OpenEFA v1.6.2 Released
We've just pushed v1.6.2 with important bug fixes and improvements:
Database Schema Fixes
- Fixed missing columns in email_analysis table (sender_domain, attachment_count, and others)
- Fixed missing columns in trusted_entities table (trust_level, scope, recipient_domain)
- Added quarantine_enabled to client/hosted domains tables
Module Fixes
- Fixed "KeyError: should_quarantine" error in behavioral analysis
- Fixed "detect_header_forgery() takes 2 positional arguments but 3 were given" error
Installer Improvements
- SSL option 4 (skip) now properly creates HTTP reverse proxy config
- Let's Encrypt setup now prompts for email and falls back to self-signed if it fails
- fail2ban is now optional (was blocking some VPN/Tailscale connections)
- IPv6 enabled by default in Postfix
Postfix Fixes
- Fixed transport file ownership (was causing "not owned by root" warnings)
- Uninstall backups now go to /var/backups/openefa/ to prevent nested backup directories
Update Instructions
cd /opt/openefa-installer && git pull && ./update.sh
Or fresh install:
curl -sSL http://install.openefa.com/install.sh | sudo bash
adrastosefa
- Site Admin
Re: OpenEFA v1.6.2 Released
That’s very good news!
While I’m at it, I’d like to ask how I can add my own RBL lists to the configuration?
adrastosefa
- Site Admin
Re: OpenEFA v1.6.2 Released
You can manually add an RBL, and the process is intentionally simple.
In OpenEFA, RBLs are defined via configuration rather than being hard-coded. To manually add or modify an RBL, update the following file:
/opt/spacyserver/config/rbl_config.json
Once the change is saved, the RBL is picked up dynamically — no service restart is required.
This allows you to test or temporarily rely on a specific DNS-based RBL if you have a particular use case or trust relationship.
That said, I want to share some context on where OpenEFA is headed and why we are encouraging users not to over-invest in legacy RBLs.
EFA Collective – Shared Threat Intelligence (Early Access)
We are rolling out the EFA Collective, a community-driven threat intelligence system integrated directly into OpenEFA. Instead of static third-party RBLs, the Collective is designed to leverage real-world telemetry from OpenEFA deployments.
Registered instances can submit:
- spam_missed – spam that bypassed filtering
- false_positive – legitimate mail incorrectly flagged
- new_pattern – newly observed spam or phishing patterns
- bug – unexpected system behavior
Submissions include sanitized forensic data such as message metadata, SPF/DKIM/DMARC results, ML classification, content analysis, network indicators, and OpenEFA-specific X-SpaCy headers.
Registration (Currently in Testing)
We are actively testing the registration and API workflow, and this is where community participation is especially valuable.
Registration flow:
- Superadmin initiates registration (email + organization name)
- System generates a UUID and detects the public IP
- POST sent to https://openefa.com/api/collective/register
- Status set to pending (manual approval, typically 1–2 business days)
- Once approved, the instance can submit reports automatically
Reports are sent via SMTP to efacollective@openefa.com with JSON attachments containing the forensic payload.
Why This Matters
Manual RBLs remain supported, but the EFA Collective represents the long-term direction of OpenEFA: a shared, sanitized intelligence layer that can evolve faster than traditional RBLs and ultimately replace them.
If you’re willing, I’d encourage you to register your instance as part of this initial testing phase. It helps validate the registration and reporting pipeline and gives you early participation in the Collective as it grows.
If you want, I can also provide:
- An example rbl_config.json entry
- Guidance on scoring and weighting
- Details on how Collective intelligence will be surfaced locally over time
Just let me know.
Re: OpenEFA v1.6.2 Released
Hi, I tried the v1.6.2 release and I am getting traffic now, both on IPv4 and 6. A few remarks.
Some files seem not to have the correct file permissions after install.
Check File Permissions:
File: bec_config.json
Owner: spacy-filter:spacy-filter (expected: spacy-filter:spacy-filter)
Permissions: 664 (expected: 664)
✓ Permissions correct
File: module_config.json
Owner: spacy-filter:spacy-filter (expected: spacy-filter:spacy-filter)
Permissions: 640 (expected: 664)
⚠ Permissions need fixing
File: email_filter_config.json
Owner: spacy-filter:spacy-filter (expected: spacy-filter:spacy-filter)
Permissions: 640 (expected: 664)
⚠ Permissions need fixing
File: authentication_config.json
Owner: spacy-filter:spacy-filter (expected: spacy-filter:spacy-filter)
Permissions: 640 (expected: 664)
⚠ Permissions need fixing
File: threshold_config.json
Owner: spacy-filter:spacy-filter (expected: spacy-filter:spacy-filter)
Permissions: 640 (expected: 664)
⚠ Permissions need fixing
Fix permissions? [y/N]:
After adding additional domains in the GUI, transport and virtual postfix files are not updated with the new domains, maybe a file permission issue as the files are owned by root:root, should probably be root:spacy-filter with read write access?
In the installation process you can only add an IP address for the Relay server. It would be nice if you could use your DNS server name instead.
Otherwise the installation process ran smoothly, without any issues.
I also have some comments on running OpenEFA, that will be in the next feedback.
/Jørgen
Re: OpenEFA v1.6.2 Released
I have been testing OpenEFA v1.6.2 for a couple of days now. It looks very impressive; I like the setup. I have a lot of questions.
I have added an email address that root mails should go to in the aliases file. So, every time someone tries to log in to the OpenEFA server on port 25, I am getting the following mail, as the server does not accept authentication (currently). Unfortunately, I get a lot of such mails.
“Postfix SMTP server: errors from unknown[IP-address]
Transcript of session follows.
Out: 220 openefa ESMTP
In: EHLO User
Out: 250-openefa
Out: 250-PIPELINING
Out: 250-SIZE 52428800
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250-DSN
Out: 250-SMTPUTF8
Out: 250 CHUNKING
In: AUTH LOGIN
Out: 503 5.5.1 Error: authentication not enabled
In: QUIT
Out: 221 2.0.0 Bye
For other details, see the local mail logfile”
Is that by design, or have I missed something?
Where can I change the thresholds for the spam scores? Currently 95% of the legitimate mail is quarantined. Where can I change the spam score threshold for quarantining a mail?
When viewing the emails for spam check it would be nice also to see the HTML version of the email. The text part is fine but, in the future, it would be nice to see the HTML version also.
A couple of things I found in the logs that might be of interest to look at.
IPv4
2025-12-16T08:09:00.275265+01:00 openefa email_filter_init: No trusted_esps.json found at /opt/spacyserver/config/trusted_esps.json
2025-12-16T08:09:01.260326+01:00 openefa email_filter_init: Module attachment_inspector not available: No module named 'py7zr'
2025-12-16T08:19:38.037782+01:00 openefa email_filter_init: DEBUG: Warning: Typosquatting detector not available
Furthermore, for IPv6
2025-12-16T08:19:38.350752+01:00 openefa email_filter: First Received header: from mail-ua1-x92a.google.com (mail-ua1-x92a.google.com [IPv6
f8b0:4864:20::92a])#011by openefa (Postfix) with ESMTPS id E2F4F100077#011for <to@mailaddress >; Tue, 16 Dec 2025 08:19:36 +0100 (CE
2025-12-16T08:19:38.350798+01:00 openefa email_filter: Could not extract IP from first Received header
2025-12-16T08:19:38.350855+01:00 openefa email_filter: Real authentication error: list index out of range
IPv6 probably needs some extra work.
I will continue testing and send more feedback.
/Jørgen
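The log excerpt in the post above shows the filter failing on a Received header that carries an [IPv6:...] address literal. As an added example (not OpenEFA's code and not written by any poster; the thread does not show the cause inside OpenEFA), this is one way to pull the connecting client's address out of a Postfix-style Received header for both address families, returning None instead of raising when no usable literal is present. The sample headers are constructed and use documentation address ranges.

```python
import ipaddress
import re

# Postfix writes: from <helo> (<rdns> [<addr>]) by ...  The HELO name is
# client-supplied, so only the parenthesised comment is trusted here.
_FROM_COMMENT = re.compile(r"^from\s+\S+\s+\(([^()]*)\)", re.IGNORECASE)
# Address literal: [192.0.2.1] or [IPv6:2001:db8::1] (tag optional).
_ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.IGNORECASE)

# Constructed sample headers (documentation address ranges, not from the thread).
SAMPLES = {
    "ipv4": "from mail.example.net (mail.example.net [192.0.2.25])#011by openefa "
            "(Postfix) with ESMTPS id 4A1B2C3D4E#011for <user@example.org>",
    "ipv6": "from mail.example.net (mail.example.net [IPv6:2001:db8::92a])#011by "
            "openefa (Postfix) with ESMTPS id 5F6A7B8C9D#011for <user@example.org>",
    "mapped": "from relay.example.net (unknown [IPv6:::ffff:198.51.100.7]) by openefa",
    "helo_literal": "from [198.51.100.99] (unknown [203.0.113.9]) by openefa",
    "local": "by openefa (Postfix, from userid 1001) id 6A7B8C9D0E",
    "bad_literal": "from host.example.net (host.example.net [999.1.1.1]) by openefa",
}


def unfold(header):
    """Undo header folding and syslog's #011 (tab) escaping."""
    return re.sub(r"\s+", " ", header.replace("#011", " ")).strip()


def extract_client_ip(received):
    """Return the connecting client's address, or None if there is none.

    Never indexes into a match list, so a header without a usable literal
    yields None instead of raising IndexError.
    """
    match = _FROM_COMMENT.match(unfold(received))
    if match is None:                      # e.g. locally submitted mail
        return None
    for candidate in _ADDR_LITERAL.findall(match.group(1)):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:                 # bracketed text that is not an address
            continue
        # Report ::ffff:a.b.c.d as plain IPv4 so SPF/RBL lookups use one form.
        return getattr(addr, "ipv4_mapped", None) or addr
    return None


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:13} -> {extract_client_ip(header)}")
```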
Re: OpenEFA v1.6.2 Released
Hi again,
I have seen quite strange behavior with OpenEFA v1.6.2. When I try to release a mail from spam quarantine, from the “All Emails” menu it is not always that the emails are released to the internal mail server. About 90% of the time the email in question is released but not always. When I do the same from the “User Messages” menu it has not failed so far.
/Jørgen
adrastosefa
- Site Admin
Re: OpenEFA v1.6.2 Released
Found it as well. We have created the fix and will release it shortly. Please register for the efacollective and you will get the release as soon as we certify that the updates are ready for final approval. You can register for the efacollective under /config/ and then Email Administration. You will see the "EFA Collective Registration". Once you request registration, our staff will approve it in the EFA dashboard. Following that, you will receive notification of an immediate update availability and with it instructions to automatically pull down the update. All non-registered users will get the update when the release is pushed to the GitHub repository.
Woger
Re: OpenEFA v1.6.2 Released
I installed 1.6.2 on a new server and pointed an old domain to it. So far it seems to work very well. I had one false negative so far. However, under <Configuration> - <System settings> I see a warning behind <Recipient verification> and Fail2ban is not running. On the old EFA server I have about 300 domains installed. For the transport file I can copy them and also the (new) virtual file. I guess without local users virtual isn't necessary though. But in the webconsole it also says HOSTED_DOMAINS list in app.py . Where can I find that?
In the documents you are talking about Sender > OpenEFA server > EFA server > Mail server. Why would there be an (extra) EFA server?
Also I can't find efacollective as I don't have "Email Administration" under Configuration.
Thanks,
Roger
Edit,
I received a few "Undelivered mail returned to sender" mails in my mailbox, but these mails didn't show up in the webconsole. In the header was an error: "user unknown. Command output: PDF analysis libraries not available: No module named 'cv2'". I tried to install Python-opencv, but then I have to break the Python environment, which I don't want to do.
Re: OpenEFA v1.6.2 Released
Hi
We're testing OpenEFA 1.6.2. After trying some emails we found out that all emails sent from a legit domain are quarantined with spam score 20+.
Looking under "Spam Score Breakdown" it shows
Language Score 20.0 (sometimes more) High Risk
Inside the e-mail there is only a test message like below. We're using Slovenian characters like ščž; can that be the problem? It only has one 'special' character. We're still using EFA v5 but never had these issues.
'content_summary': 'Hi! Test brez priponke... Lp, Dušan',
'detected_language': 'en',
'disposition': 'quarantined',
'full_text_content': 'Hi!\n\nTest brez priponke...\n\nLp, Dušan\n',
Regards,