Integrating Zimbra with an external e-mail security platform
SMTP is for spam, but occasionally people send legitimate email. It has been known to happen.
Zimbra is the leader in open source email and collaboration, with over 50 million paid-for mailboxes worldwide. It is the core technology we use to power our hosted email platform.
Pinpoint Securemail is our flagship e-mail security platform, with 6 years of R&D and innovation behind it, now processing over 400 million mails per month.
Integrating Zimbra with Pinpoint Securemail was required for several reasons, namely saving resources on our hosted email platform and providing better security and reporting for our customers.
Zimbra and Pinpoint Securemail are both built on a range of open source products, so the integration was easy to achieve. Here's what we did...
Zimbra modifications
Amavisd was set to listen on an additional port that does not perform spam or virus checks.
/opt/zimbra/conf/amavisd.conf.in
$inet_socket_port = [10024,10026]; # listen on this local TCP port(s) (see $protocol)
$interface_policy{'10026'} = 'MSCHKD'; # MailScanner checked: spam status already determined upstream
$policy_bank{'MSCHKD'} = {
  bypass_spam_checks_maps => [1],
  bypass_banned_checks_maps => [1],
  bypass_header_checks_maps => [1],
  remove_existing_x_scanned_headers => 0,
  remove_existing_spam_headers => 0,
  remove_existing_spam_headers_maps => [0],
};
Header checks in Postfix ensure that mail from Pinpoint is sent to Amavisd port 10026 if the "X-Spam-Flag" header is set.
/opt/zimbra/conf/postfix_header_checks.in
/^X-Spam-Flag: (YES|NO)/ FILTER smtp-amavis:[127.0.0.1]:10026
Modify Postfix to ensure we only accept mail if SMTP authentication is used or if the sending host is on our trusted network (Pinpoint).
Note: This will stop semi-intelligent spammers who think they can just add an "X-Spam-Flag" header to bypass our security checks.
/opt/zimbra/postfix/conf/master.cf.in
smtp inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Integration of the Zimbra "Junk" and "Not Junk" options to train the Pinpoint Securemail Bayesian database
/opt/zimbra/conf/salocal.cf.in
use_bayes 1
bayes_auto_expire 0
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:bayes:[hostname]
bayes_sql_username [username]
bayes_sql_password [password]
bayes_sql_override_username [username]
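The routing that the client restriction and the X-Spam-Flag header check above produce, modelled as an added example (not code from the original post). It assumes a simplified model in which header checks apply to every accepted message; the relay and network addresses are documentation ranges, and route() and audit() are hypothetical helpers. audit() lists messages that reached the bypass port without coming from the Pinpoint relay, which are the ones worth reviewing.

```python
import ipaddress
import re

# Header pattern from the Postfix header check, anchored to the start of the header line.
SPAM_FLAG = re.compile(r"^X-Spam-Flag: (YES|NO)", re.IGNORECASE | re.MULTILINE)

# Assumption: address range of the Pinpoint relay (documentation range, not a real host).
PINPOINT_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]
# Assumption: mynetworks also lists one other trusted network.
MYNETWORKS = PINPOINT_RELAYS + [ipaddress.ip_network("198.51.100.0/24")]

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def route(client_ip, sasl_user, headers):
    """Return 'reject', 10024 (full scan) or 10026 (bypass) for one message."""
    # smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    if not (in_nets(client_ip, MYNETWORKS) or sasl_user):
        return "reject"
    # In this model the header check runs on every accepted message, whoever sent it.
    return 10026 if SPAM_FLAG.search(headers) else 10024

def audit(messages):
    """Return ids of messages routed to the bypass port that did not come from Pinpoint."""
    return [m["id"] for m in messages
            if route(m["client"], m["sasl"], m["headers"]) == 10026
            and not in_nets(m["client"], PINPOINT_RELAYS)]

# Constructed sample records (not taken from any real log).
SAMPLE = [
    {"id": "A1", "client": "192.0.2.5", "sasl": None, "headers": "From: a@example.org\nX-Spam-Flag: NO\n"},
    {"id": "B2", "client": "203.0.113.9", "sasl": None, "headers": "X-Spam-Flag: NO\n"},
    {"id": "C3", "client": "203.0.113.20", "sasl": "user@domain.com", "headers": "Subject: hi\n"},
    {"id": "D4", "client": "198.51.100.7", "sasl": None, "headers": "X-Spam-Flag: YES\n"},
    {"id": "E5", "client": "203.0.113.20", "sasl": "user@domain.com", "headers": "X-Spam-Flag: NO\n"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["id"], route(m["client"], m["sasl"], m["headers"]))
    print("review:", audit(SAMPLE))
```

Where audit() returns anything, the usual remedy is to have the upstream hop strip or rewrite X-Spam-Flag on mail that did not pass through the Pinpoint relay.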
Pinpoint Securemail Modifications
Pinpoint uses MailScanner at the heart of the system, so making changes to add the headers required was simple.
We chose to use the "X-Spam-Flag" header after analyzing how Zimbra puts spam in the Junk folder.
non.spam.actions.rules
To: *@domain.com deliver header "X-Spam-Flag: NO"
spam.actions.rules
To: *@domain.com store deliver header "X-Spam-Flag: YES"
spam.high.actions.rules
To: *@domain.com store deliver header "X-Spam-Flag: YES"
Recap of what we have achieved
- No spam and virus checks performed locally on our Zimbra hosted email platform
- This resulted in reduced server resource utilization
- Tight integration with our users training spam and ham for the benefit of all Pinpoint Securemail customers
- Outbound e-mail is still scanned for spam and viruses
- If mail is received from another trusted network that is not Pinpoint, spam and virus scanning will occur
We hope the info above gives some insight on how to better integrate Zimbra with your favourite e-mail security platform. Let's STOP Spam.
Tags: Email Security, pinpoint securemail, zimbra