Zimbra not affected by log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development determined that the 0-day exploit vulnerability for log4j (CVE-2021-44228) does not affect the current Supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses log4j1 version 1.2.16 which doesn't contain the lookup expression feature that is found within versions 2.0 to 2.17, which is the cause of the vulnerability. Also, Redhat (CVE-2021-4104) vulnerability does not affect the Zimbra Collaboration Server version (8.8.15 & 9.0.0). For this vulnerability to affect the server, it needs JMSAppender, which the ZCS Server does not use, and the ability to append configuration files.

Rspamd: A replacement for Spamassassin & Postscreen

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
yawarniazi
Posts: 2
Joined: Thu Nov 18, 2021 9:53 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby yawarniazi » Fri Nov 19, 2021 11:22 am

No one is here to help me????? :oops: :oops:


chris_60
Posts: 20
Joined: Wed Mar 10, 2021 3:35 pm
Location: Ubuntu 18.04.5 LTS
ZCS/ZD Version: 9.0.0.ZEXTRAS.202007114.UBUNTU18.64

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby chris_60 » Fri Jan 14, 2022 5:47 pm

Good day all,

I would like to add a proxy element to Zimbra's nginx configuration to proxy requests to the Rspamd web UI. Per the Rspamd docs this is what is required for nginx:

Code: Select all

location /rspamd/
        {
          proxy_pass       http://localhost:11334/;

          proxy_set_header Host      $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For "";
        }


I thought to add it to

Code: Select all

nginx.conf.web.admin
inside one of my server configurations. However,

Code: Select all

zmproxyctl restart
causes that configuration file to be rewritten.

So... where to add this bit of configuration code so that it survives a restart?

Kind regards,
Chris
phoenix
Ambassador
Ambassador
Posts: 26912
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby phoenix » Fri Jan 14, 2022 6:52 pm

Zmproxyctl will always overwrite any modifications you make, it's part of the product design, I'd also suggest you do not use the Zimbra proxy as a general reverse proxy as your changes may not survive any ZCS upgrades. Why don't you just connect directly to your Rspamd instance?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
chris_60
Posts: 20
Joined: Wed Mar 10, 2021 3:35 pm
Location: Ubuntu 18.04.5 LTS
ZCS/ZD Version: 9.0.0.ZEXTRAS.202007114.UBUNTU18.64

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby chris_60 » Fri Jan 14, 2022 7:14 pm

phoenix wrote:Why don't you just connect directly to your Rspamd instance?


The native client has no SSL capabilities.
mgarbin
Posts: 29
Joined: Wed Jun 26, 2019 11:00 am

Re: Rspamd: A replacement for Spamassassin & Postscreen

Postby mgarbin » Sun Jan 23, 2022 10:29 am

To preserve the nginx custom configuration you need to change template config file.
You can modify the nginx template adding this code, it allow to connect to rspamd only from private network :

Code: Select all

   
    location /rspamd/ {
        proxy_pass http://YOUR_RSPAMD_IP:11334/;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        allow 10.0.0.0/8;
        allow 192.168.37.0/24;
        allow 172.16.0.0/12;
        allow 127.0.0.1;

        proxy_http_version 1.1;
    }


File to modify :

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

Add the code before the nginx location :

Code: Select all

location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/


Zimbra upgrade the template file only if there will be a new zimbra-proxy-patch .
If you want to save your configuration in a smart way you can create a folder under /opt/zimbra/conf/your_folder and put it all the modified things that you want to add on nginx.
Then use an include like :

Code: Select all

include /opt/zimbra/conf/YOUR_FOLDER/*.conf;


Then if you upgrade zimbra you need to re-add only one line.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 31 guests