In this article you will learn how to use Spamhaus Hash Blocklist (HBL) to improve email protection in Zimbra. For a long time administrators of Zimbra have relied on Spamhaus to fight incoming spam by configuring Postfix using traditional blacklists. These traditional blocklists work by blocking IP (ranges) and domains of known spammers.
When an email is sent from free email providers such as Gmail, Hotmail or Protonmail it is not always possible to list the sending IP or domain on a blocklist as this would affect many other legitimate users. By using hashes Spamhaus can list specific, compromised email addresses that are sending spam or otherwise malicious content.
If you prefer you can also use Spamhaus HBL using SpamAssassin, this is documented at https://wiki.zimbra.com/index.php?title=Spamhaus_HBL
Step one get a DQS account
To be able to use Spamhaus HBL you need to register for a DQS account and get a commercial subscription.
How does the Milter work
Whenever an email passes through Postfix, the Milter will query the Spamhaus HBL using DNS. It will do lookups for the email address in the From and Sender header. In case an email address is listen in HBL the X-Spam-Flag header will be added and set to YES.
Installing the Milter
These instructions have been validated on Ubuntu 20.04. Run as root:
apt install python3-milter supervisor python3-dnspython mkdir /etc/milter wget https://raw.githubusercontent.com/Zimbra/spamhaus-hbl-milter/main/spamhaushbl.py -O /etc/milter/spamhaushbl.py wget https://raw.githubusercontent.com/Zimbra/spamhaus-hbl-milter/main/spamhaushbl.conf -O /etc/supervisor/conf.d/spamhaushbl.conf chmod +rx /etc/milter/spamhaushbl.py sed -i -e 's/PUT_DQS_KEY_HERE/aip7yig6sahg6ehsohn5shco3z/g' /etc/milter/spamhaushbl.py #replace aip7yig6sahg6ehsohn5shco3z with your real key systemctl restart supervisor tail -f /var/log/spamhaushbl.log
Configuring Zimbra
su - zimbra # check if you already have Milters: zmprov gs `zmhostname` zimbraMtaSmtpdMilters zmprov gs `zmhostname` zimbraMtaNonSmtpdMilters #if not proceed like so: zmprov ms `zmhostname` zimbraMtaSmtpdMilters inet:127.0.0.1:8802 zmprov ms `zmhostname` zimbraMtaNonSmtpdMilters inet:127.0.0.1:8802 #if you use Milters already you can daisy chain them like so #zmprov ms `zmhostname` zimbraMtaSmtpdMilters "inet:existing-ip:port, inet:127.0.0.1:8802" #zmprov ms `zmhostname` zimbraMtaNonSmtpdMilters "inet:existing-ip:port, inet:127.0.0.1:8802" zmprov ms `zmhostname` zimbraMilterServerEnabled TRUE zmmtactl restart #Check if you already use Milters postconf smtpd_milters #Example output: smtpd_milters = inet:127.0.0.1:8802, inet:127.0.0.1:7026 #if you have no milter running at 7026, you can: postconf -e 'smtpd_milters = inet:127.0.0.1:8802'
Try sending some emails and:
tail -f /var/log/spamhaushbl.log tail -f /var/log/zimbra.log
You can also run the milter without supervisord, stop supervisord and just run it like python3 /etc/milter/spamhaushbl.py.
Depending on your set-up messages with the X-Spam-Flag set to YES will be delivered in the Spam/Junk folder. If not you can add the following Sieve filter:
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
stop;
}
More information on setting up Sieve is at: https://blog.zimbra.com/2022/07/zimbra-skillz-using-sieve-filters-on-zimbra-via-the-admin-console/
Comments are closed.