====== Zimbra Anti-Virus and Anti-Spam ======

See also **[[internet:mail:zimbra:zimbra_dkim|Zimbra DKIM Configuration]]**

See also **[[internet:mail:zimbra:zimbra_white_black|Zimbra - Whitelist or Blacklist IP Addresses]]**

**Whitelist and blacklist**: https://computingforgeeks.com/configure-whitelist-blacklist-zimbra-amavis-spam-filtering/

**Best Practices 2019**: https://www.missioncriticalemail.com/2019/03/21/zimbra-anti-spam-best-practices-2019/

**Custom Rules**: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting

**Postscreen Pre-Checks**:
  * https://info.zimbra.com/hubfs/landing-pages/whitepapers/Zimbra_Postscreen_Whitepaper.pdf
  * https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen

**Zimbra Anti-spam Strategies**: https://www.missioncriticalemail.com/2019/03/21/zimbra-anti-spam-best-practices-2019/

**Best Practices**: https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC

**Rejecting False From Addresses**: https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses

**Enforce Username Match**: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5

http://wiki.zimbra.com/wiki/SpamAssassin_Customizations#ZCS_8.5_and_later

https://www.zimbra.com/docs/os/8.6.0/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=860_admin_os.Anti-spam_Settings.html

**Zimbra Admin -> Configure -> Servers -> //server// -> Services**
  * Enable ''Anti-Spam''
  * Enable ''Anti-Virus''

**Zimbra Admin -> Configure -> Global Settings -> AS/AV**

**Zimbra Admin -> Configure -> Global Settings -> MTA**
  * ''Protocol checks'' -> Select All
  * ''DNS checks'' -> Select All
  * ''List of Client RBLs''
    * zen.spamhaus.org
    * b.barracudacentral.org
  * ''List of Client RHSBLs''
    * dbl.spamhaus.org
    * multi.uribl.com

Be careful with these settings. You may find you no longer get messages from important sources such as your PBX, router or other devices.
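The RBL and RHSBL entries above (and the ''reject_rbl_client'' restrictions set with ''zmprov'' further down this page) all work the same way: Postfix reverses the client's IPv4 octets, appends the list zone, and treats any A record that comes back as "listed". The script below is an added example, not part of this wiki page and not Zimbra or Postfix code. It models that lookup, decodes the ''zen.spamhaus.org'' return codes, and pre-checks your own mail-sending devices against the lists before you enable them. ''FAKE_DNS'', the host names and the IP addresses are constructed so the script runs offline; pass ''live_resolve'' to the check functions to query the real lists.

```python
"""Model of the DNSBL (RBL) and RHSBL lookups behind Zimbra's 'List of Client
RBLs' / 'List of Client RHSBLs' and Postfix's reject_rbl_client restriction.

Added example, not code from this wiki page, Zimbra or Postfix. FAKE_DNS is a
constructed stand-in for real DNS answers so the script runs offline; pass
live_resolve to the check functions to query the real lists.
"""
import ipaddress
import socket

# Constructed DNS answers (not real list data). The 127.0.0.2 entry mirrors the
# test address DNSBLs conventionally list; 198.51.100.7 is a made-up "PBX" IP
# pretending to be listed in the PBL; dbltest.com mirrors Spamhaus' DBL test name.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "7.100.51.198.zen.spamhaus.org": "127.0.0.10",
    "dbltest.com.dbl.spamhaus.org": "127.0.1.2",
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")              # every valid DNSBL answer lives here
SPAMHAUS_ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus "query refused/error" codes


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only here; IPv6 lists use reversed nibbles")
    return ".".join(reversed(ip.split("."))) + "." + zone


def rhsbl_query_name(domain: str, zone: str) -> str:
    """Build the RHSBL query name: the (sender/HELO) domain under the list zone."""
    return domain.strip().rstrip(".").lower() + "." + zone


def fake_resolve(name: str):
    """Offline resolver backed by the constructed table above."""
    return FAKE_DNS.get(name)


def live_resolve(name: str):
    """Real A lookup; None (NXDOMAIN) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def describe_zen(answer: str) -> str:
    """Meaning of zen.spamhaus.org return codes (last octet)."""
    last = int(answer.rsplit(".", 1)[1])
    if last == 2:
        return "SBL (spam source)"
    if last == 3:
        return "SBL CSS (snowshoe / compromised sender)"
    if 4 <= last <= 7:
        return "XBL (exploited or infected host)"
    if last in (10, 11):
        return "PBL (end-user or dynamic range; should relay through its ISP)"
    return "unknown zen return code"


def interpret(answer, zone: str):
    """Turn a DNS answer into (listed, answer, meaning). Postfix treats ANY A
    record as a listing unless the restriction pins expected codes, so answers
    outside 127.0.0.0/8 (wildcard DNS, hijacked resolver) or in Spamhaus'
    error range are flagged instead of being counted as hits."""
    if answer is None:
        return (False, None, "not listed")
    ip = ipaddress.ip_address(answer)
    if ip not in LOOPBACK:
        return (False, answer, "unexpected answer; check resolver / wildcard DNS")
    if ip in SPAMHAUS_ERRORS:
        return (False, answer, "list refused or errored the query, not a listing")
    meaning = describe_zen(answer) if zone == "zen.spamhaus.org" else "listed"
    return (True, answer, meaning)


def check_ip(ip: str, zone: str, resolve=fake_resolve):
    return interpret(resolve(rbl_query_name(ip, zone)), zone)


def check_domain(domain: str, zone: str, resolve=fake_resolve):
    return interpret(resolve(rhsbl_query_name(domain, zone)), zone)


def preflight(hosts: dict, zones: list, resolve=fake_resolve):
    """Which of *your own* senders (PBX, router, ...) would reject_rbl_client
    bounce once these zones are enabled? Returns (name, ip, zone, answer, why)."""
    hits = []
    for name, ip in hosts.items():
        for zone in zones:
            listed, answer, why = check_ip(ip, zone, resolve)
            if listed:
                hits.append((name, ip, zone, answer, why))
    return hits


if __name__ == "__main__":
    # Constructed inventory of devices that send mail directly to Zimbra.
    own_hosts = {"pbx": "198.51.100.7", "router": "192.0.2.1"}
    for hit in preflight(own_hosts, ["zen.spamhaus.org", "b.barracudacentral.org"]):
        print("would be rejected:", hit)
```

Two things the model makes visible: a device on a dynamic ISP range shows up in the PBL and will be rejected even though it is not a spammer, which is exactly the PBX/router case above (whitelist its IP, see the linked whitelist page, or have it relay through Zimbra with authentication), and a plain ''reject_rbl_client zone'' accepts any A record as a listing, so a hijacked resolver or an error code from the list would reject mail too; Postfix lets you pin the expected codes (for example ''zen.spamhaus.org=127.0.0.[2..11]'') to avoid that.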
You should change the options one or two at a time and check carefully for problems between changes.

{{:internet:mail:zimbra_spam.png?750 |}}

===== Terms =====

^ RBL | block list for checking IP addresses |
^ RHSBL | block list for checking domains |
^ URIBL | block list for checking links within an email body |
^ False Positive | legitimate email incorrectly identified as spam |
^ Postscreen | a kind of inbound email firewall |
^ Postfix | MTA included with Zimbra |
^ Amavisd | processes emails through SpamAssassin and ClamAV before allowing Postfix to deliver them |
^ SpamAssassin | performs hundreds of tests on an email |
^ ClamAV | anti-virus engine that ships with Zimbra |

===== Anti-Virus =====

Check the ClamAV log for amavis activity, or mail the matching lines to yourself:

<code bash>
grep amavis /opt/zimbra/log/clamd.log

grep amavis /opt/zimbra/log/clamd.log | sendmail -v gcooper@sonoracomm.com
</code>

===== Quarantine =====

www.zimbra.com/forums/administrators/52790-how-quarantine-working-7-1-x.html

http://wiki.zimbra.com/wiki/How_to_re-create_the_Quarantine_Account

https://wiki.zimbra.com/wiki/Restore-Quarantined-Emails

===== Banned Content =====

http://bugzilla.zimbra.com/show_bug.cgi?id=66388

===== Anti-SPAM =====

http://wiki.zimbra.com/wiki/SpamAssassin_Customizations

http://wiki.zimbra.com/wiki/Improving_Anti-spam_system

http://wiki.zimbra.com/index.php?title=What_are_these_two_accounts_with_funny_names%3F

http://www.zimbra.com/forums/administrators/7071-stop-antivirus-antispam.html

==== Required Score ====

To tweak the ''required_score'' parameter in Zimbra you don't need to edit any config file. The value is calculated from a setting on a Zimbra admin page:

**Zimbra Administration -> Global Settings -> AV/AS**

The required_score is ''Tag percent'' multiplied by 0.2.

  * A tag percent value of 25 will result in a required score of 5.
  * ''25*0.2=5''
  * ''20*0.2=4''

==== Subject Munging ====

**Zimbra Administration -> Global Settings -> AV/AS**

==== Whitelist ====

http://wiki.zimbra.com/wiki/IP_Address_whitelisting

==== Enable SPF, Razor2 and Pyzor ====

Start as root:

<code bash>
yum --enablerepo=rpmforge install razor-agents perl-Razor-Agent python
yum --enablerepo=epel install pyzor perl-Mail-SPF
yum --enablerepo=atomic install dcc

mkdir /opt/zimbra/amavisd/.razor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor
mkdir /opt/zimbra/amavisd/.pyzor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.pyzor
</code>

Continue as the zimbra user:

<code bash>
su - zimbra

razor-admin -home=/opt/zimbra/amavisd/.razor -create
razor-admin -home=/opt/zimbra/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/amavisd/.razor -register

pyzor --homedir /opt/zimbra/amavisd/.pyzor discover
</code>

Edit the plugin pre-load file:

<code bash>
vim /opt/zimbra/data/spamassassin/localrules/v310.pre
</code>

Uncomment these lines, then save:

<code>
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
</code>

Add customizations:

<code bash>
vim /opt/zimbra/data/spamassassin/localrules/sauser.cf
</code>

Append your SpamAssassin customizations (modify to suit):

<code>
ok_languages en es
ok_locales en es

trusted_networks 127. 209.104.9. 209.193.64.

use_bayes 1
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
dns_available yes

## Optional Score Increases ##
## Choose your preferred values...

score DCC_CHECK 4.000
score SPF_FAIL 4.000
score SPF_HELO_FAIL 4.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
score BAYES_99 3.000
score BAYES_90 3.000
score BAYES_80 3.000

bayes_ignore_header Received: from localhost
bayes_ignore_header Received: from www.sonoracomm.com
bayes_ignore_header Received: from www2.sonoracomm.com
bayes_ignore_header Received: from aaa.sonoracomm.com
bayes_ignore_header Received: from aaa2.sonoracomm.com
bayes_ignore_header Received: from backup.sonoracomm.com
bayes_ignore_header Received: from obs1.sonoracomm.com
bayes_ignore_header Received: from app1.sonoracomm.com
</code>

Protect the file and restart Zimbra:

<code bash>
chmod 444 /opt/zimbra/data/spamassassin/localrules/sauser.cf

zmcontrol stop
zmcontrol start
</code>

==== RBLs ====

As the zimbra user:

<code bash>
su - zimbra

zmprov gacf | grep zimbraMtaRestriction

zmprov mcf \
  +zimbraMtaRestriction reject_invalid_hostname \
  +zimbraMtaRestriction reject_non_fqdn_hostname \
  +zimbraMtaRestriction reject_non_fqdn_sender \
  +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
  +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"

zmprov gacf | grep zimbraMtaRestriction
</code>

==== Enable Dspam ====

:!: This may no longer be available.

<code bash>
zmlocalconfig -e amavis_dspam_enabled=true
</code>

==== Testing ====

<code bash>
wget http://spamassassin.apache.org/gtube/gtube.txt

/opt/zimbra/zimbramon/bin/spamassassin -D -t < gtube.txt
</code>

==== Troubleshooting ====

Open your firewall port for pyzor (UDP/24441 outgoing).

By default, spam with a score of 15 or higher is discarded by ''amavisd''. If you want your users to receive these mails, you have to modify the ''amavisd.conf'' settings (''/opt/zimbra/conf/amavisd.conf'') so that this email is passed through.

==== Deliver Message in Quarantine ====

http://www.openia.com/blogs/zimbra-virus-quarantine

===== Encrypted Attachments =====

By default, Zimbra is configured to block encrypted PDFs and other attachments.
Disable the blocking of encrypted attachments:

<code bash>
su - zimbra

zmprov mcf zimbraVirusBlockEncryptedArchive FALSE

zmcontrol restart
</code>

===== Disable Filtering for a User or Domain =====

This makes a user a 'spam lover' and bypasses scanning if emails are sent only to them:

<code bash>
zmprov ma user@domain.tld amavisBannedFilesLover TRUE
zmprov ma user@domain.tld amavisBypassSpamChecks TRUE amavisSpamLover TRUE
</code>

Disable all filtering for an entire domain:

<code bash>
domain="domain.tld"

zmprov md $domain +amavisBypassSpamChecks TRUE
zmprov md $domain +amavisBannedFilesLover TRUE
zmprov md $domain +amavisSpamLover TRUE
</code>

Show the ''amavisSpamLover'' setting for every domain (only domains where it is set print a value, so this lists the domains with spam filtering turned off):

<code bash>
for DOMAIN in `zmprov gad`; do zmprov gd $DOMAIN amavisSpamLover; done
</code>
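To see how the pieces on this page fit together (the ''Tag percent'' times 0.2 rule from the Required Score section, the default discard at a score of 15 from Troubleshooting, the GTUBE test message, and the per-user ''amavisBypassSpamChecks'' / ''amavisSpamLover'' attributes just above), here is an added example that models the decision ''amavisd'' makes once SpamAssassin has scored a message. It is not Zimbra's or amavisd's code. The 0.2 factor for the tag percent comes from this page; applying the same factor to a kill percent whose default is 75 (which yields the 15.0 discard score mentioned above) is an assumption, and the ''X-Spam-Status'' header it parses is constructed.

```python
"""Model of the decision amavisd makes after SpamAssassin has scored a message,
using Zimbra's percent-style thresholds and the per-recipient amavis*
attributes set with zmprov on this page.

Added example; not Zimbra's or amavisd's code. The 0.2 factor for the tag
percent comes from the page. Applying the same factor to a kill percent whose
default is 75 (giving the 15.0 discard score the Troubleshooting section
mentions) is an assumption. The X-Spam-Status header below is constructed.
"""
import re

# The GTUBE string used in the Testing section; SpamAssassin's GTUBE rule
# scores it at 1000, far above any kill level.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
GTUBE_SCORE = 1000.0


def thresholds(tag_percent: float, kill_percent: float = 75):
    """Zimbra 'Tag percent' / kill percent -> amavis required (tag2) and kill scores."""
    return round(tag_percent * 0.2, 2), round(kill_percent * 0.2, 2)


def parse_spam_status(header: str):
    """Parse the X-Spam-Status line spamassassin -t prints, e.g.
    'X-Spam-Status: Yes, score=17.3 required=5.0 tests=BAYES_99,DCC_CHECK autolearn=spam'
    -> (17.3, 5.0, ['BAYES_99', 'DCC_CHECK'])."""
    m = re.search(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)\s+tests=(\S*)", header)
    if not m:
        raise ValueError("not a SpamAssassin X-Spam-Status header")
    tests = [t for t in m.group(3).split(",") if t]
    return float(m.group(1)), float(m.group(2)), tests


def gtube_score(body: str) -> float:
    """Score contributed by the GTUBE test rule alone."""
    return GTUBE_SCORE if GTUBE in body else 0.0


def scan_needed(recipients) -> bool:
    """amavisBypassSpamChecks only skips SpamAssassin when EVERY recipient has it,
    which is why the page says 'if emails are sent only to them'."""
    return not all(r.get("bypass_spam_checks", False) for r in recipients)


def decide(score: float, tag_percent: float = 25, kill_percent: float = 75,
           bypass_spam_checks: bool = False, spam_lover: bool = False) -> str:
    """Per-recipient outcome: 'deliver', 'tag' (delivered, marked as spam) or 'discard'."""
    if bypass_spam_checks:
        return "deliver"                  # never scored, so never tagged
    tag2, kill = thresholds(tag_percent, kill_percent)
    if score >= kill and not spam_lover:
        return "discard"                  # amavisd's default for >= kill level
    if score >= tag2:
        return "tag"                      # amavisSpamLover still gets it, but tagged
    return "deliver"


if __name__ == "__main__":
    # Constructed header of the kind spamassassin -t prints for a scored message.
    hdr = "X-Spam-Status: Yes, score=17.3 required=5.0 tests=BAYES_99,DCC_CHECK autolearn=spam"
    score, required, tests = parse_spam_status(hdr)
    print("tag2/kill at 25%/75%:", thresholds(25))
    print("normal user:", decide(score), "| spam lover:", decide(score, spam_lover=True))
    print("GTUBE alone:", decide(gtube_score("body with " + GTUBE)))
    print("scan needed for mixed recipients:",
          scan_needed([{"bypass_spam_checks": True}, {"bypass_spam_checks": False}]))
```

The model shows why ''amavisSpamLover'' is the safer of the two attributes when a mailbox must never lose mail: the message is still scored and tagged, so users and filters can act on the headers, whereas ''amavisBypassSpamChecks'' removes the scan entirely and only takes effect when every recipient of the message has it set.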