AGibanelBtactic-Zimbra80X-Postscreen: Difference between revisions

(Initial article)
 
m (Adrian.Gibanel moved page AGibanelBtacticZimbra80XPostscreen to AGibanelBtactic-Zimbra80X-Postscreen: Better wiki indexing)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Zimbra Postscreen in ZCS 8.6, ZCS 8.5 and ZCS 8.0.x=
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}}}
== Introduction ==
== Introduction ==
This article covers adding Postscreen to Zimbra 8.0.X and some clues on how to add it to Zimbra 8.5+. If you want to use Postscreen with Zimbra 8.7 please check: [[Zimbra_Collaboration_Postscreen|Zimbra Collaboration Postscreen]] page instead.
This article covers adding Postscreen to Zimbra 8.0.X and some clues on how to add it to Zimbra 8.5+. If you want to use Postscreen with Zimbra 8.7 please check: [[Zimbra_Collaboration_Postscreen|Zimbra Collaboration Postscreen]] page instead.


Line 6: Line 11:


== Warning ==
== Warning ==
* This is an unofficial documentation so have a backup ready of all the files which are modified of this howto prior to applying it.
* This is an unofficial documentation so have a backup ready of all the files which are modified of this howto prior to applying it.
* Be warned that these customisations might be lost while updating ZCS so please backup your modified files, just in case you need to apply these modifications after an update.
* Be warned that these customisations might be lost while updating ZCS so please backup your modified files, just in case you need to apply these modifications after an update.


== main.cf edit ==
== main.cf edit ==
As the zimbra user you should edit: ''/opt/zimbra/postfix/conf/main.cf'' file.
As the zimbra user you should edit: ''/opt/zimbra/postfix/conf/main.cf'' file.


Add at its bottom the following:
Add at its bottom the following:
  postscreen_access_list = permit_mynetworks
  postscreen_access_list = permit_mynetworks
  postscreen_bare_newline_action = ignore
  postscreen_bare_newline_action = ignore
Line 46: Line 48:
  postscreen_watchdog_timeout = 10s                                                                                                                   
  postscreen_watchdog_timeout = 10s                                                                                                                   
  postscreen_whitelist_interfaces = static:all
  postscreen_whitelist_interfaces = static:all


=== About Zimbra 8.5+ ===
=== About Zimbra 8.5+ ===
You should use:
You should use:
  postscreen_cache_map = lmbd
  postscreen_cache_map = lmdb
instead of:
instead of:
  postscreen_cache_map = hash
  postscreen_cache_map = hash


== master.cf.in edit ==
== master.cf.in edit ==
As the zimbra user you should edit: ''/opt/zimbra/postfix/conf/master.cf.in'' file.
As the zimbra user you should edit: ''/opt/zimbra/postfix/conf/master.cf.in'' file.
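Review bot: in the "About Zimbra 8.5+" lines, the corrected value `lmdb` (like the `hash` it replaces) is a bare map type with no table path, while the main.cf block in this article sets `postscreen_cache_map = hash:$data_directory/postscreen_cache`. Suggest writing both lines out in full, e.g. `postscreen_cache_map = lmdb:$data_directory/postscreen_cache`, so the setting can be pasted as written.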


Line 79: Line 79:


== Postscreen setup improvement ==
== Postscreen setup improvement ==
This step not only enables Postscreen but improves the default setup so that its policy is more restrictive with spam. Each scenario can be different, so please tune the next values according to your own Environment.
This step not only enables Postscreen but improves the default setup so that its policy is more restrictive with spam. Each scenario can be different, so please tune the next values according to your own Environment.


Line 131: Line 130:


== About RBLs ==
== About RBLs ==
From Zimbra Administration Console you can setup Postfix to use RBLs by default. E.g. if an email comes from an ip which it's on a RBL then just reject it. You might want to disable that feature and just use Postscreen for that.
From Zimbra Administration Console you can setup Postfix to use RBLs by default. E.g. if an email comes from an ip which it's on a RBL then just reject it. You might want to disable that feature and just use Postscreen for that.


== About Zimbra 8.7 ==
== About Zimbra 8.7 ==
As I said before you should check: [[Zimbra_Collaboration_Postscreen|Zimbra Collaboration Postscreen]] page instead. Zimbra 8.7 proper implementation of postscreen will let you to use Zimbra attributes (e.g. ''zimbraMtaPostscreenDnsblAction'') so that your configuration does not reset after each Zimbra update. And, also, it won't require of you to edit neither ''main.cf'' file nor ''master.cf.in'' file.
As I said before you should check: [[Zimbra_Collaboration_Postscreen|Zimbra Collaboration Postscreen]] page instead. Zimbra 8.7 proper implementation of postscreen will let you to use Zimbra attributes (e.g. ''zimbraMtaPostscreenDnsblAction'') so that your configuration does not reset after each Zimbra update. And, also, it won't require of you to edit neither ''main.cf'' file nor ''master.cf.in'' file.


Line 144: Line 141:
* [http://www.postfix.org/POSTSCREEN_README.html Postfix Postscreen Howto]
* [http://www.postfix.org/POSTSCREEN_README.html Postfix Postscreen Howto]
* [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen Zimbra Collaboration Postscreen]
* [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen Zimbra Collaboration Postscreen]
=== Discarded links ===
=== Discarded links ===
* [https://github.com/thangnguyennang/zimbra-postscreen/ Github - zimbra-postscreen]
* [https://github.com/thangnguyennang/zimbra-postscreen/ Github - zimbra-postscreen]
Line 150: Line 148:


== Thank you ==
== Thank you ==
I want to thank JoBbZ from Zimbra's irc for his help on this issue.


I want to thank JoBbZ from Zimbra's irc for his help on this issue.
{{Article Footer|Zimbra Collaboration 8.6, 8.5, 8.0|25/05/2016}}
 
[[Category: Postscreen]]

Latest revision as of 09:55, 13 November 2018

Zimbra Postscreen in ZCS 8.6, ZCS 8.5 and ZCS 8.0.x

KB 22655. Last updated on 2018-11-13





Introduction

This article covers adding Postscreen to Zimbra 8.0.X and some clues on how to add it to Zimbra 8.5+. If you want to use Postscreen with Zimbra 8.7 please check: Zimbra Collaboration Postscreen page instead.

Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients and delays the onset of server overload conditions.

Warning

  • This is unofficial documentation, so back up all the files this howto modifies before applying it.
  • These customisations might be lost when updating ZCS, so please back up your modified files in case you need to reapply the modifications after an update.

main.cf edit

As the zimbra user, edit the /opt/zimbra/postfix/conf/main.cf file.

Add at its bottom the following:

postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = hash:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_command_count_limit = 20
postscreen_dnsbl_action = ignore
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
# Uncomment next lines on ZCS 8.5+
# postscreen_dnsbl_whitelist_threshold = 0
# postscreen_dnsbl_min_ttl = 60s
# postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_greet_action = ignore
postscreen_greet_ttl = 1d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all

About Zimbra 8.5+

You should use:

postscreen_cache_map = lmdb:$data_directory/postscreen_cache

instead of:

postscreen_cache_map = hash:$data_directory/postscreen_cache

master.cf.in edit

As the zimbra user, edit the /opt/zimbra/postfix/conf/master.cf.in file.

First of all we need to comment out these lines:

smtp inet  n - n - - smtpd
   -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust

At the same place where those lines were we will add these lines instead:

smtp      inet  n -       n       - 1 postscreen
tlsproxy  unix  - -       n       - 0 tlsproxy
dnsblog   unix  - -       n       - 0 dnsblog
smtpd     pass  - -       n       - - smtpd
   -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust


Postscreen setup improvement

This step not only enables Postscreen but also improves the default setup so that its policy is more restrictive with spam. Each scenario can be different, so please tune the following values according to your own environment.

Once again, as the zimbra user, edit the /opt/zimbra/postfix/conf/main.cf file.

Add at its bottom the following:


postscreen_dnsbl_action = enforce

postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7
   dnsbl.inps.de=127.0.0.2*7
   zen.spamhaus.org=127.0.0.[10;11]*8
   zen.spamhaus.org=127.0.0.[4..7]*6
   zen.spamhaus.org=127.0.0.3*4
   zen.spamhaus.org=127.0.0.2*3
   list.dnswl.org=127.0.[0..255].0*-2
   list.dnswl.org=127.0.[0..255].1*-3
   list.dnswl.org=127.0.[0..255].2*-4
   list.dnswl.org=127.0.[0..255].3*-5
   bl.mailspike.net=127.0.0.2*5
   bl.mailspike.net=127.0.0.[10;11;12]*4
   wl.mailspike.net=127.0.0.[18;19;20]*-2
   dnsbl.sorbs.net=127.0.0.10*8
   dnsbl.sorbs.net=127.0.0.5*6
   dnsbl.sorbs.net=127.0.0.7*3
   dnsbl.sorbs.net=127.0.0.8*2
   dnsbl.sorbs.net=127.0.0.6*2
   dnsbl.sorbs.net=127.0.0.9*2
postscreen_dnsbl_threshold = 8
# Uncomment next line on ZCS 8.5+
#postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_ttl = 5m
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
# Uncomment next line on ZCS 8.5+
# and check if it gives warnings or not
# postscreen_greet_wait = ${stress?{2}:{6}}s
postscreen_helo_required = $smtpd_helo_required
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_upstream_proxy_protocol =
postscreen_upstream_proxy_timeout = 5s
postscreen_use_tls = $smtpd_use_tls
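To help with tuning the weights above, here is an added example (not part of the original article or of Postfix) that parses a subset of the article's postscreen_dnsbl_sites entries and computes a client's combined score against postscreen_dnsbl_threshold = 8. It assumes each entry whose filter matches at least one returned A record adds its weight once; the reply dictionaries passed to it are constructed sample data.

```python
import re
# Subset of the article's postscreen_dnsbl_sites entries (copied from the block above).
SITES = """
b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
list.dnswl.org=127.0.[0..255].3*-5
bl.mailspike.net=127.0.0.2*5
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the article

def parse_sites(text):
    """Split 'domain[=filter][*weight]' items; weight defaults to 1."""
    entries = []
    for item in text.split():
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item)
        if m is None:
            raise ValueError(f"bad entry: {item}")
        entries.append((m.group(1), m.group(2), int(m.group(3) or 1)))
    return entries

def octet_matches(pattern, value):
    """pattern is a number or a bracket list such as [10;11] or [4..7]."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, addr):
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)  # four octet patterns
    octets = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octets))

def dnsbl_score(entries, replies):
    """replies maps a DNSBL domain to the A records it returned (absent = not listed)."""
    score = 0
    for domain, filt, weight in entries:
        addrs = replies.get(domain, [])
        if addrs and (filt is None or any(reply_matches(filt, a) for a in addrs)):
            score += weight  # assumed: each matching entry counts once
    return score

def is_blocked(replies):
    return dnsbl_score(parse_sites(SITES), replies) >= THRESHOLD
```

With these weights a zen.spamhaus.org reply of 127.0.0.10 or 127.0.0.11 reaches the threshold on its own, while a list.dnswl.org hit at -5 pulls a Barracuda-only listing (7) down to 2.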

About RBLs

From the Zimbra Administration Console you can set up Postfix to use RBLs by default, e.g. if an email comes from an IP which is on an RBL, then just reject it. You might want to disable that feature and just use Postscreen for that.

About Zimbra 8.7

As I said before, you should check the Zimbra Collaboration Postscreen page instead. The proper implementation of postscreen in Zimbra 8.7 lets you use Zimbra attributes (e.g. zimbraMtaPostscreenDnsblAction) so that your configuration is not reset after each Zimbra update. It also does not require you to edit either the main.cf file or the master.cf.in file.

Additional links

Useful links

Discarded links

Thank you

I want to thank JoBbZ from Zimbra's irc for his help on this issue.

Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 25/05/2016
Article ID: https://wiki.zimbra.com/index.php?title=AGibanelBtactic-Zimbra80X-Postscreen Date Modified: 2018-11-13


