See also: Anti-spam.
ZCS 8.5 and later
For ZCS 8.5, SpamAssassin layout has been corrected as per the SpamAssassin developers. sauser.cf is migrated to the /opt/zimbra/data/spamassassin/localrules directory. This is the supported location for doing customizations of SpamAssassin for ZCS 8.5 and later.
For ZCS 8.0, SpamAssassin scans for all *.cf files in /opt/zimbra/conf/sa and loads them in alphabetical order. If you create a sauser.cf file, it will be loaded after salocal.cf is loaded. This is the supported method for doing customizations of SpamAssassin for ZCS 8. Note that only the sauser.cf file will be migrated when upgrading to later releases.
In 8.0.5, two options were added to the product to enable SpamAssassin rule updates via sa-update (reference: see 82201):
Check that these are set to true, and if not, set them to true and restart amavisd and the MTA:
$ zmlocalconfig antispam_enable_rule_updates antispam_enable_rule_updates = false $ zmlocalconfig antispam_enable_restarts antispam_enable_restarts = false
$ zmlocalconfig -e antispam_enable_rule_updates=true $ zmlocalconfig -e antispam_enable_restarts=true
$ zmamavisdctl restart $ zmmtactl restart
ZCS 6 and ZCS 7
For ZCS 6 and ZCS 7, SpamAssassin customizations go in /opt/zimbra/conf/sauser.cf. When upgrading to ZCS 8 the file will be relocated to /opt/zimbra/conf/sa
Automatic rule updates
With ZCS 8 and later, it is possible to enable automatic rule updates for SpamAssassin to help improve scoring. There are two localconfig keys that control the automatic update behavior.
- antispam_enable_rule_updates controls whether or not to enable automatic rule updates. Defaults to false.
- antispam_enable_restarts controls whether or not Amavisd will be automatically restarted after a rule update if they are enabled. Defaults to false.
Automatic rule compilation
With ZCS 8.5 and later, it is possible to enable automatic rule compilation when automatic updates are enabled. Compiling the SA rules helps decrease the amount of time it takes to score email. This is controlled via a localconfig key.
- antispam_enable_rule_compilation controls whether or not to automatically compile new rules that are automatically updated. Defaults to false.
In ZCS 7 and ZCS 8, customizing Postfix is a mix of zmlocalconfig and zmprov settings. In ZCS 8.5, virtually all settings are done via zmprov (zmlocalconfig settings will be migrated on upgrade if they do not match the default value).
zmprov/zmlocalconfig are both permissible and the recommended way to perform Postfix customizations for supported keys.
zmprov ms <server> +zimbraMtaRestriction reject_unknown_reverse_client_hostname
Specific Suggested Tweaks
Last update 24 October 2014 by L. Mark Stone, Reliable Networks
Our client base is very nervous about spam-delivered malware but even more concerned about "false-positives" i.e. legitimate email incorrectly identified as spam. Consequently, we've had to develop tweaks to improve Zimbra's default SpamAssassin configurations. The results have been that users with very public email addresses who typically receive several hundred to more than a thousand emails per day will see no more than ~3 spam emails per day in their Inbox. In our experience, anything less than that and you are likely to wind up with false positives.
If your end-user base is more tolerant of false positives, then you can tighten things up.
Keep in mind that Zimbra's Postfix takes a cut at filtering the email stream before Zimbra's SpamAssassin, and that SpamAssassin's processing of emails is much more resource intensive than Postfix's. Consequently, any filtering that you can do at the Postfix level to block emails outright will be helpful in both blocking spam and lowering resource utilization on your Zimbra server. Just be careful of inducing false positives!
Zimbra recommends using a caching DNS server locally, and we like BIND9 but DNSMasq is fine as well. (As we understand it, Zimbra may start shipping a DNS server bundled with Zimbra in a later release.)
One configuration nuance to DNS is the use of forwarders in your BIND9 configuration. We have seen many Zimbra systems use their ISP's, or Google's public DNS servers as forwarders. The problem is that many of the RBL services embedded in SpamAssassin and configurable within Zimbra limit the number/rate of queries they accept from a particular DNS server. Since almost all RBL queries will never be cached, the queries get done by the forwarders. And since the forwarders are doing the same queries for lots of other folks, those queries are often blocked.
