← Back to Knowledge Base

Installation Guide

Prerequisites

• Operating System: RHEL 8/9, Rocky Linux 8/9, Ubuntu 20.04+, Debian 11+
• Architecture: x86_64 or ARM64
• RAM: Minimum 1GB (4GB recommended)
• Disk: Minimum 10GB free space
• Network: Internet connection for license validation

One-Command Installation

Install SecZim with your license key:

curl -sSL https://seczim.com/install.sh | sudo bash -s YOUR_LICENSE_KEY

What the Installer Does

• Detects your Linux distribution and version
• Installs all required dependencies automatically
• Downloads and configures SecZim binaries
• Sets up systemd services for automatic startup
• Configures your mail server integration
• Validates your license

Installation Output

After successful installation, you'll see:

✅ SecZim installed successfully!

📊 Web Interface:    http://your-server-ip:8880
📧 Policy Server:    127.0.0.1:10035

Next steps:
1. Access the web interface at port 8880
2. Configure your mail server integration
3. Set up your security policies

Verifying Installation

Check that all services are running:

sudo systemctl status seczim-daemon
sudo systemctl status seczim-api

Next Steps

1. Access the web interface at http://your-server:8880
2. Configure Zimbra or Postfix integration
3. Set up your first policies
4. Configure Security Intelligence features

Troubleshooting

Installation Fails

• Ensure you have root/sudo access
• Check internet connectivity
• Verify your OS is supported

License Validation Error

• Verify the license key is correct
• Check that your server can reach the internet
• Contact support if the issue persists

Services Won't Start

• Check logs: sudo journalctl -u seczim-daemon -n 50
• Verify ports are not in use: sudo ss -tlnp | grep -E '8880|10035'
• Restart services: sudo systemctl restart seczim-daemon seczim-api

← Back to Knowledge Base

Upgrading SecZim

Keep your SecZim installation up to date with the latest features and security patches.

Quick Upgrade Command

To upgrade an existing SecZim installation to the latest version, use the --upgrade flag:

curl -sSL https://seczim.com/install.sh | sudo bash -s -- --upgrade

What the Upgrade Does

• Downloads the latest SecZim binaries
• Applies database migrations (safe and idempotent)
• Preserves your existing configuration and policies
• Restarts services automatically

Database Migrations

The upgrade process applies database migrations that are:

• Safe: Uses CREATE TABLE IF NOT EXISTS and conditional column additions
• Idempotent: Can be run multiple times without causing issues
• Non-destructive: Never removes existing data or tables

Verbose Mode

For troubleshooting upgrade issues, use verbose mode:

curl -sSL https://seczim.com/install.sh | sudo bash -s -- --verbose --upgrade

Full Reinstall

For major version updates or if you need to completely refresh your installation:

curl -sSL https://seczim.com/install.sh | sudo bash -s YOUR_LICENSE_KEY

This will update all components while preserving your database and configuration.

Troubleshooting

Upgrade Fails

• Ensure you have root/sudo access
• Check internet connectivity
• Verify SecZim is already installed
• Run with --verbose flag to see detailed output

Services Don't Restart

• Check logs: sudo journalctl -u seczim-daemon -n 50
• Manually restart: sudo systemctl restart seczim-daemon seczim-api

← Back to Knowledge Base

Quick Start Tutorial

Get SecZim up and running in 5 minutes.

Step 1: Install SecZim

curl -sSL https://seczim.com/install.sh | sudo bash -s YOUR_LICENSE_KEY

Step 2: Access Web Interface

Open your browser and navigate to http://your-server-ip:8880

You'll see the SecZim dashboard with real-time statistics and policy management.

Step 3: Verify Mail Integration

The installer automatically configures your mail server. Test the integration:

# Test policy server
echo -e "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=1.2.3.4\nsender=test@example.com\nrecipient=user@yourdomain.com\n\n" | nc localhost 10035

Step 4: Configure Basic Policies

In the web interface:

1. Go to Policies section
2. Enable/disable features as needed (Greylisting, RBL, Geo-blocking)
3. Configure quotas for your domains

Step 5: Monitor Traffic

The dashboard shows real-time statistics:

• Total emails processed
• Acceptance rate
• Rejected emails
• Active policies

Common First Tasks

Whitelist Important Senders

Go to Access Control → Whitelist and add trusted domains or email addresses.

Configure Quota for Domain

Go to Quotas section and set daily sending limits per domain or user.

