Internal solutions

In this chapter, we will present the best solutions that we can implement inside the Zimbra environment; that's why we call them internal solutions.

Enabling DSPAM

The way Zimbra handles spam out of the box is not very effective and does not meet most users' needs. It relies on SpamAssassin to separate spam from ham, and this rule-based, heuristic method is, in my opinion, dated and inadequate, even though it does catch a lot of spam. Its rules also have to be added or updated regularly to keep up with spammers' new techniques.

DSPAM takes a different approach: a statistical classifier that "learns" how to detect spam. Training is done simply by repeatedly showing DSPAM examples of spam, by marking messages as junk (and examples of ham, by correcting false positives). Over time, DSPAM learns the patterns (words and combinations of words) that occur mostly in your spam and mostly in your ham, and uses that knowledge to decide what you would regard as spam. This is what keeps DSPAM up to date with the latest trends in spam. DSPAM is also written in C, which is much faster than Perl, the language SpamAssassin is written in.

Zimbra disabled DSPAM by default quite some time ago because of stability issues, and your mileage may vary; if you want to use it, you have to enable it yourself.

To enable DSPAM inside Zimbra, we need to act as the Zimbra user by running the following command:

abdelmonam@mail:~$ sudo -i
[sudo] password for abdelmonam: 
root@mail:~# su - zimbra
zimbra@mail:~$ 

Now change to the directory that holds the amavisd.conf.in template:

zimbra@mail:~$ cd /opt/zimbra/conf/

You will see the DSPAM entry in the template:

zimbra@mail:~$ more amavisd.conf.in | grep dspam 
%%uncomment LOCAL:amavis_dspam_enabled%%$dspam = '/opt/zimbra/dspam/bin/dspam';

And you can see that it is commented out in the generated amavisd.conf:

zimbra@mail:~$ more amavisd.conf | grep dspam
#$dspam = '/opt/zimbra/dspam/bin/dspam';

Now you need to enable DSPAM using the command:

$ zmlocalconfig -e amavis_dspam_enabled=TRUE

The zmmtaconfig daemon regenerates amavisd.conf from the template and reloads Amavis automatically within about two minutes, or you can run the following command for an immediate effect:

$ zmamavisdctl reload

If you check the amavisd.conf file again, you will see that the line is now uncommented:

$ more amavisd.conf | grep dspam
$dspam = '/opt/zimbra/dspam/bin/dspam';

Updating ClamAV independently of Zimbra updates

With each update of Zimbra comes the latest release of the ClamAV engine.

But sometimes you need the latest ClamAV release without waiting for a Zimbra update, especially for urgent security reasons, for example when a critical bug in the installed ClamAV release has been announced and the ClamAV project has fixed it in a newer release.

In this section, we will show you how to do that in a safe way.

Note

The ClamAV virus definition database is updated automatically every two hours by default; you can change the interval with the zimbraVirusDefinitionsUpdateFrequency attribute.

You can perform all the following actions either as the zimbra user or as any other user with sudo rights. If you do it as a user other than zimbra, remember to change the ownership of the resulting /opt/zimbra/clamav-X.Y.Z folder to zimbra:zimbra.

If upgrading from anything below 0.90.x, please refer to: http://wiki.zimbra.com/wiki/ClamAV_-_Updating_from_versions_lower_than_0.90.0

Step 1 – backing up your existing release

To avoid tricky situations, we should guarantee a rollback plan by preparing a backup for the existing release. To do that, all you need is to run the following command, making sure to replace the release version with yours:

cp -a /opt/zimbra/clamav-X.Y.Z  ~/clamav-X.Y.Z.backup

Step 2 – updating

This is the main update step; we should start by getting the latest ClamAV source code from http://www.clamav.net/download (at the time of the writing of this book, the current stable version is 0.97.8).

Extract it wherever you want; just remember the note about ownership if you are not working as the zimbra user.

Assuming that the new ClamAV version is in the /home/abdelmonam directory:

tar -xvf clamav-0.97.8.tar.gz
cd clamav-0.97.8

Next, run configure inside the clamav extract as following:

./configure --prefix=/opt/zimbra/clamav-0.97.8 --with-user=zimbra --with-group=zimbra

Note

In some cases, depending on your system configuration, you may have to install some other packages, which are dependencies, to be able to run the configure command.

If this step completes successfully, that is, the configure output contains no errors, move on to the next step, running make. If configure reports errors, fix them before continuing, then run configure again until it completes cleanly.

Now run:

make

If make completes without errors, move on to the next step; otherwise, fix the errors it reports. Note that you must switch to the root user to run the following commands; under Ubuntu, run:

sudo -i

Now run:

make check 

After that, run:

make install

If you have no errors, we can say that you now have the new version installed into the /opt/zimbra/clamav-0.97.8 directory.

Before copying the ClamAV configuration files from the old release to the new one, compare your existing clamd.conf and freshclam.conf with the fresh ones shipped with the new release, so that you notice any new or renamed options:

cd /opt/zimbra/clamav-0.97.8/etc/
diff clamd.conf ../../clamav/etc/clamd.conf
diff freshclam.conf ../../clamav/etc/freshclam.conf

Then, set the fresh copies aside and copy Zimbra's configuration files from /opt/zimbra/conf into the new version's directory:

mv clamd.conf clamd.conf.org
mv freshclam.conf freshclam.conf.org
cd /opt/zimbra/conf
cp clamd.conf /opt/zimbra/clamav-0.97.8/etc/
cp freshclam.conf /opt/zimbra/clamav-0.97.8/etc/

As a Zimbra user, run the following command to stop Zimbra:

zmcontrol stop 

Now point the clamav symbolic link at the new install. As root, first check what the link currently points to:

cd /opt/zimbra
ls -la | grep clamav 

(You should see clamav -> /path/to/previous clamAV.)

If clamav is indeed a symbolic link, removing it deletes only the link, not the previous install:

rm -rf clamav 

If you would rather keep the old link around for a quick rollback, or if ls shows clamav as a real directory rather than a link, rename it instead of removing it:

mv clamav clamav.old

Then:

ln -s /opt/zimbra/clamav-0.97.8 /opt/zimbra/clamav

Create the directory /opt/zimbra/clamav/db:

mkdir /opt/zimbra/clamav/db

Now, you should make sure the Zimbra user owns all of clamav:

chown -R zimbra:zimbra /opt/zimbra/clamav-0.97.8

The Zimbra user also needs access to the freshclam.conf file:

chmod a+r /opt/zimbra/clamav/etc/freshclam.conf

Next, we need to update the virus database:

abdelmonam@mail:~$ sudo -i
[sudo] password for abdelmonam: 
root@mail:~# su - zimbra
zimbra@mail:~$ 

Run:

/opt/zimbra/clamav/bin/freshclam

freshclam may warn that your ClamAV version is outdated or that a mirror did not respond; if you get any warning, run the command again and confirm that the definition files were downloaded without errors.

To start Zimbra, run:

zmcontrol start

Note that you may not need to stop Zimbra during this update. If you don't stop Zimbra, at this point just run:

zmantivirusctl restart 

Run the following command to make sure the antivirus is running. If it is, you're good to go:

zmcontrol status 

You should check /opt/zimbra/log/clamd.log, and freshclam.log, in the same directory, and also /var/log/zimbra.log for errors.
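The relink, ownership and rollback steps above are the riskiest part of the procedure: rm -rf clamav removes only the link when clamav is a symlink, but deletes the whole install if it has silently become a real directory, and an incomplete build linked into place leaves Zimbra without a working antivirus until you notice. The following Python helper, added here as an illustration and not code from the book or from Zimbra, performs the same switch defensively: it checks that the new build contains the files Zimbra needs, refuses to touch a real directory, creates the db directory, fixes the freshclam.conf permissions, swaps the symlink with an atomic rename, and returns the previous target so the same function rolls the change back. The REQUIRED file list, the version directory names and the constructed tree built by demo() are assumptions for the demonstration; on a real server run it as root with owner=("zimbra", "zimbra") after zmcontrol stop.

```python
"""Defensive swap of the /opt/zimbra/clamav symlink with rollback.

Added example, not Zimbra's own tooling. The paths, the REQUIRED list and
the constructed install trees used by demo() are assumptions.
"""
import os
import shutil
import tempfile

# Minimal set of files a usable ClamAV build must contain (assumed).
REQUIRED = ("bin/clamd", "bin/freshclam", "etc/clamd.conf", "etc/freshclam.conf")


def missing_parts(install_dir):
    """Return the REQUIRED entries that are absent from install_dir."""
    return [p for p in REQUIRED if not os.path.exists(os.path.join(install_dir, p))]


def chown_tree(path, owner):
    """Equivalent of chown -R user:group path (only meaningful as root)."""
    user, group = owner
    for root, dirs, files in os.walk(path):
        shutil.chown(root, user, group)
        for name in dirs + files:
            shutil.chown(os.path.join(root, name), user, group)


def switch_clamav(zimbra_root, new_dir, owner=None):
    """Point zimbra_root/clamav at new_dir and return the previous target.

    Raises instead of deleting anything: an incomplete build, or a real
    directory sitting where the symlink should be, aborts the switch.
    """
    link = os.path.join(zimbra_root, "clamav")
    new_dir = os.path.abspath(new_dir)
    missing = missing_parts(new_dir)
    if missing:
        raise RuntimeError("%s is not a complete install, missing: %s"
                           % (new_dir, ", ".join(missing)))
    if os.path.lexists(link) and not os.path.islink(link):
        raise RuntimeError("%s is a real directory, not a symlink; "
                           "mv it aside instead of rm -rf" % link)
    old_target = os.readlink(link) if os.path.islink(link) else None

    os.makedirs(os.path.join(new_dir, "db"), exist_ok=True)  # freshclam writes here
    if owner is not None:
        chown_tree(new_dir, owner)
    # freshclam.conf must be readable by the zimbra user (chmod a+r).
    conf = os.path.join(new_dir, "etc", "freshclam.conf")
    os.chmod(conf, os.stat(conf).st_mode | 0o444)

    # Build the new link beside the old one and rename over it: rename(2)
    # replaces the symlink itself atomically, so the path never dangles.
    tmp = link + ".new"
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(new_dir, tmp)
    os.replace(tmp, link)
    return old_target


def fake_install(path):
    """Constructed stand-in for a ClamAV build tree (demo only)."""
    for rel in REQUIRED:
        full = os.path.join(path, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
    return path


def demo():
    """Upgrade a constructed 0.97.7 tree to 0.97.8, refuse a broken build, roll back."""
    root = tempfile.mkdtemp(prefix="zimbra-")
    old = fake_install(os.path.join(root, "clamav-0.97.7"))
    new = fake_install(os.path.join(root, "clamav-0.97.8"))
    link = os.path.join(root, "clamav")
    os.symlink(old, link)

    previous = switch_clamav(root, new)
    after_switch = os.readlink(link)
    db_created = os.path.isdir(os.path.join(new, "db"))
    # A directory with no binaries must be refused and leave the link alone.
    try:
        switch_clamav(root, os.path.join(root, "clamav-broken"))
        refused = False
    except RuntimeError:
        refused = True
    still_new = os.readlink(link)
    # Rollback is the same call, fed the target we saved.
    switch_clamav(root, previous)
    after_rollback = os.readlink(link)
    shutil.rmtree(root)
    return {"old": old, "new": new, "previous": previous, "after_switch": after_switch,
            "db_created": db_created, "refused_broken": refused,
            "still_new": still_new, "after_rollback": after_rollback}


if __name__ == "__main__":
    print(demo())
```

The rename-over-symlink trick is the reason to prefer this over rm followed by ln -s: clamd or freshclam started by Zimbra in between never sees a missing /opt/zimbra/clamav path.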

Using ASSP with Zimbra

You can easily implement Anti-Spam SMTP Proxy (ASSP) with Zimbra as a separate appliance. All you need is a Linux distribution either on a simple machine or even a virtual machine; just configure ASSP to point to the Zimbra machine. You can either disable the antispam provided with Zimbra by default via admin console and use only ASSP, or keep it and use both internal and external antispam solutions to get better results.

You can also install ASSP on the same machine side by side with Zimbra; this implementation is a little bit more complex and can generate issues, especially when upgrading. The idea behind it is to change the receiving SMTP port inside Zimbra to a custom one that you choose, then install ASSP and configure it, firstly, to listen on the default port 25 and secondly, to forward mails to localhost at the customized Zimbra specified port number.

Despite its complexity and the upgrade issues that can occur, this method allows us to have both services on the same machine, which in turn reduces the amount of hardware or virtual instances to be maintained.

Whichever method you choose for incoming e-mail, you must also configure Zimbra to relay all outgoing e-mail through the ASSP instance if you want ASSP to maintain its automatic whitelist. Doing that is quite easy; all you need to do is specify the address and port of the ASSP instance in the Zimbra administration console:

  1. Navigate to Configure | Global Settings | MTA.
  2. Configure the Relay MTA for external delivery field from the administration console as shown in the following screenshot:
(Screenshot: Using ASSP with Zimbra)

You will also need to ensure that the ASSP administrators and users can send e-mails to ASSP. The slickest way to do this, I think, is to create distribution lists in Zimbra with a single address similar to the desired ASSP reporting address. For example, create a distribution list named and enter a single list member—. Make the display name something like "ASSP: Forward Spam Here".

The whole point of this exercise is to get the ASSP reporting addresses into Zimbra's Global Address List (GAL). Use a naming convention for these addresses, so they all sort together in the GAL. In this example, each display name would begin with "ASSP:".

One should also put the prefix—in this case "ASSP"—in the first name blank and the function—"Forward Spam"—in the last name when creating the distribution list. Then, users can easily look up all the appropriate addresses in the GAL if they forget what they are.

Improving SpamAssassin

SpamAssassin can be improved at several levels; the following sections cover them one by one.

salocal.cf.in

The best way to configure the SpamAssassin filtering rules is to edit the /opt/zimbra/conf/salocal.cf.in file. Just keep in mind to back up this file before each Zimbra upgrade, because it will be replaced during this operation.

Blacklists and whitelists

This is the simplest way to add filtering rules to SpamAssassin. To block all mail from an address or domain, add it to a blacklist entry; conversely, to let mail from a specific address or domain bypass all filtering rules, add it to a whitelist entry. Keep in mind that both directives match the From address, which a spammer can forge at will, so a whitelist_from entry for a whole domain is an easy way for a spoofed sender to bypass filtering; for important senders prefer whitelist_from_rcvd (which also checks the relaying host) or whitelist_auth (which requires an SPF or DKIM pass).

The following example shows how to add blacklist or whitelist entries to the salocal.cf.in file:

blacklist_from [email protected]
whitelist_from [email protected]
blacklist_from *@abc-xyz.net

Note that * is a wildcard: *@abc-xyz.net matches e-mail from any user at abc-xyz.net.

Zimbra's SpamAssassin needs to be restarted after each modification of the salocal.cf.in file; to do that, run the following command as the zimbra user:

zmmtactl restart && zmamavisdctl restart

Basic rules

As we saw, blacklists and whitelists filter on addresses and domain names; that alone is not enough to catch spam, which is why SpamAssassin also does content filtering: it reads the headers and body of each message and applies rules to that content.

Rules can be a particular word or phrase, or one of a variety of built-in tests. When a rule "hits" while a message is evaluated, its score is added to the message's total. When the total exceeds the required score threshold (SpamAssassin's stock default is 5.0; Zimbra derives its own value from the Tag percent setting in the admin console, as described in the SpamAssassin configuration section later in this chapter), the message is marked as spam, or discarded if the score is high enough to reach the kill threshold.

Rules are in the form of a test followed by a score. The rule mechanism typically uses Perl regular expressions to search for specific content within an e-mail. Custom rules should be added to the salocal.cf.in file in the following format:

body LOCAL_RULE /sale/
score LOCAL_RULE 0.5

The preceding code creates a rule called LOCAL_RULE that searches the body of the message for the lower-case word "sale". If the word appears anywhere in the body, 0.5 is added to the message's total score. Note that the score is applied once; multiple occurrences of "sale" in the same message are not scored separately. Also, always prefix your own rule names with LOCAL, as in the example, to distinguish them from the built-in SpamAssassin rules and prevent accidental name clashes, and remember that a rule with no score line is scored 1.0 by default.

Perl regular expressions are quite powerful mechanisms for locating text. The following are some additional examples of Perl regular expression-based rules:

Performs a case-insensitive search for the word "sale":

body LOCAL_SALE /sale/i

Searches for a line that starts with the words "hot stock tip" in any case:

body LOCAL_STOCK1 /^hot stock tip/i

Searches for any four capital letters in a row (generally a stock symbol):

body LOCAL_4CAPS /[A-Z][A-Z][A-Z][A-Z]/

Searches for up to three digits, a decimal point, and two more digits (a price such as 12.50); the backslashes are required, since an unescaped dot matches any character:

body LOCAL_MONEY /\d?\d?\d?\.\d\d/

Meta rules

We can also search for a combination of rules and apply a score to that combination by creating a "meta" rule in the following format:

body __LOCAL_FOUR_CAPS /[A-Z][A-Z][A-Z][A-Z]/
body __LOCAL_MONEY /\d?\d?\d?\.\d\d/
meta LOCAL_STOCK (__LOCAL_MONEY && __LOCAL_FOUR_CAPS)
score LOCAL_STOCK 1

The given rule adds 1 to a message's score only if both __LOCAL_FOUR_CAPS and __LOCAL_MONEY hit. The double underscore prefix matters: SpamAssassin treats rules whose names begin with __ as unscored sub-rules, whereas a body rule without that prefix and without a score line is scored 1.0 on its own, even if it exists only to feed a meta rule. Be careful when creating meta rules, as it is easy to "over-score" a message, as in the following code:

body LOCAL_FOUR_CAPS /[A-Z][A-Z][A-Z][A-Z]/
score LOCAL_FOUR_CAPS 1
body LOCAL_MONEY /\d?\d?\d?\.\d\d/
score LOCAL_MONEY 1
meta LOCAL_STOCK (LOCAL_MONEY && LOCAL_FOUR_CAPS)
score LOCAL_STOCK 1

The given example adds 3 points to the message score if the meta rule hits: 1 for each component rule and 1 for the meta rule itself.

After editing the salocal.cf.in file, restart Zimbra SpamAssassin by issuing the following command at the server prompt (as a Zimbra user):

zmmtactl restart && zmamavisdctl restart
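To see how body rules, default scores and meta rules combine before you commit a change to salocal.cf.in, the following Python model, added here as an illustration and not part of the book or of SpamAssassin, re-implements just enough of the scoring logic: body regexes are run over the message, a rule without a score line counts 1.0 unless its name begins with __ (SpamAssassin's convention for unscored sub-rules), and meta expressions are evaluated from the hits of the rules they name. It also computes Zimbra's required score from the Tag percent setting described later in this chapter (Tag percent x 0.2). The two rule sets, the sample message and the rule names LOCAL_SALE and __LOCAL_4CAPS are constructed for the demonstration. Real SpamAssassin supports many more directive types and tests body rules per paragraph rather than over the whole text; always run spamassassin --lint after editing the real file.

```python
"""Toy model of SpamAssassin body/meta rule scoring.

Added example, not SpamAssassin code. Rule sets, sample message and the
LOCAL_SALE / __LOCAL_4CAPS names are constructed for the demonstration.
"""
import re

# Sub-rules named __X carry no score of their own; only the meta scores.
SALOCAL_RULES = r"""
body  LOCAL_SALE      /sale/i
score LOCAL_SALE      0.5
body  __LOCAL_4CAPS   /[A-Z]{4}/
body  __LOCAL_MONEY   /\d?\d?\d?\.\d\d/
meta  LOCAL_STOCK     (__LOCAL_MONEY && __LOCAL_4CAPS)
score LOCAL_STOCK     1.0
"""

# Same idea without the __ prefix and with every rule scored: the meta hit
# is counted on top of its components, "over-scoring" the message.
OVERSCORED_RULES = r"""
body  LOCAL_FOUR_CAPS /[A-Z]{4}/
score LOCAL_FOUR_CAPS 1
body  LOCAL_MONEY     /\d?\d?\d?\.\d\d/
score LOCAL_MONEY     1
meta  LOCAL_STOCK     (LOCAL_MONEY && LOCAL_FOUR_CAPS)
score LOCAL_STOCK     1
"""

# Constructed message body: hits the sale, four-caps and price patterns.
SAMPLE_BODY = "Big SALE this week: buy ACME before it hits 12.50 a share!"

_TOKEN = re.compile(r"[A-Za-z_]\w*|&&|\|\||!|\(|\)")


def parse_rules(text):
    """Parse body/meta/score lines into {'body': {}, 'meta': {}, 'score': {}}."""
    rules = {"body": {}, "meta": {}, "score": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (no '#' in regexes here)
        if not line:
            continue
        kind, name, arg = line.split(None, 2)
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", arg)
            if not m:
                raise ValueError("bad body regex: " + line)
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            rules["body"][name] = re.compile(m.group(1), flags)
        elif kind == "meta":
            if _TOKEN.sub("", arg).strip():   # only names, && || ! and parentheses
                raise ValueError("unsupported meta expression: " + line)
            rules["meta"][name] = arg
        elif kind == "score":
            rules["score"][name] = float(arg)
        else:
            raise ValueError("unsupported directive: " + kind)
    return rules


def score_message(rules, body):
    """Return (total score, sorted names of every rule and sub-rule that hit)."""
    hits = {n: bool(rx.search(body)) for n, rx in rules["body"].items()}

    def hit(name, stack=()):
        if name in hits:
            return hits[name]
        if name not in rules["meta"]:
            raise ValueError("unknown rule " + name)
        if name in stack:
            raise ValueError("meta cycle at " + name)
        pieces = []
        for tok in _TOKEN.findall(rules["meta"][name]):
            if tok == "&&":
                pieces.append("and")
            elif tok == "||":
                pieces.append("or")
            elif tok == "!":
                pieces.append("not")
            elif tok in ("(", ")"):
                pieces.append(tok)
            else:
                pieces.append(str(hit(tok, stack + (name,))))
        hits[name] = bool(eval(" ".join(pieces), {"__builtins__": {}}, {}))
        return hits[name]

    for name in rules["meta"]:
        hit(name)
    total = 0.0
    for name, was_hit in hits.items():
        if was_hit:
            # No score line: 1.0 by default, but __ sub-rules never score.
            default = 0.0 if name.startswith("__") else 1.0
            total += rules["score"].get(name, default)
    return total, sorted(n for n, h in hits.items() if h)


def required_score(tag_percent):
    """Zimbra maps Global Settings > AS/AV 'Tag percent' to required_score (x 0.2)."""
    return tag_percent * 20.0 / 100.0


def is_spam(rules, body, tag_percent=33):
    """True when the message reaches Zimbra's derived required score."""
    total, _ = score_message(rules, body)
    return total >= required_score(tag_percent)


if __name__ == "__main__":
    print(score_message(parse_rules(SALOCAL_RULES), SAMPLE_BODY))      # 1.5
    print(score_message(parse_rules(OVERSCORED_RULES), SAMPLE_BODY))   # 3.0
```

Running it shows the difference the prefix makes: the same message scores 1.5 with the sub-rule version (0.5 for LOCAL_SALE, 1.0 for LOCAL_STOCK) and 3.0 with the over-scored version, still well under the 6.6 that a Tag percent of 33 produces.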

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent forgery of the sender address. More precisely, the current version of SPF—called SPFv1 or SPF Classic—protects the envelope sender address, which is used for the delivery of messages.

Read more about SPF and how to configure it for any domain at http://www.openspf.org/

Also, read about tools for testing your SPF settings at http://www.openspf.org/Tools

First of all, Zimbra's SpamAssassin comes with no SPF support, because the Perl module that SpamAssassin's SPF plugin needs is not installed. Since Zimbra's SpamAssassin uses the system Perl environment, adding SPF support is fairly simple: install the module and the SPF plugin starts producing hits such as SPF_PASS and SPF_FAIL.

We can install it on Debian/Ubuntu-like systems via the following command:

sudo apt-get install libmail-spf-query-perl

On other platforms, install the module with the cpan command-line utility (configure CPAN first if you have never used it on that machine):

perl -MCPAN -eshell
install Mail::SPF::Query

Note that Mail::SPF::Query is the older module; current SpamAssassin releases prefer Mail::SPF and fall back to Mail::SPF::Query only when Mail::SPF is absent, so installing Mail::SPF is the better choice today.

Razor2

Razor is a collaborative spam filtering network that lets users report spam and filter out matching messages. After adding SPF, we can add Razor2 to improve scoring further.

To install Razor2, we should first of all get the razor-agents-sdk package from razor.sourceforge.net, then untar it and run the following commands as a root user (that will compile and then install it):

perl Makefile.PL
make
make install

Repeat the preceding action with the razor-agents package that you get from razor.sourceforge.net:

perl Makefile.PL
make
make install

Don't forget to open the firewall ports for Razor2 (TCP/2703 outgoing).

Configuring Razor2

To configure Razor2, start by creating a .razor folder under /opt/zimbra/amavisd and, of course, give the zimbra user ownership of it:

mkdir /opt/zimbra/amavisd/.razor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor

Then, as the Zimbra user, create your Razor account:

razor-admin -home=/opt/zimbra/amavisd/.razor -create
razor-admin -home=/opt/zimbra/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/amavisd/.razor -register

Finally, enable Razor (if it is not done already). To do that, edit /opt/zimbra/conf/spamassassin/v310.pre and uncomment the line:

loadplugin Mail::SpamAssassin::Plugin::Razor2

Pyzor

Like Razor, Pyzor is a collaborative checksum network that contributes to spam scores; adding Pyzor support gives SpamAssassin one more signal for spam filtering inside Zimbra.

Installing Pyzor

As we are using Ubuntu, to install Pyzor, we need to just run the following command:

sudo apt-get install pyzor

Configuring Pyzor

To configure Pyzor, start by creating a .pyzor folder in the zimbra-amavisd home and, of course, give the zimbra user ownership of it:

mkdir /opt/zimbra/amavisd/.pyzor; chown zimbra:zimbra /opt/zimbra/amavisd/.pyzor

Don't forget to open your firewall ports for Pyzor (UDP/24441 outgoing).

Finally, as a Zimbra user, run the following command:

pyzor --homedir /opt/zimbra/amavisd/.pyzor discover

How to configure SpamAssassin

At this point, we have all three filters: Pyzor, Razor, and SPF. However, to benefit from them, we must enable them and set rules for them in the SpamAssassin configuration. To do that, edit the /opt/zimbra/conf/spamassassin/local.cf file and add the following settings at the end; of course, you can change the values and customize the rules to suit your needs. One caveat: bayes_ignore_header expects the name of a header (for example, a tag header added by an upstream filter), not a header value, so the two Received: lines at the end of the listing, although widely copied, do not match any header name and have no effect.

ok_languages en fr
ok_locales en fr
trusted_networks 127. 172.16.
use_bayes 1
skip_rbl_checks 0
use_razor2 1
#use_dcc 1 <<< WORK IN PROGRESS - SEE NEXT STEP
use_pyzor 1
dns_available yes
## Optional Score Increases
## Choose your preferred values...
score DCC_CHECK 4.000
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000
bayes_ignore_header Received: from mail.zimbra-essentials.com
bayes_ignore_header Received: from localhost

You do not need to edit any config file to set SpamAssassin's required score in Zimbra; the value is derived from a setting in the admin console. Go to Configure | Global Settings | AS/AV. The required score is Tag percent x 0.2, so a Tag percent value of 33 results in a required score of 6.6 (33 x 0.2 = 6.6).

(Screenshot: How to configure SpamAssassin)

Adding DCC

We can also enable Distributed Checksum Clearinghouses (DCC) to enhance antispam content filtering.

The basic logic of DCC is that most spam is sent to many recipients, so the same message body appears many times. DCC identifies such bulk e-mail by computing a checksum of the message and sending that checksum to a clearinghouse (server), which responds with the number of times it has seen that checksum. An individual message produces a count of 1 each time it is processed, whereas bulk mail is identified by a high count. The content itself is not examined.

To set up DCC, start by downloading it from http://www.rhyolite.com/dcc/.

Compile and install it, then change /etc/dcc/dcc_conf to read:

DCCUID=zimbra
DCCD_ENABLE=off

After that, change /opt/zimbra/conf/spamassassin/v310.pre to enable the DCC plugin:

loadplugin Mail::SpamAssassin::Plugin::DCC

Finally, enable DCC on the firewall (UDP/6277 outgoing).
