Upgrade SA to newer release

   KB 23862        Last updated on 2020-10-18  

(0 votes)


Updating Spamassassin to a newer version from say 3.4.1 which is the current version for 8.7.11. Note: rules are only on main branch in SA github so we grab those first. I am using this in production as there are a few DoS against the SA versions that Zimbra ships in production. If you are hit with one of these email bombs, you can expect to see amavisd's that are 100% CPU bound and will takes about 15 minutes to timeout. You will also see postfix disconnect with END-OF-MESSAGE followed by a disconnect. After 15 mins, the email will be moved to the deferred queue. Amavisd will respond after 15 mins with a log message that it lost connection with while sending data - message may be sent more than once". A previous version of this article was for SA 3.4.2 and this is updated for the latest SA 3.4.4

Backup Current Version

Files are located under /opt/zimbra/common/lib/perl5/Mail/Spamassassin and /opt/zimbra/data/spamassassin/ Note: the '*' with tar as we are grabbing both the spamassassin.pm and the directory spamassassin.

Here is what the general structure looks like with Zimbra/SA:

/opt/zimbra/data/spamassassin/rules/* ---- rules with the distribution
/opt/zimbra/data/spamassassin/state/  ---- rules from sa-update
/opt/zimbra/data/spamassassin/state/3.004001/updates_spamassassin_org.cf  # --- rules to include

run tar as root or zimbra because need GPG stuff and all keys in that directory are 700 perms
   rwx------ zimbra/zimbra      0 2019-05-21 10:00 opt/zimbra/data/spamassassin/localrules/sa-update-keys/
    --- /opt/zimbra/commong/lib/perl5/Mail/Spamassassin ---- perms: root:root
    /opt/zimbra/data/spamassassin  perms: zimbra:zimbra

Use this command to backup existing Zimbra SA install should you need to revert back:

su - zimbra -c "tar zcvf /tmp/SA_backup.tar.gz /opt/zimbra/common/lib/perl5/Mail/SpamAssassin* \
        /opt/zimbra/data/spamassassin \
        /opt/zimbra/common/bin/sa-check_spamd \
        /opt/zimbra/common/bin/sa-update \
        /opt/zimbra/common/bin/spamassassin \
        /opt/zimbra/common/bin/sa-learn \
        /opt/zimbra/common/bin/sa-compile \
        /opt/zimbra/common/bin/spamc \
        /opt/zimbra/common/share/man/man1/sa-compile.1 \
        /opt/zimbra/common/share/man/man1/spamc.1 \
        /opt/zimbra/common/share/man/man1/sa-awl.1 \
        /opt/zimbra/common/share/man/man1/sa-learn.1 \
        /opt/zimbra/common/share/man/man1/sa-update.1 \
        /opt/zimbra/common/share/man/man1/spamd.1 \
        /opt/zimbra/common/share/man/man1/spamassassin-run.1 \
        /opt/zimbra/common/share/man/man3/Mail::SpamAssassin* \

Get and Install newer version

git clone https://github.com/apache/spamassassin.git
cd spamassassin
tar cvf ../rules.tar rules*
git checkout spamassassin_release_3_4_4
tar xvf ../rules.tar

where build_zimbra.sh is:


export PERL5LIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5
export PERLLIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5

/usr/bin/perl Makefile.PL \
     PREFIX=/opt/zimbra/common \
     LIB=/opt/zimbra/common/lib/perl5 \
     DATADIR=/opt/zimbra/data/spamassassin/rules \
     CONFDIR=/opt/zimbra/data/spamassassin/localrules \

make install
chown -R zimbra:zimbra /opt/zimbra/common/lib/perl5/Mail/SpamAssassin*
chown -R zimbra:zimbra /opt/zimbra/data/spamassassin/

Verify rules still update

Rules are updated by cron. Run this command to verify that still works. You will have a state/3.004004 directory

# su - zimbra
% /opt/zimbra/common/bin/sa-update -v --allowplugins --refreshmirrors

General Notes

#Default configuration data is loaded from the first existing directory in:
#    /opt/zimbra/data/spamassassin/state/3.004002
#    /opt/zimbra/data/spamassassin/rules
#    /opt/zimbra/common/share/spamassassin
#    /usr/local/share/spamassassin
#    /usr/share/spamassassin

# Site-specific configuration data is used to override any values which
#    had already been set. This is loaded from the first existing directory in:
#    /opt/zimbra/data/spamassassin/localrules
#    /opt/zimbra/common/etc/mail/spamassassin
#    /opt/zimbra/common/etc/spamassassin
#    /usr/local/etc/spamassassin
#    /usr/pkg/etc/spamassassin
#    /usr/etc/spamassassin
#    /etc/mail/spamassassin
#    /etc/spamassassin

#  From those 3 directories, SpamAssassin will first read file ending in ".pre" in lexical order
#      and then read files ending in ".cf" in lexical order.
#  In other words, it will read init.pre first, then 10_default_prefs.cf
#    before 50_scores.cf and 20_body_tests.cf before 20_head_tests.cf.
#  SA 4.0 requires newer perl version that exists with RHEL6/Centos6

Script to install if you don't want to install in the buildZimbra.sh step


export PERL5LIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5
export PERLLIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5

#As root
make install
chown -R zimbra:zimbra /opt/zimbra/data/spamassassin

To verify what version you now have running, do this:

# su - zimbra
$ spamassassin -V
SpamAssassin version 3.4.4
  running on Perl version 5.10.1

More articles written by me, https://wiki.zimbra.com/wiki/JDunphy-Notes

Jump to: navigation, search