AGibanelBtactic-Zimbra80X-Postscreen

Revision as of 09:55, 13 November 2018 by Adrian.Gibanel (talk | contribs) (Adrian.Gibanel moved page AGibanelBtacticZimbra80XPostscreen to AGibanelBtactic-Zimbra80X-Postscreen: Better wiki indexing)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Zimbra Postscreen in ZCS 8.6, ZCS 8.5 and ZCS 8.0.x

   KB 22655        Last updated on 2018-11-13  




0.00
(0 votes)

Introduction

This article covers adding Postscreen to Zimbra 8.0.X and some clues on how to add it to Zimbra 8.5+. If you want to use Postscreen with Zimbra 8.7 please check: Zimbra Collaboration Postscreen page instead.

Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections, and decides which clients may talk to a Post-fix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.

Warning

  • This is an unofficial documentation so have a backup ready of all the files which are modified of this howto prior to applying it.
  • Be warned that these customisations might be lost while updating ZCS so please backup your modified files, just in case you need to apply these modifications after an update.

main.cf edit

As the zimbra user you should edit: /opt/zimbra/postfix/conf/main.cf file.

Add at its bottom the following:

postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = hash:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_command_count_limit = 20                                                                                                                
postscreen_dnsbl_action = ignore                                                                                                                   
                                                                   
postscreen_dnsbl_reply_map =                                                                                                                       
postscreen_dnsbl_sites =                                                                                                                           
postscreen_dnsbl_threshold = 1                                                                                                                     
postscreen_dnsbl_ttl = 1h                                                                                                                          
# Uncomment next lines on ZCS 8.5+
# postscreen_dnsbl_whitelist_threshold = 0
# postscreen_dnsbl_min_ttl = 60s
# postscreen_dnsbl_max_ttl =
# ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_greet_action = ignore                                                                                                                   
postscreen_greet_ttl = 1d                                                                                                                          
postscreen_non_smtp_command_action = drop                                                                                                          
postscreen_non_smtp_command_enable = no                                                                                                            
postscreen_non_smtp_command_ttl = 30d                                                                                                              
postscreen_pipelining_action = enforce                                                                                                             
postscreen_pipelining_enable = no                                                                                                                  
postscreen_pipelining_ttl = 30d                                                                                                                    
postscreen_watchdog_timeout = 10s                                                                                                                  
postscreen_whitelist_interfaces = static:all

About Zimbra 8.5+

You should use:

postscreen_cache_map = lmdb

instead of:

postscreen_cache_map = hash

master.cf.in edit

As the zimbra user you should edit: /opt/zimbra/postfix/conf/master.cf.in file.

First of all we need to comment these lines:

smtp inet  n - n - - smtpd
   -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust

At the same place where those lines were we will add these lines instead:

smtp      inet  n -       n       - 1 postscreen
tlsproxy  unix  - -       n       - 0 tlsproxy
dnsblog   unix  - -       n       - 0 dnsblog
smtpd     pass  - -       n       - - smtpd
   -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust


Postscreen setup improvement

This step not only enables Postscreen but improves the default setup so that its policy is more restrictive with spam. Each scenario can be different, so please tune the next values according to your own Environment.


Once again as the zimbra user you should edit: /opt/zimbra/postfix/conf/main.cf file.

Add at its bottom the following:


postscreen_dnsbl_action = enforce

postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7
   dnsbl.inps.de=127.0.0.2*7
   zen.spamhaus.org=127.0.0.[10;11]*8
   zen.spamhaus.org=127.0.0.[4..7]*6
   zen.spamhaus.org=127.0.0.3*4
   zen.spamhaus.org=127.0.0.2*3
   list.dnswl.org=127.0.[0..255].0*-2
   list.dnswl.org=127.0.[0..255].1*-3
   list.dnswl.org=127.0.[0..255].2*-4
   list.dnswl.org=127.0.[0..255].3*-5
   bl.mailspike.net=127.0.0.2*5
   bl.mailspike.net=127.0.0.[10;11;12]*4
   wl.mailspike.net=127.0.0.[18;19;20]*-2
   dnsbl.sorbs.net=127.0.0.10*8
   dnsbl.sorbs.net=127.0.0.5*6
   dnsbl.sorbs.net=127.0.0.7*3
   dnsbl.sorbs.net=127.0.0.8*2
   dnsbl.sorbs.net=127.0.0.6*2
   dnsbl.sorbs.net=127.0.0.9*2
postscreen_dnsbl_threshold = 8
# Uncomment next line on ZCS 8.5+
#postscreen_dnsbl_timeout = 10s
postscreen_dnsbl_ttl = 5m
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
# Uncomment next line on ZCS 8.5+
# and check if it gives warnings or not
# postscreen_greet_wait = ${stress?{2}:{6}}s
postscreen_helo_required = $smtpd_helo_required
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_upstream_proxy_protocol =
postscreen_upstream_proxy_timeout = 5s
postscreen_use_tls = $smtpd_use_tls

About RBLs

From Zimbra Administration Console you can setup Postfix to use RBLs by default. E.g. if an email comes from an ip which it's on a RBL then just reject it. You might want to disable that feature and just use Postscreen for that.

About Zimbra 8.7

As I said before you should check: Zimbra Collaboration Postscreen page instead. Zimbra 8.7 proper implementation of postscreen will let you to use Zimbra attributes (e.g. zimbraMtaPostscreenDnsblAction) so that your configuration does not reset after each Zimbra update. And, also, it won't require of you to edit neither main.cf file nor master.cf.in file.

Additional links

Useful links

Discarded links

Thank you

I want to thank JoBbZ from Zimbra's irc for his help on this issue.

Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 25/05/2016
Article ID: https://wiki.zimbra.com/index.php?title=AGibanelBtactic-Zimbra80X-Postscreen Date Modified: 2018-11-13



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search