MailScanner and Zimbra
Shawn Iverson
iversons at rushville.k12.in.us
Mon Nov 4 14:24:47 UTC 2019
I can give the Zimbra folks a hand. I will try to reach out to them. They
definitely need to be adhering to DMARC specs.
On Mon, Nov 4, 2019 at 1:55 AM Thomas Stephen Lee <lee.iitb at gmail.com>
wrote:
> Hi David,
>
> You can download and install Zimbra opensource edition from.
>
> https://www.zimbra.com/try/zimbra-collaboration-open-source/
>
> for free
>
> But we don't know how exactly to submit a bug report.
>
> There are forums and bugzilla.
>
> thanks
>
>
> ---
> Thomas Stephen Lee
>
> On Mon, Nov 4, 2019 at 7:00 AM David Jones <djones at ena.com> wrote:
>
>> Those Zimbra rules are better than nothing but they aren’t correct on
>> lines 88, 93, and 98. The DMARC specification says that DKIM should pass
>> and align with the From: domain OR SPF should pass and align with the
>> envelope-from domain. Those rules at those lines say it’s an AND but it
>> should be OR like
>>
>>
>>
>> (DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_*
>>
>>
>>
>> It’s not that critical since they are only subtracting a few points for
>> the DMARC_PASS_* rules. Then again, passing DMARC doesn’t have a direct
>> relationship to spam and ham. It only asserts the email was authentic
>> (DKIM) or authorized (SPF). You can take any of those DKIM_VALID_AU and
>> SPF_PASS and create whitelist_auth entries which actually have value
>> towards allowing/blocking.
>>
>>
>>
>> The best way to get DMARC support into SA is to install opendmarc and
>> integrate it into your MTA (plenty of HOWTOs out there) and then add rules
>> similar to these (adjust regex for your opendmarc.conf AuthservID setting):
>>
>>
>>
>> /etc/opendmarc.conf
>>
>> AuthservID = smtp.example.com
>> RejectFailures true
>> Socket inet:8893@localhost
>> SoftwareHeader true
>> SPFIgnoreResults true
>> SPFSelfValidate true
>>
>>
>>
>>
>>
>> /etc/mail/spamassassin/10_opendmarc.cf
>>
>> header DMARC_PASS Authentication-Results =~ /smtp\.example\.com; dmarc=pass/
>> describe DMARC_PASS DMARC check passed
>> score DMARC_PASS -0.01
>>
>> header DMARC_FAIL Authentication-Results =~ /smtp\.example\.com; dmarc=fail/
>> describe DMARC_FAIL DMARC check failed
>> score DMARC_FAIL 0.01
>>
>> header DMARC_NONE Authentication-Results =~ /smtp\.example\.com; dmarc=none/
>> describe DMARC_NONE DMARC check neutral
>> score DMARC_NONE 0.01
>>
>> header __DMARC_FAIL_REJECT Authentication-Results =~ /smtp\.example\.com; dmarc=fail \(p=reject/
>> meta DMARC_FAIL_REJECT __DMARC_FAIL_REJECT
>> describe DMARC_FAIL_REJECT DMARC check failed and the sending domain says to reject this message
>> score DMARC_FAIL_REJECT 9.0
>>
>>
>>
>> Then create meta rules based off of the rules above or use MailScanner’s
>> “SpamAssassin Rule Actions” for more precision.
>>
>>
>>
>> DMARC_PASS != ham and DMARC_FAIL != spam. These should be used to make
>> safe whitelist_auth entries.
>>
>>
>>
>>
>>
>> *From: *Thomas Stephen Lee <lee.iitb at gmail.com>
>> *Date: *Sunday, November 3, 2019 at 9:10 AM
>> *To: *MailScanner Discussion <mailscanner at lists.mailscanner.info>
>> *Cc: *Shawn Iverson <iversons at rushville.k12.in.us>, David Jones <
>> djones at ena.com>
>> *Subject: *Re: MailScanner and Zimbra
>>
>>
>>
>> Hi All,
>>
>> The DMARC rules are in
>>
>> https://github.com/Zimbra/zm-mta/blob/develop/salocal.cf.in
>>
>> Sorry, Zimbra does not have a MailScanner rule.
>> We added it extra.
>>
>> vim /opt/zimbra/data/spamassassin/localrules/sauser.cf
>>
>> -----------------
>> header LOCAL_MAILSCANNER_SPAM X-Organization-MailScanner-SpamScore =~ /sssss/
>> describe LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM
>> score LOCAL_MAILSCANNER_SPAM 4.123
>> -----------------
>>
>>
>> thanks
>>
>> ---
>>
>> Thomas Stephen Lee
>>
>>
>>
>> On Sat, Nov 2, 2019 at 11:01 PM Shawn Iverson via MailScanner <
>> mailscanner at lists.mailscanner.info> wrote:
>>
>> Following...
>>
>>
>>
>> Would love to see those rules as well. I like that Zimbra has a
>> MailScanner rule!
>>
>>
>>
>> On Sat, Nov 2, 2019 at 1:25 PM David Jones via MailScanner <
>> mailscanner at lists.mailscanner.info> wrote:
>>
>> DMARC and BAYES blocked that email.
>>
>>
>>
>> It would be interesting to get/see the details of the “DMARC_” rules on
>> the Zimbra server. Zimbra must have added DMARC support to Spamassassin.
>> I wonder if they used opendmarc with custom SA rules to read the opendmarc
>> headers.
>>
>>
>>
>> Same for LOCAL_MAILSCANNER_SPAM. I would like to see that rule. In a
>> Zimbra environment, you may want to use MailScanner to score only and not
>> block to utilize the built-in Zimbra spam/ham handling.
>>
>>
>>
>> *From: *MailScanner <mailscanner-bounces+djones=
>> ena.com at lists.mailscanner.info> on behalf of Thomas Stephen Lee <
>> lee.iitb at gmail.com>
>> *Reply-To: *MailScanner Discussion <mailscanner at lists.mailscanner.info>
>> *Date: *Saturday, November 2, 2019 at 4:12 AM
>> *To: *MailScanner Discussion <mailscanner at lists.mailscanner.info>
>> *Subject: *Re: MailScanner and Zimbra
>>
>>
>>
>> Hi All,
>>
>> Thank you very much for all the suggestions.
>> We will try out one by one.
>>
>> Given below is a partial output of a message Zimbra caught as spam.
>>
>>
>>
>> *----------------------------------------------------------------------------*
>>
>> Content analysis details: (16.2 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
>>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>>                             [score: 1.0000]
>>  0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>>                             [score: 1.0000]
>>  1.0 HK_RANDOM_REPLYTO      Reply-To username looks random
>>  4.1 LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM
>>  1.0 HK_RANDOM_FROM         From username looks random
>>  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
>>                             provider
>>                             (hulsingcrm6[at]aliyun.com)
>>  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
>>                             domains are different
>>  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
>>  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
>>                             (hulsingcrm6[at]aliyun.com)
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>  6.0 DMARC_FAIL_QUAR        DMARC validation failed and policy is
>>                             quarantine
>>  0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
>>                             freemail headers are different
>>  0.8 RDNS_NONE              Delivered to internal network by a host with
>>                             no rDNS
>>
>>
>> *----------------------------------------------------------------------------*
>>
>>
>> thanks
>>
>> ---
>> Thomas Stephen Lee
>>
>>
>>
>> On Fri, Nov 1, 2019 at 10:47 PM Mark Sapiro <mark at msapiro.net> wrote:
>>
>> On 11/1/19 6:05 AM, Shawn Iverson via MailScanner wrote:
>> > +1
>> >
>> > We need to put this on the MailScanner website as "Things you can do to
>> > enhance your MailScanner" :)
>>
>> +1
>>
>> The old web site used to have some tips. See
>> <https://web.archive.org/web/20150315051129/http://mailscanner.info/gettingthebest.html>.
>> Some of this is out of date, but we should have similar info on the
>> current web site.
>>
>>
>> --
>> Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
>> San Francisco Bay Area, California better use your sense - B. Dylan
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>
>>
>> --
>>
>> Shawn Iverson, CETL
>>
>> Rush County Schools
>>
>> iversons at rushville.k12.in.us
>>
>>
--
Shawn Iverson, CETL
Rush County Schools
iversons at rushville.k12.in.us
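
Added example (not part of the original thread, and not Zimbra's or MailScanner's code): a Python sketch of what the quoted 10_opendmarc.cf rules test for, counting an Authentication-Results value only when its leading authserv-id equals the local AuthservID. The header samples are constructed, `classify` is a hypothetical helper, and smtp.example.com is the placeholder AuthservID from the quoted opendmarc.conf.

```python
import re

# Assumption: same AuthservID as the opendmarc.conf quoted in the thread.
TRUSTED_AUTHSERV_ID = "smtp.example.com"

# The authserv-id must be the first token of the header value (an optional
# version number may follow it); the dmarc result may carry a
# "(p=<policy> ...)" comment.
_AR = re.compile(
    r"^\s*(?P<authserv>[^;\s]+)(?:\s+\d+)?\s*;.*?\bdmarc=(?P<result>[a-z]+)"
    r"(?:\s*\(p=(?P<policy>[a-z]+)[^)]*\))?",
    re.IGNORECASE | re.DOTALL,
)

def classify(ar_values, trusted=TRUSTED_AUTHSERV_ID):
    """Return the thread's rule names that apply to these header values."""
    hits = set()
    for value in ar_values:
        m = _AR.match(value)
        if not m or m.group("authserv").lower() != trusted.lower():
            continue  # not stamped by our own opendmarc, so not evidence
        result = m.group("result").lower()
        policy = (m.group("policy") or "").lower()
        if result == "pass":
            hits.add("DMARC_PASS")
        elif result == "none":
            hits.add("DMARC_NONE")
        elif result == "fail":
            hits.add("DMARC_FAIL")
            if policy == "reject":
                hits.add("DMARC_FAIL_REJECT")
    return hits

# Constructed sample header values (not taken from real mail).
LOCAL_FAIL = "smtp.example.com; dmarc=fail (p=reject dis=none) header.from=example.org"
LOCAL_PASS = "smtp.example.com; dmarc=pass (p=none dis=none) header.from=example.net"
FOREIGN_PASS = "relaysmtp.example.com; dmarc=pass header.from=example.org"

if __name__ == "__main__":
    print(sorted(classify([LOCAL_FAIL])))
    print(sorted(classify([LOCAL_PASS])))
    print(sorted(classify([FOREIGN_PASS, LOCAL_FAIL])))
```

An unanchored match on `smtp\.example\.com; dmarc=pass` would also match the relaysmtp.example.com sample, which is why the comparison here is on the whole authserv-id.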