Antivirus & Antispam Management

Antivirus & Antispam Management#

Guidance on Disabling Antivirus and Antispam Services

Disabling Carbonio’s internal Antivirus (AV) and Antispam (AS) services should only be performed if your infrastructure is protected by an external mail filtering system (e.g., an email security gateway, cloud-based filtering service, or upstream MTA with integrated AV/AS capabilities).

These services play a critical role in scanning inbound and outbound mail for malware and unsolicited content. If no equivalent protection is enforced externally, disabling them may expose your mail system to threats and significantly reduce the overall security posture of your environment.

Recommendation: Keep AS/AV services enabled by default unless explicitly offloaded to an external system that ensures equivalent or stronger protections.

Disable Amavis virus check

Execute the following commands as the zextras user to disable Amavis from the CLI

zextras$ carbonio prov mcf carbonioAmavisDisableVirusCheck TRUE
zextras$ zmlocalconfig -e zmtrainsa_cleanup_host=false

Restart the service on every MTA Node to make sure the new value is picked up by the system

zextras$ zmamavisdctl restart

You can check at any time the status of the variable and of the service with

zextras$ carbonio prov gcf carbonioAmavisDisableVirusCheck

Note

If you never modified the value of the variable, this command may return no output, meaning that amavis is running.

Disable ClamAV

To disable ClamAV, execute the following commands as the root user

# systemctl disable carbonio-clamav-sidecar.service

Restart the following service as the root user to let systemd pick up the changes

  • Carbonio Mesh

    # systemctl restart service-discover

  • The services on the MTA Node

    As the zextras user execute

    zextras$ zmcontrol restart

    As the root user execute

    # systemctl restart carbonio-mta.target

    As the zextras user execute

    zextras$ zmcontrol restart

    As the root user execute

    # systemctl restart carbonio-mta.target

Amavis is required if you want to use an e-mail disclaimer in Carbonio CE, because Amavis processes and modifies any outgoing email to append the disclaimer.

If you do not need a disclaimer and you want to disable Amavis, run the following command on every MTA Node

zextras$ carbonio prov ms $(zmhostname) \
-zimbraServiceEnabled amavis

Additionally, you can also disable the other related services, by executing on every MTA Node the command

zextras$ carbonio prov ms $(zmhostname) \
-zimbraServiceEnabled antivirus \
-zimbraServiceEnabled antispam
Disable OpenDKIM

If your emails are sent through an external MTA relay that already adds an OpenDKIM signature, you must disable the OpenDKIM service on Carbonio CE to prevent signature conflicts.

To disable OpenDKIM, execute the following commands.

First, as the zextras user execute

zextras$ zextras$ carbonio prov ms \
$(zmhostname) -zimbraServiceEnabled opendkim

Then, depending on the OS you installed

As the zextras user execute

zextras$ zmcontrol restart

As the root user execute

# systemctl restart carbonio-mta.target

As the zextras user execute

zextras$ zmcontrol restart

As the root user execute

# systemctl restart carbonio-mta.target

Note

Disabling OpenDKIM means Carbonio will no longer sign outgoing emails with DKIM. Ensure your external MTA is handling DKIM signing correctly.

Completely remove ClamAV

To prevent Carbonio Mesh from reporting a service that is not running, remove from the MTAs the ClamAV definition file for service-discover:

Warning

This file will be restored during future upgrades of ClamAV or Carbonio CE, so make sure to remove it each time you upgrade.

# rm /etc/zextras/service-discover/carbonio-clamav.hcl