We therefore recommend that when using a local caching DNS server that you ensure the configuration has current hints for the root servers and that the forwarders section in the BIND9 config file be set to empty.
Postscreen is a pre-screening process at the MTA level that can be used to reject spammers by doing additive scoring from a variety of sites. Support for postscreen has been added for ZCS 8.7. Full configuration details will be added to this wiki prior to release.
SpamAssassin Tweaks via the Commandline
Our current recommended SpamAssassin customizations comprise three complementary methods:
- Increase the log level reported by Amavis to get clarity from SpamAssassin on why/how spam is being blocked and getting through.
- Put Amavis's temporary directory on a RAM disk to speed up processing.
- Tweak the scores for a few selected individual SpamAssassin tests after installing Pyzor and Razor2.
1. Increase Amavis's Log Level
We found that increasing the log level from 1 to 2 puts in /var/log/zimbra.log the specific SpamAssassin tests which each email has triggered.
Customizing the Amavis Loglevel is supported in ZCS 8.0.5 and later:
zmprov mcf zimbraAmavisLogLevel 2
If you are on an earlier release, this can be achieved by editing /opt/zimbra/conf/amavisd.conf.in. You will need to change the file's permissions to be writable, edit the file, then change the permissions back. Probably a good idea to make a backup copy of the file first... The final edit should should look like this:
$log_level = 2; # verbosity 0..5 - 1 is the minimum for msg tracing
Restart amavis for the change to take effect (zmavavisdctl restart). If you are on ZCS 8.0.5 or later, zmconfigd will automatically restart Amavis for you if you change the loglevel.
Now when an email is marked as spam and an end user asks you "Why?", you can grep /var/log/zimbra.log and find out exactly why. Note the sender and recipient email addresses in the actual log file snippet below have been altered for privacy (lines wrapped for readability):
Nov 26 13:55:02 mail2 amavis: (19107-13) SPAM, <email@example.com> -> <firstname.lastname@example.org>, Yes, score=17.071 tag=-10 tag2=3.8 kill=16 tests=[BAYES_99=4, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.75, RDNS_NONE=3.5, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLACK=2.725, URIBL_DBL_SPAM=1.7] autolearn=spam
ZCS 8 logs (lines wrapped for readability):
Apr 21 13:55:54 edge01 amavis: (32619-05) spam-tag, <DrOz@spamsender.us> -> <email@example.com>, Yes, score=9.014 tagged_above=-10 required=3 tests=[BAYES_40=-0.001, DIGEST_MULTIPLE=0.293, DKIM_SIGNED=0.1, HTML_IMAGE_ONLY_32=0.001, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, PYZOR_CHECK=2.75, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.75, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
In the above example you can see that the sending server has no PTR (Reverse DNS record) and has already been reported to Razor.
2. Put Amavis's Temp Dir on a RAM Disk
We have seen even with fast RAID10 arrays that Amavis's processing an email with large attachments through SpamAssassin can take as long as 10-20 seconds. Putting Amavis'd temp directory on a RAM disk cuts this down to 1-2 seconds. Ralf Hildebrandt's book on Postfix has a section describing how to size the RAM disk, and why this is entirely safe for mail flow even in the event of a server crash. After you've done the homework for sizing, all you need to do is:
- Stop amavis, mount the RAM disk, start amavis and then edit /etc/fstab to make the change permanent.