View Logs

sudo journalctl -u seczim-daemon -f

← Back to Knowledge Base

System Requirements

Minimum Requirements

• CPU: 1 core (2.0 GHz)
• RAM: 1 GB
• Disk: 10 GB free space
• Network: 100 Mbps

Recommended by Plan

Starter Plan (500 accounts)

• CPU: 2 cores
• RAM: 2 GB
• Disk: 20 GB SSD

Professional Plan (2,000 accounts)

• CPU: 4 cores
• RAM: 4 GB
• Disk: 50 GB SSD

Business Plan (10,000 accounts)

• CPU: 8 cores
• RAM: 8 GB
• Disk: 100 GB SSD

Supported Operating Systems

• RHEL 8.x, 9.x
• Rocky Linux 8.x, 9.x
• AlmaLinux 8.x, 9.x
• Ubuntu Server 20.04 LTS, 22.04 LTS, 24.04 LTS
• Debian 11 (Bullseye), 12 (Bookworm)
• CentOS Stream 8, 9

Network Requirements

• Inbound: Port 10035 from mail server (localhost only)
• Outbound: Internet access for license validation and RBL queries
• Web Interface: Port 8880 for administration

Mail Server Compatibility

• Postfix: 3.5.x, 3.6.x, 3.7.x, 3.8.x
• Zimbra: 8.8.x, 9.x, 10.x
• Other: Any MTA supporting policy delegation protocol

← Back to Knowledge Base

License Activation

Automatic Activation

When you run the installer with your license key, activation is automatic:

curl -sSL https://seczim.com/install.sh | sudo bash -s YOUR_LICENSE_KEY

Verifying License Status

Check your license status via API:

curl http://localhost:8880/api/v1/license/status

Or view it in the web interface under Settings → License.

License Types

Trial License

• 14 days free trial
• Full feature access
• Limited to 100 accounts

Paid License

• Annual subscription
• Based on number of accounts
• Priority support

License Renewal

Your license renews automatically. If renewal fails:

1. Check your payment method at seczim.com
2. Verify internet connectivity
3. Contact support@seczim.com with your license key

Troubleshooting

License Validation Failed

• Verify the license key is correct (check for typos)
• Ensure your server can reach the internet
• Check firewall rules for outbound HTTPS

License Expired

• Renew at seczim.com/account
• After renewal, restart services: sudo systemctl restart seczim-daemon seczim-api

← Back to Knowledge Base

Configuring Zimbra with SecZim

SecZim integrates seamlessly with Zimbra 8.8.x, 9.x, and 10.x.

Automatic Configuration

The installer automatically configures Zimbra integration. To verify:

su - zimbra -c "postconf | grep check_policy_service"

You should see: check_policy_service inet:127.0.0.1:10035

Manual Configuration

If needed, configure manually:

Step 1: Configure Policy Service

su - zimbra -c "zmprov ms $(zmhostname) zimbraMtaSmtpdRecipientRestrictions 'check_policy_service inet:127.0.0.1:10035'"

Step 2: Reload Postfix

su - zimbra -c "zmmtactl restart"

Step 3: Verify Configuration

su - zimbra -c "postconf | grep smtpd_recipient_restrictions"

Should include: check_policy_service inet:127.0.0.1:10035

Testing the Integration

Check the SecZim logs while sending a test email:

sudo journalctl -u seczim-daemon -f

Advanced Configuration

Policy Time Limit

Increase timeout for slow networks:

su - zimbra -c "zmprov ms $(zmhostname) zimbraMtaSmtpRecipientLimit 1000"

Troubleshooting

Emails Not Being Filtered

• Verify SecZim is running: sudo systemctl status seczim-daemon
• Check Zimbra config: su - zimbra -c "postconf | grep policy"
• Review logs: sudo journalctl -u seczim-daemon | tail -20

Connection Refused Errors

If Zimbra can't connect to SecZim (port 10035):

• Check SecZim is running: sudo systemctl status seczim-daemon
• Verify port is listening: sudo ss -tlnp | grep 10035
• Check firewall (should allow localhost)

← Back to Knowledge Base

Configuring Postfix with SecZim

SecZim integrates with Postfix 3.5.x through 3.8.x using the policy delegation protocol.

Automatic Configuration

The installer automatically configures Postfix. To verify:

postconf | grep check_policy_service

Manual Configuration

Step 1: Backup Current Config

sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.backup

Step 2: Add Policy Service

sudo postconf -e "smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10035"

Step 3: Reload Postfix

sudo postfix reload

Step 4: Verify Configuration

postconf | grep smtpd_recipient_restrictions

Integration with Existing Restrictions

If you have existing restrictions, add SecZim to the chain:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10035,
    permit

Testing

# Test policy server directly
telnet localhost 10035

# Monitor logs while sending test email
sudo journalctl -u seczim-daemon -f

Performance Tuning

Connection Caching

sudo postconf -e "smtpd_policy_service_max_idle=60s"
sudo postconf -e "smtpd_policy_service_timeout=30s"

Troubleshooting

Policy Service Not Responding

• Check service: sudo systemctl status seczim-daemon
• Test connection: nc -zv localhost 10035
• View logs: sudo journalctl -u seczim-daemon -n 50

Emails Being Rejected

• Check SecZim dashboard for rejection reasons
• View policy logs for the specific sender
• Whitelist if necessary

← Back to Knowledge Base

Security Intelligence System

SecZim v3.0 includes a comprehensive Security Intelligence System that provides real-time threat detection, automated response, and security analytics.

