AGibanelBtactic-Zimbra80X-Postscreen
Zimbra Postscreen in ZCS 8.6, ZCS 8.5 and ZCS 8.0.x
Introduction
This article covers adding Postscreen to Zimbra 8.0.X and some clues on how to add it to Zimbra 8.5+. If you want to use Postscreen with Zimbra 8.7 please check: Zimbra Collaboration Postscreen page instead.
Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients and delays the onset of server overload conditions.
Warning
- This is unofficial documentation, so have a backup of every file this howto modifies ready before applying it.
- These customisations may be lost when ZCS is updated, so keep your modified files backed up in case you need to reapply the changes after an update.
main.cf edit
As the zimbra user, edit the file /opt/zimbra/postfix/conf/main.cf.
Add the following at its bottom. Apart from the cache map, these values are Postfix's built-in defaults: with every postscreen_*_action set to ignore, postscreen only logs what it sees, which makes this first block a safe way to enable it and observe the postscreen lines in the mail log before enforcing anything.
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = hash:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_command_count_limit = 20
postscreen_dnsbl_action = ignore
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
# Uncomment next lines on ZCS 8.5+
# postscreen_dnsbl_whitelist_threshold = 0
# postscreen_dnsbl_min_ttl = 60s
# postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_greet_action = ignore
postscreen_greet_ttl = 1d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
About Zimbra 8.5+
The Postfix shipped with ZCS 8.5+ uses LMDB maps, so the cache map type must change. Use:
postscreen_cache_map = lmdb:$data_directory/postscreen_cache
instead of:
postscreen_cache_map = hash:$data_directory/postscreen_cache
master.cf.in edit
As the zimbra user, edit the file /opt/zimbra/postfix/conf/master.cf.in (the template from which Zimbra generates master.cf; editing master.cf directly would be overwritten).
First of all we need to comment out these lines:
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment SERVICE:opendkim%%    -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%%    -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%%    -o smtpd_proxy_options=speed_adjust
In the same place where those lines were, add these lines instead. The port 25 listener now runs postscreen, which hands the clients it accepts to smtpd through the new "pass" entry; tlsproxy and dnsblog are the helper services postscreen uses for TLS sessions and DNSBL lookups:
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
smtpd     pass  -       -       n       -       -       smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment SERVICE:opendkim%%    -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%%    -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%%    -o smtpd_proxy_options=speed_adjust
After saving, restart the MTA as the zimbra user (zmmtactl restart) so that master.cf is regenerated from the template and postscreen takes over port 25. Confirm it is working by looking for postfix/postscreen lines in the mail log when a client connects.
Postscreen setup improvement
This step not only enables Postscreen but also tightens the default setup so that its policy is more restrictive towards spam. Every environment is different, so tune the values below to your own. Note that the DNSBLs used here have terms of use: zen.spamhaus.org does not answer queries that arrive through public resolvers, and b.barracudacentral.org expects you to register your resolver's IP address first, so query them from a local resolver and check each list's conditions before relying on it.
Once again as the zimbra user, edit the file /opt/zimbra/postfix/conf/main.cf.
Add the following at its bottom. Several of these keys were already set in the first block; Postfix keeps the last value of a key (postconf will warn about the earlier entries being overridden), which is what turns the "ignore" settings above into "enforce" here:
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
    bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    dnsbl.sorbs.net=127.0.0.10*8
    dnsbl.sorbs.net=127.0.0.5*6
    dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2
postscreen_dnsbl_threshold = 8
# Uncomment next line on ZCS 8.5+
#postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_ttl = 5m
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
# Uncomment next line on ZCS 8.5+
# and check if it gives warnings or not
# postscreen_greet_wait = ${stress?{2}:{6}}s
postscreen_helo_required = $smtpd_helo_required
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_upstream_proxy_protocol =
postscreen_upstream_proxy_timeout = 5s
postscreen_use_tls = $smtpd_use_tls
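To see why the threshold above is 8 and why a single listing on one DNSBL is not enough to get a client dropped, here is an added example that resolves the effective settings from a main.cf edited the way this howto does (a defaults block followed by the enforce block, last value wins) and replays postscreen's weighted DNSBL scoring against constructed lookup results. This is example code written for this page, not code from the Zimbra wiki or from Postfix; the scoring rule it implements (each domain=filter*weight entry adds its weight once when any A record returned by that DNSBL matches its filter, and the sum is compared with postscreen_dnsbl_threshold) is this example's reading of postconf(5), and the main.cf excerpt and DNSBL replies are constructed, not captured from a real server.

```python
"""Effective postscreen DNSBL settings from a main.cf with duplicate keys, plus
a replay of postscreen's weighted scoring against constructed DNSBL replies.
Added example for this howto, not Zimbra or Postfix code; the scoring rule is
this example's reading of postconf(5) and all inputs below are constructed."""
import re

# Constructed main.cf excerpt: the howto's first ("ignore") block followed by
# the enforce block. Postfix keeps the LAST assignment of each key.
MAIN_CF = """\
postscreen_dnsbl_action = ignore
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    b.barracudacentral.org=127.0.0.2*7
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    bl.mailspike.net=127.0.0.2*5
postscreen_dnsbl_threshold = 8
"""


def parse_main_cf(text):
    """Return (effective, overridden): last-wins key/value map plus the keys
    that were assigned more than once. Continuation lines start with
    whitespace, as in Postfix; comments and blank lines are skipped."""
    effective, seen, overridden, key = {}, set(), [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:          # continuation of the previous value
            effective[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        if key in seen:
            overridden.append(key)
        seen.add(key)
        effective[key] = value.strip()
    return effective, overridden


def _octet_matches(pattern, octet):
    """One filter octet: a plain number, or [a;b;c..d] with ';'-separated
    numbers and number..number ranges."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False


def filter_matches(filt, addr):
    """Match a d.d.d.d filter (each d a number or a [...] set) against one A record."""
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and all(_octet_matches(p, o) for p, o in zip(pats, octets))


def parse_sites(value):
    """postscreen_dnsbl_sites value -> list of (domain, filter or None, weight)."""
    sites = []
    for entry in value.split():
        domain, _, rest = entry.partition("=")
        filt, _, weight = rest.partition("*")
        sites.append((domain, filt or None, int(weight) if weight else 1))
    return sites


def dnsbl_score(sites, replies):
    """replies: {domain: [A records returned for the client]} (NXDOMAIN omitted).
    Each site entry adds its weight once if any returned record matches its filter."""
    score = 0
    for domain, filt, weight in sites:
        for addr in replies.get(domain, []):
            if filt is None or filter_matches(filt, addr):
                score += weight
                break
    return score


def verdict(config, replies):
    """Return (score, action): the configured action once the score reaches the
    threshold, otherwise 'pass' (the client goes on to the other postscreen tests)."""
    sites = parse_sites(config["postscreen_dnsbl_sites"])
    score = dnsbl_score(sites, replies)
    threshold = int(config["postscreen_dnsbl_threshold"])
    action = config["postscreen_dnsbl_action"] if score >= threshold else "pass"
    return score, action


if __name__ == "__main__":
    cfg, dup = parse_main_cf(MAIN_CF)
    print("keys set twice (postconf warns about these):", dup)
    # Constructed clients: zen returns 127.0.0.2 and 127.0.0.4 (3+6=9, dropped);
    # a barracuda-only hit (7, below 8); barracuda offset by a dnswl entry (7-3=4).
    for name, replies in {
        "zen-sbl+xbl": {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]},
        "barracuda-only": {"b.barracudacentral.org": ["127.0.0.2"]},
        "barracuda+dnswl": {"b.barracudacentral.org": ["127.0.0.2"],
                            "list.dnswl.org": ["127.0.10.1"]},
    }.items():
        print(name, verdict(cfg, replies))
```

Run it as a plain script; it prints the three duplicated keys and the verdict for each constructed client. The point to take away is that with a threshold of 8 a client has to be listed on more than one list, or on a high-weight zen return code, before postscreen drops it, and that a dnswl listing pulls the score back down.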
About RBLs
From the Zimbra Administration Console you can set Postfix to use RBLs directly (these become reject_rbl_client restrictions in smtpd): if an email comes from an IP that is on an RBL, the message is rejected. Those checks run in smtpd after postscreen has already admitted the client, so they duplicate the DNSBL lookups above and lose the weighted scoring; you might want to disable that feature and let Postscreen handle RBLs instead.
About Zimbra 8.7
As I said before, you should check the Zimbra Collaboration Postscreen page instead. Zimbra 8.7's proper implementation of postscreen lets you use Zimbra attributes (e.g. zimbraMtaPostscreenDnsblAction), so your configuration is not reset after each Zimbra update, and it does not require editing either main.cf or master.cf.in.
Additional links
Useful links
- Jorge de la Cruz - Blog - Zimbra Collaboration Suite 8.7 ya la puedes descargar
- Postfix Postscreen Howto
- Zimbra Collaboration Postscreen
Discarded links
- Github - zimbra-postscreen
- Postfix Installation From Source Code
- Installing Postfix on Ubuntu using SQLite
Thank you
I want to thank JoBbZ from Zimbra's IRC for his help on this issue.