OpenEFA

Posted: **Fri Oct 17, 2025 3:26 am**

OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

We've released installer v2.11 with several important fixes for minimal Ubuntu installations.

Installation (Fresh Minimal Ubuntu Server Recommended):
curl -sSL http://install.openefa.com/install.sh | sudo bash

What's Fixed in v2.11:
-

Full minimal Ubuntu 24.04 LTS compatibility
-

Fixed behavioral analysis module configuration errors
-

Resolved module loading warnings
-

Improved NumPy/Pandas compatibility for spacyweb
-

Enhanced dependency handling

Tested On:
- Ubuntu 24.04 LTS (minimal server installation)
- All 18 analysis modules load cleanly
- Zero errors during installation and email processing

Recommended Installation Method:
Start with a fresh minimal Ubuntu 24.04 server installation for best results.

Need Help?
Post here if you encounter any issues during installation.

Posted: **Fri Oct 17, 2025 10:31 am**

Did a fresh install with v2.11 and that went smoothly.

I temporarily changed my setup so that incoming mail would be processed by OpenEFA, but the results were not great.

Simple test mails from Gmail were given a spam score of 12.5 and not let through.
Same for a newsletter mail that is normally let through by my current EFA 5 server, also got a spam score 12.5.

When I tried to release the mails by marking them as safe, the spam score changed to 0, but they were not sent to my downstream Exchange server unfortunately.

Local testing using PowerShell's Send-MailMessage command does work (partially). The message arrives in my Exchange mailbox, but it does not seem to be processed by the spam engine, because it does not appear in the All Emails overview. Also, the body of the message is always empty in this case.

Posted: **Fri Oct 17, 2025 12:27 pm**

Ok, installed v2.11 and found the following results.
1. I entered port 26 for my relayserver as my provider closed port 25, but it still tries to send by port 25. It seems that the relayserver settings are in the db, because in postfix's main.cf there is no smarthost.

2. installation step 2/6 gives warning:
[INFO] Configuring conversation learning system...
[WARN] Failed to configure conversation learning (non-fatal)
[INFO] Initializing module configuration for Tier 2...

3. in mail.log I found:
2025-10-17T14:02:09.063411+02:00 s3 postfix/postfix-script[7625]: warning: not owned by root: /etc/postfix/./transport
2025-10-17T14:02:09.068441+02:00 s3 postfix/postfix-script[7626]: warning: not owned by root: /etc/postfix/./transport.db
2025-10-17T14:02:09.077274+02:00 s3 postfix/postfix-script[7628]: warning: group or other writable: /etc/postfix/./transport
2025-10-17T14:02:09.082339+02:00 s3 postfix/postfix-script[7629]: warning: group or other writable: /etc/postfix/./transport.db
2025-10-17T14:02:09.278792+02:00 s3 postfix/postfix-script[7816]: starting the Postfix mail system
2025-10-17T14:02:09.292829+02:00 s3 postfix/master[7818]: daemon started -- version 3.8.6, configuration /etc/postfix
2025-10-17T14:15:27.150005+02:00 s3 postfix/smtpd[8891]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
etc.

Posted: **Fri Oct 17, 2025 8:09 pm**

Is your relay server listening on port 26?

change the /etc/postfix/transport file

example.com smtp:[192.168.50.37]:26
then run
postmap /etc/postfix/transport
postfix reload

This will send it out on port 26. I am building this into the Gui relay section.

Posted: **Fri Oct 17, 2025 8:13 pm**

Post the header info from the email that was marked. There are a couple reason that it might score so high. One is the learning capabilities are to new. Another is that it is coming from a free domain and is scoring high because it is viewing it as a non business domain. Additionally, if the business email compromise module is seeing it as a possible, then it score high. Post your header and we will see what modules are kicking it off and make adjustments

Posted: **Fri Oct 17, 2025 8:21 pm**

EDIT 1: I replaced the header info because it changes after trying to release the message.

EDIT 2: I also tried to manually learn the messages as non-spam by entering the message ID and setting the spam score to 0, but it gives me the error "Failed to process request. Please check the Message-ID and try again."

EDIT 3: Adding gmail.com to the trusted domain list allows the message to be delivered, but obviously that is not the way forward.

I removed my personal info from the headers first.

