MailScanner and Zimbra
L.P.H. van Belle
belle at bazuin.nl
Fri Nov 1 13:21:33 UTC 2019
Beware of header rewriting/modifications if you are using DKIM/SPF/DMARC.
Then you need to install a Sender Framework Policy program.
If you are using spf/dkim/dmarc and you're forwarding mails, they will get rejected due to modified headers.
If you are using postfix, set up postsrsd - Sender Rewriting Scheme (SRS) lookup table for Postfix.
Simple to integrate also.
My current mailscanner results, due to postfix settings.
Processed: 898 311.38MB
Clean: 896 99.8%
Spam: 2 0.2%
All others 0.
No greylisting used, no postwhite used.
Best used of my server postfix postscreen + fail2ban.
I use this setup for postscreen.
Black and white lists are used for postscreen's counter.
postscreen_dnsbl_threshold = 7
postscreen_dnsbl_sites =
    zen.spamhaus.org*4
    b.barracudacentral.org*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    srn.surgate.net=127.0.0.2*1
    spam.dnsbl.sorbs.net*1
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*1
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-1.uceprotect.net*1
    dnsbl-2.uceprotect.net*1
    dnsbl.justspam.org=127.0.0.2*2
    blackholes.tepucom.nl=127.0.0.2*2
    dnsbl.beetjevreemd.nl=127.0.0.2*2
    multi.surbl.org*2
    all.s5h.net=127.0.0.2*1
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    rbl.abuse.ro=127.0.0.[2;4]*2
    gl.suomispam.net=127.0.0.2*1
    truncate.gbudb.net=127.0.0.2*1
    dnsbl.zapbl.net=127.0.0.2*1
    netblockbl.spamgrouper.to=127.0.0.2*1
    dnsbl.spfbl.net=127.0.0.[2;4]*2
    dnsrbl.org*1
    # No RDNS
    dnsbl.spfbl.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.0.3*1
    # whitelists
    swl.spamhaus.org*-6
    dnswl.spfbl.net=127.0.0.[2;3;4]*-3
    list.dnswl.org=127.0.[0..254].[0..3]*-4
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    nobl.junkemailfilter.com=127.0.0.5*-4
#
and a pretty simple fail2ban setup.
# /etc/fail2ban/filter.d/postfix-postscreen.conf
#
# Fail2Ban filter for Postfix's Postscreen blocks.
#
# You need to adjust the rank number to what you please.
# Make sure the first number in [7-9] (here the 7) matches the Postfix postscreen_dnsbl_threshold value.
# For now, rank 7 and up gets blocked and put in the firewall.
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/postscreen
failregex = DNSBL rank ([7-9]|[1-9][0-9]) for \[<HOST>\]
ignoreregex =
# Author: Louis van Belle
#######################################################
In jail.local:
[postfix-postscreen]
port = smtp
logpath = /var/log/mail.log
maxretry = 1
bantime = 86400
findtime = 3600
banaction = ufw
Works great (for me) :-)
Greetz,
Louis
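Added example, not part of the original message and not code from Postfix or fail2ban: how the weighted `postscreen_dnsbl_sites` entries above add up to a DNSBL rank, and whether the posted failregex matches the resulting log line. It assumes a constructed subset of the list, constructed DNS replies, hypothetical function names, fail2ban's `<HOST>` tag replaced by a plain IPv4 group, and that each entry adds its weight once when any returned A record matches its filter.

```python
import ipaddress
import re

# Constructed subset of the postscreen_dnsbl_sites entries quoted above.
SITES = """
zen.spamhaus.org*4
b.barracudacentral.org*4
bl.spamcop.net*2
rep.mailspike.net=127.0.0.[13;14]*1
list.dnswl.org=127.0.[0..254].[0..3]*-4
hostkarma.junkemailfilter.com=127.0.0.1*-4
"""
THRESHOLD = 7  # postscreen_dnsbl_threshold from the message

ENTRY = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")
# failregex from the filter above; <HOST> is replaced by a plain IPv4 group (assumption).
FAILREGEX = re.compile(r"DNSBL rank ([7-9]|[1-9][0-9]) for \[(?P<host>[\d.]+)\]")

def parse_sites(text):
    """Return (domain, filter-or-None, weight) per entry; weight defaults to 1."""
    return [(m[1], m[2], int(m[3] or 1))
            for m in (ENTRY.match(tok) for tok in text.split())]

def octet_ok(pattern, value):
    """One filter octet: a plain number, or [a;b] / [lo..hi] alternatives."""
    for alt in pattern.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_ok(filt, reply):
    """Does one DNSBL A-record reply satisfy the optional =filter?"""
    if filt is None:
        return True  # no filter: any reply counts
    parts = re.findall(r"\[[^\]]*\]|\d+", filt)
    return all(octet_ok(p, o) for p, o in zip(parts, ipaddress.IPv4Address(reply).packed))

def dnsbl_rank(sites, replies):
    """replies maps list domain -> A records returned; unlisted domains are absent."""
    return sum(w for d, f, w in sites
               if any(reply_ok(f, r) for r in replies.get(d, [])))

def would_ban(rank, ip="192.0.2.10"):
    """Build a constructed postscreen-style log line and test the failregex on it."""
    line = f"postfix/postscreen[1234]: DNSBL rank {rank} for [{ip}]:54321"
    return FAILREGEX.search(line) is not None
```

The failregex covers ranks 7 to 99 only; the positive weights in the posted list sum to 57, so two digits are enough for that configuration.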
From: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of Shawn Iverson via MailScanner
Sent: Friday 1 November 2019 14:06
To: MailScanner Discussion
CC: Shawn Iverson
Subject: Re: MailScanner and Zimbra
+1
We need to put this on the MailScanner website as "Things you can do to enhance your MailScanner" :)
On Fri, Nov 1, 2019 at 8:55 AM David Jones via MailScanner <mailscanner at lists.mailscanner.info> wrote:
Great suggestions below. Here are some more:
1. Install greylisting (sqlgrey) and enable it slowly by doing selective greylisting
2. Enable Postfix postscreen with weighted method and add in dozens of RBLs (see spamassassin mailing list archives)
3. Set up postwhite (search github.com) to prevent blocking too much from #1 and #2 above.
4. Install/compile DCC (https://www.dcc-servers.net/dcc/). There are many howto’s out there for this.
5. Tune out the MTA (Postfix) settings for rejecting based on DNS and hostname (see spamassassin mailing list archives)
6. Make sure the RelayCountry plugin is enabled and working so you can add rules to bump up scores for certain countries that aren’t normal for your particular mail flow.
7. Advanced users can install postfwd and add headers in the MTA that spamassassin can use in local/custom rules.
8. Install opendmarc and policyd-spf into the MTA to add support for DMARC inside spamassassin with the addition of a few rules that use the headers added. (see spamassassin mailing list archives)
A well-tuned MTA (RBLs, greylisting, and DNS/HELO checks) should drop > 98% of the spam/junk before it has to reach spamassassin.
Dave
From: MailScanner <mailscanner-bounces+djones=ena.com at lists.mailscanner.info> on behalf of Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info>
Reply-To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Date: Friday, November 1, 2019 at 6:05 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: Shawn Iverson <iversons at rushville.k12.in.us>
Subject: Re: MailScanner and Zimbra
I don't know what Zimbra is using, but another suggestion: augmenting MailScanner with RBLs (such as ahead of it with Postfix Postscreen, which is very fast) is quite effective. MailScanner and SpamAssassin are just two of many other tools in your spam fighting arsenal.
On Fri, Nov 1, 2019 at 5:56 AM Thomas Stephen Lee <lee.iitb at gmail.com> wrote:
Thanks for the reply Thom.
We have updated SpamAssassin and added the cron.daily script.
For virus scanning we have installed the ClamAV unofficial sigs and Sophos AV for Linux.
thanks
---
Thomas Stephen Lee
On Fri, Nov 1, 2019 at 2:59 PM Thom van der Boon <thom at vdb.nl> wrote:
I have the same setup.
check the age of the files in /var/spamassassin/version_number/
check whether there is a spamassassin update script in /etc/cron.daily (you will find nothing in your logs to check whether sa-update is working)
If the files are old, quick fix, run as root: sa-update --verbose ; service mailscanner restart
Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/
In /etc/MailScanner/MailScanner.conf check and change the following parameters:
Log Spam = yes
Log SpamAssassin Rule Actions = yes
Max Spam Check Size = 20m
restart MailScanner after this and check your logs
Tip 1: Use KAM.cf
KAM.cf is a great collection of spamassassin rules
Rules are here: https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/
Tip 2: Use securiteinfo.com to improve ClamAV detection
It is a paid extension to ClamAV, but it costs less than € 30/USD 35 per year (You only need pro version to protect your mail server)
https://securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
Thom
From: "Thomas Stephen Lee" <lee.iitb at gmail.com>
To: "MailScanner Discussion" <mailscanner at lists.mailscanner.info>
Sent: Friday 1 November 2019 08:14:04
Subject: MailScanner and Zimbra
Hi,
We use MailScanner on our mail server.
MailScanner scans the incoming mails and relays it to a VM with Zimbra 8.8.15 installed.
However we notice that Zimbra's spam software captures many spam mails which are not captured by MailScanner.
Why is this so ?
thanks
---
Thomas Stephen Lee
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
--
Shawn Iverson, CETL
Rush County Schools
iversons at rushville.k12.in.us