Conf-tips
https://wiki.zimbra.com/wiki/Category:Certified
Postfix "access" control for whitelisting and blacklisting
The following method works for both whitelisting (for example, to allow IPs that would otherwise be blocked by RBLs) and blacklisting. Also see: http://www.postfix.org/access.5.html
The configuration differs slightly between ZCS 7.x and earlier and ZCS 8.x and later:
7.x and earlier
1. Edit /opt/zimbra/conf/postfix_recipient_restrictions.cf and add these lines:
   check_recipient_access hash:/opt/zimbra/conf/access
   check_client_access hash:/opt/zimbra/conf/access
   result:
   %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:127.0.0.1:10031%%
   reject_non_fqdn_recipient
   check_recipient_access hash:/opt/zimbra/conf/access
   check_client_access hash:/opt/zimbra/conf/access
   ...
2. Edit /opt/zimbra/conf/access. Example:
   10.11.12.13             OK
   recipient@example.com   550 User Unknown
   spammer@domain.com      530 Go Away
3. Rebuild the access.db:
   cd /opt/zimbra/conf
   postmap access
4. Confirm access.db:
   $ ls -ld access.db
   -rw-r----- 1 zimbra zimbra 12288 Jan 27 09:58 access.db
8.x and later
1. Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add these lines:
   check_recipient_access hash:/opt/zimbra/conf/access
   check_client_access hash:/opt/zimbra/conf/access
   result:
   %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:127.0.0.1:10031%%
   reject_non_fqdn_recipient
   check_recipient_access hash:/opt/zimbra/conf/access
   check_client_access hash:/opt/zimbra/conf/access
   ...
2. Edit /opt/zimbra/conf/access. Example:
   10.11.12.13             OK
   recipient@example.com   550 User Unknown
   spammer@domain.com      530 Go Away
3. Rebuild the access.db:
   cd /opt/zimbra/conf
   postmap access
4. Confirm access.db:
   $ ls -ld access.db
   -rw-r----- 1 zimbra zimbra 12288 Jan 27 09:58 access.db
Postfix whitelist when using RBLs
--Bertie uk 09:32, 4 May 2010 (UTC)
If you are using RBLs (such as zen.spamhaus.org) to block spam, the whitelist method above does not work, because it is for SpamAssassin, not Postfix.
Postfix will check incoming messages against the RBL first, and allow/reject accordingly. So if you have a sender listed on an RBL, you need to whitelist them in Postfix.
To do this in Zimbra:
Login and change to the zimbra user
   vi /opt/zimbra/conf/postfix_rbl_override
List all IP addresses or host names (one per line!) that you want to whitelist:
   1.2.3.4 OK
   1.2.3.5 OK
   mail.freemailer.tld OK
   postmap /opt/zimbra/conf/postfix_rbl_override
   vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
(in 8.0.x the file to edit is /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf)
under:
   reject_unauth_destination
add:
   check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
   check_recipient_access hash:/opt/zimbra/conf/postfix_rbl_override
e.g.:
   reject_unauth_destination
   check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
   reject_unlisted_recipient
   zmmtactl restart
Each time you add a new one, you need to run the postmap command and then zmmtactl restart. (Also, this may be removed after a Zimbra upgrade.)
Domain level blocking of users
ZCS 8.8
# vi /opt/zimbra/conf/postfix_reject_sender
user@domain.com REJECT
domainX.com REJECT
# vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
# su - zimbra
# zmprov ms 'worldcm.tk' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender"
# /opt/zimbra/common/sbin/postmap /opt/zimbra/conf/postfix_reject_sender
# zmmtactl restart
[date / hostname] postfix/smtpd[####] NOQUEUE: reject: RCPT from [remote mta]: 554 5.7.1 <senders-email@DOMAIN>: Sender address rejected: Access denied: from=<senders-email@DOMAIN> to=<local-zimbra-user@domain> proto=ESMTP helo=<remote mta>
ZCS 8.7 and later
Create the file /opt/zimbra/common/conf/postfix_reject_sender with the list of email addresses and domains to be rejected, in this format:
   user@domain.com REJECT
   domainX.com REJECT
Set zimbraMtaSmtpdSenderRestrictions on the server:
   zmprov ms 'yourzimbraservername' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender"
Then postmap it:
   /opt/zimbra/common/sbin/postmap /opt/zimbra/conf/postfix_reject_sender
ZCS 8.5 and 8.6
Create the postmap database as described below. Modify /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf by adding this as the second line of the file:
   %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender%%
Then execute:
   zmprov ms <zmhostname> +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender"
Create the file /opt/zimbra/postfix/conf/postfix_reject_sender with the list of email addresses and domains to be rejected, in this format:
   user@domain.com REJECT
   domainX.com REJECT
Postmap it and restart Postfix:
   /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/postfix_reject_sender
   zmmtactl stop && zmmtactl start
ZCS 8.7 and later
Create the file /opt/zimbra/postfix/conf/postfix_reject_sender with the list of email addresses and domains to be rejected, in this format:
   user@domain.com REJECT
   domainX.com REJECT
Postmap it:
   /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/postfix_reject_sender
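Every map on this page (the whitelist/blacklist access file, postfix_rbl_override and postfix_reject_sender) is an access(5) table, and which entry wins depends on Postfix's lookup order, not on the order of lines in the file. The following Python script is an added example, not code from the Zimbra wiki or Postfix; it simulates the access(5) lookup order for check_client_access and check_sender_access/check_recipient_access with Postfix's default parent_domain_matches_subdomains setting, over a constructed map built from the entries shown above, so you can predict a match before running postmap and zmmtactl restart.

```python
# Constructed sample map, same key/action format as /opt/zimbra/conf/access.
ACCESS_MAP_TEXT = """\
# key                    action
10.11.12.13              OK
mail.freemailer.tld      OK
recipient@example.com    550 User Unknown
spammer@domain.com       530 Go Away
domainX.com              REJECT
"""

def parse_access_map(text):
    """Return {key: action}; postmap folds keys to lower case for hash/lmdb maps."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table

def domain_keys(domain, parent_matches_subdomains=True):
    """Full name first, then each parent ('.parent' form if the feature is off)."""
    labels = domain.split(".")
    keys = []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if i == 0 or parent_matches_subdomains else "." + parent)
    return keys

def first_match(table, keys):
    for key in keys:  # Postfix stops at the first key present in the map
        if key in table:
            return key, table[key]
    return None

def check_client_access(table, client_ip, client_name="unknown"):
    """Client name (skipped if 'unknown') and its parents, then the IPv4 address shortened an octet at a time."""
    keys = [] if client_name == "unknown" else domain_keys(client_name.lower())
    octets = client_ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return first_match(table, keys)

def check_address_access(table, address):
    """check_sender_access / check_recipient_access: user@domain, domain and parents, then user@."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    keys = [address] + (domain_keys(domain) if domain else []) + [local + "@"]
    return first_match(table, keys)
```

Note that a domain key such as domainX.com also matches mail from any of its subdomains, and that an OK returned by check_recipient_access or check_client_access ends evaluation of the restriction list for that recipient; keep these lookups after reject_unauth_destination, as the RBL section above does, or the map can turn the server into an open relay.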
Verification
Check the Postfix configuration with:
   postconf | grep smtpd_sender_restrictions
You'll be able to see the changes show up in /opt/zimbra/log/zmconfigd.log.
Reject messages will be logged in /var/log/zimbra.log; the format looks like this:
[date / hostname] postfix/smtpd[####] NOQUEUE: reject: RCPT from [remote mta]: 554 5.7.1 <senders-email@DOMAIN>: Sender address rejected: Access denied: from=<senders-email@DOMAIN> to=<local-zimbra-user@domain> proto=ESMTP helo=<remote mta>
The sender will receive a returned email declaring the rejection.
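To review those reject lines rather than grep them by hand, here is an added Python example (not part of the wiki page) that parses NOQUEUE reject records from syslog-format lines like those in /var/log/zimbra.log and tallies them by cause and by sender domain. The log lines are constructed samples; real Postfix lines separate the reason from the from=/to= fields with a semicolon, and the parser accepts either that or the colon shown above.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/zimbra.log syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 27 09:58:01 mail postfix/smtpd[2311]: connect from mx1.domainx.com[198.51.100.7]
Jan 27 09:58:02 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from mx1.domainx.com[198.51.100.7]: 554 5.7.1 <bad@domainx.com>: Sender address rejected: Access denied; from=<bad@domainx.com> to=<alice@example.com> proto=ESMTP helo=<mx1.domainx.com>
Jan 27 09:58:05 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from mx1.domainx.com[198.51.100.7]: 554 5.7.1 <other@domainx.com>: Sender address rejected: Access denied; from=<other@domainx.com> to=<bob@example.com> proto=ESMTP helo=<mx1.domainx.com>
Jan 27 09:59:10 mail postfix/smtpd[2312]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 554 5.7.1 Service unavailable; Client host [203.0.113.44] blocked using zen.spamhaus.org; from=<x@spam.test> to=<alice@example.com> proto=ESMTP helo=<spam.test>
Jan 27 09:59:40 mail postfix/smtpd[2313]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<joe@example.net> to=<nobody@example.com> proto=ESMTP helo=<relay.example.net>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?)[;:] from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)>"
)

def classify(reason):
    """Map the free-text reason to the restriction that produced the reject."""
    if "Access denied" in reason:
        return "access-map"        # check_*_access entry with REJECT/5xx
    if "blocked using" in reason:
        return "rbl"               # reject_rbl_client hit
    if "Recipient address rejected" in reason:
        return "unknown-recipient" # reject_unlisted_recipient and friends
    return "other"

def parse_rejects(text):
    """Return one dict per NOQUEUE reject line; all other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["cause"] = classify(rec["reason"])
            records.append(rec)
    return records

def summarize(text):
    """Counts per cause and per (sender domain, cause): shows which map or RBL
    is doing the work and which senders keep retrying."""
    records = parse_rejects(text)
    by_cause = Counter(r["cause"] for r in records)
    by_sender_domain = Counter((r["sender"].rpartition("@")[2], r["cause"]) for r in records)
    return by_cause, by_sender_domain
```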
Discarding Emails Sent to Invalid Addresses
For ZCS 8.x and above, the correct way to do this is:
   su - zimbra
   zmlocalconfig -e postfix_smtpd_reject_unlisted_recipient=yes
   zmmtactl restart
This is a persistent (across upgrades) change.
Below is what you have to do for ZCS < 8.x.
To reject email to accounts that don't exist on your server you need to make the following change to zmmta.cf (this change does not persist and will need to be redone after each Zimbra upgrade):
   POSTCONF smtpd_reject_unlisted_recipient no
-The setting above is the default; it needs to be changed to 'yes' as in the following line:
   POSTCONF smtpd_reject_unlisted_recipient yes
-This rejects the request when the RCPT TO address is not listed in the list of valid recipients for its domain class (i.e. there is no such user account on the server). You'll also see entries in your log file showing that the message has been rejected.
If you are on 5.0.12+ and use alias domains, set postfix_enable_smtpd_policyd=yes instead. See ManagingDomains#Email_to_non-existant_accounts.
One email server I administered got 400,000 messages a day. 99.2% of them were sent to addresses that didn't exist on my domain. However, my server happily scanned all of them for spam, viruses, etc. You can configure Zimbra to reject such messages with 450, saying the address doesn't exist. In addition, once an RCPT TO: command is sent specifying an invalid address, Zimbra delays about 5 seconds before it accepts another command, slowing down the spammer.
Add the following lines to /opt/zimbra/conf/postfix_recipient_restrictions.cf:
   reject_unknown_recipient_domain
-Which rejects when:
   a) the RCPT TO address has no DNS A or MX record,
   b) Postfix is not the final destination for the recipient address, or
   c) it has a malformed MX record such as a record with a zero-length MX hostname.
   reject_unverified_recipient
-Rejects the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable.
I add these lines just after the first line, which should be reject_non_fqdn_recipient.
Restart Zimbra and enjoy. :)
--BJ Quinn
Caveat: There is a possible downside to this. Mass e-mailings to non-existent addresses at your domain are often part of a directory harvesting attack. By enabling this feature you will reveal which addresses at your domain are legitimate (through process of elimination). These will then be sold to spammers or, worse, used as sender addresses by spammers.