Zimbra Best Practices: Incoming Mail Protection | Zimbra

Alert! This article is written for Zimbra OSE users. As of December 2023, Synacor will no longer be providing support for Zimbra OSE. You might want to consider trying out Carbonio Community Edition – Zextras’s free and open-source email and collaboration platform.

For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.

I believe that one of the most important aspects related to e-mail is security management, both in terms of possible attacks, such as malware or viruses, and in terms of “invasion” of junk mail, spam and so on. We have seen, on the user side, how to manage spam within the Zimbra webmail in this article. Here, however, we want to deepen the topic by going to take a look at the tools that you can use to be able to defend at best and manage incoming mail.

If for what concerns virus or malware attacks the choice falls on the different solutions on the market both open source, as for example ClamAV, and paid, for what concerns spam and security in general we can take advantage of various types of resources that we are going to see together.


Zimbra introduced Postscreen starting with version 8.7, as an additional anti-spam strategy. It provides an extra protection against mail server overload. By preventing spambots, postscreen leaves more SMTP server processes available for trusted clients, thus delaying the risk of server overload conditions. You can read more about it in this article: What Is Zimbra Postscreen?

To understand how it works we can figure out two typical scenarios:

  1. Without Postscreen: the first one is scenario without Postscreen, nor any other Anti-SPAM security. In this case we have bot and zombies talking with all the smtpd listeners that Zimbra is offering. This leads to the risk of a timeout error for good connections that find themselves having to wait for bots and zombies to finish
  2. With Postscreen: in a scenario with Postscreen, we have bot and zombies talking with it. In this case, Postscreen will do all the basic checks, and can deny the connection if the message is clearly from a bot or zombie. It will also move an email to the local anti virus if the connection is not in the temporary whitelist. Unlike the previous scenario, in this scenario good connections pass Postscreen security and go directly to talk to the smtp daemon.

To fully understand how to use and configure this feature I would like to refer you to the article: How To Use Zimbra Postscreen?


Policyd is an anti-spam policy daemon for Postfix. It is included as a part of the Zimbra package, but it is not enabled by default. You can learn how to enable and configure it by reading the following article: Enabling CBPolicyD WebUI


DomainKeys Identified Mail (DKIM), is a method to combine the domain name and email, allowing a person or company to take responsibility for the email. It works through the use of a digital signature, tied to a domain name, for each sent email. This way you can verify that the email sent from a given domain is actually authorized by the owner. In Zimbra, DKIM can be used both to check incoming emails and to sign outgoing emails.

To learn how to configure SPF for incoming mails you can read this article: How To Configure Zimbra DKIM to Check Incoming Emails?


The Sender Policy Framework (SPF), is an email verification system, designed to avoid undesired emails using a spoofing system. The SPF record contains the information of only those mail servers that are authorized to send emails on behalf of your domain, while preventing spammers from spoofing it. This is possible through a comparison between the SPF record and the sender’s mail server information. If they do not match, the email will be identified as unauthorized and consequently sent to spam or totally rejected.

To learn how to configure SPF for incoming mails you can read this article: How To Configure Zimbra SPF to Check Incoming Emails?

Download Zextras Suite for Zimbra OSE

Post your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

MTA: A General Overview | Zimbra
Zimbra Best Practices: Improve outgoing Email Security | Zimbra