Key Features

• Alert System - Configurable rules for quota warnings, IP spikes, compromised accounts
• IP Reputation Tracking - Dynamic scoring with automatic blocking/whitelisting
• Anomaly Detection - Machine learning-based detection of unusual sender behavior
• Auto-Blacklist Rules - Automated IP blocking based on malicious patterns
• Multi-channel Notifications - Email, Webhook, and Slack alerts
• Security Analytics - Automated daily/weekly/monthly reports

Accessing the Intelligence Dashboard

Navigate to http://your-server:8880 and click on Intelligence in the navigation menu.

Dashboard Overview

The Intelligence Dashboard shows:

• Total alerts count and status
• Alerts by severity (info, warning, critical)
• Recent alerts list
• Auto-blacklisted IPs count
• Blocked senders count
• Low reputation IPs
• Recent anomalies

API Endpoints

# Dashboard summary
GET http://localhost:8880/api/v1/intelligence/dashboard

# Alerts
GET http://localhost:8880/api/v1/alerts
GET http://localhost:8880/api/v1/alerts/rules

# IP Reputation
GET http://localhost:8880/api/v1/ip-reputation
GET http://localhost:8880/api/v1/ip-reputation/config

# Anomalies
GET http://localhost:8880/api/v1/anomalies
GET http://localhost:8880/api/v1/anomalies/config

# Auto-Blacklist
GET http://localhost:8880/api/v1/auto-blacklist
GET http://localhost:8880/api/v1/auto-blacklist/rules

← Back to Knowledge Base

Alert System

The Alert System monitors your email infrastructure and generates alerts based on configurable rules.

Default Alert Rules

Rule	Description	Severity
Quota Warning 80%	Alert when user reaches 80% of quota	Warning
Quota Exceeded	Alert when quota is exceeded	High
IP Rejection Spike	Unusual rejection patterns from an IP	High
Compromised Account	Potential account compromise detected	Critical
High Rejection Rate	Sender with high rejection rate	Warning

Alert States

• New - Alert just generated
• Acknowledged - Admin reviewed the alert
• Resolved - Issue has been addressed

Managing Alerts

In the web interface, go to Intelligence → Alerts to:

• View all alerts with filtering by status and severity
• Acknowledge alerts you've reviewed
• Resolve alerts when fixed
• Configure alert rules

API Examples

# Get recent alerts
curl http://localhost:8880/api/v1/alerts?limit=10

# Get alert rules
curl http://localhost:8880/api/v1/alerts/rules

# Update alert status
curl -X PUT http://localhost:8880/api/v1/alerts/123/status \
  -H "Content-Type: application/json" \
  -d '{"status": "acknowledged"}'

← Back to Knowledge Base

IP Reputation Tracking

SecZim tracks the reputation of every IP that interacts with your mail server using a dynamic scoring system.

Scoring System

Action	Score Change
Initial Score	50 (neutral)
Email Accepted	+1 point
Email Rejected	-5 points
Email Deferred	-2 points

Automatic Actions

• Score ≤ 10: IP is blocked (REJECT)
• Score ≥ 80: Skip greylisting (trusted)
• Inactive IPs: Decay -5 points every 7 days

Manual Controls

In the web interface under Intelligence → IP Reputation:

• Whitelist: Always allow (score ignored)
• Blacklist: Always block (score ignored)
• View History: See score changes over time

API Examples

# Get all IP reputations
curl http://localhost:8880/api/v1/ip-reputation

# Get specific IP
curl http://localhost:8880/api/v1/ip-reputation/192.168.1.100

# Whitelist an IP
curl -X PUT http://localhost:8880/api/v1/ip-reputation/192.168.1.100/whitelist

# Blacklist an IP
curl -X PUT http://localhost:8880/api/v1/ip-reputation/192.168.1.100/blacklist

← Back to Knowledge Base

Anomaly Detection

SecZim uses machine learning-based detection to identify unusual sender behavior that may indicate compromised accounts or spam attacks.

Detection Types

Type	Description	Trigger
Volume Spike	Sender volume exceeds baseline	3x normal volume
New Recipients Spike	Sending to many new recipients	50+ new recipients
Out of Hours	Sending outside typical hours	Based on sender pattern

Baseline Learning

• Tracks each sender's normal patterns
• Requires minimum 7 days for baseline
• Automatically adapts to legitimate changes

Severity Levels

• Medium: Slightly unusual behavior
• High: Significantly abnormal
• Critical: Very likely compromised

Auto-Block (Optional)

Enable automatic blocking for critical anomalies:

• Configurable block duration (default: 60 minutes)
• Disabled by default for safety
• Enable when confident in baseline

API Examples

# Get recent anomalies
curl http://localhost:8880/api/v1/anomalies

# Get anomaly detection config
curl http://localhost:8880/api/v1/anomalies/config

# Update config
curl -X PUT http://localhost:8880/api/v1/anomalies/config \
  -H "Content-Type: application/json" \
  -d '{"auto_block_enabled": true}'

← Back to Knowledge Base

Auto-Blacklist Rules

Automated IP blocking based on malicious behavior patterns.

