CentOS 7.x Configure or optimize new Zimbra installation
Skype zimlet is useful only for skype based calling. If skype based calling is not used it can be disabled using:
- Go to configure -> Class of service
- Right click Default and choose edit
- Under Zimlets, disable com_zimbra_phone and click save.
Enable compression of email data
Enable compression of email data (adds to CPU usage) using:
- Go to configure -> Servers
- Right click on server and click edit
- Go to volumes.
- Choose the data volume (while avoiding compression of index volume) and click edit
- Enable checkmark for "Compress blobs" and click ok.
Configure Zimbra for relay for another servers
Refer CentOS 7.x Zimbra MTA configuration and use command-line as corresponding UI is buggy.
Configure Zimbra to log subjects in zimbra.log
It might make it easier to debug issues if subjects are also logged in zimbra.log. To achieve that use:
su - zimbra echo '/^subject:/ WARN' > /opt/zimbra/conf/custom_header_check zmprov ms `zmhostname` zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks regexp:/opt/zimbra/conf/custom_header_check' zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE zmmtactl restart
Configure Zimbra to put authenticated username in Email headers
This can be very useful to detect which account is compromised, if compromised account is being used by attackers to send SPAM:
zmprov mcf zimbraMtaSmtpdSaslAuthenticatedHeader yes
Disable SSL connections from Proxy to upstream servers
Do not use this as it is. This caused https access to webUI to fail.
To disable proxy to upstream secure connections use:
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE zmproxyctl restart
Increase number of IMAP threads and connections
In case of considerable IMAP usage, it might make sense to do the following:
zmprov ms `zmhostname` zimbraImapMaxConnections 500 zmprov ms `zmhostname` zimbraImapNumThreads 500
Enable automatic anti-spam definitions update
It is useful feature to have automatic definition download and update. To enable it use:
zmlocalconfig -e antispam_enable_rule_updates=true zmlocalconfig -e antispam_enable_restarts=true zmlocalconfig -e antispam_enable_rule_compilation=true zmamavisdctl restart zmmtactl restart
Configure Zimbra to use various anti-spam blacklists
To configure Zimbra to use various anti-spam blacklists use:
- Go to Configure -> Global Settings -> MTA
- Instead of using Client RBLs refer CentOS 8.x Zimbra Configure spamassasin email score based on client RBL
- Add following as Client RHSBLs
- Add following as Reverse client RHSBLs
- Add following as Sender RHSBLs
- Use following command as zimbra user:
- zmmtactl restart
On types of blacklists note:
- Client RBLs
- This is an IP-based blacklist. When the client IP address is backlisted, reject the email.
- Client RHSBLs
- Reject email when the client HELO or EHLO hostname is blacklisted.
- Reverse client RHSBLs
- Reject the email when the unverified reverse client hostname is blacklisted. Postfix will fetch the client hostname from PTR record. If the hostname is blacklisted, reject the email.
- Sender RHSBLs
- : Reject email when the MAIL FROM domain is blacklisted.
Some spammers use Google’s mail server, so reject_rhsbl_helo is ineffective, but most of them use their own domain names in the MAIL FROM header, so reject_rhsbl_sender will be effective.
If issue is related to Zimbra server being used to send SPAM from compromised internal accounts then refer Prevent spam problem with Zimbra server
Training Zimbra anti-spam engine
Zimbra server has in-built anti-spam and anti-virus engines. However, every user has option of training the system by marking emails as SPAM or not-SPAM (also referred as HAM).
To indicate an email as SPAM move it to Junk folder. Avoid deleting SPAM emails by moving them to Trash. If SPAM emails are deleted then system does not learns that particular email was SPAM.
Similarly look at Junk folder regularly. Any useful email should be moved to Inbox. Email incorrectly marked as SPAM should be keet in inbox at least overnight (preferably 48 hours) so that nightly training job picks up the email incorrectly marked as SPAM from inbox. If incorrectly marked SPAM (false-positive) email is moved from Junk to folder other than Inbox (eg archives) then training will not happen.
If all users do this quite often then the systems ability to detect SPAM would improve considerably.
For urgent cases where waiting for training is not possible, there is a option available after logging into web interface. Go to Preferences -> Mail -> Spam Mail Options. If you add anybody in any of the two lists (blacklist or whitelist), then Zimbra respects that configuration for that specific account. Anybody added in allow messages from would be able to send email to corresponding account irrespective of spam/virus scoring. Similarly anybody added in block messages from would be definitely blocked.