Improving Anti-spam system
Revision as of 14:56, 12 December 2006
These are some community-suggested methods for improving Zimbra's anti-spam system. They have met with some success, but are not tested by Zimbra, and are not supported by Zimbra support. Additionally, changes made here will likely not persist across upgrades.
SPF
First of all, Zimbra's SpamAssassin does not have SPF enabled. Since the Perl environment is integrated system-wide, adding SPF support is fairly simple. If you use RedHat or CentOS, you can "yum it" from the dag.wieers.com repositories by executing:
yum install perl-Mail-SPF-Query
On every other platform you can install SPF by opening the cpan command line utility (configuring it first, in case you have not already done so) and executing:
perl -MCPAN -eshell
install Mail::SPF::Query
Razor2
Second, we added Razor2 in order to improve the spam score.
Installing Razor
CentOS
As root, get razor-agents-sdk from razor.sourceforge.net, untar it and run:
perl Makefile.PL
make
make install
Also get razor-agents from razor.sourceforge.net, untar it and run:
perl Makefile.PL
make
make install
Open your firewall ports for razor2 (TCP/2703 outgoing).
Fedora
Installed with yum, the transaction looks like this:
Downloading Packages:
(1/2): perl-Razor-Agent-2 100% |=========================|  84 kB    00:07
(2/2): razor-agents-2.81- 100% |=========================|  51 kB    00:06
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: perl-Razor-Agent             ######################### [1/2]
  Installing: razor-agents                 ######################### [2/2]

Installed: razor-agents.i386 0:2.81-2.fc5.rf
Dependency Installed: perl-Razor-Agent.i386 0:2.81-2.fc5.rf
Complete!
Configuring Razor
Create a .razor folder in /opt/zimbra/amavisd and give the zimbra user permissions on it:
mkdir /opt/zimbra/amavisd/.razor
chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor
As the zimbra user, create your razor account:
razor-admin -home=/opt/zimbra/amavisd/.razor -create
razor-admin -home=/opt/zimbra/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/amavisd/.razor -register
And finally enable razor. Edit /opt/zimbra/conf/spamassassin/v310.pre and uncomment the line:
loadplugin Mail::SpamAssassin::Plugin::Razor2
Pyzor
Now we are going to add pyzor support to increase (again) the spam score.
Installing Pyzor
CentOS
As root, install Python support:
yum install python
Get the pyzor package from pyzor.sourceforge.net, untar it and run:
python setup.py build
python setup.py install
Set permissions according to the pyzor readme:
chmod -R a+rX /usr/share/doc/pyzor /usr/lib/python2.3/site-packages/pyzor /usr/bin/pyzor /usr/bin/pyzord
Fedora
As root, install the pyzor RPM. It's included in the Extras repository of Fedora.
yum install pyzor
...
Downloading Packages:
(1/1): pyzor-0.4.0-10.fc5 100% |=========================|  65 kB    00:01
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: pyzor                        ######################### [1/1]

Installed: pyzor.noarch 0:0.4.0-10.fc5
Complete!
Configuring Pyzor
Create a .pyzor folder in the zimbra-amavisd home and set permissions:
mkdir /opt/zimbra/amavisd/.pyzor
chown zimbra:zimbra /opt/zimbra/amavisd/.pyzor
Open your firewall ports for pyzor (UDP/24441 outgoing).
And you are ready to go, as the zimbra user, with:
pyzor --homedir /opt/zimbra/amavisd/.pyzor discover
Spamassassin Config
Now we have PYZOR + RAZOR + SPF. But it would be advisable to enable them and give SPF a higher score. Admins with wrong SPF records should be punished: SPF is not mandatory, so if you enable it, do it well. So open your SpamAssassin config at /opt/zimbra/conf/spamassassin/local.cf and add these rules at the end (customize them to your own needs):
ok_languages en es
ok_locales en es
trusted_networks 127. 10.70. 192.168.
use_bayes 1
skip_rbl_checks 0
use_razor2 1
#use_dcc 1 <<< WORK IN PROGRESS
use_pyzor 1
dns_available yes
## Optional Score Increases
## Choose your preferred values...
score DCC_CHECK 4.000
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000
bayes_ignore_header Received: from mail3.example.com
bayes_ignore_header Received: from localhost
bayes_ignore_header Received: from mail1.example.com
bayes_ignore_header Received: from mail2.example.com
Amavisd Config
Some notes about this: in Zimbra, by default, spam with a score of 15 or higher is discarded by amavisd. If you want your users to receive these mails, you have to modify the amavisd.conf settings (/opt/zimbra/conf/amavisd.conf) so that this email is passed through:
$final_spam_destiny = D_PASS;
Enabling DCC
To set up DCC, download dcc from the DCC site.
I compile on a different system to build an RPM to install in the production environment. Use this spec file (rename it to .spec) to build an RPM with the command:
rpmbuild -ba /usr/src/redhat/SPECS/dcc.spec
Install it on the production server:
rpm -ivh dcc-x.y.z.rpm
Change /etc/dcc/dcc_conf to read:
DCCUID=zimbra
DCCD_ENABLE=off
Change /opt/zimbra/conf/spamassassin/v310.pre to enable the DCC plugin:
loadplugin Mail::SpamAssassin::Plugin::DCC
Enable DCC on the firewall (UDP/6277 outgoing).
Have fun. I use sqlgrey as greylist server, so I don't need another one. For me the standard value of DCC == 2.5 SpamAssassin points is ok, so I do not change it. With SA 3.xx you do not need to use enable_dcc in local.cf. That's the same for razor2 indeed...
Implementing Whitelist/Blacklist
Domain white/black list
This can be accomplished by modifying /opt/zimbra/conf/amavisd.conf.in and adding a score for the domain whose treatment you want to change.
When scoring the domain, remember that negative scores whitelist and positive scores blacklist.
Here's a whitelisting example:
Edit the file /opt/zimbra/conf/amavisd.conf.in and look for this section:
  { # a hash-type lookup table (associative array)
    'nobody@cert.org'                        => -3.0,
    'cert-advisory@us-cert.gov'              => -3.0,
    'owner-alert@iss.net'                    => -3.0,
    'slashdot@slashdot.org'                  => -3.0,
    'bugtraq@securityfocus.com'              => -3.0,
    'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
    'security-alerts@linuxsecurity.com'      => -3.0,
At the top, add the domain you want to whitelist (e.g. zimbra.com) with a strong negative score:
  { # a hash-type lookup table (associative array)
    'zimbra.com'                             => -10.0,
    'nobody@cert.org'                        => -3.0,
    'cert-advisory@us-cert.gov'              => -3.0,
    'owner-alert@iss.net'                    => -3.0,
    'slashdot@slashdot.org'                  => -3.0,
    'bugtraq@securityfocus.com'              => -3.0,
    'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
    'security-alerts@linuxsecurity.com'      => -3.0,
    'mailman-announce-admin@python.org'      => -3.0,
Remember, if you want to blacklist a domain, make the score positive.
Then restart amavis:
zmamavisdctl stop
zmamavisdctl start
Remember - you're trusting the sender's domain to be valid, so any email sent with an address in that domain will receive the score weighting - the address is not verified.
This can also be used with individual sender email addresses, as seen above.
User white/black list
It is very simple: just change the amavis config.
Put the following in /opt/zimbra/conf/amavis.conf*:
read_hash(\%whitelist_sender, '/etc/zimbra/whitelist');
read_hash(\%blacklist_sender, '/etc/zimbra/blacklist');
read_hash(\%spam_lovers, '/etc/zimbra/spamlovers');
In /etc/zimbra/* put one sender address or domain per line. Wildcards are allowed. Example:
hotstuff@sexnzen.com
spammersites.net
A spamlovers list is for those accounts that always need to receive all messages, even spam. According to RFC 2822, postmaster, abuse and other accounts of this kind should be spam lovers.
I think we should prepare a script to save and restore these config changes upon Zimbra updates...
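The save-and-restore script that note asks for, as an added example that is not part of the wiki page or of Zimbra itself: a POSIX sh script that archives the files this page has you create or edit and puts them back after an upgrade. The file list, the default archive path and the root-directory argument (so the functions can be rehearsed on a scratch tree before touching /) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: save the hand-edited anti-spam
# files listed on this page before a Zimbra upgrade and put them back after.
# Paths are relative to a root directory ("/" on a real server) so the
# functions can be tried safely against a scratch tree first.
set -eu

# Files and directories this page tells you to create or edit (assumed list;
# extend it if you customised more).
ANTISPAM_FILES="opt/zimbra/conf/spamassassin/local.cf
opt/zimbra/conf/spamassassin/v310.pre
opt/zimbra/conf/amavisd.conf
opt/zimbra/conf/amavisd.conf.in
opt/zimbra/amavisd/.razor
opt/zimbra/amavisd/.pyzor
etc/zimbra/whitelist
etc/zimbra/blacklist
etc/zimbra/spamlovers
etc/dcc/dcc_conf"

# antispam_backup ROOT ARCHIVE: archive whichever listed files exist under ROOT.
antispam_backup() {
    root="$1"; archive="$2"; present=""
    for f in $ANTISPAM_FILES; do
        if [ -e "$root/$f" ]; then present="$present $f"; fi
    done
    if [ -z "$present" ]; then
        echo "nothing to back up under $root" >&2; return 1
    fi
    # -C stores relative paths, so the archive restores under any root
    tar -C "$root" -cf "$archive" $present
}

# antispam_restore ROOT ARCHIVE: unpack over ROOT and verify every entry
# is back in place (the upgrade may have replaced or removed the files).
antispam_restore() {
    root="$1"; archive="$2"
    tar -C "$root" -xf "$archive"
    tar -tf "$archive" | while read -r f; do
        if [ ! -e "$root/$f" ]; then
            echo "missing after restore: $f" >&2; exit 1
        fi
    done
}

# Usage on the server: zimbra-antispam.sh backup|restore [ROOT] [ARCHIVE]
case "${1:-}" in
    backup)  antispam_backup  "${2:-/}" "${3:-/root/zimbra-antispam.tar}" ;;
    restore) antispam_restore "${2:-/}" "${3:-/root/zimbra-antispam.tar}" ;;
esac
```

After restoring, re-check ownership of the .razor and .pyzor directories (the chown steps above) and restart amavisd as shown in the whitelist section.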