Default Rules

Rule	Trigger	Block Duration
High Rejection Rate	100+ rejections in 1 hour	24 hours
RBL Hits	10+ RBL hits per day	7 days
SPF Failures	50+ SPF failures in 1 hour	12 hours
Geo Block Attempts	20+ geo-blocked attempts in 1 hour	24 hours

Features

• Automatic expiration after block duration
• Manual release capability
• Option to make blocks permanent
• Detailed reason logging

Managing Blacklisted IPs

In the web interface under Intelligence → Auto-Blacklist:

• View currently blacklisted IPs
• See block reason and expiration
• Manually release an IP
• Make temporary blocks permanent

API Examples

# Get blacklisted IPs
curl http://localhost:8880/api/v1/auto-blacklist

# Get auto-blacklist rules
curl http://localhost:8880/api/v1/auto-blacklist/rules

# Release an IP
curl -X DELETE http://localhost:8880/api/v1/auto-blacklist/192.168.1.100

# Make permanent
curl -X PUT http://localhost:8880/api/v1/auto-blacklist/192.168.1.100/permanent

← Back to Knowledge Base

Notification System

Multi-channel alerting when threats are detected.

Notification Channels

Email Notifications

• SMTP configuration in web UI
• Supports TLS/STARTTLS
• Multiple recipients
• HTML formatted alerts

Webhook Notifications

• POST to custom URL
• JSON payload with alert details
• Custom headers support
• Ideal for SIEM/SOC integration

Slack Notifications

• Direct Slack webhook integration
• Customizable channel
• Rich message formatting

Configuration

Go to Intelligence → Settings in the web interface to configure notification channels.

Testing Notifications

# Test email notification
curl -X POST http://localhost:8880/api/v1/notifications/test/email

# Test webhook
curl -X POST http://localhost:8880/api/v1/notifications/test/webhook

# Test Slack
curl -X POST http://localhost:8880/api/v1/notifications/test/slack

Webhook Payload Format

{
  "alert_id": 123,
  "type": "ip_spike",
  "severity": "high",
  "title": "IP Rejection Spike Detected",
  "message": "IP 192.168.1.100 has 150 rejections in the last hour",
  "details": {...},
  "timestamp": "2025-11-30T23:00:00Z"
}

← Back to Knowledge Base

Greylisting

Greylisting temporarily defers emails from unknown senders, exploiting the fact that spammers rarely retry delivery.

How It Works

1. New sender/recipient combination arrives
2. SecZim returns DEFER (temporary rejection)
3. Legitimate servers retry after delay
4. On retry, email is accepted and sender is whitelisted

Configuration

In the web interface under Policies → Greylisting:

• Enable/Disable: Toggle greylisting
• Defer Time: How long to defer (default: 5 minutes)
• Whitelist Time: How long to remember trusted senders (default: 36 days)

Automatic Whitelisting

IPs with high reputation scores (≥80) automatically skip greylisting.

Manual Whitelisting

Whitelist specific domains or IPs that should never be greylisted:

# Via API
curl -X POST http://localhost:8880/api/v1/greylisting/whitelist \
  -H "Content-Type: application/json" \
  -d '{"type": "domain", "value": "trusted-company.com"}'

Statistics

curl http://localhost:8880/api/v1/greylisting/stats

← Back to Knowledge Base

Quota Management

Control email sending limits per user, domain, or globally.

Quota Types

• Per User: Limit individual sender
• Per Domain: Limit all users in a domain
• Global: Total daily limit for all senders

Configuration

In the web interface under Policies → Quotas:

1. Click Add Quota Rule
2. Select type (user/domain/global)
3. Enter the sender pattern
4. Set daily limit
5. Save

Checking Usage

# Check all quota usage
curl http://localhost:8880/api/v1/quotas/usage

# Check specific sender
curl "http://localhost:8880/api/v1/quotas/usage?sender=user@domain.com"

Quota Alerts

The Alert System monitors quotas and generates alerts at:

• 80%: Warning alert
• 100%: Quota exceeded alert

← Back to Knowledge Base

Access Control Lists

Manage whitelists and blacklists for senders and domains.

Whitelist

Emails from whitelisted senders/domains bypass all checks:

# Add to whitelist
curl -X POST http://localhost:8880/api/v1/acl/whitelist \
  -H "Content-Type: application/json" \
  -d '{"type": "email", "value": "ceo@partner-company.com"}'

# Add domain to whitelist
curl -X POST http://localhost:8880/api/v1/acl/whitelist \
  -H "Content-Type: application/json" \
  -d '{"type": "domain", "value": "trusted-company.com"}'

Blacklist

Emails from blacklisted senders/domains are always rejected:

# Add to blacklist
curl -X POST http://localhost:8880/api/v1/acl/blacklist \
  -H "Content-Type: application/json" \
  -d '{"type": "domain", "value": "spam-domain.com"}'

View Lists

curl http://localhost:8880/api/v1/acl/whitelist
curl http://localhost:8880/api/v1/acl/blacklist

Wildcard Support

Use wildcards for flexible matching:

• *@domain.com - All users from domain
• user@* - User from any domain
• *.subdomain.com - All subdomains

← Back to Knowledge Base

RBL (Realtime Blackhole Lists)

SecZim includes comprehensive RBL checking to block emails from known spam sources. RBLs are DNS-based blacklists that maintain databases of IP addresses known to send spam or malicious content.

