Antivirus
---
Amavisd Config
Some notes about this: in Zimbra, by default, spam with a score of 15 or higher is discarded by amavisd (the kill level). If you want your users to receive these messages anyway, change the amavisd.conf setting (/opt/zimbra/conf/amavisd.conf) so that they are passed on:
$final_spam_destiny = D_PASS;
Zimbra regenerates amavisd.conf from the amavisd.conf.in template, so make persistent edits in the .in file (the whitelist sections further down do exactly that). On current releases the same threshold is exposed as the kill percent in the admin console (Global Settings > AS/AV); see the required_score section below.
---
Improving Anti-SPAM System
Razor2
We add Razor2 (a collaborative, checksum-based spam detection network) to improve scoring.
Installing Razor
CentOS
There are several ways to install Razor-Agent. Two common ways are listed below:
Yum / RPM package
The perl-Razor-Agent package is available through Dag Wieers' apt/yum repository (RPMforge):
You will need to configure yum to use the RPMforge repository for your release and architecture, which is outside the scope of this document (search for rpmforge-release). Enable the repository and append the following line to its section so that only the Razor packages and their dependencies are pulled from it:
includepkgs=perl-Razor-Agent perl-Digest-HMAC perl-Digest-SHA1 perl-Net-DNS perl-Net-IP razor-agents
Install Razor-Agent and its dependencies:
# yum install perl-Razor-Agent razor-agents
Alternatively you can download the specific packages directly from Dag's mirrors and install manually with the rpm command. The downside is you are not notified if there is a patch or update to these packages.
Open your firewall ports for razor2 (TCP/2703 outgoing).
Compile
As root: get razor-agents-sdk from razor.sourceforge.net, untar it and run:
perl Makefile.PL
make
make install
Get razor-agents from razor.sourceforge.net as well, untar it and run:
perl Makefile.PL
make
make install
Open your firewall ports for razor2 (TCP/2703 outgoing).
Fedora
As root, install the packages with yum (abbreviated output):
yum install razor-agents
Downloading Packages:
(1/2): perl-Razor-Agent-2 100% |=========================| 84 kB 00:07
(2/2): razor-agents-2.81- 100% |=========================| 51 kB 00:06
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: perl-Razor-Agent ######################### [1/2]
Installing: razor-agents ######################### [2/2]
Installed: razor-agents.i386 0:2.81-2.fc5.rf
Dependency Installed: perl-Razor-Agent.i386 0:2.81-2.fc5.rf
Complete!
Configuring Razor
Create the .razor directory under /opt/zimbra/amavisd and make it owned by the zimbra user:
mkdir /opt/zimbra/amavisd/.razor
chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor
As zimbra user, create your razor account:
razor-admin -home=/opt/zimbra/amavisd/.razor -create
razor-admin -home=/opt/zimbra/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/amavisd/.razor -register
And finally enable razor. Edit /opt/zimbra/conf/spamassassin/v310.pre and uncomment line
loadplugin Mail::SpamAssassin::Plugin::Razor2
Pyzor
Now we add Pyzor support to push the spam score up further.
Installing Pyzor
CentOS
As root, install python support.
yum install python
Get the pyzor package from pyzor.sourceforge.net, untar it and run:
python setup.py build
python setup.py install
Set permissions according to the pyzor README:
chmod -R a+rX /usr/share/doc/pyzor /usr/lib/python2.3/site-packages/pyzor /usr/bin/pyzor /usr/bin/pyzord
On RHEL 5 x86_64 the paths differ slightly:
chmod -R a+rX /usr/share/doc/pyzor /usr/lib/python2.4/site-packages/pyzor /usr/local/bin/pyzor /usr/bin/pyzord
Fedora
As root, install the pyzor RPM; it is in Fedora's Extras repository (abbreviated output):
yum install pyzor
...
Downloading Packages:
(1/1): pyzor-0.4.0-10.fc5 100% |=========================| 65 kB 00:01
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: pyzor ######################### [1/1]
Installed: pyzor.noarch 0:0.4.0-10.fc5
Complete!
SUSE 10
As root, install python and python-devel via yast2 (Software -> Software Management).
Get the pyzor package from pyzor.sourceforge.net, untar it and run:
python setup.py build
python setup.py install
Set permissions according to the pyzor README:
chmod -R a+rX /usr/local/share/doc/pyzor /usr/local/lib/python2.4/site-packages/pyzor /usr/local/bin/pyzor /usr/local/bin/pyzord
Configuring Pyzor
Create the .pyzor directory in the zimbra-amavisd home and set its ownership:
mkdir /opt/zimbra/amavisd/.pyzor
chown zimbra:zimbra /opt/zimbra/amavisd/.pyzor
Open your firewall ports for pyzor (UDP/24441 outgoing)
Then, as the zimbra user, discover the pyzor servers:
pyzor --homedir /opt/zimbra/amavisd/.pyzor discover
Spamassassin Config
Now we have Pyzor, Razor and SPF. SPF is worth enabling with a higher score: publishing an SPF record is optional, so a domain that publishes one and then fails it has only itself to blame. One caveat before you copy the values below: SPF_FAIL at 10 also catches legitimate mail that was forwarded through a host the sender's SPF record does not list, so watch for false positives if your users have mail forwarded to them. Open your SpamAssassin config at /opt/zimbra/conf/spamassassin/local.cf and add these rules at the end (customize them to taste):
ok_languages en es
ok_locales en es
trusted_networks 127. 10.70. 192.168.
use_bayes 1
skip_rbl_checks 0
use_razor2 1
#use_dcc 1 <<< WORK IN PROGRESS
use_pyzor 1
dns_available yes
## Optional Score Increases
## Choose your preferred values...
score DCC_CHECK 4.000
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000
bayes_ignore_header Received: from mail3.example.com
bayes_ignore_header Received: from localhost
bayes_ignore_header Received: from mail1.example.com
bayes_ignore_header Received: from mail2.example.com
bayes_ignore_header takes a header name, not a header value, so the four Received: entries above will never match as written; list instead the names of headers that upstream filters add (for example bayes_ignore_header X-Spam-Status when an upstream relay already runs SpamAssassin), or leave them out.
Note that these numbers can be raised further if you want a particular test to carry more weight. Check your headers and adjust as needed to achieve the desired result.
required_score
To tweak the required_score parameter in Zimbra you do not need to edit any config file; the value is derived from a setting in the Zimbra admin console. Go to Global Settings > AS/AV. required_score is tag percent * 0.2, so a tag percent of 25 gives a required score of 5 (25 * 0.2 = 5). The kill level mentioned above is derived the same way from the kill percent (the default of 75 gives 15).
Externally-Maintained Whitelists
Even with the Bayes configurations above, some messages with high Bayes scores get through due to the existence of several externally-maintained whitelists. Essentially these are programs whereby those who subscribe to the program--for a price and agreement to follow certain rules of conduct--get a pass to send unsolicited messages. Spamassassin uses these trusted lists to REDUCE your spam score by assigning a negative point score to the message, which offsets the positive (i.e. "spammy") scores that might result from other filters in your system.
Some of these lists, such as dnswl.org, are maintained by an all-volunteer group; others, such as the Bonded Sender Program (now known as SenderScoreCertified at www.senderscorecertified.com) and Habeas (www.habeas.com) are commercial enterprises. Each describes their standards on their website; one can, of course, find plenty of heated discussion as to the extent to which the commercial ones enforce their standards.
Without engaging in the debate as to the motives or purity of one list or another, the administrator needs to evaluate each list and determine whether he/she is comfortable having that list's maintainers influence the performance of local spam filters. This section is intended to help the administrator adjust the relative scoring influences of these whitelists if so desired.
As with any technology, the services change with time. It is probably a good discipline to review your SpamAssassin configuration files from time to time (after an update in particular) looking for anything that gives your messages a negative score, so you can evaluate if you want to accept that scoring for your local system.
Bonded Sender Program (BSP)
The Bonded Sender Program is described at www.senderscorecertified.com. Spamassassin gives BSP hits a -4.5 score, which pretty well overrides everything else you've done and makes the message come through anyhow (BSP's own website actually advocates a -100 score!). The following adjustment in your local.cf file can reduce, or if you wish, neutralize, the effect of BSP on your spam scores:
# Score to reduce the effect of Bonded Sender Program (BSP) whitelisting
score RCVD_IN_BSP_TRUSTED -0.500
score RCVD_IN_BSP_OTHER -0.500
score RCVD_IN_BONDEDSENDER -0.500
Change these values to zero and the effect goes away completely.
Habeas
Habeas, at www.habeas.com, is another such subscription-based whitelisting program. Habeas also recommends a -100 score for the most highly-rated senders in their list, although Spamassassin gives them the more conservative score of -8.0 for the highest-rated senders. A reduced impact score for Habeas (again in local.cf) might look like this:
# Score to reduce the effect of Habeas whitelisting
score HABEAS_ACCREDITED_COI 0 -0.5 0 -0.5
score HABEAS_ACCREDITED_SOI 0 -0.25 0 -0.25
score HABEAS_CHECKED 0 -0.1 0 -0.1
(Four values on a score line are, in order, the score used with no Bayes and no network tests, no Bayes with network tests, Bayes without network tests, and both enabled; these DNS-based rules therefore only score when network tests are on.)
Again, all zeros would completely negate these scores
ISIPP's SuretyMail (IADB)
The Institute for Spam and Internet Public Policy (ISIPP) is another for-profit whitelister whose stated purpose in its marketing materials (www.suretymail.com) is to "Send Legitimate E-mail in a Spam-Filtered World." The ISIPP settings appear in SpamAssassin as IADB, and can be modified as follows:
# Score to reduce the effect of ISIPP/IADB SuretyMail whitelisting
score RCVD_IN_IADB_VOUCHED 0 -0.2 0 -0.2
score RCVD_IN_IADB_DOPTIN 0 -0.4 0 -0.4
score RCVD_IN_IADB_ML_DOPTIN 0 -0.6 0 -0.6
And of course zeros work as well.
dnswl.org
DNSWL is different from the lists described above, in that it is deliberately a noncommercial list, and its maintainers recognize the potential conflict of interest in having an economic incentive to let senders off the hook (see their "background" page to hear it in their own words). Nevertheless, it is conceivable that administrators will find DNSWL's judgment allowing messages through local filters in contravention of local policy. DNSWL's default scores in SpamAssassin are -1, -4, and -8. Administrators wishing to reduce these could use the following settings:
# Score to reduce the effect of DNSWL whitelisting
score RCVD_IN_DNSWL_LOW 0 -0.1 0 -0.1
score RCVD_IN_DNSWL_MED 0 -0.4 0 -0.4
score RCVD_IN_DNSWL_HI 0 -0.8 0 -0.8
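Rather than reading every .cf file by eye after each update, as suggested above, here is a small scanner that lists the rules whose effective score is negative. It is an added example for this page, not Zimbra or SpamAssassin code. It understands SpamAssassin's four-value score form (no-Bayes/no-net, no-Bayes/net, Bayes/no-net, Bayes/net, in the order documented in Mail::SpamAssassin::Conf), so it reports what actually applies on a Zimbra box where Bayes and network tests are both on. The sample fragment is constructed from score lines on this page; the directory you pass to scan_directory is whichever customization directory your ZCS version uses.

```python
"""Find SpamAssassin rules that lower a message's score (whitelist-style rules).

Added example for this page, not Zimbra or SpamAssassin code. Parses the
`score RULE v` and four-value `score RULE v1 v2 v3 v4` forms from *.cf text
and reports the rules whose effective score is negative for a given
Bayes / network-tests configuration.
"""
import glob
import os
import re

# score RULE n   or   score RULE n n n n   (a trailing '# comment' is allowed)
SCORE_RE = re.compile(
    r"^\s*score\s+(?P<rule>[A-Za-z0-9_]+)\s+"
    r"(?P<values>(?:-?\d+(?:\.\d+)?\s*){1,4})(?:#.*)?$"
)


def parse_scores(cf_text):
    """Return {rule: [floats]} for every score line; a later definition wins."""
    scores = {}
    for line in cf_text.splitlines():
        m = SCORE_RE.match(line)
        if m:
            scores[m.group("rule")] = [float(v) for v in m.group("values").split()]
    return scores


def effective_score(values, use_bayes=True, use_net=True):
    """Pick the score SpamAssassin would use from a 1- or 4-value list.

    Four-value order (Mail::SpamAssassin::Conf): no Bayes & no net, no Bayes
    & net, Bayes & no net, Bayes & net.
    """
    if len(values) == 1:
        return values[0]
    if len(values) != 4:
        raise ValueError("score lines carry one or four values: %r" % (values,))
    return values[(2 if use_bayes else 0) + (1 if use_net else 0)]


def negative_rules(cf_text, use_bayes=True, use_net=True):
    """(rule, effective_score) pairs for rules that subtract from the score, most negative first."""
    found = []
    for rule, values in parse_scores(cf_text).items():
        eff = effective_score(values, use_bayes, use_net)
        if eff < 0:
            found.append((rule, eff))
    return sorted(found, key=lambda pair: pair[1])


def scan_directory(path, use_bayes=True, use_net=True):
    """Scan every *.cf under path (e.g. /opt/zimbra/conf/sa) and map file -> negative rules."""
    report = {}
    for cf in sorted(glob.glob(os.path.join(path, "*.cf"))):
        with open(cf) as fh:
            hits = negative_rules(fh.read(), use_bayes, use_net)
        if hits:
            report[cf] = hits
    return report


# Constructed fragment built from score lines that appear on this page.
SAMPLE_CF = """\
# whitelist dampening
score RCVD_IN_BSP_TRUSTED -0.500
score HABEAS_ACCREDITED_COI 0 -0.5 0 -0.5
score RCVD_IN_DNSWL_HI 0 -0.8 0 -0.8
score SPF_FAIL 10.000
score BAYES_00 -0.500        # ham-ish Bayes bucket
score RP_MATCHES_RCVD -0.000  # neutralised, not negative
"""

if __name__ == "__main__":
    for rule, eff in negative_rules(SAMPLE_CF):
        print("%-28s %6.3f" % (rule, eff))
```

Run it with use_net=False to see how the four-value rules disappear: the Habeas and DNSWL entries above only score when network tests are enabled, while BAYES_00 and the single-value BSP line apply regardless.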
Integrate the Cloudmark Authority Milter for AS/AV Protection
The following steps have been shown to work on Release 6.0.3_GA, 7.1.1_GA, 8.0.9_GA, and 8.6.0_GA
1) Become the Zimbra user
su - zimbra
2) [Optional] Disable the built-in SpamAssassin and ClamAV virus services (swapping these out for the Cloudmark Authority engine will improve throughput significantly).
zmprov -l ms `zmhostname` -zimbraServiceEnabled antivirus
zmprov -l ms `zmhostname` -zimbraServiceEnabled antispam
2a) Verify that the following two lines no longer appear in the enabled services list:
zimbraServiceEnabled: antivirus
zimbraServiceEnabled: antispam
zmprov gs `zmhostname` zimbraServiceEnabled
# name <your-host>
zimbraServiceEnabled: logger
zimbraServiceEnabled: mailbox
zimbraServiceEnabled: mta
zimbraServiceEnabled: stats
zimbraServiceEnabled: snmp
zimbraServiceEnabled: ldap
zimbraServiceEnabled: spell
3) Add your Milter to the Postfix configuration file (by way of zmmtaconf, which writes the main.cf during startup using zmmta.cf as a template file):
zmprov ms `zmhostname` zimbraMtaSmtpdMilters "inet:127.0.0.1:2704"
zmprov ms `zmhostname` zimbraMtaNonSmtpdMilters "inet:127.0.0.1:2704"
(the format of Postfix's milter option value is "inet:<host or IP of milter>:<port of milter>")
4) Configure the destination addresses for the "Spam" and "Not Spam" buttons in the Zimbra webmail UI so that missed-spam and false-positive reports are delivered to the Cloudmark-provided addresses:
zmprov mcf zimbraSpamIsSpamAccount "insert-Cloudmark-provided-spam-reporting-email-address-here"
zmprov mcf zimbraSpamIsNotSpamAccount "insert-Cloudmark-provided-false-positive-reporting-email-address-here"
5) Validate your missed spam and false positive reporting addresses
zmprov gacf | grep SpamAccount
6) Restart the Zimbra installation:
zmcontrol restart
7) Become the super user:
su -
8) Configure the Cloudmark Authority Milter to tag message headers for detected Spam and Virus with the "X-Spam-Flag", but also replace the body & attachments of Virus messages. Edit the Authority Milter configuration file "cmfilter.cfg" with the following settings:
log analysis data = True
log level = warning
remove headers = X-Spam-Flag
spam action = addheader
spam header = X-Spam-Flag
spam header value = YES
force bulk senders legit = True
virus action = addheader,replacebody,tagsubject
virus header = X-Spam-Flag
virus header value = YES
9) Restart the Cloudmark Authority Milter:
service cmfilter restart
10) Send a test message through and verify that the milter has processed it (a message Cloudmark classifies as spam will carry the X-Spam-Flag: YES header configured above).
Your Milter callout from Postfix should now be configured.
Enabling DCC
To set up DCC: download dcc from the DCC site.
I compile on a different system to build an RPM to install in the production environment. Use this spec file (rename it to .spec) to build an RPM with the command:
rpmbuild -ba /usr/src/redhat/SPECS/dcc.spec
install it on the production server:
rpm -ivh dcc-x.y.z.rpm
Change /etc/dcc/dcc_conf to read:
DCCUID=zimbra
DCCD_ENABLE=off
Change /opt/zimbra/conf/spamassassin/v310.pre to enable the DCC plugin:
loadplugin Mail::SpamAssassin::Plugin::DCC
Enable DCC on firewall (UDP/6277 outgoing)
Have fun. I use sqlgrey as a greylist server, so I don't need another one. For me the standard value (DCC == 2.5 SpamAssassin points) is fine, so I do not change it. With SA 3.x you do not need to use enable_dcc in local.cf. The same is true for razor2.
Implementing Whitelist/Blacklist
Domain white/black list
This can be accomplished by modifying /opt/zimbra/conf/amavisd.conf.in and adding a score for the domain that you want to change.
When scoring the domain, remember that negative scores whitelist, positive scores blacklist
Here's a whitelisting example:
Edit the file /opt/zimbra/conf/amavisd.conf.in and look for this section:
{ # a hash-type lookup table (associative array)
  'nobody@cert.org' => -3.0,
  'cert-advisory@us-cert.gov' => -3.0,
  'owner-alert@iss.net' => -3.0,
  'slashdot@slashdot.org' => -3.0,
  'bugtraq@securityfocus.com' => -3.0,
  'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
  'security-alerts@linuxsecurity.com' => -3.0,
At the top, add the domain you want to whitelist (eg, zimbra.com), with a strong negative score:
{ # a hash-type lookup table (associative array)
  'zimbra.com' => -10.0,
  'nobody@cert.org' => -3.0,
  'cert-advisory@us-cert.gov' => -3.0,
  'owner-alert@iss.net' => -3.0,
  'slashdot@slashdot.org' => -3.0,
  'bugtraq@securityfocus.com' => -3.0,
  'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
  'security-alerts@linuxsecurity.com' => -3.0,
  'mailman-announce-admin@python.org' => -3.0,
Remember, if you want to blacklist a domain, make the score positive
Then restart amavis:
zmamavisdctl stop && zmamavisdctl start
Remember that you are trusting the envelope sender's domain to be genuine: any message whose sender address is in that domain gets the score adjustment, and the address is not verified. A strong negative score on a domain is therefore also an invitation to forge that domain, so pair this kind of whitelisting with SPF/DKIM checks where you can. Note also that a bare domain key such as 'zimbra.com' matches only that exact domain; to cover its subdomains as well, use '.zimbra.com'.
This can also be used with individual sender email addresses, as seen above.
User white/black list
It is very simple; change the amavis config:
Put in /opt/zimbra/conf/amavisd.conf.in:
read_hash(\%whitelist_sender, '/etc/zimbra/whitelist');
read_hash(\%blacklist_sender, '/etc/zimbra/blacklist');
read_hash(\%spam_lovers, '/etc/zimbra/spamlovers');
In /etc/zimbra/* put sender addresses or domains, one per line. Wildcards are allowed. Example:
hotstuff@sexnzen.com
spammersites.net
A spamlovers list is for those accounts that always need to receive all messages, even spam. According to RFC 2822, postmaster, abuse and other accounts of this kind should be spam lovers. [However, instead of hacking amavis.conf.in to create a spamlovers list, it's probably better now to use zmprov <account> amavisSpamLover TRUE amavisBypassSpamChecks TRUE. It's possible that other recommendations on this page are similarly out of date--Ewilen 13:41, 9 August 2012 (PDT).]
---
Setup blacklist and whitelist for SPAM filter
Easy method
As root, edit the amavisd config at /opt/zimbra/conf/amavisd.conf.in, add 2 lines:
read_hash(\%whitelist_sender, '/opt/zimbra/conf/whitelist');
read_hash(\%blacklist_sender, '/opt/zimbra/conf/blacklist');
Create the list files:
cat <<EOT > /opt/zimbra/conf/whitelist
3open.org
EOT
cat <<EOT > /opt/zimbra/conf/blacklist
spammer@example.com
EOT
Then take effect by:
su - zimbra -c 'zmamavisdctl restart'
Alternate method
Edit the amavisd config at /opt/zimbra/conf/amavisd.conf.in, at section:
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
  # results from all matching recipient tables are summed

  ## per-recipient personal tables (NOTE: positive: black, negative: white)
  # 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
  # 'user3@example.com' => [{'.ebay.com' => -3.0}],
  # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
  #                          '.cleargreen.com' => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [ # the _first_ matching sender determines the score boost

    new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
      [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
      [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
      [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
      [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
      [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
      [qr'^(your_friend|greatoffers)@'i => 5.0],
      [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
    ),

    # read_hash("/var/amavis/sender_scores_sitewide"),

    { # a hash-type lookup table (associative array)
      ...
      ###
      ### Add custom black / white list here :
      ###
      # blacklisting:
      'promote@somedomain.com' => 10.0,
      'spammer.com' => 10.0,
      # whitelisting:
      'mycustomer.com' => -100.0,
      ...
And restart amavisd for the change to take effect:
zmamavisdctl stop && zmamavisdctl start
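To make the matching rules used by both methods above concrete, here is a small Python model of amavisd's hash-type sender lookup. It is an added example for this page, not amavisd code. The key order is my reading of amavisd-new's README.lookups (assumption: verify it against the README shipped with your amavisd): the full address, the local part with and without its +extension, the bare domain (exact match only), then each dotted parent domain, then the '.' catch-all. The sample table reuses keys from the examples above; the 'postmaster@' entry and the read_hash comment handling are constructed for illustration.

```python
"""Model amavisd-new's hash-type sender lookup (soft white/blacklisting).

Added example for this page, not amavisd code. Key order follows my reading
of amavisd-new's README.lookups (assumption: check your version's README).
Everything here is keyed on the envelope sender, which nobody has
authenticated, so a generous negative score is an open invitation to forge
that address.
"""


def lookup_keys(address):
    """Keys tried, in order, for a sender such as user+tag@sub.example.com."""
    address = address.strip().lower()
    local, _, domain = address.rpartition("@")
    keys = []
    if local:
        keys.append("%s@%s" % (local, domain))
        keys.append("%s@" % local)             # local part at any domain
        if "+" in local:                       # then again without the +extension
            base = local.split("+", 1)[0]
            keys.append("%s@%s" % (base, domain))
            keys.append("%s@" % base)
    keys.append(domain)                        # bare domain: exact match only
    labels = domain.split(".")
    for i in range(len(labels)):               # .sub.example.com .example.com .com
        keys.append("." + ".".join(labels[i:]))
    keys.append(".")                           # catch-all
    return keys


def score_for(address, table):
    """First matching key wins, as in amavisd's hash lookups; None if nothing matches."""
    for key in lookup_keys(address):
        if key in table:
            return table[key]
    return None


def read_hash(text, value=True):
    """Parse a read_hash()-style file: one key per line, blank lines and '#' comments ignored (assumption)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            table[line] = value
    return table


# Sender scores reused from the examples above; 'postmaster@' is constructed
# to show a local-part-only key. Negative = whitelist, positive = blacklist.
SITE_SCORES = {
    "zimbra.com": -10.0,        # exact domain only: user@mail.zimbra.com does NOT match
    ".ebay.com": -3.0,          # leading dot: ebay.com and every subdomain
    "nobody@cert.org": -3.0,
    "spammer.com": 10.0,
    "postmaster@": -5.0,        # constructed: postmaster@ at any domain
}

if __name__ == "__main__":
    for addr in ("someone@zimbra.com", "someone@mail.zimbra.com",
                 "seller@mail.ebay.com", "nobody+list@cert.org"):
        print("%-28s -> %s" % (addr, score_for(addr, SITE_SCORES)))
```

The bare 'zimbra.com' key from the whitelisting example above does not cover mail from sub.zimbra.com; if that is what you want, add the leading dot. Regex tables (new_RE) are different: there the first listed pattern that matches wins, regardless of specificity.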
---
Anti-spam Strategies
Customizing SpamAssassin
ZCS 8.5 and later
For ZCS 8.5, SpamAssassin layout has been corrected as per the SpamAssassin developers. sauser.cf is migrated to the /opt/zimbra/data/spamassassin/localrules directory. This is the supported location for doing customizations of SpamAssassin for ZCS 8.5 and later.
ZCS 8
For ZCS 8.0, SpamAssassin scans for all *.cf files in /opt/zimbra/conf/sa and loads them in alphabetical order. If you create a sauser.cf file, it will be loaded after salocal.cf is loaded. This is the supported method for doing customizations of SpamAssassin for ZCS 8. Note that only the sauser.cf file will be migrated when upgrading to later releases.
In 8.0.5, two options were added to the product to enable SpamAssassin rule updates via sa-update (reference: see82201):
antispam_enable_rule_updates
antispam_enable_restarts
Check that these are set to true, and if not, set them to true and restart amavisd and the MTA:
$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = false
$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = false
$ zmlocalconfig -e antispam_enable_rule_updates=true
$ zmlocalconfig -e antispam_enable_restarts=true
$ zmamavisdctl restart
$ zmmtactl restart
ZCS 6 and ZCS 7
For ZCS 6 and ZCS 7, SpamAssassin customizations go in /opt/zimbra/conf/sauser.cf. When upgrading to ZCS 8 the file will be relocated to /opt/zimbra/conf/sa
Automatic rule updates
With ZCS 8 and later, it is possible to enable automatic rule updates for SpamAssassin to help improve scoring. There are two localconfig keys that control the automatic update behavior.
antispam_enable_rule_updates controls whether or not to enable automatic rule updates. Defaults to false.
antispam_enable_restarts controls whether or not Amavisd will be automatically restarted after a rule update if they are enabled. Defaults to false.
Automatic rule compilation
With ZCS 8.5 and later, it is possible to enable automatic rule compilation when automatic updates are enabled. Compiling the SA rules helps decrease the amount of time it takes to score email. This is controlled via a localconfig key.
antispam_enable_rule_compilation controls whether or not to automatically compile new rules that are automatically updated. Defaults to false.
Customizing Postfix
In ZCS 7 and ZCS 8, customizing Postfix is a mix of zmlocalconfig and zmprov settings. In ZCS 8.5, virtually all settings are done via zmprov (zmlocalconfig settings will be migrated on upgrade if they do not match the default value).
zmprov/zmlocalconfig are both permissible and the recommended way to perform Postfix customizations for supported keys.
For example:
zmprov ms <server> +zimbraMtaRestriction reject_unknown_reverse_client_hostname
Specific Suggested Tweaks
Last update 24 October 2014 by L. Mark Stone, Reliable Networks
Our client base is very nervous about spam-delivered malware but even more concerned about "false-positives" i.e. legitimate email incorrectly identified as spam. Consequently, we've had to develop tweaks to improve Zimbra's default SpamAssassin configurations. The results have been that users with very public email addresses who typically receive several hundred to more than a thousand emails per day will see no more than ~3 spam emails per day in their Inbox. In our experience, anything less than that and you are likely to wind up with false positives.
If your end-user base is more tolerant of false positives, then you can tighten things up.
Keep in mind that Zimbra's Postfix takes a cut at filtering the email stream before Zimbra's SpamAssassin, and that SpamAssassin's processing of emails is much more resource intensive than Postfix's. Consequently, any filtering that you can do at the Postfix level to block emails outright will be helpful in both blocking spam and lowering resource utilization on your Zimbra server. Just be careful of inducing false positives!
DNS Tweaks
Zimbra recommends using a caching DNS server locally, and we like BIND9 but DNSMasq is fine as well. (As we understand it, Zimbra may start shipping a DNS server bundled with Zimbra in a later release.)
One configuration nuance to DNS is the use of forwarders in your BIND9 configuration. We have seen many Zimbra systems use their ISP's, or Google's public DNS servers as forwarders. The problem is that many of the RBL services embedded in SpamAssassin and configurable within Zimbra limit the number/rate of queries they accept from a particular DNS server. Since almost all RBL queries will never be cached, the queries get done by the forwarders. And since the forwarders are doing the same queries for lots of other folks, those queries are often blocked.
We therefore recommend that when using a local caching DNS server that you ensure the configuration has current hints for the root servers and that the forwarders section in the BIND9 config file be set to empty.
Postfix Tweaks
RBLs
At the Postfix level we use just a few complementary and conservative RBLs, one DNS check and one Protocol check. All of these can be configured via the Admin Console: (Global Settings > MTA). A list of RBLs can be found at https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
The RBLs we use are:
zen.spamhaus.org
psbl.surriel.com
b.barracudacentral.org
Additional RBLs used by zimbra are:
bl.spamcop.net
The Client RHSBLs we use are (updated June 2, 2014):
dbl.spamhaus.org
multi.uribl.com
multi.surbl.org
Additional Client RHSBLs used by Zimbra:
rhsbl.sorbs.net
Sender RHSBLs used by Zimbra:
multi.uribl.com
multi.surbl.org
rhsbl.sorbs.net
dbl.spamhaus.org
Reverse Client RHSBLs used by Zimbra:
dbl.spamhaus.org
Adding RBL and RHSBL checks in Postfix can also be done from the command line (note the leading + on zimbraMtaRestriction, which appends to the multi-valued attribute instead of replacing every restriction already set).
For RBLs:
zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
For RHSBL clients:
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"
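As an added example (not Zimbra or Postfix code), the Python below builds the query names that reject_rbl_client and reject_rhsbl_client send and decodes zen.spamhaus.org answers. The point a practitioner cares about ties back to the DNS Tweaks above: Spamhaus answers queries arriving from public resolvers or over-quota resolvers with 127.255.255.x codes rather than failing silently, and Postfix treats any 127.x.x.x answer as a listing unless you restrict the match, so a forwarder problem can turn into rejecting all inbound mail. The return-code table is copied from Spamhaus's published documentation as of this writing (assumption: check the current table before relying on it).

```python
"""Build and decode the DNS queries behind reject_rbl_client / reject_rhsbl_client.

Added example for this page, not Zimbra or Postfix code. The zen.spamhaus.org
return codes are copied from Spamhaus's published return-code table as of this
writing (assumption: check the current table before relying on them).
"""
import ipaddress
import socket

# Listing codes: the last octet says which Spamhaus list hit.
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised)",
    "127.0.0.4": "XBL (exploited host)",
    "127.0.0.5": "XBL (exploited host)",
    "127.0.0.6": "XBL (exploited host)",
    "127.0.0.7": "XBL (exploited host)",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Error codes: the *query* is being refused, the client is not listed. Postfix
# still sees a 127.x.x.x answer and, unless told otherwise, rejects the client.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "excessive number of queries from this resolver",
}


def dnsbl_query_name(ip, zone):
    """192.0.2.1 + zen.spamhaus.org -> 1.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)              # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def rhsbl_query_name(domain, zone):
    """RHSBLs are queried with the domain name itself: example.com.dbl.spamhaus.org"""
    return domain.strip().rstrip(".").lower() + "." + zone.rstrip(".")


def decode_zen(answer):
    """Classify an A-record answer from zen.spamhaus.org as (status, detail)."""
    if answer in ZEN_CODES:
        return "listed", ZEN_CODES[answer]
    if answer in ZEN_ERRORS:
        return "error", ZEN_ERRORS[answer]
    return "unknown", answer


def check_client(ip, zone="zen.spamhaus.org"):
    """Live lookup through the system resolver; NXDOMAIN means not listed."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return "not listed", None
    return decode_zen(answer)


if __name__ == "__main__":
    # RFC 5782: 127.0.0.2 is always listed, 127.0.0.1 never. If the first call
    # reports 'error', your resolver (or its forwarder) is being refused and the
    # RBL checks configured above are not doing what you think.
    print("127.0.0.2 ->", check_client("127.0.0.2"))
    print("127.0.0.1 ->", check_client("127.0.0.1"))
```

Run it once on the Zimbra server itself, using the same resolver Postfix uses. To stop Postfix from treating the 127.255.255.x error codes as listings, restrict the match, e.g. reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] (see postconf(5) for the address-pattern syntax your Postfix version accepts).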
On the same Admin Console page we also enable (and leave the remaining Protocol and DNS checks disabled):
reject_non_fqdn_sender
reject_unknown_sender_domain (Note this setting will be updated in 8.0.5)
On that same page we also make sure to disable "Add X-Originating-IP to messages", as this can block email from remote users with desktop email clients like Outlook and Thunderbird on home and public networks such as Internet cafes (ZWC clients are unaffected).
fqrdns.pcre from GitHub
Hardwarefreak.com maintains a PCRE list of reverse-DNS hostname patterns (generic and dynamic ranges) whose clients should be rejected. This rejects large amounts of bot traffic where the bots send mail directly rather than an authenticated user relaying through the ISP's outgoing SMTP servers. Support for this PCRE method is built into ZCS 8.7 and later.
cd /opt/zimbra/conf
wget https://raw.githubusercontent.com/stevejenkins/hardwarefreak.com-fqrdns.pcre/master/fqrdns.pcre
zmprov mcf +zimbraMtaRestriction 'check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre'
Keep the leading + on zimbraMtaRestriction: the attribute is multi-valued, and setting it without the + replaces every restriction configured in the Admin Console (RBLs included) with this single entry.
Postscreen
Postscreen is a pre-screening process at the MTA level that can be used to reject spammers by doing additive scoring from a variety of sites. Support for postscreen has been added for ZCS 8.7. Full configuration details will be added to this wiki prior to release.
SpamAssassin Tweaks via the Commandline
Our current recommended SpamAssassin customizations comprise three complementary methods:
Increase the log level reported by Amavis to get clarity from SpamAssassin on why/how spam is being blocked and getting through.
Put Amavis's temporary directory on a RAM disk to speed up processing.
Tweak the scores for a few selected individual SpamAssassin tests after installing Pyzor and Razor2.
1. Increase Amavis's Log Level
We found that increasing the log level from 1 to 2 puts in /var/log/zimbra.log the specific SpamAssassin tests which each email has triggered.
Customizing the Amavis Loglevel is supported in ZCS 8.0.5 and later:
zmprov mcf zimbraAmavisLogLevel 2
If you are on an earlier release, this can be achieved by editing /opt/zimbra/conf/amavisd.conf.in. You will need to make the file writable, edit it, then restore its permissions. It is a good idea to make a backup copy of the file first. The final edit should look like this:
$log_level = 2; # verbosity 0..5 - 1 is the minimum for msg tracing
Restart amavis for the change to take effect (zmamavisdctl restart). If you are on ZCS 8.0.5 or later, zmconfigd will automatically restart Amavis for you when you change the log level.
Now when an email is marked as spam and an end user asks you "Why?", you can grep /var/log/zimbra.log and find out exactly why. Note the sender and recipient email addresses in the actual log file snippet below have been altered for privacy (lines wrapped for readability):
Nov 26 13:55:02 mail2 amavis[19107]: (19107-13) SPAM, <comsumer_health@spamsender.com> -> <masked_recipient@example.com>, Yes, score=17.071 tag=-10 tag2=3.8 kill=16 tests=[BAYES_99=4, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.75, RDNS_NONE=3.5, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLACK=2.725, URIBL_DBL_SPAM=1.7] autolearn=spam
ZCS 8 logs (lines wrapped for readability):
Apr 21 13:55:54 edge01 amavis[32619]: (32619-05) spam-tag, <DrOz@spamsender.us> -> <masked_recipient@example.com>, Yes, score=9.014 tagged_above=-10 required=3 tests=[BAYES_40=-0.001, DIGEST_MULTIPLE=0.293, DKIM_SIGNED=0.1, HTML_IMAGE_ONLY_32=0.001, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, PYZOR_CHECK=2.75, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.75, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
In the above example you can see that the sending server has no PTR (Reverse DNS record) and has already been reported to Razor.
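As an added example (not Zimbra or amavisd code), the Python below turns those log lines into an answer for the end user. It uses the two lines quoted above as input, plus a constructed CLEAN line to show that non-spam entries are skipped; it ranks the tests by contribution, checks that the listed tests add up to the reported score, and picks out the tests that individually pushed the message over its threshold (the kill level for a SPAM verdict, the tag2/required level otherwise), which is what you want to know before you raise or lower a score.

```python
"""Explain amavisd spam verdicts from /var/log/zimbra.log at $log_level = 2.

Added example for this page, not Zimbra or amavisd code. It parses the
tests=[...] list that log level 2 adds, ranks the SpamAssassin tests by
contribution, checks that they add up to the reported score and lists the
tests that individually pushed the message over its threshold.
"""
import re

LINE_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>[\w-]+), "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, (?P<flag>Yes|No), "
    r"score=(?P<score>-?[\d.]+)(?P<params>(?: \w+=-?[\d.]+)*) "
    r"tests=\[(?P<tests>[^\]]*)\]"
)

# The two log lines quoted on this page (ZCS 7 and ZCS 8 formats) plus one
# constructed CLEAN line, which carries no tests=[...] and must be skipped.
SAMPLE_LOG = """\
Nov 26 13:55:02 mail2 amavis[19107]: (19107-13) SPAM, <comsumer_health@spamsender.com> -> <masked_recipient@example.com>, Yes, score=17.071 tag=-10 tag2=3.8 kill=16 tests=[BAYES_99=4, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.75, RDNS_NONE=3.5, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLACK=2.725, URIBL_DBL_SPAM=1.7] autolearn=spam
Apr 21 13:55:54 edge01 amavis[32619]: (32619-05) spam-tag, <DrOz@spamsender.us> -> <masked_recipient@example.com>, Yes, score=9.014 tagged_above=-10 required=3 tests=[BAYES_40=-0.001, DIGEST_MULTIPLE=0.293, DKIM_SIGNED=0.1, HTML_IMAGE_ONLY_32=0.001, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, PYZOR_CHECK=2.75, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.75, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Apr 21 13:56:10 edge01 amavis[32620]: (32620-01) Passed CLEAN, <someone@example.net> -> <user@example.com>, Hits: -0.5 (constructed line)
"""


def parse_line(line):
    """Return a record for a SPAM / spam-tag line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    params = {}
    for item in m.group("params").split():
        key, val = item.split("=", 1)
        params[key] = float(val)
    tests = {}
    for item in m.group("tests").split(","):
        name, val = item.strip().split("=", 1)
        tests[name] = float(val)
    verdict = m.group("verdict")
    # ZCS 7 logs tag/tag2/kill, ZCS 8 logs tagged_above/required. A 'SPAM'
    # verdict means the kill level was reached; any other verdict is tag-only.
    if verdict == "SPAM" and "kill" in params:
        threshold = params["kill"]
    else:
        threshold = params.get("required", params.get("tag2"))
    return {
        "task": m.group("task"),
        "verdict": verdict,
        "sender": m.group("sender"),
        "recipient": m.group("rcpt"),
        "score": float(m.group("score")),
        "threshold": threshold,
        "tests": tests,
    }


def parse_amavis_log(text):
    """One record per line that carries a tests=[...] list; other lines are skipped."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def top_tests(record, n=5):
    """Highest-scoring tests first: the short answer to 'why was this spam?'."""
    return sorted(record["tests"].items(), key=lambda kv: -kv[1])[:n]


def scores_reconcile(record, tolerance=0.001):
    """True when the listed tests fully explain the reported score."""
    return abs(sum(record["tests"].values()) - record["score"]) < tolerance


def decisive_tests(record):
    """Tests whose removal alone would have kept the message under its threshold."""
    margin = record["score"] - record["threshold"]
    return [(t, v) for t, v in top_tests(record, len(record["tests"])) if v > margin]


if __name__ == "__main__":
    for rec in parse_amavis_log(SAMPLE_LOG):
        print(rec["verdict"], rec["sender"], "->", rec["recipient"],
              "score=%.3f threshold=%s" % (rec["score"], rec["threshold"]))
        print("  top:", top_tests(rec, 3),
              "decisive:", [t for t, _ in decisive_tests(rec)])
```

Feed it the output of grep amavis /var/log/zimbra.log for a given recipient. In the first line above, six tests are individually decisive (removing any one of BAYES_99, RDNS_NONE, RAZOR2_CHECK, URIBL_BLACK, RAZOR2_CF_RANGE_E8_51_100 or URIBL_DBL_SPAM would drop the message under the kill level of 16); in the second, no single test is, which is the usual shape of a message that was tagged but not killed.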
2. Put Amavis's Temp Dir on a RAM Disk
We have seen, even with fast RAID10 arrays, that Amavis processing an email with large attachments through SpamAssassin can take as long as 10-20 seconds. Putting Amavis's temp directory on a RAM disk cuts this down to 1-2 seconds. Ralf Hildebrandt's book on Postfix has a section describing how to size the RAM disk, and why this is entirely safe for mail flow even in the event of a server crash (Postfix keeps the queued message on disk until Amavis hands it back; only Amavis's working copy lives in tmpfs). After you've done the homework for sizing, all you need to do is:
Stop amavis, mount the RAM disk, start amavis, and then edit /etc/fstab to make the change permanent.
An /etc/fstab entry for a 1GB RAM disk on the server therefore looks like:
$ grep amavis /etc/fstab
tmpfs /opt/zimbra/data/amavisd/tmp tmpfs defaults,noexec,nodev,nosuid,size=1024m,mode=750,uid=zimbra,gid=zimbra 0 0
3. Tweak Selected SpamAssasin Scores After Installing Pyzor and Razor2
How to install Razor and Pyzor
Installing Razor and Pyzor on Ubuntu
aptitude install razor pyzor
Installing Razor and Pyzor on RHEL6/CentOS6
Create /etc/yum.repos.d/epel.repo:
[epel]
name=EPEL repository
baseurl=http://mirrors.kernel.org/fedora-epel/6/x86_64
enabled=1
gpgcheck=0
Note that gpgcheck=0 disables RPM signature verification for everything installed from this repository. Prefer installing the epel-release package instead (it ships the repository definition with gpgcheck=1 and the EPEL signing key); if you keep a hand-written file, import the key and set gpgcheck=1.
yum update
yum install pyzor perl-Razor-Agent
Configuring Pyzor
As the zimbra user
pyzor --homedir /opt/zimbra/data/amavisd/.pyzor discover
Update /opt/zimbra/conf/sa/sauser.cf
# pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
# DNS lookups for pyzor can time out easily. Set the following line IF you want to give pyzor up to 20 seconds to respond
# may slow down email delivery
pyzor_timeout 20
Configuring Razor
As the zimbra user
razor-admin -home=/opt/zimbra/data/amavisd/.razor -create
razor-admin -home=/opt/zimbra/data/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/data/amavisd/.razor -register -user postmaster@yourdomain.com
Update /opt/zimbra/conf/sa/sauser.cf
# razor use_razor2 1
Update SpamAssassin scoring
After installing Pyzor and Razor2 and restarting Zimbra's Amavis to make sure these modules are loaded by SpamAssassin, Reliable Networks adds custom (higher) scoring for certain SpamAssassin tests to the appropriate custom SpamAssassin configuration file, which on ZCS 8 should be /opt/zimbra/conf/sa/sauser.cf. Our complete sauser.cf now looks like this (as of September 3, 2014):
pyzor_timeout 10
use_razor2 1
use_pyzor 1
score URIBL_BLACK 3.250
score RAZOR2_CHECK 3.250
score PYZOR_CHECK 3.250
score BAYES_99 4.000
score BAYES_60 2.250
score BAYES_50 1.500
score BAYES_00 -0.500
score RP_MATCHES_RCVD -0.000
Then as the zimbra user, run "zmantispamctl restart ; zmmtactl restart" to restart and load the new scores. The RP_MATCHES_RCVD score is normally -1.713, but we have found that many spammers using cloud servers have DNS and mail forwarding set to RFC standards, and that their emails then get a bump in good reputation from the default score on this test specifically.
We have found that increasing the scores of the above selected SpamAssassin scores blocks a lot of spam that would otherwise get through.
4. Add custom rules from Kevin McGrail to your scores
As zimbra user:
8.0 and previous:
cd /opt/zimbra/conf/sa
wget https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf -O sakam.cf
zmamavisdctl restart
(wget's -N timestamping does nothing when combined with -O, so it is omitted here.)
8.5 and later:
cd /opt/zimbra/data/spamassassin/localrules
wget -N https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
zmamavisdctl restart
5. Enable DCC
The source for DCC can be obtained from https://www.dcc-servers.net/dcc/. Please read the restrictions and limitations carefully. In particular, it is important to keep in mind that DCC just marks whether something is bulk mail or not, and will tag completely legitimate bulk mailings.
After downloading and extracting the source, you will need to build it as the zimbra user. This requires the usual build tools (gcc, make, wget, etc.).
There is some setup to be done as root first. This assumes version 1.3.154 of DCC; adjust as necessary:
# mkdir -p /opt/zimbra/dcc-1.3.154
# chown zimbra:zimbra /opt/zimbra/dcc-1.3.154
# cd /opt/zimbra; ln -s dcc-1.3.154 dcc
Now, as zimbra we need to build the software. Here's an example of downloading, extracting, and building:
[zimbra@host]$ cd /tmp
[zimbra@host]$ mkdir dcc
[zimbra@host]$ wget https://www.dcc-servers.net/dcc/source/dcc.tar.Z
[zimbra@host]$ tar xfz dcc.tar.Z
[zimbra@host]$ cd dcc-1.3.154
[zimbra@host]$ ./configure --homedir=/opt/zimbra/dcc-1.3.154 \
    --disable-sys-inst --with-uid=zimbra --disable-server \
    --disable-dccifd --disable-dccm \
    --with-updatedcc_pfile=/opt/zimbra/data/dcc \
    --with-rundir=/opt/zimbra/data/dcc/run \
    --bindir=/opt/zimbra/dcc-1.3.154/bin
[zimbra@host]$ make
[zimbra@host]$ make install
[zimbra@host]$ cd /opt/zimbra/data
[zimbra@host data]$ mkdir -p dcc/run
As the zimbra user, update sauser.cf as appropriate for your Zimbra version:
use_dcc 1
dcc_path /opt/zimbra/dcc/bin/dccproc
For ZCS 8.0 and earlier, you will need to enable the dcc module by modifying the v310.pre file from SpamAssassin. Find the line that looks like:
#loadplugin Mail::SpamAssassin::Plugin::DCC
and uncomment it (remove the # sign)
Last, but not least, restart amavis to pick up the changes:
[zimbra@host]$ zmamavisdctl restart
DNSWL registration
Register your MTAs with DNSWL: https://www.dnswl.org/selfservice/
---