Authentication Bypass in MailboxImportServlet vulnerability (reminder)
https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/

Rspamd: Fast, free and open-source spam filtering system

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
yawarniazi
Posts: 2
Joined: Thu Nov 18, 2021 9:53 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby yawarniazi » Fri Nov 19, 2021 11:22 am

No one is here to help me????? :oops: :oops:


chris_60
Posts: 25
Joined: Wed Mar 10, 2021 3:35 pm
Location: Ubuntu 18.04.5 LTS
ZCS/ZD Version: 9.0.0.ZEXTRAS.202007114.UBUNTU18.64

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby chris_60 » Fri Jan 14, 2022 5:47 pm

Good day all,

I would like to add a proxy element to Zimbra's nginx configuration to proxy requests to the Rspamd web UI. Per the Rspamd docs this is what is required for nginx:

Code: Select all

location /rspamd/
        {
          proxy_pass       http://localhost:11334/;

          proxy_set_header Host      $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For "";
        }


I thought to add it to

Code: Select all

nginx.conf.web.admin
inside one of my server configurations. However,

Code: Select all

zmproxyctl restart
causes that configuration file to be rewritten.

So... where to add this bit of configuration code so that it survives a restart?

Kind regards,
Chris
phoenix
Ambassador
Ambassador
Posts: 27085
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby phoenix » Fri Jan 14, 2022 6:52 pm

Zmproxyctl will always overwrite any modifications you make, it's part of the product design, I'd also suggest you do not use the Zimbra proxy as a general reverse proxy as your changes may not survive any ZCS upgrades. Why don't you just connect directly to your Rspamd instance?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
chris_60
Posts: 25
Joined: Wed Mar 10, 2021 3:35 pm
Location: Ubuntu 18.04.5 LTS
ZCS/ZD Version: 9.0.0.ZEXTRAS.202007114.UBUNTU18.64

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby chris_60 » Fri Jan 14, 2022 7:14 pm

phoenix wrote:Why don't you just connect directly to your Rspamd instance?


The native client has no SSL capabilities.
mgarbin
Posts: 35
Joined: Wed Jun 26, 2019 11:00 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby mgarbin » Sun Jan 23, 2022 10:29 am

To preserve the nginx custom configuration you need to change template config file.
You can modify the nginx template adding this code, it allow to connect to rspamd only from private network :

Code: Select all

   
    location /rspamd/ {
        proxy_pass http://YOUR_RSPAMD_IP:11334/;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        allow 10.0.0.0/8;
        allow 192.168.37.0/24;
        allow 172.16.0.0/12;
        allow 127.0.0.1;

        proxy_http_version 1.1;
    }


File to modify :

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

Add the code before the nginx location :

Code: Select all

location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/


Zimbra upgrade the template file only if there will be a new zimbra-proxy-patch .
If you want to save your configuration in a smart way you can create a folder under /opt/zimbra/conf/your_folder and put it all the modified things that you want to add on nginx.
Then use an include like :

Code: Select all

include /opt/zimbra/conf/YOUR_FOLDER/*.conf;


Then if you upgrade zimbra you need to re-add only one line.
chris_60
Posts: 25
Joined: Wed Mar 10, 2021 3:35 pm
Location: Ubuntu 18.04.5 LTS
ZCS/ZD Version: 9.0.0.ZEXTRAS.202007114.UBUNTU18.64

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby chris_60 » Mon Jan 24, 2022 1:29 pm

Thank-you mgarbin!

I almost have this working now.

I have put the location block into a include file as you suggested under a folder

Code: Select all

/opt/zimbra/conf/local


I have added an include statement to both of the following templates:

Code: Select all

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template


Question: Is it necessary to have the include statement in both of these template files or just the default?

This code is already in both the above mentioned templates:

Code: Select all

location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/


After doing this and restarting the proxy, the rspamd log on displays properly using

Code: Select all

https://mail.mysite.com/rspamd/


[s]However, upon entering creds and clicking the Connect button, things bork a bit. Basically the page submits the password to https://mail.mysite.com/rspamd/auth to which nginx responds with a 403 Forbidden.

Have I missed something in the configuration mods? Should the nginx location match regexp include a reference to 'auth' ?[/s]

UPDATE: The auth issue was due to a bad password. Once corrected, this mod works as expected.
MisterM74
Posts: 29
Joined: Sat Jul 16, 2016 3:09 pm
ZCS/ZD Version: Release 8.8.9_GA_2055.RHEL7_64_2018

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby MisterM74 » Thu May 26, 2022 8:26 pm

Hello

Yes, here I am again

Well, this replacement, compatible what version of Zimbra ?

Do you have a good tutorial ?

Mz
phoenix
Ambassador
Ambassador
Posts: 27085
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby phoenix » Thu May 26, 2022 8:31 pm

Did you read the first post in this thread or the wiki article on the subject? Both of those have instructions on how to instal Rspamd.

BTW, it makes no difference what version of ZCS you're using as there are no 'compatibility problems with Zimbra.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
MisterM74
Posts: 29
Joined: Sat Jul 16, 2016 3:09 pm
ZCS/ZD Version: Release 8.8.9_GA_2055.RHEL7_64_2018

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby MisterM74 » Thu May 26, 2022 8:36 pm

No, I did not look at it, sorry

Compatible with the latest version of zimbra?

Mz
phoenix
Ambassador
Ambassador
Posts: 27085
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby phoenix » Fri May 27, 2022 6:45 am

It will run with any version of Zimbra and there is no such requirement as 'compatibility' as it uses a milter in Postfix.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra

Return to “Administrators”

Who is online

Users browsing this forum: Newtman and 33 guests