MailScanner and Zimbra

Thomas Stephen Lee lee.iitb at gmail.com
Tue Nov 5 07:52:48 UTC 2019


Thanks all.

---
Thomas Stephen Lee

On Mon, Nov 4, 2019 at 7:55 PM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> I can give the Zimbra folks a hand.  I will try to reach out to them.
> They definitely need to be adhering to DMARC specs.
>
> On Mon, Nov 4, 2019 at 1:55 AM Thomas Stephen Lee <lee.iitb at gmail.com>
> wrote:
>
>> Hi David,
>>
>> You can download and install Zimbra opensource edition from.
>>
>> https://www.zimbra.com/try/zimbra-collaboration-open-source/
>>
>> for free
>>
>> But we don't know how exactly to submit a bug report.
>>
>> There are forums and bugzilla.
>>
>> thanks
>>
>>
>> ---
>> Thomas Stephen Lee
>>
>> On Mon, Nov 4, 2019 at 7:00 AM David Jones <djones at ena.com> wrote:
>>
>>> Those Zimbra rules are better than nothing but they aren’t correct on
>>> lines 88, 93, and 98.  The DMARC specification says that DKIM should pass
>>> and align with the From: domain OR SPF should pass and align with the
>>> envelope-from domain.  Those rules at those lines say it’s an AND but it
>>> should be OR like
>>>
>>>
>>>
>>> (DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_*
>>>
>>>
>>>
>>> It’s not that critical since they are only subtracting a few points for
>>> the DMARC_PASS_* rules.  Then again, passing DMARC doesn’t have a direct
>>> relationship to spam and ham.  It only asserts the email was authentic
>>> (DKIM) or authorized (SPF).  You can take any of those DKIM_VALID_AU and
>>> SPF_PASS and create whitelist_auth entries which actually have value
>>> towards allowing/blocking.
>>>
>>>
>>>
>>> The best way to get DMARC support into SA is to install opendmarc and
>>> integrate it into your MTA (plenty of HOWTOs out there) and then add rules
>>> similar to these (adjust regex for your opendmarc.conf AuthservID setting):
>>>
>>>
>>>
>>> /etc/opendmarc.conf
>>>
>>> AuthservID = smtp.example.com
>>> RejectFailures true
>>> Socket inet:8893@localhost
>>> SoftwareHeader true
>>> SPFIgnoreResults true
>>> SPFSelfValidate true
>>>
>>>
>>>
>>>
>>>
>>> /etc/mail/spamassassin/10_opendmarc.cf
>>>
>>> header    DMARC_PASS  Authentication-Results =~ /smtp\.example\.com; dmarc=pass/
>>> describe  DMARC_PASS  DMARC check passed
>>> score     DMARC_PASS  -0.01
>>>
>>> header    DMARC_FAIL  Authentication-Results =~ /smtp\.example\.com; dmarc=fail/
>>> describe  DMARC_FAIL  DMARC check failed
>>> score     DMARC_FAIL  0.01
>>>
>>> header    DMARC_NONE  Authentication-Results =~ /smtp\.example\.com; dmarc=none/
>>> describe  DMARC_NONE  DMARC check neutral
>>> score     DMARC_NONE  0.01
>>>
>>> header    __DMARC_FAIL_REJECT  Authentication-Results =~ /smtp\.example\.com; dmarc=fail \(p=reject/
>>> meta      DMARC_FAIL_REJECT    __DMARC_FAIL_REJECT
>>> describe  DMARC_FAIL_REJECT    DMARC check failed and the sending domains says to reject this message
>>> score     DMARC_FAIL_REJECT    9.0
>>>
>>>
>>>
>>> Then create meta rules based off of the rules above or use MailScanner’s
>>> “SpamAssassin Rule Actions” for more precision.
>>>
>>>
>>>
>>> DMARC_PASS != ham and DMARC_FAIL != spam.  These should be used to make
>>> safe whitelist_auth entries.
>>>
>>>
>>>
>>>
>>>
>>> *From: *Thomas Stephen Lee <lee.iitb at gmail.com>
>>> *Date: *Sunday, November 3, 2019 at 9:10 AM
>>> *To: *MailScanner Discussion <mailscanner at lists.mailscanner.info>
>>> *Cc: *Shawn Iverson <iversons at rushville.k12.in.us>, David Jones <
>>> djones at ena.com>
>>> *Subject: *Re: MailScanner and Zimbra
>>>
>>>
>>>
>>> Hi All,
>>>
>>> The DMARC rules are in
>>>
>>> https://github.com/Zimbra/zm-mta/blob/develop/salocal.cf.in
>>>
>>> Sorry, Zimbra does not have a MailScanner rule.
>>> We added it extra.
>>>
>>> vim /opt/zimbra/data/spamassassin/localrules/sauser.cf
>>>
>>> -----------------
>>> header    LOCAL_MAILSCANNER_SPAM   X-Organization-MailScanner-SpamScore =~ /sssss/
>>> describe  LOCAL_MAILSCANNER_SPAM   MailScanner marked SPAM
>>> score     LOCAL_MAILSCANNER_SPAM   4.123
>>> -----------------
>>>
>>>
>>> thanks
>>>
>>> ---
>>>
>>> Thomas Stephen Lee
>>>
>>>
>>>
>>> On Sat, Nov 2, 2019 at 11:01 PM Shawn Iverson via MailScanner <
>>> mailscanner at lists.mailscanner.info> wrote:
>>>
>>> Following...
>>>
>>>
>>>
>>> Would love to see those rules as well. I like that Zimbra has a
>>> MailScanner rule!
>>>
>>>
>>>
>>> On Sat, Nov 2, 2019 at 1:25 PM David Jones via MailScanner <
>>> mailscanner at lists.mailscanner.info> wrote:
>>>
>>> DMARC and BAYES blocked that email.
>>>
>>>
>>>
>>> It would be interesting to get/see the details of the “DMARC_” rules on
>>> the Zimbra server.  Zimbra must have added DMARC support to Spamassassin.
>>> I wonder if they used opendmarc with custom SA rules to read the opendmarc
>>> headers.
>>>
>>>
>>>
>>> Same for LOCAL_MAILSCANNER_SPAM.  I would like to see that rule.  In a
>>> Zimbra environment, you may want to use MailScanner to score only and not
>>> block to utilize the built-in Zimbra spam/ham handling.
>>>
>>>
>>>
>>> *From: *MailScanner <mailscanner-bounces+djones=
>>> ena.com at lists.mailscanner.info> on behalf of Thomas Stephen Lee <
>>> lee.iitb at gmail.com>
>>> *Reply-To: *MailScanner Discussion <mailscanner at lists.mailscanner.info>
>>> *Date: *Saturday, November 2, 2019 at 4:12 AM
>>> *To: *MailScanner Discussion <mailscanner at lists.mailscanner.info>
>>> *Subject: *Re: MailScanner and Zimbra
>>>
>>>
>>>
>>> Hi All,
>>>
>>> Thank you very much for all the suggestions.
>>> We will try out one by one.
>>>
>>> Given below is a partial output of a message Zimbra caught as spam.
>>>
>>>
>>>
>>> *----------------------------------------------------------------------------*
>>>
>>> Content analysis details:   (16.2 points, 5.0 required)
>>>
>>>  pts rule name              description
>>> ---- ---------------------- --------------------------------------------------
>>> -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
>>>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>>>                             [score: 1.0000]
>>>  0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>>>                             [score: 1.0000]
>>>  1.0 HK_RANDOM_REPLYTO      Reply-To username looks random
>>>  4.1 LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM
>>>  1.0 HK_RANDOM_FROM         From username looks random
>>>  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
>>>                             (hulsingcrm6[at]aliyun.com)
>>>  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
>>>                             domains are different
>>>  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
>>>  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
>>>                             (hulsingcrm6[at]aliyun.com)
>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>>  6.0 DMARC_FAIL_QUAR        DMARC validation failed and policy is quarantine
>>>  0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
>>>                             freemail headers are different
>>>  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
>>>
>>>
>>> *----------------------------------------------------------------------------*
>>>
>>>
>>> thanks
>>>
>>> ---
>>> Thomas Stephen Lee
>>>
>>>
>>>
>>> On Fri, Nov 1, 2019 at 10:47 PM Mark Sapiro <mark at msapiro.net> wrote:
>>>
>>> On 11/1/19 6:05 AM, Shawn Iverson via MailScanner wrote:
>>> > +1
>>> >
>>> > We need to put this on the MailScanner website as "Things you can do to
>>> > enhance your MailScanner" :)
>>>
>>> +1
>>>
>>> The old web site used to have some tips. See
>>> <https://web.archive.org/web/20150315051129/http://mailscanner.info/gettingthebest.html>.
>>> Some of this is out of date, but we should have similar info on the
>>> current web site.
>>>
>>>
>>> --
>>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Shawn Iverson, CETL
>>>
>>> Rush County Schools
>>>
>>> iversons at rushville.k12.in.us
>>>
>>>
>
> --
> Shawn Iverson, CETL
> Rush County Schools
> iversons at rushville.k12.in.us
>
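
The OR-versus-AND point raised in the quoted thread, worked through as an added example (not code from the thread, Zimbra, SpamAssassin or opendmarc): it evaluates both readings over a few constructed messages to show where they disagree. The `Msg` fields, the sample messages and the simplified `aligned()` check are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Msg:                # hypothetical container for one message's results
    from_domain: str      # domain in the From: header
    spf_result: str       # SPF result for the envelope-from domain
    mailfrom_domain: str  # envelope-from (MAIL FROM) domain
    dkim_result: str      # DKIM signature verification result
    dkim_domain: str      # d= domain of that signature

def aligned(a: str, b: str) -> bool:
    # Assumption: simplified relaxed alignment (same domain or parent/child).
    # Production code compares organizational domains via the Public Suffix List.
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def spf_ok(m: Msg) -> bool:
    return m.spf_result == "pass" and aligned(m.mailfrom_domain, m.from_domain)

def dkim_ok(m: Msg) -> bool:
    return m.dkim_result == "pass" and aligned(m.dkim_domain, m.from_domain)

def dmarc_or(m: Msg) -> bool:   # one aligned mechanism is enough
    return spf_ok(m) or dkim_ok(m)

def dmarc_and(m: Msg) -> bool:  # the stricter reading criticised in the thread
    return spf_ok(m) and dkim_ok(m)

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "direct":        Msg("example.com", "pass", "bounce.example.com", "pass", "example.com"),
    "forwarded":     Msg("example.com", "fail", "example.com", "pass", "example.com"),
    "spf_only":      Msg("example.com", "pass", "example.com", "none", ""),
    "unaligned_spf": Msg("example.com", "pass", "mailer.invalid", "none", ""),
}

def compare() -> dict:
    """Return {name: (or_result, and_result)} for every sample."""
    return {name: (dmarc_or(m), dmarc_and(m)) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (o, a) in compare().items():
        print(f"{name:14} OR={'pass' if o else 'fail'}  AND={'pass' if a else 'fail'}")
```

The `forwarded` and `spf_only` rows are the ones an AND rule fails to credit; `unaligned_spf` shows that an SPF pass for an unrelated envelope domain does not count toward DMARC under either reading.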