How RBL Checking Works

When an email arrives, SecZim:

1. Extracts the sender's IP address
2. Reverses the IP octets (e.g., 1.2.3.4 becomes 4.3.2.1)
3. Queries each enabled RBL by appending the reversed IP to the RBL hostname
4. If a DNS response is received (typically 127.0.0.x), the IP is blacklisted
5. Results are cached for 1 hour to reduce DNS lookups

Example DNS Query

For IP 192.168.1.100 checking against zen.spamhaus.org:

Query: 100.1.168.192.zen.spamhaus.org
Response: 127.0.0.2 (listed) or NXDOMAIN (not listed)

Available RBL Sources (12 Total)

Enabled by Default

Name	Host	Description
Spamhaus ZEN	zen.spamhaus.org	The most comprehensive Spamhaus list. Combines SBL (known spam sources), XBL (exploited systems/proxies), and PBL (policy block list for dynamic IPs). Recommended as primary RBL.
Barracuda	b.barracudacentral.org	Maintained by Barracuda Networks. Covers spam sources, known bad actors, and compromised systems. High accuracy with low false positives.

Disabled by Default

Name	Host	Description
Spamhaus SBL	sbl.spamhaus.org	Spamhaus Block List - contains IP addresses of verified spam sources and spam operations. Very accurate but covered by ZEN.
Spamhaus XBL	xbl.spamhaus.org	Exploits Block List - lists IP addresses of hijacked computers, open proxies, and other compromised systems. Also covered by ZEN.
SpamCop	bl.spamcop.net	Community-driven RBL based on user spam reports. Good for catching recent spam campaigns.
SORBS	dnsbl.sorbs.net	Spam and Open Relay Blocking System - comprehensive list covering spam, relays, and exploited systems.
UCEPROTECT Level 1	dnsbl-1.uceprotect.net	Lists individual IP addresses that have sent spam. Most precise UCEPROTECT level.
UCEPROTECT Level 2	dnsbl-2.uceprotect.net	Lists entire /24 IP ranges when multiple IPs from the range are spamming. More aggressive than L1.
UCEPROTECT Level 3	dnsbl-3.uceprotect.net	Lists entire ASNs (Autonomous System Numbers) with poor reputation. Most aggressive - use with caution.
Invaluement	dnsbl.invaluement.com	Anti-spam DNSBL focused on detecting snowshoe spam and botnet operations.
PSBL	psbl.surriel.com	Passive Spam Block List - automatically lists IPs that send spam to honeypots.
Mailspike	bl.mailspike.net	Reputation-based RBL maintained by Mailspike with IP reputation scoring.

Recommendations

Small/Medium Organizations

Keep Spamhaus ZEN and Barracuda enabled (default). These provide excellent protection with minimal false positives.

High-Security Environments

Consider enabling additional RBLs:

• SpamCop - Good for recent spam campaigns
• UCEPROTECT Level 1 - Individual bad IPs
• PSBL - Catches bots sending to honeypots

Aggressive Filtering

For maximum spam blocking (may have more false positives):

• Enable SORBS
• Enable UCEPROTECT Level 2
• UCEPROTECT Level 3 - Only if you accept potential over-blocking

Configuration via Dashboard

In the web interface under RBL:

1. Toggle RBL sources on/off as needed
2. View statistics for each RBL source
3. Monitor which RBLs are blocking the most spam

Manual RBL Check

To manually check if an IP is listed:

# For IP 181.111.252.219 against Spamhaus ZEN
dig 219.252.111.181.zen.spamhaus.org +short

# Response 127.0.0.2 = Listed
# No response = Not listed

Troubleshooting

RBL Not Blocking Listed IPs

1. Check if RBL is enabled in the dashboard
2. Verify DNS resolution works from your server
3. Check daemon logs: grep "RBL" /var/log/seczim-daemon.log

High False Positive Rate

1. Check which RBL is causing blocks in the dashboard
2. Consider disabling aggressive RBLs (UCEPROTECT L2/L3, SORBS)
3. Add trusted senders to the Access Control whitelist

← Back to Knowledge Base

Geographic Blocking

Block or allow emails based on the geographic location of the sending IP.

Configuration

In the web interface under Policies → Geo-Blocking:

• Mode: Whitelist (allow only) or Blacklist (block only)
• Countries: Select countries to allow or block

Use Cases

• Whitelist Mode: Only accept email from specific countries
• Blacklist Mode: Block known spam source countries

GeoIP Database

SecZim uses the MaxMind GeoLite2 database for IP geolocation. The database is updated automatically.

← Back to Knowledge Base

Dashboard

The SecZim dashboard provides real-time visibility into your email security.

Accessing the Dashboard

Open your browser and navigate to http://your-server:8880

Dashboard Widgets

• Total Requests: Emails processed today
• Acceptance Rate: Percentage of accepted emails
• Rejected: Emails blocked
• Active Connections: Current mail server connections
• Uptime: Service uptime

Navigation

• Dashboard: Overview statistics
• Policies: Configure security rules
• Intelligence: Threat detection and alerts
• Access Control: Whitelist/Blacklist management
• Quotas: Sending limits
• Logs: Email processing logs
• Settings: System configuration

← Back to Knowledge Base

API Reference

SecZim provides a REST API for programmatic access. The API runs on port 8880.

