web servers (own and full-managed). To avoid doing this manually for each page, you will find a small bash code at the end, which you can simply run as root on your server. If you don’t have a –defaults-file, you can use -p instead and then enter your root password for MySQL. Of course you can also enter the commands in PHPMyAdmin.

Problem Logfiles

The default setting for log files of all web sites is 30 days. We think that a significantly lower value is sufficient. Here we take 10 days as an example. However, you should certainly ask yourself whether you really need to store the data for that long time. The complete IP is certainly needed in the logfiles to secure the server or to detect problems. But if you haven’t noticed an attack after 10 days, even a longer storage time won’t help much…


Don’t forget to make the changes on all servers if you have a multi-server setup.

And this is how it works with a single SQL call:

mysql --defaults-file=/etc/mysql/debian.cnf --database=dbispconfig -e "
ALTER TABLE web_domain CHANGE stats_type stats_type varchar(255) DEFAULT ''; 
ALTER TABLE web_domain CHANGE log_retention log_retention INT(11) NOT NULL DEFAULT '10'; 
UPDATE web_domain SET log_retention = '10' WHERE log_retention > 10;
UPDATE web_domain SET stats_type = '';


ISPConfig Automail

With our plugin ISPConfig Automail you can automatically configure email clients like Thunderbird or Outlook.

If you use one or more mail servers for the domains makes no difference. Just define the appropriate data such as host name and port for each mail server. everything else is done through a small web page that provides an Autoconfig service (Thunderbird) or Autodiscover service (Outlook).

Autoconfig and Autodiscover request XML files via different addresses, to configure the email client according to your specifications.

To use the ISPConfig Automail, you only need a current version of ISPConfig and a website (Apache or nginx).

The plugin consists of two parts

  • the interface plugin for ISPConfig to manage the settings
  • a script to generate the relevant XML documents under the respective domain

In this example is your domain, over which the automatic setup of the mail clients will run. You are free to choose this domain. The domain is the domain that queries for the setup.

Install ISPConfig Automail

cd /tmp
tar xfz ispconfig-automail.tgz
cd automail
php install.php

Activate the plugin

Log in to ISPConfig as admin, go to System / CP User and activate the module automail for the user admin. After you have logged off and on again, the module is available for you.


Create a remote user who can use the “automail functions”. If you have a multi-server setup, you may need to allow remote access.

Configure the plugin

Under Provider-ID you enter a unique ID that identifies your setup. You can use the domain name of your server.

The two Hostnames are the names by which mails are retrieved (IMAP/POP3) and sent (SMTP). If you run everything on the same server, you must enter the same name in both fields.

For Ports, enter the ports that should be used for your mail server.

ISPConfig Automailer Setup

Create the required DNS records

You need an A-record for and pointing to your web server. If you use IPv6, you should also create AAAA records.

Create two entries in each customer domain. A simple CNAME is enough for autoconfig: CNAME

For autodiscover an SRV record is recommended. This will give you a certificate warning during setup, but it is the easiest way to set up any number of customer domains: SRV 0 0 443

Create the website in ISPConfig

Now you have to create the website with PHP support and without auto subdomain in ISPConfig. You should also secure this site using SSL. This is not required for autoconfig, but will be needed later for autodiscover. You can easily use Let’s Encrypt

You have to set the directives for Apache or nginx accordingly:


ServerAlias autoconfig.*


location ^~ /config\.php { deny all; }

location / { 
rewrite autodiscover\.xml$ /index.php last; 
rewrite Autodiscover\.xml$ /index.php last; 
rewrite config-v1\.1\.xml$ /index.php last; 
server_name autoconfig.*;

With alias or server_name this domain can be used later by any customer or email domain.

Create the alias domain and point it to You don’t need any redirects, the important thing is that the domain has an SSL certificate. A-Records in DNS are enough to point to your web server so you can use Let’s Encrypt.

