These days the world is dealing with a different kind of threat. You may have heard the term called “Mail borne threat”. Usually a network/system administrator is concerned about end user workstation’s security. Therefore, they use various security mechanism as filter to secure their user’s workstations. These traditional end point security may secure the user workstation from all entrances (internet, peripheral, etc) but it still leaves one entrance unchecked. That is the email.
If any unwanted malware, spam, virus, threat come to a user via email and the users accidentally opens it, then a very few end point security appliance can stop the damage. And it inevitable that despite of continuous end user awareness campaign, sometimes users fall for the trap of spam/phishing email.
On that note, if we could just filter out these threats at the entrance of our email system it would be more convenient and effective. Here Zimbra makes the differences from all other open-source email solutions.
For antispam and antivirus, Zimbra uses SpamAssassin and ClamAV engines respectively. We will come to them one by one into our later discussions.
How Antispam Works
First let’s try to understand the way Zimbra antispam (SpamAssassin) works.
SpamAssassin is an open-source software that comes with Zimbra. It checks each email with various patterns/points and adds positive or negative score to them. At the end it sums up all scores to get the combined score of that email. Then these scores are compared to the pre set threshold scores which than determines the next action for the respective email. Based on the comparison, the email can land into user’s inbox/ junk or even the mail can be rejected.
The threshold value of SpamAssassin points can be adjusted as per the administrator’s convenience. By default, anything over 5 is moved to junk and anything over 15 is not delivered to the users email account
SpamAssassin uses various tests to identify spam signatures. SpamAssassin settings are stored in plain text which makes it easier to configure and manage.
The supported location for customization of SpamAssassin for ZCS 8.5 and later is
Initially SpamAssassin scans for all
*.cf files in
/opt/Zimbra/conf/ and loads them into alphabetical order.
If we have a SpamAssassin working setup, then we might not need any custom rules. But if we want to tweak SpamAssassin to match our personal expectations.
Lets take a look how a basic local rule can be written:
body LOCAL_DEMONSTRATION_RULE /password body LOCAL_DEMONSTRATION_RULE /password/ score LOCAL_DEMONSTRATION_RULE 0.5 describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
This rule does a simple case-sensitive search of the body of the email for the string “password” and adds a 0.5 to the score of the email if it finds it.
In Zimbra 8.0.5 and later two options were added to the product to enable SpamAssassin rule updates via sa-update.
Check that these are set to true, and if not, set them to true and restart amavisd and the MTA:
$ zmlocalconfig antispam_enable_rule_updates antispam_enable_rule_updates = false $ zmlocalconfig antispam_enable_restarts antispam_enable_restarts = false $ zmlocalconfig -e antispam_enable_rule_updates=true $ zmlocalconfig -e antispam_enable_restarts=true $ zmamavisdctl restart $ zmmtactl restart
In a Zimbra server, you may find Antivirus & Antispam service is disabled. Please enable them before doing any further modification.
$ zmprov -l gs <mail.example.com> | egrep -i 'serviceen|servicein' $ zmprov -l ms <mail.example.com> -zimbraServiceEnabled antispam
Moreover, to train Bayesian spam filtering with SpamAssassin, two system mailboxes with obfuscated names are created during the Zimbra OSE installation phase.
In our case, it is email@example.com and firstname.lastname@example.org… The spam system mailbox receives all emails that are marked as spam by server users. This works with both the Zimbra OSE web client and the IMAP protocol.
By analyzing the messages contained in this mailbox, SpamAssassin learns and then more effectively detects messages containing spam.
The ham system mailbox contains emails that SpamAssassin has detected as spam, but are not. Emails end up in the ham mailbox when users manually move them from the Spam folder to another mail folder. This works with both the Zimbra OSE web client and the IMAP protocol. By analyzing the contents of messages in this mailbox, SpamAssassin also learns and furthermore effectively detects messages that do not contain spam. Quota is disabled for both of these mailboxes. This is done to ensure that all emails that are marked by users are guaranteed to get into them.
Thus, the Zimbra OSE administrator at the server level has three ways to block spam:
- Formation of black lists
- SpamAssassin training
- Regulating the ratings of emails
How Antivirus Works
ClamAV is powerful antivirus software that can scan your email and your server for malicious files. It works like an antivirus program on your computer, but ClamAV scans your server. Specifically, ClamAV looks for malicious email attachments and malicious server files.
Basic features of ClamAV:
- ClamAV is designed to scan files quickly.
- Real time protection (Linux only). The ClamOnAcc client for the ClamD scanning daemon provides on-access scanning on modern versions of Linux. This includes an optional capability to block file access until a file has been scanned (on-access prevention).
- ClamAV detects millions of viruses, worms, trojans, and other malware, including Microsoft Office macro viruses, mobile malware, and other threats.
- ClamAV’s bytecode signature runtime, powered by either LLVM or our custom bytecode interpreter, allows the ClamAV signature writers to create and distribute very complex detection routines and remotely enhance the scanner’s functionality.
- Signed signature databases ensure that ClamAV will only execute trusted signature definitions.
- ClamAV scans within archives and compressed files but also protects against archive bombs
To enable antivirus service in Zimbra:
$ zmprov -l ms <mail.example.com> -zimbraServiceEnabled antivirus
To configure virus definition update frequency:
$ zmprov mcf zimbraVirusDefinitionsUpdateFrequency 2h
As like an end-user workstation, an email server also needs some security. Antispam and Antivirus service provides essential support in this regard. Someone may compare it with other paid antispam or antivirus solutions, but so far these two are our best options to protect the Zimbra OSE server from any email-borne threat.
Have a good day.
To read more on this subject please refer to