Base URL

http://localhost:8880/api/v1

Core Endpoints

Endpoint	Method	Description
/stats	GET	Get server statistics
/license/status	GET	Check license status
/policies	GET	List all policies

Greylisting Endpoints

Endpoint	Method	Description
/greylisting/config	GET	Get greylisting config
/greylisting/stats	GET	Get greylisting statistics
/greylisting/whitelist	GET/POST	Manage whitelist

Intelligence Endpoints

Endpoint	Method	Description
/intelligence/dashboard	GET	Dashboard summary
/alerts	GET	List alerts
/alerts/rules	GET	List alert rules
/ip-reputation	GET	List IP reputations
/anomalies	GET	List anomalies
/auto-blacklist	GET	List blacklisted IPs

ACL Endpoints

Endpoint	Method	Description
/acl/whitelist	GET/POST	Manage whitelist
/acl/blacklist	GET/POST	Manage blacklist

Quota Endpoints

Endpoint	Method	Description
/quotas	GET/POST	Manage quotas
/quotas/usage	GET	Check usage

← Back to Knowledge Base

Common Issues

Service Won't Start

Check the logs:

sudo journalctl -u seczim-daemon -n 50
sudo journalctl -u seczim-api -n 50

Common causes:

• Port already in use
• License validation failed
• Configuration error

Can't Access Web Interface

• Verify service is running: sudo systemctl status seczim-api
• Check port is listening: sudo ss -tlnp | grep 8880
• Check firewall: sudo firewall-cmd --list-ports

Mail Server Can't Connect

• Verify daemon is running: sudo systemctl status seczim-daemon
• Check port 10035: sudo ss -tlnp | grep 10035
• Test connection: nc -zv localhost 10035

High Memory Usage

• Check process: ps aux | grep seczim
• Consider increasing swap
• Contact support if persistent

Installation Interrupted or Failed

If the installation was interrupted, truncated, or failed midway, you may need to manually clean up before reinstalling. Run these commands:

# Stop services
sudo systemctl stop seczim seczim-api 2>/dev/null
sudo systemctl disable seczim seczim-api 2>/dev/null

# Stop and remove Docker containers
cd /opt/seczim && sudo docker compose down -v 2>/dev/null

# Remove systemd services
sudo rm -f /etc/systemd/system/seczim.service
sudo rm -f /etc/systemd/system/seczim-api.service
sudo systemctl daemon-reload

# Remove all SecZim directories
sudo rm -rf /opt/seczim
sudo rm -rf /etc/seczim
sudo rm -rf /var/log/seczim
sudo rm -rf /var/lib/seczim

# Remove uninstall script
sudo rm -f /usr/local/bin/seczim-uninstall
sudo rm -f /sbin/seczim-uninstall

After running these commands, you can reinstall SecZim with a fresh installation.

Port 10035 Already in Use

If the installer reports port 10035 is in use:

• Check what's using the port: sudo ss -tlnp | grep 10035
• If it's a previous SecZim installation: sudo seczim-uninstall
• If the uninstall script doesn't exist, use the manual cleanup commands above

← Back to Knowledge Base

Service Status

Check All Services

sudo systemctl status seczim-daemon
sudo systemctl status seczim-api

Check Ports

sudo ss -tlnp | grep -E '8880|10035'

Expected output:

• Port 8880: seczim-api (web interface)
• Port 10035: seczim-daemon (policy server)

Check API Health

curl http://localhost:8880/api/v1/stats

View Logs

# Daemon logs
sudo journalctl -u seczim-daemon -f

# API logs
sudo journalctl -u seczim-api -f

Restart Services

sudo systemctl restart seczim-daemon seczim-api

← Back to Knowledge Base

Getting Support

Email Support

Contact us at support@seczim.com

Information to Include

When contacting support, please include:

• Your license key
• SecZim version: curl http://localhost:8880/api/v1/version
• Operating system and version
• Mail server type and version
• Description of the issue
• Relevant log excerpts

Gathering Logs

# Export recent logs
sudo journalctl -u seczim-daemon --since "1 hour ago" > seczim-daemon.log
sudo journalctl -u seczim-api --since "1 hour ago" > seczim-api.log

Documentation

• Knowledge Base: docs.seczim.com
• Getting Started: seczim.com/docs

← Back to Knowledge Base

Policy Configuration

SecZim uses a priority-based policy system to evaluate incoming emails.

Policy Priority

Policies are evaluated in order of priority (highest first):

1. Auto-Blacklist Check (98) - Block known bad IPs
2. IP Reputation (95) - Check IP score
3. Anomaly Detection (92) - Check for unusual behavior
4. Whitelist/Blacklist (90) - Manual ACLs
5. RBL Check (80) - Check spam blacklists
6. Geo-Blocking (70) - Geographic filtering
7. Greylisting (60) - Temporary deferral
8. Quota Check (50) - Sending limits

Enable/Disable Policies

In the web interface under Policies:

• Toggle individual policies on/off
• Configure policy-specific settings
• View policy hit statistics

API Configuration

# Get all policies
curl http://localhost:8880/api/v1/policies

# Update policy
curl -X PUT http://localhost:8880/api/v1/policies/greylisting \
  -H "Content-Type: application/json" \
  -d '{"enabled": true, "defer_time": 300}'

← Back to Knowledge Base

General Settings

Accessing Settings

Go to the web interface at http://your-server:8880 and click Settings.

