Knowledge Base : Zimbra Anti-Spam Configuration

Improving spam diagnostics for Zimbra Network Edition 8.6 on CentOS 7

Reading list for Zimbra Spam configuration:

 Goal: Dramatically reduce the amount of spam, with a preference for rejecting mail instead of tagging it and sorting it away.

Admin console settings

Global Settings / MTA

  • Turn all protocol and DNS checks on. This does lead to some traffic being rejected due to improperly configured mail servers, but this seems reasonable and can be fixed on the delivering side.

  • Configure block lists / blackhole lists

We had problems with the URIBL blacklist, since it lists sites like google.com, which doesn’t seem right.

Spamcop delivered the best results for us (in August 2017).

Global Settings / AS/AV

Configure kill and tag ratios. Default was 33% for tagging and 75% for killing. Note that the percentage corresponds to the SpamAssassin score: the higher the percentage, the higher the score required for the decision. The formula Zimbra uses is percentage * 0.2 = SpamAssassin score.

We choose:

  • kill percent: 75
  • tag percent: 20

which corresponds to SpamAssassin scores of 4 (tag) and 15 (kill).

Tagging spam might be dangerous because you first accept delivery of the mail and later do not read it.

Zimbra CLI settings

As zimbra user:

zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmconfigdctl restart
zmamavisdctl restart

In earlier Zimbra versions, ham / spam processing did not work if users configured a custom SPAM folder in their mail client. A separate cron entry was needed to process the user-defined SPAM messages through SpamAssassin. In current Zimbra versions, this is fixed:

crontab -l
0 22 * * * /opt/zimbra/bin/zmtrainsa >> /opt/zimbra/log/spamtrain.log 2>&1
45 23 * * * /opt/zimbra/bin/zmtrainsa --cleanup >> /opt/zimbra/log/spamtrain.log 2>&1
45 0 * * * . /opt/zimbra/.bashrc; /opt/zimbra/libexec/zmsaupdate

Additional installation on Zimbra server

Pyzor / Razor installation is suggested using the EPEL repository, but that didn’t work with our CentOS7 installation.

We used the standard repo and manual installation combined.

Pyzor

root# yum install pyzor
zimbra$ pyzor --homedir /opt/zimbra/data/amavisd/.pyzor discover

Razor

root# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/p/perl-Razor-Agent-2.85-15.el7.x86_64.rpm
root# rpm --install perl-Razor-Agent-2.85-15.el7.x86_64.rpm
zimbra$ razor-admin -home=/opt/zimbra/data/amavisd/.razor -create
zimbra$ razor-admin -home=/opt/zimbra/data/amavisd/.razor -discover
zimbra$ razor-admin -home=/opt/zimbra/data/amavisd/.razor -register -user postmaster@loopback.org

DCC

# mkdir -p /opt/zimbra/dcc-1.3.159
# chown zimbra:zimbra /opt/zimbra/dcc-1.3.159
# ln -s /opt/zimbra/dcc-1.3.159 /opt/zimbra/dcc
$ mkdir /tmp/dcc-1.3.159; cd /tmp/dcc-1.3.159/
$ wget https://www.dcc-servers.net/dcc/source/dcc.tar.Z
$ tar xzf dcc.tar.Z
$ cd dcc-*/
$ ./configure --homedir=/opt/zimbra/dcc-1.3.159 --disable-sys-inst --with-uid=zimbra --disable-server --disable-dccifd --disable-dccm --with-updatedcc_pfile=/opt/zimbra/data/dcc --with-rundir=/opt/zimbra/data/dcc/run --bindir=/opt/zimbra/dcc-1.3.159/bin
$ make && make install
$ mkdir -p /opt/zimbra/dcc/run

Add custom rules from Kevin McGrail to your scores

$ cd /opt/zimbra/data/spamassassin/localrules
$ wget -N https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf -O sakam.cf
$ zmamavisdctl restart

SpamAssassin settings

SpamAssassin configuration is now recommended to be placed in /opt/zimbra/data/spamassassin/localrules.

Our local.cf reads:

# pyzor
use_pyzor 1
pyzor_path /bin/pyzor
pyzor_timeout 20
# razor
use_razor2 1
# score tweaks
score PYZOR_CHECK 3.250
score RAZOR2_CHECK 3.250
score URIBL_BLACK 3.250
score BAYES_99 4.000
score BAYES_60 2.250
score BAYES_50 1.500
score BAYES_00 -0.500
# dcc
use_dcc 1
dcc_path /opt/zimbra/dcc/bin/dccproc
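
To see how the score tweaks above interact with the tag and kill percentages chosen under Global Settings / AS/AV, the following added example (not part of the original configuration or of Zimbra) parses the score lines and lists the verdict for every combination of the tweaked rules. It assumes a threshold is met when the total is greater than or equal to it, and that at most one BAYES_* rule fires per message; the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed input: the score lines copied from the local.cf shown above.
LOCAL_CF = """\
score PYZOR_CHECK 3.250
score RAZOR2_CHECK 3.250
score URIBL_BLACK 3.250
score BAYES_99 4.000
score BAYES_60 2.250
score BAYES_50 1.500
score BAYES_00 -0.500
"""

def percent_to_score(percent):
    # Zimbra's formula is percentage * 0.2; dividing by 5 keeps the float exact.
    return percent / 5

def parse_scores(text):
    """Return {rule: score} for single-value 'score RULE n' lines."""
    scores = {}
    for line in text.splitlines():
        m = re.match(r"\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$", line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return scores

def classify(hits, scores, tag_percent=20, kill_percent=75):
    # Assumption: a threshold is reached when total >= threshold.
    total = sum(scores[r] for r in hits)
    if total >= percent_to_score(kill_percent):
        return total, "kill"
    if total >= percent_to_score(tag_percent):
        return total, "tag"
    return total, "deliver"

def verdict_table(scores):
    # Assumption: BAYES_* buckets are mutually exclusive, so allow at most one.
    rules = sorted(scores)
    table = {}
    for n in range(1, len(rules) + 1):
        for combo in combinations(rules, n):
            if sum(r.startswith("BAYES_") for r in combo) <= 1:
                table[combo] = classify(combo, scores)
    return table

if __name__ == "__main__":
    for combo, (total, verdict) in verdict_table(parse_scores(LOCAL_CF)).items():
        print(f"{total:6.2f} {verdict:8} {' '.join(combo)}")
```

With only the rules tweaked here, the highest reachable total is 13.75 (all three network checks plus BAYES_99), so a message reaches the kill score of 15 only when other rules add to it.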