Upload the script to the webseite

Upload the files from the website directory from the archive to the newly created website and adjust the data in config.php. Rename the htaccess to .htaccess. If you use nginx, you can also delete the file directly.


You can easily test Autoconfig via wget:

wget -O test

In the file test you will find the result. The email address must exist of course.

For Autodiscover there is the Microsoft Remote Connectivity Analyzer.


Spammail understand header and move mails

Various scanners can be used to scan incoming and outgoing mail. For example, ISPConfig uses SpamAssassin, ClamAV and Amavis. The individual threshold values (more on this later) can be defined individually.

To prevent spammers from appearing in the inbox, you can automatically move mails to a separate folder based on an individual spam value. This makes spam mails visible via an IMAP client or a webmailer and reduces the risk of not seeing a mail mistakenly identified as spam.

Caution: when the mails are picked up using POP3, the moved mails will not be retrieved. They are no longer in the inbox, but in a subfolder. This moving is always done directly on the server.

Scan Procedure

  • postfix receives the mail
  • and relays the mail to amavis
  • on the basis of different spam rules (see also current rules for SpamAssassin from schaal @it) the mail gets different information in the header
  • Amavis sends the mail back to Postfix

Structure of a mailheader

We deliberately leave out most of the entries from a mailheader because they are not relevant for detecting or moving spam. The essential lines of a mail header see e.g. like this:

 X-Virus-Scanned: Debian amavisd-new at
 X-Spam-Flag: YES
 X-Spam-Score: 7.039
 X-Spam-Level: *******
 X-Spam-Status: Yes, score=7.039 tagged_above=3 required=5 tests=[BAYES_50=0.8, DATE_IN_PAST_24_48=1.34, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SCHAALIT_HEADER_964=5] autolearn=no


The first line shows which scanner was used. If you want other information, you can adjust the Amavis-Config accordingly. For Debian or Ubuntu, this would be $ X_HEADER_LINE in /etc/amavis/conf.d/20-debian_defaults.


If this is set to YES, the mail was classified as spam.


The X-Spam score is the value that SpamAssassin has determined based on its filter rules for the mail. In ISPConfig, you can define the value from which a mail should be marked as spam (5.00 for Trigger happy) under Policy – Spamfilter policy – Tag Level in the “SPAM tag2 level” field.


This is the integer value of X-Spam-Score in * – in our case, the score is 7.039 and thus there are seven asterisks. You can use the value with your own filter, if you do not want to take the X-Spam-Score.


Yes, score=7.039 this is the same as in X-Spam’s flag and X-Spam score.

tagged_above=3 specifies the value from which these lines listed here should be inserted into the header. For ISPConfig, this is the “SPAM tag level” for the Spamfilter policy.

required=5 is the value from which the mail is then marked as spam and the X-Spam flag is set to YES. For the Spamfilter policy, this is the “SPAM tag2 level”

tests= shows you which individual rules SpamAssassin has applied and how many points have been set for this mail:

BAYES_50, DATE_IN_PAST_24_48 and SCHAALIT_HEADER_964 have increased the value, the signing with DKIM has reduced the score by a total of 0.1 (DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU) and RP_MATCHES_RCVD has decreased the value by 0.001.

overall, therefore:

0.8 + 1.34 + 5 = 7.14

0.1 – 0.1 – 0.1 = -0,1

– 0.001

And this brings us to score of 7.039

If you are interested in the contents of the tests, you can find the rules in different folders in /var/lib/spamassassin. As an example we take the rule SCHAALIT_HEADER_964:

header SCHAALIT_HEADER_964 From =~ /\@pkv.*\.(online|net|com|org|co|info|de)/
describe SCHAALIT_HEADER_964 schaal @it Spam
Header-964 score SCHAALIT_HEADER_964 5

The rule applies to the from line in the mail. In doing so, a RegEx is used, which spans various spam mails on the subject of german private health insurance.