Available Settings

License

• View license status
• See account limits
• Renewal information

Notifications

• Email notification settings (SMTP)
• Webhook configuration
• Slack integration

System

• Log level
• Performance settings

Configuration File

Main configuration is stored in:

/etc/seczim/seczim.yaml

Restart After Changes

Most settings take effect immediately. For config file changes:

sudo systemctl restart seczim-daemon seczim-api

← Back to Knowledge Base

SecZim Logs

SecZim generates detailed logs for monitoring, troubleshooting, and auditing email security decisions. This guide covers all log file locations and how to use them effectively.

Log File Locations

Main SecZim Logs

Log File	Description	Location
Daemon Log	Policy daemon processing, module decisions	/var/log/seczim-daemon.log
API Log	REST API requests, dashboard activity	/var/log/seczim-api.log

Related System Logs

Log File	Description	Location
Postfix Mail Log	General mail delivery and SMTP activity	/var/log/mail.log or /var/log/maillog
Zimbra Mail Log	Zimbra-specific mail activity	/var/log/zimbra.log
System Journal	Systemd service logs	journalctl -u seczim-daemon

SecZim Daemon Log

Location: /var/log/seczim-daemon.log

This is the most important log for understanding email security decisions.

What It Contains

• Policy decisions for each email (ACCEPT, REJECT, DEFER)
• Module processing results (SPF, Greylisting, RBL, GeoIP, etc.)
• Connection information from Postfix
• Error messages and warnings

Log Format

TIMESTAMP LEVEL MODULE: MESSAGE

Example Entries

2024-12-04 10:23:45 INFO  SPF: PASS for sender@example.com from 192.168.1.100
2024-12-04 10:23:46 INFO  RBL: IP 10.20.30.40 is listed in Spamhaus ZEN: 127.0.0.2
2024-12-04 10:23:46 WARN  Greylisting: first attempt from unknown@spam.com -> user@domain.com (delay: 300s)
2024-12-04 10:23:47 DEBUG GeoIP: IP 203.0.113.50 -> Country: CN (blocked)

Log Levels

Level	Description
DEBUG	Detailed information for troubleshooting
INFO	Normal operational messages
WARN	Potential issues or blocked items
ERROR	Errors that need attention

SecZim API Log

Location: /var/log/seczim-api.log

Contains logs from the web dashboard and REST API.

What It Contains

• HTTP requests to the API
• Authentication events
• Configuration changes
• Background worker activity

Example Entries

2024-12-04 10:30:00 INFO  API: GET /api/v1/health -> 200
2024-12-04 10:30:15 INFO  API: POST /api/v1/settings -> 200
2024-12-04 10:30:20 INFO  Auth: Login successful for admin
2024-12-04 10:31:00 INFO  Worker: IP reputation decay completed

Viewing Logs

Real-time Log Monitoring

# Watch daemon log in real-time
sudo tail -f /var/log/seczim-daemon.log

# Watch API log in real-time
sudo tail -f /var/log/seczim-api.log

# Watch both logs simultaneously
sudo tail -f /var/log/seczim-daemon.log /var/log/seczim-api.log

View Recent Logs

# Last 100 lines of daemon log
sudo tail -100 /var/log/seczim-daemon.log

# Last 50 lines of API log
sudo tail -50 /var/log/seczim-api.log

Search Logs

# Find all RBL blocks
sudo grep "RBL:" /var/log/seczim-daemon.log | grep "listed"

# Find all rejected emails
sudo grep "REJECT" /var/log/seczim-daemon.log

# Find specific IP address
sudo grep "192.168.1.100" /var/log/seczim-daemon.log

# Find SPF failures
sudo grep "SPF: FAIL" /var/log/seczim-daemon.log

# Find greylisting events
sudo grep "Greylisting:" /var/log/seczim-daemon.log

Using journalctl (if using systemd)

# View daemon service logs
sudo journalctl -u seczim-daemon -f

# View API service logs
sudo journalctl -u seczim-api -f

# View logs since last hour
sudo journalctl -u seczim-daemon --since "1 hour ago"

# View logs with errors only
sudo journalctl -u seczim-daemon -p err

Troubleshooting with Logs

Email Not Being Delivered

Check what module blocked it:

sudo grep "REJECT\|DEFER" /var/log/seczim-daemon.log | tail -50

RBL Not Working

Check RBL activity:

sudo grep "RBL:" /var/log/seczim-daemon.log | tail -20

Greylisting Issues

Monitor greylisting decisions:

sudo grep "Greylisting:" /var/log/seczim-daemon.log

SPF Verification Problems

Check SPF results:

sudo grep "SPF:" /var/log/seczim-daemon.log | tail -30

Dashboard Not Working

Check API errors:

sudo grep "ERROR" /var/log/seczim-api.log

Service Not Starting

Check systemd logs:

sudo journalctl -u seczim-daemon -n 50 --no-pager
sudo journalctl -u seczim-api -n 50 --no-pager

