Customizing SpamAssassin on Zimbra 8.5 or later
1. Using MailStore Archiving with Zimbra:
[root@mail ~]# vi /opt/zimbra/conf/amavisd.conf.in
— amavisd.conf.in.zimbra-dist 2011-06-03 20:22:33.856452812 +0200
+++ amavisd.conf.in 2011-06-03 20:22:45.686544874 +0200
@@ -156,6 +156,10 @@
# $forward_method = ‘smtp:[127.0.0.1]:10025’; # set to undef with milter!
%%uncomment SERVICE:archiving%%$archive_quarantine_method = ‘smtp:[127.0.0.1]:10025’;
+# Enable archiving to fixed e-mail address
+$archive_quarantine_method = ‘smtp:[127.0.0.1]:10025’;
+@archive_quarantine_to_maps = (‘my-archiving-address@example.com’);
+
%%uncomment VAR:zimbraAmavisQuarantineAccount%%$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;
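Review bot: the added `$archive_quarantine_method = ‘smtp:[127.0.0.1]:10025’;` duplicates the templated `%%uncomment SERVICE:archiving%%$archive_quarantine_method` line directly above it, which already sets the same value when the archiving service is enabled; either drop the duplicate or state in the `# Enable archiving` comment that the unconditional assignment is there so the copy is made even when SERVICE:archiving is off. The archive address in `@archive_quarantine_to_maps` is a literal in amavisd.conf.in; since this copies every message that passes through Amavis, the comment should say so and the mailbox it names should be treated as holding all mail.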
This sends a copy of every e-mail passing through Zimbra to the address my-archiving-address@example.com, the POP3 or IMAP mailbox from which MailStore collects all messages. Amavis adds headers that tell MailStore which e-mail address a message actually belongs to, so that it can be archived in the correct MailStore account.
[zimbra@mail root]$ zmamavisdctl restart
Stopping amavisd… done.
Stopping amavisd-mc… done.
Starting amavisd-mc…done.
Starting amavisd…done.
2. Make Zimbra only accept mail for existing accounts:
By default, Zimbra accepts e-mail for addresses that do not exist and sends a bounce afterwards. This produces backscatter spam (bounces delivered to forged sender addresses) and should be avoided (also see my blog article).
In Zimbra 8 it is very simple to change this behavior:
[zimbra@mail root]$ zmprov mcf +zimbraMtaRestriction reject_unverified_recipient
Effect on Hosts Listed in zimbraMtaMyNetworks
The change described above has no effect on hosts listed in zimbraMtaMyNetworks. Therefore, if you have a mail server acting as a front end to the Zimbra server, do not list it in zimbraMtaMyNetworks; zimbraMtaMyNetworks should contain only the Zimbra server itself (and the loopback address).
However, OpenDKIM and SpamAssassin should still trust your other mail servers. You get this by editing their configuration files and adding the appropriate IP addresses there:
[zimbra@mail root]$ vi /opt/zimbra/conf/opendkim-localnets.conf.in (Zimbra 8 only):
%%zimbraMtaMyNetworksPerLine%%
192.168.1.1/32
[2001:db8::1]/128
[zimbra@mail root]$ vi /opt/zimbra/conf/salocal.cf.in
%%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%% 192.168.1.1/32 [2001:db8::1]/128
In recent Zimbra versions (ZCS 8.5 and newer) it may be more elegant to add your own trusted_networks line to the local SpamAssassin rules file:
[zimbra@mail root]$ vi /opt/zimbra/data/spamassassin/localrules/sauser.cf
trusted_networks 127.0.0.1/8 [::1]/128 192.168.1.1/32
[zimbra@mail root]$ zmamavisdctl restart && zmmtactl restart
Stopping amavisd…done.
Stopping amavisd-mc… done.
Starting amavisd-mc…done.
Starting amavisd…done.
Rewriting configuration files…done.
Stopping saslauthd…done.
Starting saslauthd…done.
/postfix-script: refreshing the Postfix mail system
[zimbra@mail root]$ zmamavisdctl status && zmmtactl status
amavisd is running.
amavisd-mc is running.
[zimbra@mail root]$
3. Strict-Transport-Security Header
It makes sense to add the Strict-Transport-Security header so that a browser which has seen it once only ever connects to the web interface over an encrypted connection. I got the idea here. I use these settings with Zimbra 8.
Typically, the add_header option needs to be added to two files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
Add the option in the following form, right after the ssl_verify_depth option:
[zimbra@mail root]$ vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
add_header Strict-Transport-Security max-age=15768000;
Since Zimbra 8.7 there is a simpler option for adding this header:
[zimbra@mail root]$ zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=15768000"
If you enable the Nginx proxy for the first time, do not forget to (re-)enable the redirect mode (unless you are using the pure https mode):
zmprov ms server.lan zimbraReverseProxyMailMode redirect
You might also have to configure the protocol and hostname used for generating URLs; otherwise some generated URLs may still use the http scheme:
zmprov md mail.server.lan zimbraPublicServiceHostname server.lan
zmprov md server.lan zimbraPublicServiceProtocol https
4. Adjusting DH key size (Diffie-Hellman key exchange)
By default, Nginx uses only 1024-bit Diffie-Hellman parameters for the TLS_DH_* cipher suites (Diffie-Hellman key exchange). This is no longer considered sufficient. To increase the size, the Diffie-Hellman parameters need to be configured explicitly. I am using the following settings with Zimbra 8.6.
First, the DH parameters need to be generated with OpenSSL:
[zimbra@mail conf]$ openssl dhparam -outform PEM -out /opt/zimbra/conf/dhparam2048.pem 2048
Next, the ssl_dhparam option has to be added to the relevant server sections of the Nginx configuration. I added it to the following template files, right before the ssl_ecdh_curve option:
/opt/zimbra/conf/nginx/templates/nginx.conf.mail.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.template
The configuration line should look like this:
ssl_dhparam /opt/zimbra/conf/dhparam2048.pem;
Starting with Zimbra 8.7, Zimbra uses 2048 bit DH params by default and this manual intervention is not necessary any longer.
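For 8.5/8.6 installations that still need the manual step, here is an added example (not Zimbra's tooling and not from the original article) that performs the ssl_dhparam insertion described above across the seven templates in one idempotent pass and reports the size of the generated parameter file; it assumes one directive per line and that each template has the ssl_ecdh_curve line to anchor on, as described above.

```shell
#!/bin/sh
# Added example, not part of Zimbra or the original article: idempotently
# insert "ssl_dhparam <file>;" right before the ssl_ecdh_curve directive in
# the nginx templates listed above, and verify the generated parameter size.
# Assumes one directive per line and an existing ssl_ecdh_curve line.

DHPARAM=/opt/zimbra/conf/dhparam2048.pem
TEMPLATES=/opt/zimbra/conf/nginx/templates

# add_dhparam TEMPLATE [DHPARAM_PATH]: edit TEMPLATE in place. Returns 0 once
# the directive is present (a second run changes nothing), 1 if there is no
# ssl_ecdh_curve line to anchor on.
add_dhparam() {
    tmpl=$1
    dh=${2:-$DHPARAM}
    if grep -q '^[[:space:]]*ssl_dhparam[[:space:]]' "$tmpl"; then
        return 0
    fi
    if ! grep -q '^[[:space:]]*ssl_ecdh_curve[[:space:]]' "$tmpl"; then
        echo "no ssl_ecdh_curve anchor in $tmpl" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Reuse the anchor line's indentation so the new directive lines up.
    awk -v dh="$dh" '
        /^[ \t]*ssl_ecdh_curve[ \t]/ {
            match($0, /^[ \t]*/)
            printf "%sssl_dhparam %s;\n", substr($0, 1, RLENGTH), dh
        }
        { print }
    ' "$tmpl" > "$tmp" && cat "$tmp" > "$tmpl"   # cat keeps owner and mode
    rm -f "$tmp"
}

# apply_all: the seven templates named above (run as the zimbra user).
apply_all() {
    for t in mail web.admin.default web.admin web.https.default web.https \
             web.sso.default web.sso; do
        add_dhparam "$TEMPLATES/nginx.conf.$t.template" || return 1
    done
}

# dhparam_bits FILE: print the modulus size of a PEM DH parameter file, to
# confirm the openssl dhparam step really produced 2048 bits before the
# proxy is restarted.
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}
```

After generating the parameters, run `apply_all` as the zimbra user and check that `dhparam_bits /opt/zimbra/conf/dhparam2048.pem` prints 2048, then restart the proxy.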
5. Enabling SpamAssassin rule updates
Since Zimbra 8, it may be necessary to explicitly enable SpamAssassin rule updates. You can do this through zmlocalconfig.
To check the current status of the antispam settings:
[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = false
[zimbra@mail conf]$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = false
[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_compilation
antispam_enable_rule_compilation = false
[zimbra@mail conf]$ zmlocalconfig -e antispam_enable_rule_updates=true
[zimbra@mail conf]$ zmlocalconfig -e antispam_enable_restarts=true
[zimbra@mail conf]$ zmlocalconfig -e antispam_enable_rule_compilation=true
[zimbra@mail conf]$ zmamavisdctl restart && zmmtactl restart
To verify that the new settings took effect:
[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = true
[zimbra@mail conf]$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = true
[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_compilation
antispam_enable_rule_compilation = true
The last setting (antispam_enable_rule_compilation) is only necessary if you want to compile the rules, which should improve scan performance.
6. Customizing Postfix:
Customizing Postfix on ZCS 8.5 and later is a mix of zmlocalconfig and zmprov settings.
To reject clients whose IP address has no reverse DNS (PTR) hostname:
[zimbra@mail ]$ zmprov ms mail.lqs.co.in +zimbraMtaRestriction reject_unknown_reverse_client_hostname