An /etc/fstab entry for a 1GB RAM disks on the server therefore looks like:
$ grep amavis /etc/fstab tmpfs /opt/zimbra/data/amavisd/tmp tmpfs defaults,noexec,nodev,nosuid,size=1024m,mode=750,uid=zimbra,gid=zimbra 0 0
3. Tweak Selected SpamAssasin Scores After Installing Pyzor and Razor2
How to install Razor and Pyzor
Installing Razor and Pyzor on Ubuntu
aptitude install razor pyzor
Installing Razor and Pyzor on RHEL6/CentOS6
[epel] name=EPEL repository baseurl=http://mirrors.kernel.org/fedora-epel/6/x86_64 enabled=1 gpgcheck=0
yum update yum install pyzor perl-Razor-Agent
As the zimbra user
pyzor --homedir /opt/zimbra/data/amavisd/.pyzor discover
# pyzor use_pyzor 1 pyzor_path /usr/bin/pyzor # DNS lookups for pyzor can time out easily. Set the following line IF you want to give pyzor up to 20 seconds to respond # may slow down email delivery pyzor_timeout 20
As the zimbra user
razor-admin -home=/opt/zimbra/data/amavisd/.razor -create razor-admin -home=/opt/zimbra/data/amavisd/.razor -discover razor-admin -home=/opt/zimbra/data/amavisd/.razor -register -user firstname.lastname@example.org
# razor use_razor2 1
Update SpamAssassin scoring
After installing Pyzor and Razor2 and restarting Zimbra's Amavis to make sure these modules are loaded by SpamAssassin, Reliable Networks adds custom (higher) scoring for certain SpamAssassin tests to the appropriate custom SpamAssassin configuration file, which on ZCS 8 should be /opt/zimbra/conf/sa/sauser.cf. Our complete sauser.cf now looks like this (as of September 3, 2014):
pyzor_timeout 10 use_razor2 1 use_pyzor 1 score URIBL_BLACK 3.250 score RAZOR2_CHECK 3.250 score PYZOR_CHECK 3.250 score BAYES_99 4.000 score BAYES_60 2.250 score BAYES_50 1.500 score BAYES_00 -0.500 score RP_MATCHES_RCVD -0.000
Then as the zimbra user, run "zmantispamctl restart ; zmmtactl restart" to restart and load the new scores. The RP_MATCHES_RCVD score is normally -1.713, but we have found that many spammers using cloud servers have DNS and mail forwarding set to RFC standards, and that their emails then get a bump in good reputation from the default score on this test specifically.
We have found that increasing the scores of the above selected SpamAssassin scores blocks a lot of spam that would otherwise get through.
4. Add custom rules from Kevin McGrail to your scores
As zimbra user:
- 8.0 and previous:
cd /opt/zimbra/conf/sa wget -N https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf -O sakam.cf zmamavisdctl restart
- 8.5 and later:
cd /opt/zimbra/data/spamassassin/localrules wget -N https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf -O sakam.cf zmamavisdctl restart
The KAM ruleset is updated regularly, so the KAM.cf should be fetched regularly (at least once a day) by a cron script.
5. Enable DCC
The source for DCC can be obtained from https://www.dcc-servers.net/dcc/. Please read the restrictions and limitations carefully. In particular, it is important to keep in mind that DCC just marks whether something is bulk mail or not, and will tag completely legitimate bulk mailings.
After downloading and extracting the source, as the zimbra user, you will need to build it. It will take several tools (gcc, make, wget, etc).
There is some setup to be done as root initially. This is assuming using version 1.3.154 of dcc, adjust as necessary:
# mkdir -p /opt/zimbra/dcc-1.3.154 # chown zimbra:zimbra /opt/zimbra/dcc-1.3.154 # cd /opt/zimbra;ln -s dcc-1.3.154 dcc
Now, as zimbra we need to build the software. Here's an example of downloading, extracting, and building:
[zimbra@host]$ cd /tmp [zimbra@host]$ mkdir dcc [zimbra@host]$ wget https://www.dcc-servers.net/dcc/source/dcc.tar.Z [zimbra@host]$ tar xfz dcc.tar.Z [zimbra@host]$ cd dcc-1.3.154 [zimbra@host]$ ./configure --homedir=/opt/zimbra/dcc-1.3.154 \ --disable-sys-inst --with-uid=zimbra --disable-server \ --disable-dccifd --disable-dccm \ --with-updatedcc_pfile=/opt/zimbra/data/dcc \ --with-rundir=/opt/zimbra/data/dcc/run \ --bindir=/opt/zimbra/dcc-1.3.154/bin [zimbra@host]$ make [zimbra@host]$ make install [zimbra@host]$ cd /opt/zimbra/data [zimbra@host data]$ mkdir -p dcc/run
As the zimbra user, update sauser.cf as appropriate for your Zimbra version:
use_dcc 1 dcc_path /opt/zimbra/dcc/bin/dccproc
For ZCS 8.0 and earlier, you will need to enable the dcc module by modifying the v310.pre file from SpamAssassin. Find the line that looks like:
and uncomment it (remove the # sign)
Last, but not least, restart amavis to pick up the changes:
[zimbra@host]$ zmamavisdctl restart
Register your MTAs with DNSWL: https://www.dnswl.org/selfservice/
As we make updates to our own configurations, we will endeavor to keep this page updated as well.