Antivirus & Antispam Management#
Guidance on Disabling Antivirus and Antispam Services
Disabling Carbonio’s internal Antivirus (AV) and Antispam (AS) services should only be performed if your infrastructure is protected by an external mail filtering system (e.g., an email security gateway, cloud-based filtering service, or upstream MTA with integrated AV/AS capabilities).
These services play a critical role in scanning inbound and outbound mail for malware and unsolicited content. If no equivalent protection is enforced externally, disabling them may expose your mail system to threats and significantly reduce the overall security posture of your environment.
Recommendation: Keep AS/AV services enabled by default unless explicitly offloaded to an external system that ensures equivalent or stronger protections.
Execute the following commands as the zextras
user to disable Amavis from
the CLI
zextras$ carbonio prov mcf carbonioAmavisDisableVirusCheck TRUE
zextras$ zmlocalconfig -e zmtrainsa_cleanup_host=false
Restart the service on every MTA Node to make sure the new value is picked up by the system
zextras$ zmamavisdctl restart
You can check at any time the status of the variable and of the service with
zextras$ carbonio prov gcf carbonioAmavisDisableVirusCheck
Note
If you never modified the value of the variable, this
command may return no output, meaning that amavis
is running.
To disable ClamAV, execute the following commands as the root
user
# systemctl disable carbonio-clamav-sidecar.service
Restart the following service as the root
user to let systemd
pick
up the changes
-
Carbonio Mesh
# systemctl restart service-discover
-
The services on the MTA Node
As the
zextras
user executezextras$ zmcontrol restart
As the
root
user execute# systemctl restart carbonio-mta.target
As the
zextras
user executezextras$ zmcontrol restart
As the
root
user execute# systemctl restart carbonio-mta.target
Amavis is required if you want to use an e-mail disclaimer in Carbonio CE, because Amavis processes and modifies any outgoing email to append the disclaimer.
If you do not need a disclaimer and you want to disable Amavis, run the following command on every MTA Node
zextras$ carbonio prov ms $(zmhostname) \
-zimbraServiceEnabled amavis
Additionally, you can also disable the other related services, by executing on every MTA Node the command
zextras$ carbonio prov ms $(zmhostname) \
-zimbraServiceEnabled antivirus \
-zimbraServiceEnabled antispam
If your emails are sent through an external MTA relay that already adds an OpenDKIM signature, you must disable the OpenDKIM service on Carbonio CE to prevent signature conflicts.
To disable OpenDKIM, execute the following commands.
First, as the zextras
user execute
zextras$ zextras$ carbonio prov ms \
$(zmhostname) -zimbraServiceEnabled opendkim
Then, depending on the OS you installed
As the zextras
user execute
zextras$ zmcontrol restart
As the root
user execute
# systemctl restart carbonio-mta.target
As the zextras
user execute
zextras$ zmcontrol restart
As the root
user execute
# systemctl restart carbonio-mta.target
Note
Disabling OpenDKIM means Carbonio will no longer sign outgoing emails with DKIM. Ensure your external MTA is handling DKIM signing correctly.
To prevent Carbonio Mesh from reporting a service that is not running, remove from the MTAs the ClamAV definition file for service-discover:
Warning
This file will be restored during future upgrades of ClamAV or Carbonio CE, so make sure to remove it each time you upgrade.
# rm /etc/zextras/service-discover/carbonio-clamav.hcl