This is the one from Gmail:

Code: Select all

Return-Path: <[REDACTED]@gmail.com>
Received: from mail-qv1-f54.google.com (mail-qv1-f54.google.com
 [209.85.219.54])	by [REDACTED] (Postfix) with ESMTPS id
 E13A8280276	for <[REDACTED]>; Sat, 18 Oct 2025 11:19:54 +0200
 (CEST)
Received: by mail-qv1-f54.google.com with SMTP id
 6a1803df08f44-78ea15d3489so32892006d6.3        for <[REDACTED]>;
 Sat, 18 Oct 2025 02:19:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=gmail.com;
 s=20230601; t=1760779193; x=1761383993; darn=[REDACTED];       
 h=to:subject:message-id:date:from:mime-version:from:to:cc:subject        
 :date:message-id:reply-to;       
 bh=fK/BBtxSghmtE8DOhkBq6Hc38ODThtN9HhhciJ7Tfak=;       
 b=gWKLS6TDR4jmtryKSGdIwmaGuvXeg4+6GFzpm3+D6S4qFLBBLZosrRsMI3e92j5I8V        
 dibGorAQqh8KfXOmTYXA8xHWOwD/Mb5aIq6UAJsHOx8QEifklhYwZveIvZjSRYrr2UgS        
 9i6RuSGS1goCooCkOtIn5zGGSEdQ9p+O/ihBSrTQBsmuISGH7HYYJW/Vx51lAwScfG9r        
 CQI9V4Brlty9LMoItFHtBthb9Jhwb2f6ZKJBceUSvM5Ys2qjkuM97QLDWWedGaCVmKfK        
 aFySw1JnA9O7mTzgOHWtpuMfz+pDItzprNmAekH3VwvRSf7ZWfkaU1W25Hxpra3/3P7C        
 VA7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760779193; x=1761383993;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=fK/BBtxSghmtE8DOhkBq6Hc38ODThtN9HhhciJ7Tfak=;
        b=oRUYH7qtG7zbh3jhMC4AWOVHspE5TSL/7Wa5eST6AnH03vCorlCfNi5Pw71ngBPvVN
         /yrRaqZbDxyet6OMi2HZb72xo124pm6uhEPoGCpR37ELWrRagCP2Uscs1mbIRt0GK5c5
         C3Sf1EJcRwvAcSIGtZVmVfHLgisPjF4GfRusqwvXf2egRKarW1kDF+pAKasAzEPztjlA
         QGTJLd+sYDUhw+/dvVp9kOd4IP6UToqiQX3Sbsr7ehufQhd2oQnvM4MEvA5S4OAsZL0g
         JjKh4cGV6WkgeJVCRdKsSWx03mOZlZ7ll0MEmNfeO5rZBBxXIgx5WhUcGG8uwCebrLIv
         hjPQ==
X-Gm-Message-State: AOJu0YyOS0sJyLYKmeVndaI557+u4F/virkg/RaQt74a/X2utjjO1zNu
	yC6JrFbo3yiQ03rx+gDAvSoRiHb6Z59GxbgfOrsToHapfQTdC5CxlGwHm5LjGY4SRKQNDz+1eFE
	ZUaxwk0mibcaA0dNrkPpoWNYVD9ei7AHt301h2mI=
X-Gm-Gg: ASbGncvym8xe8hIHCbQEZT0vMr7jUsho8SRuuhA4rAGoTyXHK8kEcD5bYtrA8M/NErK
	5E5aGFeLGv12BWa96JUK1BBhJuUyUPtOuKqTZ2xA4iu1XZywM86cqeps6s2KHEJ32wPyyLOZvnn
	As9ZlCkcZHyusdYtbdLfVX9CHHYM3bnLgVfx8lPkrqlV+WbQuUoHXzFGdbIPFv4Am0CXTTXLGRj
	3FJVolKBpdyZaSKQcgY1ohLehr5gKp/PkTSuz4YErgU5L5z/INa4J3ic6d/ehIP29u5lKGyCQ==
X-Google-Smtp-Source: =?utf-8?q?AGHT+IFDE3gMDudXMVX9mupKHnDLXdccsysrDCQOEStB?=
 =?utf-8?q?bl+hTpxYVn6+2TY17AOyn+9anXJkgqI81UWWGntLSjrnQFs=3D?=
X-Received: by 2002:a05:6214:2405:b0:87c:22af:e995 with SMTP id
 6a1803df08f44-87c22afeab2mr74842316d6.56.1760779193446; Sat, 18 Oct 2025
 02:19:53 -0700 (PDT)
MIME-Version: 1.0
From: [REDACTED] <[REDACTED]@gmail.com>
Date: Sat, 18 Oct 2025 11:19:43 +0200
X-Gm-Features: AS18NWAB9iHDKBcy30VJ8zsG3ZIptvlu1J3NL1hN-8N8PX88b1CHOTUlVl42r98
Message-ID: 
 <CA+N1tVJezMMifhU+inP44=kNXs0tH6a1tH69VU2x7ksgKDJ64w@mail.gmail.com>
Subject: OpenEFA Test 18/10/2025 11:19
To: [REDACTED] <[REDACTED]>
Content-Type: multipart/alternative; boundary="0000000000005a772406416b5ad5"
X-Postfix-Recipient: [REDACTED]
X-Original-Auth-SPF: none
X-Original-Auth-DKIM: none
X-Original-Auth-DMARC: none
X-SpaCy-Auth-Results: openefa; spf=pass; dkim=pass; dmarc=pass (p=quarantine)
X-SpaCy-Auth-Score: 3.0
X-Auth-Abuse-Score: 0.0
X-Thread-Reply: False
X-Thread-Trust: 0

