Improving Anti-spam system

Revision as of 09:41, 8 November 2006 by ApolloDS

We have started working with Zimbra SpamAssassin in order to improve it. This is what we have done:


First of all, Zimbra's SpamAssassin has no SPF enabled. Since the Perl environment is integrated with the system, adding SPF support is fairly simple. If you use RedHat or CentOS, you can "yum-it" from the repositories by executing:

yum install perl-Mail-SPF-Query


Second, we added Razor2 in order to improve the score.

As root: Get razor-agents-sdk from, untar it and

perl Makefile.PL
make install

Get also razor-agents from, untar it and

perl Makefile.PL
make install

Open your firewall ports for razor2 (TCP/2703 outgoing).

Create the .razor folder in /opt/zimbra/amavisd and give the zimbra user ownership of it:

mkdir /opt/zimbra/amavisd/.razor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor

As zimbra user, create your razor account:

razor-admin -home=/opt/zimbra/amavisd/.razor -create 
razor-admin -home=/opt/zimbra/amavisd/.razor -discover 
razor-admin -home=/opt/zimbra/amavisd/.razor -register

And finally, enable Razor. Edit /opt/zimbra/conf/spamassassin/v310.pre and uncomment the line:

loadplugin Mail::SpamAssassin::Plugin::Razor2


Now we are going to add Pyzor support to increase (again) the spam score.

Installing Pyzor


As root, install python support.

yum install python

Get pyzor package from, untar it and:

python setup.py build
python setup.py install

Set permissions according to the Pyzor README.

chmod -R a+rX /usr/share/doc/pyzor /usr/lib/python2.3/site-packages/pyzor /usr/bin/pyzor /usr/bin/pyzord


As root, install the pyzor RPM. It's included in the extra repository of Fedora.

yum install pyzor
Downloading Packages:
(1/1): pyzor-0.4.0-10.fc5 100% |=========================|  65 kB    00:01     
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: pyzor                        ######################### [1/1] 

Installed: pyzor.noarch 0:0.4.0-10.fc5

Configuring Pyzor

Create the .pyzor folder in the zimbra amavisd home and set permissions:

mkdir /opt/zimbra/amavisd/.pyzor; chown zimbra:zimbra /opt/zimbra/amavisd/.pyzor

Open your firewall ports for pyzor (UDP/24441 outgoing)

And ready to go, as zimbra user, with:

pyzor --homedir /opt/zimbra/amavisd/.pyzor discover

Spamassassin Config

Now we have PYZOR + RAZOR + SPF. But it would be advisable to enable them and give SPF a higher score. Admins with wrong SPF entries should be punished: SPF is not mandatory, so if you enable it, do it well. Open your SpamAssassin config at /opt/zimbra/conf/spamassassin/ and add these rules at the end (customize them to your own needs):

ok_languages en es 
ok_locales en es 
trusted_networks 127. 10.70. 192.168.
use_bayes 1
skip_rbl_checks 0
use_razor2 1
#use_dcc 1 <<< WORK IN PROGRESS
use_pyzor 1 
dns_available yes 

## Optional Score Increases 
## Choose your preferred values...
score DCC_CHECK 4.000
score SPF_FAIL 10.000  
score SPF_HELO_FAIL 10.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000
bayes_ignore_header Received: from
bayes_ignore_header Received: from localhost
bayes_ignore_header Received: from
bayes_ignore_header Received: from

Amavisd Config

Some notes about this: in Zimbra, by default, spam with a score of 15 or higher is discarded by amavisd. If you want your users to receive these mails, you have to modify the amavisd.conf settings (/opt/zimbra/conf/amavisd.conf) in order to pass this email.

$final_spam_destiny = D_PASS;

Enabling DCC

To set up DCC, download DCC from the DCC site.

I compile on a different system to build an RPM to install in the production environment. Use this spec file (rename it to .spec) to build an RPM with the command:

rpmbuild -ba /usr/src/redhat/SPECS/dcc.spec

Install it on the production server:

rpm -ivh dcc-x.y.z.rpm

Change /etc/dcc/dcc_conf to read:


Change /opt/zimbra/conf/spamassassin/v310.pre to enable the DCC plugin:

loadplugin Mail::SpamAssassin::Plugin::DCC 

Open your firewall ports for DCC (UDP/6277 outgoing).

Have fun. I use sqlgrey as greylist server, so I don't need another one. For me, the standard value DCC == 2.5 SpamAssassin points is OK, so I do not change it. With SA 3.xx you do not need to use enable_dcc in That's the same for razor2 indeed...

Implementing Whitelist/Blacklist

It's very simple: change the amavis config.

Put in /opt/zimbra/conf/amavis.conf*

read_hash(\%whitelist_sender, '/etc/zimbra/whitelist');
read_hash(\%blacklist_sender, '/etc/zimbra/blacklist');
read_hash(\%spam_lovers, '/etc/zimbra/spamlovers');

In /etc/zimbra/* put one sender address or domain per line. Wildcards are allowed. Example:

A spamlovers list is for those accounts that always need to receive all messages, even spam. According to RFC 2822, postmaster, abuse and other accounts of this kind should be spam lovers.

I think we should prepare a script to save and restore these config changes upon Zimbra updates...
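A check for the update problem mentioned above, as an added example that is not part of the original page: it reports which of the settings described on this page are no longer in place. The function names, the sample tree and the use of local.cf for the use_* rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): report which settings from
# this page are missing below ROOT, for instance after a Zimbra upgrade.

# active FILE ERE: true if FILE has an uncommented line starting with ERE.
active() { grep -Eq "^[[:space:]]*$2" "$1" 2>/dev/null; }

# check_antispam_config ROOT: prints one MISSING line per lost setting and
# returns how many are missing (0 = everything is still in place).
check_antispam_config() {
    z="${1%/}/opt/zimbra"
    n=0
    miss() { echo "MISSING: $1"; n=$((n + 1)); }
    for p in Razor2 DCC; do
        active "$z/conf/spamassassin/v310.pre" \
            "loadplugin[[:space:]]+Mail::SpamAssassin::Plugin::${p}([[:space:]]|\$)" ||
            miss "loadplugin $p in v310.pre"
    done
    # Assumption: the use_* rules were appended to local.cf in that directory.
    for opt in use_razor2 use_pyzor; do
        active "$z/conf/spamassassin/local.cf" "${opt}[[:space:]]+1" ||
            miss "$opt 1 in local.cf"
    done
    active "$z/conf/amavisd.conf" \
        '\$final_spam_destiny[[:space:]]*=[[:space:]]*D_PASS' ||
        miss 'final_spam_destiny = D_PASS in amavisd.conf'
    for d in .razor .pyzor; do
        [ -d "$z/amavisd/$d" ] || miss "directory amavisd/$d"
    done
    return "$n"
}

# Constructed sample tree: Razor2 active, DCC still commented out, no .pyzor
# directory, amavisd.conf reset to D_DISCARD. Prints the tree's root path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/opt/zimbra/conf/spamassassin" "$t/opt/zimbra/amavisd/.razor"
    printf '%s\n' 'loadplugin Mail::SpamAssassin::Plugin::Razor2' \
        '#loadplugin Mail::SpamAssassin::Plugin::DCC' \
        > "$t/opt/zimbra/conf/spamassassin/v310.pre"
    printf '%s\n' 'use_razor2 1' 'use_pyzor 1' \
        > "$t/opt/zimbra/conf/spamassassin/local.cf"
    printf '%s\n' '$final_spam_destiny = D_DISCARD;' \
        > "$t/opt/zimbra/conf/amavisd.conf"
    echo "$t"
}

# With no argument, run against the sample tree; on a server pass "/".
check_antispam_config "${1:-$(make_sample_tree)}" || echo "$? setting(s) missing"
```

Run it with / as the argument after each Zimbra update; any MISSING line names a step from this page that has to be redone.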