Log Files Summary

File	Purpose	Check When
/var/log/seczim-daemon.log	Policy decisions	Email blocked/allowed questions
/var/log/seczim-api.log	Dashboard/API activity	Dashboard issues, API errors
/var/log/mail.log	General mail flow	Delivery issues
journalctl -u seczim-*	Service status	Service won't start

← Back to Knowledge Base

Statistics

Real-time Stats

curl http://localhost:8880/api/v1/stats

Returns:

{
  "total_requests": 1234,
  "accepted": 1100,
  "rejected": 134,
  "acceptance_rate": 89.14,
  "active_connections": 5,
  "uptime": 86400
}

Policy Statistics

curl http://localhost:8880/api/v1/policies/stats

Intelligence Statistics

curl http://localhost:8880/api/v1/intelligence/dashboard

Greylisting Statistics

curl http://localhost:8880/api/v1/greylisting/stats

Prometheus Metrics

Metrics are available at:

http://localhost:9090/metrics

← Back to Knowledge Base

Prometheus Metrics Exporter

SecZim includes a built-in Prometheus metrics exporter that exposes key metrics for monitoring your mail security infrastructure. This allows integration with Prometheus, Grafana, and other monitoring tools.

Endpoint

Metrics are exposed on port 8181 without authentication:

http://your-server:8181/metrics

Prometheus Configuration

Add SecZim to your Prometheus configuration:

scrape_configs:
  - job_name: 'seczim'
    static_configs:
      - targets: ['your-server:8181']
    scrape_interval: 30s

Available Metrics

Mail Traffic Metrics

These metrics track email flow through your server. Each metric includes a period label with values: 1h, 24h, 7d.

• seczim_mail_total - Total mail transactions
• seczim_mail_inbound - Inbound (external) mail count
• seczim_mail_outbound - Outbound (authenticated) mail count
• seczim_mail_accepted - Accepted mail count
• seczim_mail_rejected - Rejected mail count
• seczim_mail_deferred - Deferred mail count
• seczim_unique_ips - Unique connecting IP addresses

Security Metrics (24h)

• seczim_geo_blocked_total - Connections blocked by geographic filtering
• seczim_rbl_blocked_total - Connections blocked by RBL checks
• seczim_spf_failed_total - SPF verification failures
• seczim_greylist_deferred_total - Connections deferred by greylisting

Alert Metrics

Active alerts by severity level:

• seczim_alerts_active{severity="critical"}
• seczim_alerts_active{severity="high"}
• seczim_alerts_active{severity="medium"}
• seczim_alerts_active{severity="low"}

IP Reputation Metrics

• seczim_blacklisted_ips - Manually blacklisted IPs
• seczim_auto_blacklisted_ips - Auto-blacklisted IPs

Other Metrics

• seczim_anomalies_detected - Anomalies detected in last 24h
• seczim_users_near_quota - Users at >80% of their quota limit

Example Queries

Useful PromQL queries for Grafana dashboards:

Mail Rate (per minute)

rate(seczim_mail_total{period="1h"}[5m]) * 60

Rejection Rate Percentage

seczim_mail_rejected{period="24h"} / seczim_mail_total{period="24h"} * 100

Security Events Total

seczim_geo_blocked_total + seczim_rbl_blocked_total + seczim_spf_failed_total

Alert for High Rejection Rate

seczim_mail_rejected{period="1h"} / seczim_mail_total{period="1h"} > 0.1

Grafana Dashboard

You can create a Grafana dashboard to visualize these metrics. Key panels to include:

• Mail traffic over time (inbound vs outbound)
• Acceptance vs rejection rate
• Security events breakdown (geo, RBL, SPF)
• Active alerts by severity
• Unique IPs connecting

← Back to Knowledge Base

Emails Being Rejected

If legitimate emails are being rejected, follow these steps:

Step 1: Check the Logs

sudo journalctl -u seczim-daemon | grep "sender@domain.com"

Look for the rejection reason.

Step 2: Common Rejection Reasons

Greylisting

New senders are temporarily deferred. This is normal - the email will be delivered on retry.

To bypass: Add sender to whitelist.

RBL Listed

Sender IP is on a spam blacklist.

To bypass: Add IP to whitelist or disable RBL for that IP.

Low IP Reputation

Sender IP has low reputation score.

To fix: Whitelist the IP in Intelligence → IP Reputation.

Quota Exceeded

Sender has exceeded their daily limit.

To fix: Increase quota or wait for reset.

Geo-Blocked

Sender's country is blocked.

To fix: Add country to allowed list or whitelist sender.

Step 3: Whitelist the Sender

If the sender is legitimate:

curl -X POST http://localhost:8880/api/v1/acl/whitelist \
  -H "Content-Type: application/json" \
  -d '{"type": "email", "value": "sender@domain.com"}'