Posted: **Sat Oct 18, 2025 6:11 pm**

We are working on the new installer that comes with numerous bug fixes, decision tree (spam/ham release quarantine) features. We also added the ability to allow a user role to have and alias, then have the permissions to control both of those emails. The admin or domain admin already had this function, but no the user can have two or more emails and be in control. We also fixed a few bugs in the release and delete functions.
Stay tuned, I hope to have the installer out today with all of the fixes and adds.

Regarding the scoring in your email, this system is no longer just purely rule based like it was in EFA 5. OpenEFA has a lot of intelligence built in and gets better very dynamically as users identify good emails and the good emails are identified, patterns established, terms learned, and more. In the meantime, here is a quick bit of information trying to explain how things are scored.

How the Learning Works:

1. Thread and Relationship Trust Building
- Notice the X-Thread-Trust: 0 in your header? On a new install, every sender starts at zero trust.
- As emails flow through the system, OpenEFA builds a relationship graph: who emails whom, who replies to whom, and which
conversations are legitimate.
- Over time, regular correspondents build trust scores. When someone you frequently communicate with sends email, their trust
score increases, reducing false positives.

2. NLP (Natural Language Processing) with spaCy
- OpenEFA uses spaCy to analyze email content contextually, not just keyword matching.
- The NLP engine identifies linguistic patterns, terminology specific to your organization, and communication styles.
- Initial state: Uses general language models
- After 2-4 weeks: Begins recognizing your business terminology, names, and communication patterns
- After 2-3 months: Has substantial learned context about legitimate vs. suspicious language in YOUR environment

3. Behavioral Pattern Learning
- Sending patterns (time of day, frequency, volume)
- Email structure and formatting preferences
- Attachment types and sizes typical for your organization

Timeline for Effectiveness:
- Week 1: Base filtering using general rules—expect some false positives
- Weeks 2-4: Relationship trust begins building, fewer false positives on regular senders
- Months 2-3: NLP has learned organizational terminology and communication patterns
- Month 3+: System reaches maturity with robust historical context

What You Can Do:
- Review and correct false positives during the first month—this trains the system
- Whitelist known good senders initially to accelerate trust building
- Be patient—the system genuinely gets smarter with every email processed

Your test email scored X-Thread-Trust: 0 because the system had no history with that sender/recipient pair. Give it a few weeks
of email flow, and you'll see that score improve significantly for legitimate correspondents.

Posted: **Sat Oct 18, 2025 10:29 pm**

Ok I will wait for the next release before testing further.

I hope with the new version, the release & mark as safe functionality will actually work, otherwise it will be difficult to use the training system

Posted: **Sun Oct 19, 2025 10:17 am**

You say, SpaCey NLP engine learns terminology for your specific organization. Does it do that per domainname or systemwide. As I have several different companies using the spamfilter, they all use a different terminology.

Posted: **Sun Oct 19, 2025 5:20 pm**

Great question!
"The SpaCy learning uses system-wide vocabulary (shared language understanding across all domains) combined with per-domain
relationship tracking (which senders your specific domain communicates with). This is actually optimal because:

1. Professional communication patterns are universal across industries
2. Spam/phishing tactics don't change based on target industry
3. Larger vocabulary dataset = smarter system
4. Each domain maintains separate sender relationships and trust scores

The domain relationships carry the most weight in scoring (35%), so your different companies won't interfere with each other's
legitimate communications."

Woger wrote: Sun Oct 19, 2025 10:17 am You say, SpaCey NLP engine learns terminology for your specific organization. Does it do that per domainname or systemwide. As I have several different companies using the spamfilter, they all use a different terminology.

OpenEFA

OpenEFA Installer v1.x Now Available - Minimal Ubuntu Compatible

OpenEFA Installer v1.x Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible

Re: OpenEFA Installer v2.11 Now Available - Minimal Ubuntu Compatible