
Archive for the ‘Mail Server’ Category

Add custom SMTP Port on Zimbra

05 Aug

Some of our clients are blocked by their ISP from connecting to TCP port 25. To give them access to our Zimbra server for sending email, I opened another SMTP listener on TCP port 587. Here’s what you will need to do.

Edit master.cf.in inside /opt/zimbra/postfix/conf/. You will see a config line like the one below:

smtp      inet  n       -       n       -       -       smtpd

Under that line, add the following config.

587      inet  n       -       n       -       -       smtpd

Done. You can now set up your mail client to use your Zimbra server on the custom port 587 instead of the standard port 25. Port 25 will still be accessible, so technically you can use either.
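
The line added above gives port 587 the same smtpd settings as port 25. Since 587 is the conventional mail submission port and is meant for clients connecting from outside networks, a common hardening is to require STARTTLS and SMTP AUTH on it. The variant below is an added example, not part of the original post; it uses standard Postfix -o overrides and assumes SASL authentication and a TLS certificate are already working on the server.

```conf
# Added example: port 587 listener that only accepts authenticated clients.
# Continuation lines must begin with whitespace.
587      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```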

 

Integrate Zimbra With Amazon SES

04 Aug

I’ve been working on integrating Zimbra with Amazon SES for the last two weeks. I finally finished that task today (yay!). Some of you may need to do the same thing, so I will try to write down what I did to accomplish this. Note that this might not be best practice, but it has been tested to work.

Before you start, you will need the Amazon SES API scripts, which you can download here. In this example, I extracted the package and put it in /opt/SES. You will also need to install the required Perl modules to be able to use it, so first make sure the script works by sending a test email manually using the Amazon SES script.

After the SES script is ready, there are a few configuration files in Zimbra we need to change: master.cf.in and main.cf inside /opt/zimbra/postfix/conf/, and localconfig.xml inside /opt/zimbra/conf/.

First, master.cf.in. Add these lines at the end of the file.

aws-email unix - n n - - pipe
    flags=R user=hana argv=/opt/ses/ses-send-email.pl -r -k /opt/ses/aws-credentials.txt -e https://email.us-east-1.amazonaws.com -f ${sender} ${recipient}

Please notice the empty space at the beginning of the second line. You need to have that space or you will get a config error on restart. You can just copy paste those two lines to be safe.

Secondly, edit main.cf and add this line at the end.

sender_dependent_default_transport_maps = regexp:/opt/zimbra/conf/sdd_transport_maps.regexp

Now you will need to edit localconfig.xml so you won’t lose the option added to main.cf above when Zimbra restarts. Add this to localconfig.xml.

regexp:/opt/zimbra/conf/sdd_transport_maps.regexp

Now, the last thing you need to do is create the file /opt/zimbra/conf/sdd_transport_maps.regexp. As you should know, SES only accepts email from registered senders, so you need to register all of the email addresses you plan to send from via SES. We want every sender that is registered with SES to send via SES, and the rest to be sent via normal SMTP. To do that, Zimbra needs to know which addresses are supposed to be routed to SES and which aren’t, so we list all the registered addresses inside this file (sdd_transport_maps.regexp).

The format of the file is like the example below:

/^hana@evilangelist\.com$/ aws-email:
/^admin@evilangelist\.com$/ aws-email:

The first part of each line is the registered email address written as a regular expression, and the second part is the route it is supposed to be sent to; in this example, the “aws-email” route which we configured inside master.cf.in.
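
Because the map is a regexp table, an entry that is unanchored or leaves the dot unescaped also matches addresses that were never registered with SES. The following added example (not part of the original post) generates anchored, escaped entries from a plain address list and emulates the lookup; the function names are hypothetical and the aws-email: transport name is the one from master.cf.in above.

```shell
#!/bin/sh
# Added example: build sdd_transport_maps.regexp entries from plain addresses.
# TRANSPORT is the service name defined in master.cf.in on this page.
TRANSPORT="aws-email:"

# Read one address per line on stdin; print one anchored, escaped map line each.
# Blank lines and '#' comments are skipped; malformed addresses go to stderr.
make_sdd_map() {
    while IFS= read -r addr; do
        case "$addr" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$addr" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+$' ||
            { echo "skipped: $addr" >&2; continue; }
        # Escape every POSIX regex metacharacter and the '/' pattern delimiter.
        esc=$(printf '%s\n' "$addr" | sed 's#[][\\.*^$+?(){}|/]#\\&#g')
        printf '/^%s$/ %s\n' "$esc" "$TRANSPORT"
    done
}

# Emulate the table lookup for one sender: print the transport of the first
# matching line (regexp tables match case-insensitively), or return 1.
lookup_sender() {   # usage: lookup_sender <sender> <map-file>
    while IFS= read -r line; do
        pat=${line#/}        # drop the opening delimiter
        pat=${pat%/ *}       # drop the closing delimiter and the transport
        if printf '%s\n' "$1" | grep -Eiq -- "$pat"; then
            printf '%s\n' "${line##*/ }"
            return 0
        fi
    done < "$2"
    return 1
}
```

On the server, postmap -q hana@evilangelist.com regexp:/opt/zimbra/conf/sdd_transport_maps.regexp performs the real lookup against the installed file.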

Okay, now you’re all set. Restart Zimbra and try sending email from an address registered with SES. Zimbra will invoke the SES script to send it through Amazon SES, while mail from addresses that are not registered will be sent via normal SMTP.

Note: Tested with Zimbra 7.1.1 RHEL5 64-bit version running on 64-bit CentOS 5.6

 

Improving Zimbra Spam Filter

30 Jun

The built-in Zimbra anti-spam system is quite a neat bundle of Amavisd-new, SpamAssassin and ClamAV with some fancy automated ham/spam training based on messages being moved in and out of a “Junk” mailbox under each user’s account, but it lacks a few nice-to-have extra features. Luckily, it’s quite easy to enhance the Zimbra Amavisd and SpamAssassin with new plugins such as DCC, Pyzor and Razor as well as enabling SPF record checking and turning on DSPAM.

Zimbra includes DSPAM as well, but doesn’t use it by default. You can change this quite simply by updating the Zimbra LDAP configuration with the following:
zmlocalconfig -e amavis_dspam_enabled=true

I’d recommend upgrading to 6.0.5 if you are going to use DSPAM as there are annoying bugs in earlier versions such as needing to chown the DSPAM folder as zmfixperms used to set the permissions incorrectly. There is also an updated version of DSPAM in Zimbra 6.0.5.
The beauty of DSPAM with Zimbra is that the zmtrainsa utility run nightly on the spam/ham mailboxes also trains DSPAM from the same messages.

Now I’m presuming that you don’t already have the RPMforge (formerly Dag Wieers) and Atomic Rocket Turtle yum repositories installed on your Zimbra server and that you’re using CentOS/Red Hat like I am. We will install these two repositories but restrict them to only provide the packages that we are interested in so that they don’t clash with each other or the base vendor repositories.

wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm

Now you need to edit /etc/yum.repos.d/rpmforge.repo to add the line includepkgs=perl-Error perl-NetAddr-IP perl-version perl-Mail-SPF, as well as /etc/yum.repos.d/atomic.repo to have includepkgs=dcc pyzor razor-agents under the [atomic] section.
Now the packages we need are available through a normal yum install:

yum install dcc pyzor razor-agents perl-Mail-SPF

Now we just need to create a custom SpamAssassin configuration file to tweak the settings for the plugins that we just installed. To do this, go to /opt/zimbra/conf/spamassassin/ and create a new .cf file with the following:

loadplugin Mail::SpamAssassin::Plugin::DCC
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score DCC_CHECK 4.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500

The Zimbra SpamAssassin configurations already load the Pyzor and Razor plugins if present, but don’t load DCC by default (even if it is present) as it isn’t open source. Rather than edit files that Zimbra will then reset on an upgrade, we create a new .cf file that does this as well as setting the scores given by DCC, Pyzor, Razor and SPF. You might want to tweak these depending on how much you trust each service/test or you might want to skip these lines altogether and leave the scores set as the SpamAssassin defaults.
Remember to chown the file to zimbra:zimbra and chmod it to 0444 to be in line with the other SpamAssassin .cf configuration files.

The last thing that you need to do is restart the Zimbra MTA and Amavisd-new so that it loads the new configuration.

su - zimbra
zmantispamctl reload

If you want to test your new SpamAssassin setup, run the following (test and debug mode) on the GTUBE sample provided by SpamAssassin:

wget http://spamassassin.apache.org/gtube/gtube.txt
/opt/zimbra/zimbramon/bin/spamassassin -D -t < gtube.txt

Like the EICAR signature for anti-virus scanners, GTUBE is a signature for anti-spam systems that will always show as spam so you can easily test your anti-spam setup. Among others, you should see RAZOR2_CHECK, PYZOR_CHECK and DCC_CHECK flagged with their appropriate scores if everything is working properly.
You will need to test DSPAM in the same way as you would with SpamAssassin’s bayesian filtering as well as checking SPF failures manually by sending a message from a server not designated in the SPF records.

Source : http://new.spheron1.co.uk/2010/04/11/zimbra-anti-spam-improvements/