Improve email Zimbra protection with Spamhaus HBL

In this article you will learn how to use the Spamhaus Hash Blocklist (HBL) to improve email protection in Zimbra. For a long time, Zimbra administrators have relied on Spamhaus to fight incoming spam by configuring Postfix with traditional blocklists. These traditional blocklists work by blocking the IP addresses (or ranges) and domains of known spammers.

When an email is sent from a free email provider such as Gmail, Hotmail or Protonmail, it is not always possible to list the sending IP or domain on a blocklist, as this would affect many other legitimate users. By using hashes, Spamhaus can list specific compromised email addresses that are sending spam or otherwise malicious content.

Spamhaus Hash Blocklist (HBL) integrates with SpamAssassin, which is available by default in Zimbra. If you are not using SpamAssassin, you can also set up HBL using a Milter; see: https://wiki.zimbra.com/wiki/Spamhaus_HBL_Milter

Step one: get a DQS account

To be able to use Spamhaus HBL you need to register for a DQS account and get a commercial subscription.

Setting up Zimbra

cd /tmp
git clone https://github.com/spamhaus/spamassassin-dqs
cd spamassassin-dqs
cd 3.4.1+

Next, configure your DQS key. Assuming your key is aip7yig6sahg6ehsohn5shco3z, execute the following commands:

sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' sh.cf
sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' sh_hbl.cf

Next, make sure your DQS key is HBL enabled. If it is not, do not continue, as SpamAssassin may then block legitimate email. Assuming the example key aip7yig6sahg6ehsohn5shco3z is DQS enabled, run the script; the output will confirm whether your key is HBL enabled:

./hbltest.sh
    Please input your DQS key: aip7yig6sahg6ehsohn5shco3z
    Looking up test record for HBL... done
    Your DQS key aip7yig6sahg6ehsohn5shco3z is enabled for HBL
    You can copy sh_hbl.cf and sh_hbl_scores.cf if you want HBL enabled

To set up SpamAssassin in Zimbra, run the following commands:

sed -i 's|<config_directory>|/opt/zimbra/data/spamassassin/localrules|g' sh.pre

cp SH.pm /opt/zimbra/data/spamassassin/localrules
cp sh.cf /opt/zimbra/data/spamassassin/localrules
cp sh_scores.cf /opt/zimbra/data/spamassassin/localrules
cp sh_hbl.cf /opt/zimbra/data/spamassassin/localrules
cp sh_hbl_scores.cf /opt/zimbra/data/spamassassin/localrules
cp sh.pre /opt/zimbra/data/spamassassin/localrules

sudo su - zimbra
zmamavisdctl restart

Confirming the installation

You can run SpamAssassin with the lint option to make sure no errors are in the configuration:

su zimbra -c "/opt/zimbra/common/bin/spamassassin --lint"

In the logs you can look for SH.pm. If it is listed, the installation is correct. Example:

grep -i plugin /var/log/zimbra.log

# Here SH.pm is not listed, meaning not installed
Dec 12 10:01:56 dqstest amavis[26103]: extra modules loaded after daemonizing/chrooting: /etc/perl/Net/libnet.cfg, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, IO/Socket/SSL.pm, IO/Socket/SSL/PublicSuffix.pm, Mail/SpamAssassin/Plugin/FreeMail.pm, Mail/SpamAssassin/Plugin/SpamCop.pm, Net/Cmd.pm, Net/Config.pm, Net/SMTP.pm, Net/SSLeay.pm

# Here SH.pm is listed, meaning installation is completed
Dec 12 12:04:08 dqstest amavis[120645]: extra modules loaded after daemonizing/chrooting: /etc/perl/Net/libnet.cfg, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, /opt/zimbra/data/spamassassin/localrules/SH.pm, IO/Socket/SSL.pm, IO/Socket/SSL/PublicSuffix.pm, Mail/SpamAssassin/Plugin/FreeMail.pm, Mail/SpamAssassin/Plugin/SpamCop.pm, Net/Cmd.pm, Net/Config.pm, Net/SMTP.pm, Net/SSLeay.pm
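The two checks above as a script (an added example, not part of the original article or of the spamassassin-dqs project): it looks only at the newest amavis module-load line, and it also flags a rule file that still carries the your_DQS_key placeholder. The function names and the shortened sample data are constructed for illustration.

```shell
#!/bin/sh
# Post-install checks for the Spamhaus DQS plugin (added example).

# True if sh.cf or sh_hbl.cf in DIR still holds the literal placeholder,
# meaning the sed step was skipped for that file.
placeholder_left() {
    grep -l 'your_DQS_key' "$1/sh.cf" "$1/sh_hbl.cf" 2>/dev/null | grep -q .
}

# True if the newest amavis module-load line in LOG lists SH.pm.
# Only the last line counts: earlier restarts may predate the install
# (or an uninstall), so a plain grep over the whole log can mislead.
sh_plugin_loaded() {
    last=$(grep 'extra modules loaded after daemonizing/chrooting' "$1" 2>/dev/null | tail -n 1)
    case $last in
        */SH.pm,*|*/SH.pm) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data: shortened log lines and fake rule files.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/zimbra.log" <<'EOF'
Dec 12 10:01:56 dqstest amavis[26103]: extra modules loaded after daemonizing/chrooting: IO/Socket/SSL.pm, Mail/SpamAssassin/Plugin/FreeMail.pm, Net/SMTP.pm
Dec 12 12:04:08 dqstest amavis[120645]: extra modules loaded after daemonizing/chrooting: /opt/zimbra/data/spamassassin/localrules/SH.pm, IO/Socket/SSL.pm, Net/SMTP.pm
EOF
head -n 1 "$demo/zimbra.log" > "$demo/before.log"   # log as it looked before the install
echo 'constructed line: your_DQS_key' > "$demo/sh.cf"
echo 'constructed line: key replaced' > "$demo/sh_hbl.cf"

if sh_plugin_loaded "$demo/zimbra.log"; then echo "SH.pm loaded"; else echo "SH.pm NOT loaded"; fi
if placeholder_left "$demo"; then echo "placeholder your_DQS_key still present"; fi
```

On a Zimbra host, point the functions at /var/log/zimbra.log and /opt/zimbra/data/spamassassin/localrules instead of the sample directory.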

Uninstalling

To remove the Spamhaus HBL from SpamAssassin follow these steps:

rm -f /opt/zimbra/data/spamassassin/localrules/SH.pm
rm -f /opt/zimbra/data/spamassassin/localrules/sh.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh_scores.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh_hbl.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh_hbl_scores.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh.pre

sudo su - zimbra
zmamavisdctl restart


2 Responses to Improve email Zimbra protection with Spamhaus HBL

  1. Rainer February 28, 2023 at 12:41 AM #

    Hi,

    for the install, one has to actually descend into the 3.4.1+ subdirectory (after cloning the repo – SA 4.0 has recently been released)

    Also, how do I disable this again, if I only run it as a trial?

    Otherwise, a great tutorial. This is why I really like Zimbra – the documentation, community and the general information provided has become really good in the last years.

    I really hope you can continue doing this.

    • Barry de Graaff March 7, 2023 at 4:44 AM #

      Hello Rainer,

      Thanks for your feedback, I have added uninstall steps to the blog and added the descent into the 3.4.1+ subdirectory as well.

Copyright © 2022 Zimbra, Inc. All rights reserved.
