This depends a great deal on:
1. what version of Zimbra you are currently running; and
2. what architecture you currently have in place (because some solutions are best implemented on a separate host);
3. the scale of your current implementation.
I have 20+ years of experience in Linux System Administration and managing mail servers from the basic underlying MTAs (Postfix, qmail, sendmail, exim) to DB integration for user management and spam solutions including spamassassin (and amavis), greylisting and RBLs.
There are two ways of doing this:
1. Implement directly on your Zimbra server. This could have a higher complexity and a greater chance of affecting the stability of your Zimbra server. You may also be limited in what can be done. But, it keeps everything on one box.
2. Move your MX to deliver your mail to a spam cleaning server that then delivers it onward to your Zimbra server once cleaned. This is architecturally much cleaner, gives you maximum flexibility and does not require any major changes to the Zimbra server.
I would recommend the latter approach:
- Depending on your hosting environment and mail volume, all that may be required is a mid-spec Virtual Server;
- If you have not implemented greylisting, this is a very effective and simple first step;
- Then, I would suggest the implementation of a suit of tools like spamassassin and amavis;
- Management console.
Finally, you should consider security of outgoing mail and investigate SPF, DMARC and DKIM.