In this article you will learn how to use the Spamhaus Hash Blocklist (HBL) to improve email protection in Zimbra. For a long time, Zimbra administrators have relied on Spamhaus to fight incoming spam by configuring Postfix with traditional blocklists. These traditional blocklists work by blocking the IP addresses (or ranges) and domains of known spammers.
When an email is sent from a free email provider such as Gmail, Hotmail or Protonmail, it is not always possible to list the sending IP or domain on a blocklist, as this would affect many other legitimate users. By using hashes, Spamhaus can list specific, compromised email addresses that are sending spam or otherwise malicious content.
Spamhaus Hash Blocklist (HBL) integrates with SpamAssassin, which is available by default in Zimbra. If you are not using SpamAssassin, you can also set up HBL using a Milter, see: https://wiki.zimbra.com/wiki/Spamhaus_HBL_Milter
Step one: get a DQS account
To be able to use Spamhaus HBL you need to register for a DQS account and get a commercial subscription.
Setting up Zimbra
cd /tmp
git clone https://github.com/spamhaus/spamassassin-dqs
cd spamassassin-dqs
cd 3.4.1+
Next, configure your DQS key. Assuming your key is aip7yig6sahg6ehsohn5shco3z, execute the following commands:
sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' sh.cf
sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' sh_hbl.cf
Next, make sure your DQS key is HBL enabled. If it is not, do not continue, because SpamAssassin may then block legitimate email. Assuming the example key aip7yig6sahg6ehsohn5shco3z is DQS enabled, run the script and the output will confirm whether your key is HBL enabled:
./hbltest.sh
Please input your DQS key: aip7yig6sahg6ehsohn5shco3z
Looking up test record for HBL... done
Your DQS key aip7yig6sahg6ehsohn5shco3z is enabled for HBL
You can copy sh_hbl.cf and sh_hbl_scores.cf if you want HBL enabled
To set up SpamAssassin in Zimbra you can run the following commands:
sed -i 's|<config_directory>|/opt/zimbra/data/spamassassin/localrules|g' sh.pre
cp SH.pm /opt/zimbra/data/spamassassin/localrules
cp sh.cf /opt/zimbra/data/spamassassin/localrules
cp sh_scores.cf /opt/zimbra/data/spamassassin/localrules
cp sh_hbl.cf /opt/zimbra/data/spamassassin/localrules
cp sh_hbl_scores.cf /opt/zimbra/data/spamassassin/localrules
cp sh.pre /opt/zimbra/data/spamassassin/localrules
sudo su - zimbra
zmamavisdctl restart
Confirming the installation
You can run SpamAssassin with the lint option to make sure no errors are in the configuration:
su zimbra -c "/opt/zimbra/common/bin/spamassassin --lint"
In the logs you can look for SH.pm. If it is listed, the installation is correct. Example:
cat /var/log/zimbra.log | grep -i plugin
# Here SH.pm is not listed, meaning not installed
Dec 12 10:01:56 dqstest amavis: extra modules loaded after daemonizing/chrooting: /etc/perl/Net/libnet.cfg, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, IO/Socket/SSL.pm, IO/Socket/SSL/PublicSuffix.pm, Mail/SpamAssassin/Plugin/FreeMail.pm, Mail/SpamAssassin/Plugin/SpamCop.pm, Net/Cmd.pm, Net/Config.pm, Net/SMTP.pm, Net/SSLeay.pm
# Here SH.pm is listed, meaning installation is completed
Dec 12 12:04:08 dqstest amavis: extra modules loaded after daemonizing/chrooting: /etc/perl/Net/libnet.cfg, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, /opt/zimbra/data/spamassassin/localrules/SH.pm, IO/Socket/SSL.pm, IO/Socket/SSL/PublicSuffix.pm, Mail/SpamAssassin/Plugin/FreeMail.pm, Mail/SpamAssassin/Plugin/SpamCop.pm, Net/Cmd.pm, Net/Config.pm, Net/SMTP.pm, Net/SSLeay.pm
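The checks from this section and the setup steps combined into one script, as an added example that is not part of the original article or of the spamassassin-dqs repository. The function names and the RULES_DIR and ZIMBRA_LOG variables are assumptions made here; the file names, placeholders and default paths are the ones used above.

```shell
#!/bin/sh
# Added example, not part of spamassassin-dqs. Default paths are this article's.
RULES_DIR="${RULES_DIR:-/opt/zimbra/data/spamassassin/localrules}"
ZIMBRA_LOG="${ZIMBRA_LOG:-/var/log/zimbra.log}"

# check_files DIR: every file the article copies must exist in DIR.
check_files() {
    missing=0
    for f in SH.pm sh.cf sh_scores.cf sh_hbl.cf sh_hbl_scores.cf sh.pre; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f"; missing=1; }
    done
    return "$missing"
}

# check_placeholders DIR: the sed steps must have replaced both placeholders.
check_placeholders() {
    bad=0
    for f in sh.cf sh_hbl.cf; do
        if grep -q 'your_DQS_key' "$1/$f" 2>/dev/null; then
            echo "your_DQS_key placeholder still in $1/$f"; bad=1
        fi
    done
    if grep -q '<config_directory>' "$1/sh.pre" 2>/dev/null; then
        echo "<config_directory> placeholder still in $1/sh.pre"; bad=1
    fi
    return "$bad"
}

# check_loaded LOG: only the newest amavis module list counts, so an old
# "loaded" line from before an uninstall and restart does not pass the check.
check_loaded() {
    last=$(grep 'extra modules loaded' "$1" 2>/dev/null | tail -n 1)
    [ -n "$last" ] || { echo "no amavis module list found in $1"; return 1; }
    case "$last" in
        */SH.pm*) return 0 ;;
        *) echo "SH.pm not in the newest amavis module list"; return 1 ;;
    esac
}

# verify_dqs_install: run all three checks and report every failure.
verify_dqs_install() {
    rc=0
    check_files "$RULES_DIR" || rc=1
    check_placeholders "$RULES_DIR" || rc=1
    check_loaded "$ZIMBRA_LOG" || rc=1
    if [ "$rc" -eq 0 ]; then echo "Spamhaus DQS rules installed and loaded"; fi
    return "$rc"
}
# Run only when called with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then verify_dqs_install; exit $?; fi
```

Run it with --check as a user that can read /var/log/zimbra.log, after zmamavisdctl restart has completed.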
To remove the Spamhaus HBL from SpamAssassin, follow these steps:
rm -f /opt/zimbra/data/spamassassin/localrules/SH.pm
rm -f /opt/zimbra/data/spamassassin/localrules/sh.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh_scores.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh_hbl.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh_hbl_scores.cf
rm -f /opt/zimbra/data/spamassassin/localrules/sh.pre
sudo su - zimbra
zmamavisdctl restart
For the install, one has to actually descend into the 3.4.1+ subdirectory (after cloning the repo – SA 4.0 has recently been released)
Also, how do I disable this again, if I only run it as a trial?
Otherwise, a great tutorial. This is why I really like Zimbra – the documentation, community and the general information provided has become really good in the last years.
I really hope you can continue doing this.
Thanks for your feedback, I have added uninstall steps to the blog and added the descent into the 3.4.1+ subdirectory as well.