Difference between revisions of "CentOS 7.x Configure or optimize new Zimbra installation"

From Notes_Wiki
* https://www.linuxbabe.com/mail-server/block-email-spam-postfix

Revision as of 16:55, 15 March 2019


CentOS 7.x Configure or optimize new Zimbra installation

Disable Skype-related com_zimbra_phone zimlet

The Skype zimlet is useful only for Skype-based calling. If Skype-based calling is not used, it can be disabled using:

  1. Go to configure -> Class of service
  2. Right click Default and choose edit
  3. Under Zimlets, disable com_zimbra_phone and click save.

Enable compression of email data

Enable compression of email data (adds to CPU usage) using:

  1. Go to configure -> Servers
  2. Right click on server and click edit
  3. Go to volumes.
  4. Choose the data volume (while avoiding compression of index volume) and click edit
  5. Enable checkmark for "Compress blobs" and click ok.

Configure Zimbra as relay for other servers

Refer to CentOS 7.x Zimbra MTA configuration and use the command line, as the corresponding UI is buggy.

Configure Zimbra to log subjects in zimbra.log

It might make it easier to debug issues if subjects are also logged in zimbra.log. To achieve that use:

   su - zimbra
   echo '/^subject:/ WARN' > /opt/zimbra/conf/custom_header_check
   zmprov ms `hostname` zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks regexp:/opt/zimbra/conf/custom_header_check'
   zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
   zmmtactl restart 


Disable SSL connections from Proxy to upstream servers

Do not use this as it is. This caused HTTPS access to the web UI to fail.

To disable proxy to upstream secure connections use:

   zmprov ms `hostname` zimbraReverseProxySSLToUpstreamEnabled FALSE
   zmproxyctl restart

Increase number of IMAP threads and connections

In case of considerable IMAP usage, it might make sense to do the following:

   zmprov ms `hostname` zimbraImapMaxConnections 500
   zmprov ms `hostname` zimbraImapNumThreads 500

Enable automatic anti-spam definitions update

It is a useful feature to have automatic definition download and update. To enable it use:

   zmlocalconfig -e antispam_enable_rule_updates=true
   zmlocalconfig -e antispam_enable_restarts=true
   zmlocalconfig -e antispam_enable_rule_compilation=true
   zmamavisdctl restart
   zmmtactl restart


Configure Zimbra to use various anti-spam blacklists

To configure Zimbra to use various anti-spam blacklists use:

  1. Go to Configure -> Global Settings -> MTA
  2. Add following as client RBLs
    • dsn.rfc-ignorant.org
    • dul.dnsbl.sorbs.net
    • sbl-xbl.spamhaus.org or zen.spamhaus.org
    • bl.spamcop.net
    • cbl.abuseat.org
    • ix.dnsbl.manitu.net
    • combined.rbl.msrbl.net
    • rabl.nuclearelephant.com
    • psbl.surriel.com
    • b.barracudacentral.org
  3. Add following as Client RHSBLs
    • dbl.spamhaus.org
  4. Add following as Reverse client RHSBLs
    • dbl.spamhaus.org
  5. Add following as Sender RHSBLs
    • dbl.spamhaus.org
  6. Use following command as zimbra user:
    zmmtactl restart

On types of blacklists note:

Client RBLs
This is an IP-based blacklist. When the client IP address is blacklisted, reject the email.
Client RHSBLs
Reject email when the client HELO or EHLO hostname is blacklisted.
Reverse client RHSBLs
Reject the email when the unverified reverse client hostname is blacklisted. Postfix will fetch the client hostname from the PTR record. If the hostname is blacklisted, reject the email.
Sender RHSBLs
Reject email when the MAIL FROM domain is blacklisted.

Some spammers use Google’s mail server, so reject_rhsbl_helo is ineffective, but most of them use their own domain names in the MAIL FROM header, so reject_rhsbl_sender will be effective.
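A client RBL zone that has been retired, or that refuses queries from the resolver the MTA uses, either filters nothing or matches every client. The script below is an added example, not part of the original notes: it checks a zone against the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) before the zone is added. The function names and the script name `check_rbl.sh` are hypothetical, and `dig` is assumed to be installed.

```sh
#!/bin/sh
# Added example (constructed): health-check DNSBL zones before using them
# as Zimbra client RBLs. Function names here are hypothetical.

# Resolver: prints A records for a name, nothing on NXDOMAIN. Needs dig.
dig_a() { dig +short A "$1"; }
RESOLVE=${RESOLVE:-dig_a}   # override to test without network access

# Query name for an IP-based list: reversed octets followed by the zone.
rbl_qname() {
    q_ip=$1; q_zone=$2
    old_ifs=$IFS; IFS=.
    set -- $q_ip
    IFS=$old_ifs
    echo "$4.$3.$2.$1.$q_zone"
}

# RFC 5782: an IPv4 list must list 127.0.0.2 and must not list 127.0.0.1.
# Prints one of: ok | dead | lists-everything | refused
check_rbl_zone() {
    test_ans=$($RESOLVE "$(rbl_qname 127.0.0.2 "$1")")
    ctrl_ans=$($RESOLVE "$(rbl_qname 127.0.0.1 "$1")")
    case "$test_ans" in
        # 127.255.255.x is Spamhaus's error range (e.g. public resolver used)
        *127.255.255.*) echo refused; return 0 ;;
    esac
    if [ -n "$ctrl_ans" ]; then
        echo lists-everything   # would reject every client
    elif [ -z "$test_ans" ]; then
        echo dead               # zone gone or unreachable: filters nothing
    else
        echo ok
    fi
}

# Live run only when requested: sh check_rbl.sh --check zone [zone...]
if [ "${1:-}" = "--check" ]; then
    shift
    for z in "$@"; do
        printf '%-28s %s\n' "$z" "$(check_rbl_zone "$z")"
    done
fi
```

Run it on the Zimbra host itself so the queries go through the same DNS resolver the MTA uses; only zones reported as `ok` are worth adding as client RBLs.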


If the issue is related to the Zimbra server being used to send spam from compromised internal accounts, refer to Prevent spam problem with Zimbra server.

