Zimbra Anti-Virus and Anti-Spam

See also Zimbra DKIM Configuration

See also Zimbra - Whitelist or Blacklist IP Addresses

Whitelist and blacklist: https://computingforgeeks.com/configure-whitelist-blacklist-zimbra-amavis-spam-filtering/

Best Practices 2019: https://www.missioncriticalemail.com/2019/03/21/zimbra-anti-spam-best-practices-2019/

Custom Rules: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting

Postscreen Pre-Checks:

Zimbra Anti-spam Strategies: https://www.missioncriticalemail.com/2019/03/21/zimbra-anti-spam-best-practices-2019/

Best Practices: https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC

Rejecting False From Addresses: https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses

Enforce Username Match: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5

http://wiki.zimbra.com/wiki/SpamAssassin_Customizations#ZCS_8.5_and_later

https://www.zimbra.com/docs/os/8.6.0/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=860_admin_os.Anti-spam_Settings.html

Zimbra Admin → Configure → Servers → <server> → Services

  • Enable Anti-Spam
  • Enable Anti-Virus

Zimbra Admin → Configure → Global Settings → AS/AV

Zimbra Admin → Configure → Global Settings → MTA

  • Protocol checks → Select All
  • DNS checks → Select All
  • List of Client RBLs
    • zen.spamhaus.org
    • b.barracudacentral.org
  • List of Client RHSBLs
    • dbl.spamhaus.org
    • multi.uribl.com
Be careful with these settings. You may find that you no longer receive messages from important sources such as your PBX, router or other devices.
Change the options one or two at a time and check carefully for problems between changes.

Terms

RBL: block list for checking IP addresses
RHSBL: block list for checking domains
URIBL: block list for checking links within an email body
False Positive: legitimate email incorrectly identified as spam
Postscreen: kind of an inbound email firewall
Postfix: MTA included with Zimbra
Amavisd: processes emails through SpamAssassin and ClamAV before allowing Postfix to deliver them
SpamAssassin: performs hundreds of tests on an email
ClamAV: anti-virus engine that ships with Zimbra

Anti-Virus

grep amavis /opt/zimbra/log/clamd.log

grep amavis /opt/zimbra/log/clamd.log | sendmail -v gcooper@sonoracomm.com

Quarantine

Banned Content

Anti-SPAM

Required Score

To tweak the required_score parameter in Zimbra you don't need to edit any config file. This value is calculated from a setting in a Zimbra admin page.

Zimbra Administration → Global Settings → AV/AS

The required_score is Tag percent multiplied by 0.2.

  • A tag percent value of 25 will result in a required score of 5.
    • 25*0.2=5
    • 20*0.2=4

Subject Munging

Zimbra Administration → Global Settings → AV/AS

Whitelist

Enable SPF, Razor2 and Pyzor

Start as root:

yum --enablerepo=rpmforge install razor-agents perl-Razor-Agent python
yum --enablerepo=epel install pyzor perl-Mail-SPF
yum --enablerepo=atomic install dcc

mkdir /opt/zimbra/amavisd/.razor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor
mkdir /opt/zimbra/amavisd/.pyzor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.pyzor

su - zimbra

razor-admin -home=/opt/zimbra/amavisd/.razor -create
razor-admin -home=/opt/zimbra/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/amavisd/.razor -register
pyzor --homedir /opt/zimbra/amavisd/.pyzor discover

vim /opt/zimbra/data/spamassassin/localrules/v310.pre

Uncomment, then save:

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2

Add customizations:

vim /opt/zimbra/data/spamassassin/localrules/sauser.cf

Append your SpamAssassin customizations (modify to suit):

ok_languages en es 
ok_locales en es 
trusted_networks 127. 209.104.9. 209.193.64.
use_bayes 1
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1 
dns_available yes 

## Optional Score Increases 
## Choose your preferred values...
score DCC_CHECK 4.000
score SPF_FAIL 4.000
score SPF_HELO_FAIL 4.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
score BAYES_99 3.000
score BAYES_90 3.000
score BAYES_80 3.000
bayes_ignore_header Received: from localhost
bayes_ignore_header Received: from www.sonoracomm.com
bayes_ignore_header Received: from www2.sonoracomm.com
bayes_ignore_header Received: from aaa.sonoracomm.com
bayes_ignore_header Received: from aaa2.sonoracomm.com
bayes_ignore_header Received: from backup.sonoracomm.com
bayes_ignore_header Received: from obs1.sonoracomm.com
bayes_ignore_header Received: from app1.sonoracomm.com

Save the file, then make it read-only:

chmod 444 /opt/zimbra/data/spamassassin/localrules/sauser.cf

zmcontrol stop
zmcontrol start
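
A check worth running before restarting, added here as an example (not part of the original page or of Zimbra): it reads the score lines from sauser.cf and reports which rules can mark a message as spam on their own at a given Tag percent, and what a combination of hits adds up to. It assumes a total at or above the threshold counts as spam, uses the discard level of 15 mentioned under Troubleshooting, and counts only rules scored in the file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the score overrides against the Zimbra thresholds.
# sample_sauser_cf holds the score lines from this page; on a server, feed
# /opt/zimbra/data/spamassassin/localrules/sauser.cf on stdin instead.
sample_sauser_cf() {
cat <<'EOF'
use_bayes 1
score DCC_CHECK 4.000
score SPF_FAIL 4.000
score SPF_HELO_FAIL 4.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
score BAYES_99 3.000
score BAYES_90 3.000
score BAYES_80 3.000
EOF
}

# solo_rules TAG_PERCENT: rules whose score alone reaches required_score
# (Tag percent * 0.2). Works in thousandths to avoid float rounding.
solo_rules() {
    awk -v p="$1" '
    $1 == "score" && NF >= 3 && int($3 * 1000 + 0.5) >= p * 200 { print $2 }
    ' | sort
}

# verdict TAG_PERCENT RULE...: total the file's scores for the rules that hit
# and classify: ham, spam (>= required_score) or discard (>= 15).
verdict() {
    p=$1; shift
    awk -v p="$p" -v hits=" $* " '
    $1 == "score" && index(hits, " " $2 " ") { t += int($3 * 1000 + 0.5) }
    END {
        v = "ham"
        if (t >= p * 200) v = "spam"
        if (t >= 15000)   v = "discard"
        printf "%.1f %s\n", t / 1000, v
    }'
}

echo "Rules that tag a message alone at Tag percent 20:"
sample_sauser_cf | solo_rules 20
echo "SPF_FAIL + RAZOR2_CHECK at Tag percent 25:"
sample_sauser_cf | verdict 25 SPF_FAIL RAZOR2_CHECK
```

With the values above, a Tag percent of 20 lets DCC_CHECK, SPF_FAIL or SPF_HELO_FAIL tag a message by itself, while at 25 no single rule does.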

RBLs

As zimbra user:

su - zimbra

zmprov gacf | grep zimbraMtaRestriction

zmprov mcf \
+zimbraMtaRestriction reject_invalid_hostname \
+zimbraMtaRestriction reject_non_fqdn_hostname \
+zimbraMtaRestriction reject_non_fqdn_sender \
+zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
+zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"

zmprov gacf | grep zimbraMtaRestriction
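
To check for problems between changes, as advised under the MTA settings above, the following added example (not from the original page) counts Postfix block-list rejections per list and connecting client, so a PBX or router that starts being rejected stands out. The log lines are constructed samples in Postfix's reject format, the function names are hypothetical, and reading /var/log/zimbra.log on a real server is an assumption.

```shell
#!/bin/sh
# Added example: summarise DNSBL/RHSBL rejections from Postfix log lines.
# sample_log is constructed data; on a server use e.g. /var/log/zimbra.log.
sample_log() {
cat <<'EOF'
Apr 18 09:01:12 mail postfix/smtpd[2311]: connect from unknown[203.0.113.7]
Apr 18 09:01:13 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<a@example.net> to=<u@example.com> proto=ESMTP helo=<x.example.net>
Apr 18 09:05:40 mail postfix/smtpd[2315]: NOQUEUE: reject: RCPT from pbx.example.com[198.51.100.20]: 554 5.7.1 Service unavailable; Client host [198.51.100.20] blocked using b.barracudacentral.org; from=<voicemail@example.com> to=<u@example.com> proto=ESMTP helo=<pbx.example.com>
Apr 18 09:07:02 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<b@example.net> to=<u@example.com> proto=ESMTP helo=<x.example.net>
EOF
}

# rbl_rejects: read log lines on stdin and print "count list client-ip",
# highest count first. The client is the field after "reject: <stage> from".
rbl_rejects() {
    awk '
    / reject: / && / blocked using / {
        ip = ""; list = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "reject:") {
                c = $(i + 3); a = index(c, "["); b = index(c, "]")
                if (a > 0 && b > a) ip = substr(c, a + 1, b - a - 1)
            }
            if ($i == "using") { list = $(i + 1); sub(/;$/, "", list) }
        }
        if (ip != "" && list != "") n[list " " ip]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# rbl_hits_for IP: number of rejections for one address, such as your PBX.
rbl_hits_for() {
    rbl_rejects | awk -v ip="$1" '$3 == ip { s += $1 } END { print s + 0 }'
}

sample_log | rbl_rejects
```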

Enable Dspam

Note: This may no longer be available.

zmlocalconfig -e amavis_dspam_enabled=true

Testing

wget http://spamassassin.apache.org/gtube/gtube.txt
/opt/zimbra/zimbramon/bin/spamassassin -D -t < gtube.txt

Troubleshooting

Open your firewall port for pyzor (UDP/24441 outgoing).

By default, spam with a score of 15 or higher is discarded by amavisd. If you want your users to receive these messages, you have to modify the amavisd.conf settings (/opt/zimbra/conf/amavisd.conf) so that this mail is passed.

Deliver Message in Quarantine

Encrypted Attachments

By default, Zimbra is configured to block encrypted PDFs and other attachments.

Disable the blocking of encrypted attachments:

su - zimbra
zmprov mcf zimbraVirusBlockEncryptedArchive FALSE
zmcontrol restart

Disable Filtering for a User or Domain

This will make a user a 'spam lover' and will bypass scanning if emails are sent only to them:

zmprov ma user@domain.tld +amavisBannedFilesLover TRUE
zmprov ma user@domain.tld amavisBypassSpamChecks TRUE amavisSpamLover TRUE

Disable all filtering for an entire domain:

domain="domain.tld"
zmprov md $domain +amavisBypassSpamChecks TRUE 
zmprov md $domain +amavisBannedFilesLover TRUE
zmprov md $domain +amavisSpamLover TRUE

List domains with spam filtering turned off:

for DOMAIN in $(zmprov gad); do zmprov gd "$DOMAIN" amavisSpamLover; done
internet/mail/zimbra/zimbra_spam.txt · Last modified: 2024/04/18 13:51 by gcooper