CentOS 7.x Configure or optimize new Zimbra installation

From Notes_Wiki
Revision as of 13:35, 19 March 2020 by Saurabh (talk | contribs)


Disable Skype-related com_zimbra_phone zimlet

The Skype zimlet is useful only for Skype-based calling. If Skype-based calling is not used, the zimlet can be disabled as follows:

  1. Go to configure -> Class of service
  2. Right click Default and choose edit
  3. Under Zimlets, disable com_zimbra_phone and click save.

Enable compression of email data

Enable compression of email data (adds to CPU usage) using:

  1. Go to configure -> Servers
  2. Right click on server and click edit
  3. Go to volumes.
  4. Choose the data volume (while avoiding compression of index volume) and click edit
  5. Enable checkmark for "Compress blobs" and click ok.


Configure Zimbra as a relay for other servers

Refer to CentOS 7.x Zimbra MTA configuration and use the command line, as the corresponding UI is buggy.


Configure Zimbra to log subjects in zimbra.log

It might make it easier to debug issues if subjects are also logged in zimbra.log. To achieve that use:

   su - zimbra
   echo '/^subject:/ WARN' > /opt/zimbra/conf/custom_header_check
   zmprov ms `hostname` zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks regexp:/opt/zimbra/conf/custom_header_check'
   zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
   zmmtactl restart 



Configure Zimbra to put authenticated username in Email headers

This is very useful for identifying which account is compromised when attackers are using a compromised account to send SPAM:

   zmprov mcf zimbraMtaSmtpdSaslAuthenticatedHeader yes
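
With this setting, Postfix writes "(Authenticated sender: login)" into the Received header it adds. The following is an added example, not part of the original page: it tallies that login across collected spam samples. The hostname mail.example.com, the addresses and the sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string

OUR_MTA = "mail.example.com"  # assumption: hostname of the Zimbra MTA
# Postfix stamps the SASL login as "(Authenticated sender: <login>)".
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)

def authenticated_sender(raw_message, our_mta=OUR_MTA):
    """Return the SASL login our_mta recorded for this message, or None.
    Received headers are prepended, so the topmost match is the one our own
    server wrote; anything below it arrived with the message and may be forged.
    """
    by_us = re.compile(r"\bby\s+" + re.escape(our_mta) + r"(?![\w.-])", re.I)
    for received in message_from_string(raw_message).get_all("Received", []):
        match = AUTH_RE.search(received)
        if match and by_us.search(received):
            return match.group(1).lower()
    return None

def tally(raw_messages, our_mta=OUR_MTA):
    """Count spam samples per authenticated login (None = no SASL login)."""
    return Counter(authenticated_sender(m, our_mta) for m in raw_messages)

def sample(login, from_addr, extra_headers=""):
    """Build a constructed spam sample as relayed by OUR_MTA."""
    auth = f"\n\t(Authenticated sender: {login})" if login else ""
    proto = "ESMTPSA" if login else "ESMTP"
    return (f"Received: from pc (unknown [203.0.113.7]){auth}\n"
            f"\tby {OUR_MTA} (Postfix) with {proto} id 4ABCD1234;\n"
            "\tThu, 19 Mar 2020 13:35:00 +0530 (IST)\n"
            f"{extra_headers}From: {from_addr}\nSubject: offer\n\nbody\n")

# Constructed header supplied by the client itself, naming another account.
FORGED = ("Received: from x (x [198.51.100.9])\n"
          "\t(Authenticated sender: ceo@example.com)\n"
          f"\tby {OUR_MTA} (Postfix) with ESMTPSA id 4FAKE;\n"
          "\tThu, 19 Mar 2020 13:30:00 +0530 (IST)\n")
SAMPLES = [
    sample("bob@example.com", "billing@bank.example"),
    sample("bob@example.com", "prize@lottery.example"),
    sample("Bob@example.com", "hr@example.com", extra_headers=FORGED),
    sample("alice@example.com", "alice@example.com"),
    sample(None, "outside@sender.example"),
]

if __name__ == "__main__":
    for login, count in tally(SAMPLES).most_common():
        print(f"{count:3d}  {login or '(no authenticated sender)'}")
```

The From address differs in every sample while the authenticated login does not, which is why the tally is keyed on the Received header rather than on From.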


Disable SSL connections from Proxy to upstream servers

Do not use this as is. It caused HTTPS access to the web UI to fail.

To disable proxy to upstream secure connections use:

   zmprov ms `hostname` zimbraReverseProxySSLToUpstreamEnabled FALSE
   zmproxyctl restart


Increase number of IMAP threads and connections

In case of considerable IMAP usage, it might make sense to do the following:

   zmprov ms `hostname` zimbraImapMaxConnections 500
   zmprov ms `hostname` zimbraImapNumThreads 500


Enable automatic anti-spam definitions update

Automatic download and update of anti-spam definitions is a useful feature. To enable it, use:

   zmlocalconfig -e antispam_enable_rule_updates=true
   zmlocalconfig -e antispam_enable_restarts=true
   zmlocalconfig -e antispam_enable_rule_compilation=true
   zmamavisdctl restart
   zmmtactl restart



Configure Zimbra to use various anti-spam blacklists

To configure Zimbra to use various anti-spam blacklists use:

  1. Go to Configure -> Global Settings -> MTA
  2. Add following as client RBLs
    • dsn.rfc-ignorant.org
    • dul.dnsbl.sorbs.net
    • sbl-xbl.spamhaus.org or zen.spamhaus.org
    • bl.spamcop.net
    • cbl.abuseat.org
    • ix.dnsbl.manitu.net
    • combined.rbl.msrbl.net
    • rabl.nuclearelephant.com
    • psbl.surriel.com
    • b.barracudacentral.org
  3. Add following as Client RHSBLs
    • dbl.spamhaus.org
  4. Add following as Reverse client RHSBLs
    • dbl.spamhaus.org
  5. Add following as Sender RHSBLs
    • dbl.spamhaus.org
  6. Use following command as zimbra user:
    zmmtactl restart

On the types of blacklists, note:

Client RBLs
This is an IP-based blacklist. When the client IP address is blacklisted, reject the email.
Client RHSBLs
Reject email when the client HELO or EHLO hostname is blacklisted.
Reverse client RHSBLs
Reject the email when the unverified reverse client hostname is blacklisted. Postfix will fetch the client hostname from the PTR record. If the hostname is blacklisted, reject the email.
Sender RHSBLs
Reject email when the MAIL FROM domain is blacklisted.

Some spammers use Google's mail servers, so reject_rhsbl_helo is ineffective, but most of them use their own domain names in the MAIL FROM address, so reject_rhsbl_sender will be effective.

If the issue is that the Zimbra server is being used to send SPAM from compromised internal accounts, refer to Prevent spam problem with Zimbra server.


Training Zimbra anti-spam engine

Zimbra server has built-in anti-spam and anti-virus engines. However, every user has the option of training the system by marking emails as SPAM or not-SPAM (also referred to as HAM).

To mark an email as SPAM, move it to the Junk folder. Avoid deleting SPAM emails by moving them to Trash. If SPAM emails are deleted, the system does not learn that the particular email was SPAM.

Similarly, look at the Junk folder regularly. Any useful email should be moved to Inbox. An email incorrectly marked as SPAM should be kept in Inbox at least overnight (preferably 48 hours) so that the nightly training job picks it up from Inbox. If an incorrectly marked SPAM (false-positive) email is moved from Junk to a folder other than Inbox (e.g. archives), training will not happen.

If all users do this often, the system's ability to detect SPAM will improve considerably.

For urgent cases where waiting for training is not possible, there is an option available after logging in to the web interface. Go to Preferences -> Mail -> Spam Mail Options. If you add anybody to either of the two lists (blacklist or whitelist), Zimbra respects that configuration for that specific account. Anybody added under "allow messages from" is able to send email to the corresponding account irrespective of spam/virus scoring. Similarly, anybody added under "block messages from" is always blocked.