Move the mail to the spam folder

After Postfix has returned the mail from Amavis (see Scan Procedure), the mail is either sent, or – if the recipient is one of our users – delivered via Dovecot into the mailbox.

The local delivery of the mail by Dovecot is one of the decisive points: if the mail was previously marked as spam by SpamAssassin, it is not moved to the inbox, but to the subfolder Junk. For ISPConfig, the checkbox for the email account in the email filters must be set to “Move Spam Emails to Junk directory”.

Basics about the filters with ISPConfig

  1. A spam filter must be selected for the domain or mailbox. If a filter is defined for the domain and the mailbox, the settings from the mailbox are in place. If only the domain has a filter, it’s also used for the mailbox. In short: Mailbox overwrites domain – this is the only way, to define individual policies for each mailbox. If you use an alias, the policy for the domain applies.
  2. The selected spam filter must be defined in such a way that the corresponding values also “fit” to the mail. If our filter had a “SPAM tag2 level” of 10, the mail would not be marked as spam.
  3. Spam-mails will only be moved if “Move Spam Emails to Junk directory” is set.
  4. Only the administrator can change or create policies. If every user had the possibility, this would affect all the mailboxes that use this filter. If you are in doubt, you better suggest an additional guideline.

Current rules for SpamAssassin from schaal @it

Current rules for SpamAssassin from schaal @itWe regularly publish new rules for the spamfilter SpamAssassin of the Apache Software Foundation Apache Software Foundation. Of course, you can also use the rules for the ISPConfig spam filter settings.

Most of our rules have a score of 5.

Our rules can be used free of charge. For this, only our channel has to be added to the SpamAssassin-Config or our script has to be installed. Please do not forget to restart SpamAssassin after installing or updating rules.

SpamAssassin uses DNS checks to detect new rules so that the script can be called every hour or at least dayly without generating a significant load.

Use the rules with Rspamd

You can use SpamAssassin rules with Rspamd by creating the file /etc/rspamd/local.d/spamassassin.conf with the following content:

ruleset = "/var/lib/spamassassin/rspamd/sa_ruleset";
base_ruleset = "/var/lib/spamassassin/rspamd/*.cf";
# Limit search size to 100 kilobytes for all regular expressions
match_limit = 100k;
# Those regexp atoms will not be passed through hyperscan:
pcre_only = ["RULE1", "__RULE2"];

Our update-script copies the rules to the directory and updates the the rulest.

For more informations about the SpamAssassin module for Rspamd: Spamassassin module

Update the rules using cron

To use the rules and keep them up-to-date, just install a simple shell-script in /etc/cron.hourly:

cd /etc/cron.hourly && wget -O sa-update && chown root.root sa-update && chmod 755 sa-update

The script takes care of the different requirements for Amavisd and Rspamd and performs the appropriate actions if one or both content-filters are installed.

Add more rules

Just add more channels to the variable update_channels in the script.

ISPConfig Backup-Space remote

You can use our BackupSpace to run ISPConig with this as an external backup space.

ISPConfig offers you the possibility to save the backups directly to an external storage. It makes no sense to back up relevant data for recovery directly on the server, which should be restored in case of any problems.

To do this enable the option  “Backup directory is a mount” and create a small shell-script.


If there is no SSH key on your server (/root/.ssh/, you must first create a key pair with ssh-keygen:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/

Then create a shell user for your backup space and enter the key from /root/.ssh/ there.


The script /usr/local/ispconfig/server/scripts/ is used to mount the external memory before backups. With our backup space you only need two lines:

sshfs /var/backup

Finally, set the right permissions for the script:

chown root.root /usr/local/ispconfig/server/scripts/
chmod 700 /usr/local/ispconfig/server/scripts/

If you want, you can unmount the space after the backups. Just create the script /usr/local/ispconfig/server/scripts/

umount /var/backup

Whether you’re using umount or not, it’s up to you. If the backup space is not mounted, ISPConfig will always attempt to mount the storage. This is not only the case with backups, but also when restoring individual backups.