Difference between revisions of "Ajcody-MTA-Postfix-Topics"

m (Understanding /var/log/zimbra.log And Postfix Log Events)
m
 
(18 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Unsupported}}{| width="100%" border="0"
+
{{BC|Zeta Alliance}}                         <!-- Note, this will also add [[Category: Zeta Alliance]] to bottom of wiki page. -->
| bgcolor="orange" | [[Image:Attention.png]] - This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.
+
__FORCETOC__                              <!-- Will force a TOC regards of size of article. __NOTOC__ if no TOC is wanted. -->
|}
+
<div class="col-md-12 ibox-content">
 +
= Ajcody MTA Postfix Topics=            <!-- Normally will reflect page title. Is listed at very top of page. -->
 +
{{KB|{{ZETA}}|{{ZCS 8.5}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}            <!-- Can only handle 3 ZCS versions. -->
 +
{{WIP}}                                                <!-- For pages that are "work in progress". -->
 +
 
  
 
==Postfix - MTA==
 
==Postfix - MTA==
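Review bot: the added line <div class="col-md-12 ibox-content"> opens a wrapper that has no matching </div> anywhere in this hunk, so it stays open unless it is closed further down the page. Add the closing tag at the end of the article or drop the wrapper. The added template lines also keep their scaffolding comments ("Normally will reflect page title...", "Can only handle 3 ZCS versions.", 'For pages that are "work in progress".'). These are instructions to the editor rather than page content and can be removed. The {{KB|...|}} call ends with an empty trailing parameter that looks unintended.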
Line 26: Line 30:
  
 
====Authentication Log Events====
 
====Authentication Log Events====
 +
 +
Moved to [[Understanding_And_Troubleshooting_Authentication_Log_Events]]
  
 
=====IMAP And Authenticated SMTP [SSL] Example=====
 
=====IMAP And Authenticated SMTP [SSL] Example=====
  
* '''''For the examples below, the ZCS server being used has an ip address of 10.137.27.32 .'''''
+
Moved to [[Understanding_And_Troubleshooting_Authentication_Log_Events#IMAP_And_Authenticated_SMTP_.5BSSL.5D_Example]]
* '''Note, I included the client IP address [10.16.245.217] of the IMAP client and also the -C2 flag for egrep to show 2 lines proceeding and after the match for ip and username. I also trimmed the output using the time I did the initial IMAP setup and used the -F option for grep because of the : character. [ | grep -F 'Jun  4 08:4' ] '''
 
  
Using the test account above, ajcody@ , I configured it to use IMAP [Use SSL option] and authenticated SMTP [SSL and "password" option] with Apple's Mail.App.  My initially login creates these authentication events below.
+
======IMAP Test Via Telnet And Logging Events Of It - Proxy Included======
  
First, to give you a general impression what logs will hold information on a username and the ip address the client is connection from. The -l option for grep/egrep will just list the files names that have a math to the search.
+
Moved to [[Understanding_And_Troubleshooting_Authentication_Log_Events#IMAP_Test_Via_Telnet_And_Logging_Events_Of_It_-_Proxy_Included]]
  
<pre>
+
======IMAP Login Via Openssl - LOGIN TLS - Proxy Included======
[root@zcs723 log]# egrep -l 'ajcody|10.16.245.217' /opt/zimbra/log/*
 
/opt/zimbra/log/2013_05_31.trace.log  << Because of my ZWC login session
 
/opt/zimbra/log/2013_06_04.trace.log  << Because of my ZWC login session
 
/opt/zimbra/log/access_log.2013-05-31 << Because of my ZWC login session
 
/opt/zimbra/log/access_log.2013-06-04 << Because of my ZWC login session
 
/opt/zimbra/log/audit.log
 
/opt/zimbra/log/mailbox.log
 
  
[root@zcs723 log]# egrep -l 'ajcody|10.16.245.217' /var/log/*
+
Moved to [[Understanding_And_Troubleshooting_Authentication_Log_Events#IMAP_Login_Via_Openssl_-_LOGIN_TLS_-_Proxy_Included]]
## Removed not related matches because I've sshd into the server
 
/var/log/maillog
 
/var/log/maillog-20130602
 
/var/log/messages
 
/var/log/messages-20130602
 
/var/log/zimbra.log
 
</pre>
 
  
Now to see what the events are. In the /opt/zimbra/log/audit.log file we have:
+
===Network Tracing Between A Remote Host And A ZCS MTA===
  
<pre>
+
Moved to [[Network_Tracing_Between_A_Remote_Host_And_A_ZCS_MTA]]
# grep egrep -C2 'ajcody|10.16.245.217' /opt/zimbra/log/audit.log | grep -F 'Jun  4 08:4'
 
    [cut out prior events]
 
2013-06-04 08:43:01,943 INFO  [ImapServer-1] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;
 
2013-06-04 08:43:04,031 INFO  [ImapServer-2] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;
 
2013-06-04 08:43:07,078 INFO  [ImapServer-3] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]  
 
  security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;
 
2013-06-04 08:43:09,437 INFO  [ImapServer-4] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;
 
2013-06-04 08:43:11,645 INFO  [ImapServer-5] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]  
 
  security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;
 
</pre>
 
  
And in the /var/log/zimbra.log :
+
===Finding Messages - zmmsgtrace===
  
<pre>
+
See the following for details [for 7.1.1+]:
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' zimbra.log | grep -F 'Jun  4 08:4'
+
* zmmsgtrace replacement
    [cut out prior events]
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=41078
Jun  4 08:42:07 zcs723 zmmailboxdmgr[1389]: status requested
 
Jun  4 08:42:07 zcs723 zmmailboxdmgr[1389]: status OK
 
Jun  4 08:42:27 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:28 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: SSL_accept error from unknown[10.16.245.217]: -1
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: lost connection after STARTTLS from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:31 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:31 zcs723 postfix/smtpd[1487]: Anonymous TLS connection established from unknown[10.16.245.217]:
 
  TLSv1 with cipher AES128-SHA (128/128 bits)
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: Anonymous TLS connection established from unknown[10.16.245.217]:
 
  TLSv1 with cipher AES128-SHA (128/128 bits)
 
--
 
Jun  4 08:42:33 zcs723 saslauthd[8077]: auth_zimbra: ajcody auth OK
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1497]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1487]: lost connection after EHLO from unknown[10.16.245.217]
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:43:01 zcs723 zmmailboxdmgr[1583]: status requested
 
Jun  4 08:43:01 zcs723 zmmailboxdmgr[1583]: status OK
 
--
 
Jun  4 08:45:08 zcs723 zmmailboxdmgr[2353]: status requested
 
Jun  4 08:45:08 zcs723 zmmailboxdmgr[2353]: status OK
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection rate 3/60s for
 
  (smtp:10.16.245.217) at Jun  4 08:42:32
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection count 2 for
 
  (smtp:10.16.245.217) at Jun  4 08:42:32
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max cache size 1 at Jun  4 08:42:27
 
Jun  4 08:46:07 zcs723 zmmailboxdmgr[2706]: status requested
 
</pre>
 
  
In the /opt/zimbra/log/mailbox.log :
+
Documentation at [[CLI_zmmsgtrace]] . Note, if you get command not found as the zimbra user, try /opt/zimbra/libexec/zmmsgtrace instead.
  
<pre>
+
===How To Increase SMTP Debug Logging - MTA===
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' mailbox.log | grep -F 'Jun  4 08:4'
 
  
2013-06-04 08:43:00,343 INFO  [ImapServer-1] [] imap - [10.16.245.217] connected
+
Moved to [[How_To_Increase_SMTP_Debug_Logging_-_MTA]]
2013-06-04 08:43:01,999 INFO  [ImapServer-1] [name=ajcody@zcs723.EXAMPLE.com;ip=10.16.245.217;
 
  ua=Mac OS X Mail/6.2 (1499);] imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]
 
2013-06-04 08:43:02,640 INFO  [ImapServer-2] [] imap - [10.16.245.217] connected
 
2013-06-04 08:43:04,031 INFO  [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]
 
2013-06-04 08:43:04,721 WARN  [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  ConfigurationFactory - No configuration found. Configuring ehcache from ehcache-failsafe.xml 
 
  found in the classpath:
 
  jar:file:/opt/zimbra/jetty-6.1.22.z6/webapps/service/WEB-INF/lib/ehcache-core-2.5.1.jar!/ehcache-failsafe.xml
 
2013-06-04 08:43:05,010 WARN  [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]  
 
  ConfigurationFactory - No configuration found. Configuring ehcache from ehcache-failsafe.xml 
 
  found in the classpath:
 
  jar:file:/opt/zimbra/jetty-6.1.22.z6/webapps/service/WEB-INF/lib/ehcache-core-2.5.1.jar!/ehcache-failsafe.xml
 
2013-06-04 08:43:05,420 INFO  [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  imap - selected folder INBOX
 
2013-06-04 08:43:05,922 INFO  [ImapServer-3] [] imap - [10.16.245.217] connected
 
2013-06-04 08:43:07,390 INFO  [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]
 
2013-06-04 08:43:08,220 INFO  [ImapServer-4] [] imap - [10.16.245.217] connected
 
2013-06-04 08:43:09,437 INFO  [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]
 
2013-06-04 08:43:10,395 INFO  [ImapServer-1] [] imap - dropping connection for user
 
  ajcody@zcs723.EXAMPLE.com (server-initiated)
 
2013-06-04 08:43:10,395 INFO  [ImapServer-1] [] ProtocolHandler - Handler exiting normally
 
2013-06-04 08:43:10,447 INFO  [ImapServer-5] [] imap - [10.16.245.217] connected
 
2013-06-04 08:43:11,645 INFO  [ImapServer-5] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);]
 
  imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]
 
2013-06-04 08:43:12,521 INFO  [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Contacts
 
2013-06-04 08:43:12,685 INFO  [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Emailed Contacts
 
2013-06-04 08:43:13,813 INFO  [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Junk
 
2013-06-04 08:43:13,971 INFO  [ImapServer-5] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Sent
 
2013-06-04 08:43:15,614 INFO  [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Trash
 
2013-06-04 08:43:16,694 INFO  [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;mid=15;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Chats
 
2013-06-04 08:43:17,211 INFO  [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Emailed Contacts
 
2013-06-04 08:43:17,344 INFO  [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;mid=15;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Drafts
 
2013-06-04 08:43:17,358 INFO  [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;mid=15;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder INBOX
 
2013-06-04 08:43:17,840 INFO  [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;
 
  ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Emailed Contacts
 
2013-06-04 08:44:00,813 INFO  [MailboxPurge] [name=ajcody@zcs723.EXAMPLE.com;mid=15;]
 
  purge - Purging messages.
 
2013-06-04 08:44:41,428 INFO  [btpool0-28://zcs723.EXAMPLE.com/service/soap/NoOpRequest]
 
  [name=ajcody2@zcs723.EXAMPLE.com;mid=16;ip=10.16.245.217;ua=ZimbraWebClient - [unknown] (Win)/0.0;]
 
  soap - NoOpRequest elapsed=0
 
2013-06-04 08:45:00,818 INFO  [MailboxPurge] [name=ajcody2@zcs723.EXAMPLE.com;mid=16;]
 
  purge - Purging messages.
 
</pre>
 
  
The /var/log/messages and /var/log/maillog had the same events:
+
===Simple Troubleshooting For SMTP Via Telnet, Openssl===
  
<pre>
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl]]
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' /var/log/messages | grep -F 'Jun  4 08:42'
 
Jun  4 08:42:07 zcs723 zmmailboxdmgr[1389]: status requested
 
Jun  4 08:42:07 zcs723 zmmailboxdmgr[1389]: status OK
 
Jun  4 08:42:27 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:28 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: SSL_accept error from unknown[10.16.245.217]: -1
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: lost connection after STARTTLS from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:31 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:31 zcs723 postfix/smtpd[1487]: Anonymous TLS connection established
 
  from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: Anonymous TLS connection established
 
  from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1497]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1487]: lost connection after EHLO from unknown[10.16.245.217]
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection rate 3/60s
 
  for (smtp:10.16.245.217) at Jun  4 08:42:32
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection count 2
 
  for (smtp:10.16.245.217) at Jun  4 08:42:32
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max cache size 1 at Jun  4 08:42:27
 
  
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' /var/log/maillog | grep -F 'Jun  4 08:42'
+
====First - Understanding Your Authentication Requirements In ZCS====
Jun  4 08:42:07 zcs723 zmmailboxdmgr[1389]: status requested
 
Jun  4 08:42:07 zcs723 zmmailboxdmgr[1389]: status OK
 
Jun  4 08:42:27 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:28 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: SSL_accept error from unknown[10.16.245.217]: -1
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: lost connection after STARTTLS from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:42:30 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:31 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:31 zcs723 postfix/smtpd[1487]: Anonymous TLS connection established
 
  from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: connect from unknown[10.16.245.217]
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: setting up TLS connection from unknown[10.16.245.217]
 
Jun  4 08:42:32 zcs723 postfix/smtpd[1497]: Anonymous TLS connection established
 
  from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1497]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1487]: lost connection after EHLO from unknown[10.16.245.217]
 
Jun  4 08:42:34 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection rate 3/60s
 
  for (smtp:10.16.245.217) at Jun  4 08:42:32
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection count 2
 
  for (smtp:10.16.245.217) at Jun  4 08:42:32
 
Jun  4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max cache size 1 at Jun  4 08:42:27
 
</pre>
 
  
======IMAP Test Via Telnet And Logging Events Of It - Proxy Included======
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#First_-_Understanding_Your_Authentication_Requirements_In_ZCS]]
  
<pre>
+
====Second - Encoding Username And Passwords For AUTH Sequence====
  
### TELNET FROM CLIENT ###
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#Second_-_Encoding_Username_And_Passwords_For_AUTH_Sequence]]
# telnet zcs806.DOMAIN.com 143
 
Trying 192.168.27.36...
 
Connected to zcs806.DOMAIN.com.
 
Escape character is '^]'.
 
* OK IMAP4 ready
 
01 LOGIN proxylogtest@zcs806.DOMAIN.com [REPLACE WITH ACCT PASSWORD]
 
01 OK [CAPABILITY IMAP4rev1 ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT
 
I18NLEVEL=1 ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ LOGIN-REFERRALS MULTIAPPEND
 
NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT
 
UIDPLUS UNSELECT WITHIN XLIST] LOGIN completed
 
01 logout
 
  
### LOGS ON ZCS SERVER ###
+
====For ESMTP Auth is LOGIN - Example====
  
[zimbra@zcs806 log]$ egrep "192\.168\.27\.37|proxylogtest" *
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#For_ESMTP_Auth_is_LOGIN_-_Example]]
  
nginx.log:2014/02/28 09:32:16 [info] 25611#0: *2595 client 192.168.27.37 connected to 0.0.0.0:143
+
====For ESMTP Auth is Plain - Example====
nginx.log:2014/02/28 09:32:38 [info] 25611#0: *2595 client logged in, client: 192.168.27.37,
 
      server: 0.0.0.0:143, login: "proxylogtest@zcs806.DOMAIN.com", upstream: 192.168.27.36:7993
 
      (192.168.27.37:45080-192.168.27.36:143) <=> (192.168.27.36:53326-192.168.27.36:7993)
 
  
audit.log:2014-02-28 09:32:35,532 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#For_ESMTP_Auth_is_Plain_-_Example]]
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] security - cmd=Auth;
 
      account=proxylogtest@zcs806.DOMAIN.com; protocol=imap;
 
  
mailbox.log:2014-02-28 09:32:35,527 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37; 
+
====For TLS/SSL - Example====
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] imap - ID elapsed=8
 
mailbox.log:2014-02-28 09:32:35,743 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailbox - Creating database
 
      mboxgroup50
 
mailbox.log:2014-02-28 09:32:37,986 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailbox -
 
      Creating mailbox with id 50 and group id 50 for proxylogtest@zcs806.DOMAIN.com.
 
mailbox.log:2014-02-28 09:32:37,986 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] cache - initializing folder
 
      and tag caches for mailbox 50
 
mailbox.log:2014-02-28 09:32:37,987 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder ROOT:
 
      id=11, parentId=11.
 
mailbox.log:2014-02-28 09:32:38,010 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Tags:
 
      id=8, parentId=11.
 
mailbox.log:2014-02-28 09:32:38,011 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder
 
      Conversations: id=9, parentId=11.
 
mailbox.log:2014-02-28 09:32:38,011 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder
 
      Comments: id=17, parentId=11.
 
mailbox.log:2014-02-28 09:32:38,012 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder
 
      USER_ROOT: id=1, parentId=11.
 
mailbox.log:2014-02-28 09:32:38,012 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Inbox:
 
      id=2, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,013 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Trash:
 
      id=3, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,013 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Junk:
 
      id=4, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,014 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Sent:
 
      id=5, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,014 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Drafts:
 
      id=6, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,015 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Contacts:
 
      id=7, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,023 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Calendar:
 
      id=10, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,023 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Tasks:
 
      id=15, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,024 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder
 
      Emailed Contacts: id=13, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,024 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder
 
      Chats: id=14, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,025 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder
 
      Briefcase: id=16, parentId=1.
 
mailbox.log:2014-02-28 09:32:38,038 INFO  [Index-8] [name=proxylogtest@zcs806.DOMAIN.com;mid=50;]
 
      index - Batch complete processed=0,failed=0,elapsed=1 (0.00 items/sec)
 
mailbox.log:2014-02-28 09:32:38,071 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] index - OpenLuceneIndex
 
      impl=NIOFSDirectory,dir=/opt/zimbra/index/0/50/index/0
 
mailbox.log:2014-02-28 09:32:38,071 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
 
      via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mbxmgr - Mailbox 50
 
      account 0028aab0-3d17-4c51-aad8-da7500247079 CREATED
 
mailbox.log:2014-02-28 09:32:38,079 INFO  [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;
 
      ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
      imap - user proxylogtest@zcs806.DOMAIN.com authenticated, mechanism=LOGIN [TLS]
 
mailbox.log:2014-02-28 09:32:38,079 INFO  [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;
 
      ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
      imap - LOGIN elapsed=2550
 
mailbox.log:2014-02-28 09:32:46,258 WARN  [ImapSSLServer-16] [name=proxylogtest@zcs806.DOMAIN.com;
 
      ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
      imap - BAD parse error: command not implemented
 
mailbox.log:2014-02-28 09:32:46,258 INFO  [ImapSSLServer-16] [name=proxylogtest@zcs806.DOMAIN.com;
 
      ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
      imap - EXIT elapsed=1
 
mailbox.log:2014-02-28 09:32:48,648 WARN  [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;
 
      ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
      imap - BAD parse error: command not implemented
 
mailbox.log:2014-02-28 09:32:48,648 INFO  [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;
 
      ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
      imap - QUIT elapsed=1
 
</pre>
 
  
======IMAP Login Via Openssl - LOGIN TLS - Proxy Included======
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#For_TLS.2FSSL_-_Example]]
  
You would run from the CLI:
+
=====Testing Against Port 465=====
  
<pre> openssl s_client -crlf -connect zcs806.DOMAIN.com:993</pre>
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#Testing_Against_Port_465]]
  
Once it shows  "* OK IMAP4 ready" you'll be able to give the login command:
+
====To Confirm An Auth User Can't Send With Another FROM Address====
  
<pre>tag login proxylogtest@zcs806.DOMAIN.com PASSWORD</pre>
+
Moved to [[Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#To_Confirm_An_Auth_User_Can.27t_Send_With_Another_FROM_Address]]
  
Another good example of this is at [http://delog.wordpress.com/2011/05/10/access-imap-server-from-the-command-line-using-openssl/ Access IMAP server from the command line using OpenSSL]
+
===Adding A New MTA Server===
  
The log events for this are:
+
Basic instructions can be found here:
 +
* http://www.zimbra.com/docs/ne/latest/multi_server_install/toc.html
 +
** See "Installing Zimbra MTA on a Server"
  
<pre>
+
Additional instructions needed beyond the above will follow as I hear about them.
$ egrep "192\.168\.27\.37|proxylogtest" * | grep "28 10"
 
  
audit.log:2014-02-28 10:37:51,207 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
+
===Load Balancing For SMTP - Out Bound Mail===
    via=192.168.27.36(nginx/1.2.0-zimbra); ua=Zimbra/8.0.6_GA_5922;] security - cmd=Auth;
 
    account=proxylogtest@zcs806.DOMAIN.com; protocol=imap;
 
  
mailbox.log:2014-02-28 10:37:51,204 INFO  [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;
+
Currently, '''5.x code''', you have the following options:
    via=192.168.27.36(nginx/1.2.0-zimbra); ua=Zimbra/8.0.6_GA_5922;] imap - ID elapsed=1
 
mailbox.log:2014-02-28 10:37:51,207 INFO  [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;
 
    ip=192.168.27.36;oip=192.168.27.37; via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
    imap - user proxylogtest@zcs806.DOMAIN.com authenticated, mechanism=LOGIN [TLS]
 
mailbox.log:2014-02-28 10:37:51,207 INFO  [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;
 
    ip=192.168.27.36;oip=192.168.27.37; via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
    imap - LOGIN elapsed=2
 
mailbox.log:2014-02-28 10:38:10,132 INFO  [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;
 
    ip=192.168.27.36;oip=192.168.27.37; via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;]
 
    imap - LIST elapsed=12
 
  
nginx.log:2014/02/28 10:32:01 [info] 25609#0: *2602 client 192.168.27.37 connected to 0.0.0.0:993
+
* Configure zimbraMtaRelayHost and zimbraSmtpHostname [[Ajcody-Server-Topics#Using_Different_SMTP_Server_For_Webclient_.28ZWC.29.2C_Mobiles.2C_And_ZCO|zimbraSmtpHostname Details]] to:
nginx.log:2014/02/28 10:37:07 [info] 25609#0: *2603 client 192.168.27.37 connected to 0.0.0.0:993
 
nginx.log:2014/02/28 10:37:51 [info] 25609#0: *2603 client logged in, client: 192.168.27.37, server: 0.0.0.0:993,
 
    login: "proxylogtest@zcs806.DOMAIN.com", upstream: 192.168.27.36:7993
 
    (192.168.27.37:41009-192.168.27.36:993) <=> (192.168.27.36:53613-192.168.27.36:7993)
 
</pre>
 
  
===Network Tracing Between A Remote Host And A ZCS MTA===
+
** An external load balancing device that will then split the traffic behind it
 +
** Setup a round-robin A record situation in your DNS for the external mta's you'll be using.
  
How to network trace between a remote host and a ZCS MTA. You can run the following on the MTA to get the trace:
+
In, '''GNR/6.x''', you are able to add multiple targets to the variables and we'll have some degree of "balancing" between them.
  
<pre> tcpdump -w /root/tcpdump1.cap -s 15000 port 25 and host <Sending_host_IP> </pre>
+
* "allow list for zimbraSmtpHostname"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=10695
 +
* "make zimbraSmtpHostname fault tolerant"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=36173
  
===zmmsgtrace===
+
===User Alias Mapping And Mail Transport with Postfix & LDAP===
  
See the following for details [for 7.1.1+]:
+
See [[User_Alias_Mapping_and_Mail_Transport_with_Postfix_%26_LDAP]]
* zmmsgtrace replacement
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=41078
 
  
===How To Get SMTP Debug Logging===
+
====Multiple LDAP Servers?====
  
You can obtain this by modifying the master.cf.in which is located at /opt/zimbra/postfix/conf . 
+
Completed RFE:
Go to the smtpd line and at the end of the line add -vv
 
  
<pre> smtp      inet  n      -      n      -      -      smtpd -vv</pre>
+
* "mta should be able to take a list of LDAP servers to take advantage of replicas."
 
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=9353
restart the mta by running the following
+
*** zmmtainit to allow for multiple command line options that will set the URL. Grab the contents of the ldap_url localconfig variable.
  
<pre> zmmtactl restart</pre>
+
From :
  
===Simple Troubleshooting For SMTP Via Telnet, Openssl===
+
* http://www.postfix.org/ldap_table.5.html
  
====First - Understanding Your Authentication Requirements In ZCS====
+
<pre>
 +
        server_host (default: localhost)
 +
              The name of the host running the LDAP server,  e.g.
  
In the admin console, under the MTA tab, you see two options:
+
                  server_host = ldap.example.com
  
* Enable Authentication
+
              Depending  on the LDAP client library you're using,
** Attribute Name = zimbraMtaSaslAuthEnable [yes or no]
+
              it should be possible to specify  multiple servers
*** zmprov gacf zimbraMtaSaslAuthEnable or zmprov gs `zmhostname` zimbraMtaSaslAuthEnable
+
              here,  with the library trying them in order should
** Description = Value for postconf : smtpd_sasl_auth_enable = yes
+
              the first one fail. It should also be  possible  to
* TLS Authentication Only
+
              give  each  server  in  the  list  a different port
** Attribute Name = zimbraMtaTlsAuthOnly [TRUE or FALSE]
+
              (overriding server_port below), by naming them like
*** zmprov gacf zimbraMtaTlsAuthOnly or zmprov gs `zmhostname` zimbraMtaTlsAuthOnly
 
** Description Value for postconf : smtpd_tls_auth_only = yes
 
  
A good reference to understanding exactly what these options mean and do is the [http://www.postfix.org/SASL_README.html SASL_READ] at the postfix.org site. I'll include the highlights below.
+
                  server_host = ldap.example.com:1444
  
When you do the telnet test below and issue the EHLO state, you'll see a return that states [example]:
+
              With OpenLDAP, a (list of) LDAP URLs can be used to
 +
              specify both the hostname(s) and the port(s):
 +
 
 +
                  server_host = ldap://ldap.example.com:1444
 +
                              ldap://ldap2.example.com:1444
  
<pre>
+
              All LDAP URLs accepted by the OpenLDAP library  are
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25
+
              supported,  including  connections over UNIX domain
Trying 10.137.27.32...
+
              sockets, and LDAP SSL (the last one  provided  that
Connected to zcs723.EXAMPLE.com.
+
              OpenLDAP was compiled with support for SSL):
Escape character is '^]'.
 
220 zcs723.EXAMPLE.com ESMTP Postfix
 
helo myworkstation
 
250 zcs723.EXAMPLE.com
 
ehlo myworkstation
 
250-zcs723.EXAMPLE.com
 
250-PIPELINING
 
250-SIZE 10240000
 
250-VRFY
 
250-ETRN
 
250-STARTTLS
 
250-AUTH LOGIN PLAIN
 
250-AUTH=LOGIN PLAIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
</pre>
 
  
When you check, "Enable Authentication" [remember its specific to SASL] in the admin console and reload postfix you will then see the AUTH line when you do the telnet test above and AUTH will say LOGIN and PLAIN. AUTH supports a number of different types of protocols: PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI. Zimbra only supports the use of LOGIN and PLAIN though.
+
                  server_host = ldapi://%2Fsome%2Fpath
 +
                              ldaps://ldap.example.com:636
  
What is LOGIN and PLAIN and the difference?
+
**my note**
 +
This thread - http://archives.neohapsis.com/archives/postfix/2004-09/1763.html
 +
give me the impression they made a mistake in modifying the help file on this
 +
and they dropped the use/need of the command:
  
<pre>
+
   server_host = ldap://ldap.example.com:1444, ldap://ldap2.example.com:1444
--enable-login   You wish to support the Outlook Express
 
                  5.x client, which uses the non-standard,
 
                  undocumented LOGIN protocol.  Passwords
 
                  are passed over the wire in the clear.
 
                  This is disabled by default.
 
--disable-plain  Do not use the PLAIN protocol, which
 
                  sends the password in plaintext. This
 
                  is enabled by default and should only
 
                  be used for testing unless you are
 
                  encrypting the session via TLS, IPsec,
 
                  or other mechanism.
 
 
</pre>
 
</pre>
  
So, the above might be alarming. The postfix SASL_README gives us some context though, '''''"Plaintext mechanisms (PLAIN, LOGIN) send credentials unencrypted. This information should be protected by an additional security layer such as a TLS-encrypted SMTP session (see: [http://www.postfix.org/TLS_README.html TLS_README])."''''' Also note, both PLAIN and LOGIN use BASE64 encoding of the username and password but those strings can be ran through a mime-decoder to discover what they are. You see this in my telnet examples below.
+
Just a small note on where var shows up:
  
The other variable/options for the '''"Postfix SMTP Server policy - SASL mechanism properties"''' you will need to know about are:
 
 
* /opt/zimbra/postfix/conf/main.cf
 
** smtpd_sasl_security_options =
 
** smtpd_sasl_tls_security_options = [note, this can reuse smtpd_sasl_security_options with $smtpd_sasl_security_options]
 
*** noanonymous Don't use mechanisms that permit anonymous authentication.
 
**** Always set at least the noanonymous option. Otherwise, the Postfix SMTP server can give strangers the same authorization as a properly-authenticated client.
 
*** noplaintext Don't use mechanisms that transmit unencrypted username and password information.
 
*** nodictionary Don't use mechanisms that are vulnerable to dictionary attacks.
 
*** forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions).
 
*** mutual_auth Use only mechanisms that authenticate both the client and the server to each other.
 
 
'''Mail relay authorization options to know are:''' [http://www.postfix.org/SASL_README.html [From the SASL_READ]] With permit_sasl_authenticated the Postfix SMTP server can allow SASL-authenticated SMTP clients to send mail to remote destinations. Examples:
 
 
<pre>
 
<pre>
    # With Postfix 2.10 and later, the mail relay policy is
+
[root@mail3 conf]# pwd
    # preferably specified under smtpd_relay_restrictions.
+
/opt/zimbra/conf
    /opt/zimbra/postfix/conf/main.cf:
+
[root@mail3 conf]# grep server_host *
        smtpd_relay_restrictions =
+
amavisd.conf.in:$myhostname = '@@zimbra_server_hostname@@';  # must be a fully-qualified domain name!
    permit_mynetworks
+
ldap-scm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
    permit_sasl_authenticated
+
ldap-transport.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
    reject_unauth_destination
+
ldap-vad.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
 
+
ldap-vam.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
    # Older configurations combine relay control and spam control under
+
ldap-vmd.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
    # smtpd_recipient_restrictions. To use this example with Postfix ≥
+
ldap-vmm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
    # 2.10 specify "smtpd_relay_restrictions=".
+
localconfig.xml:  <key name="zimbra_server_hostname">
    /opt/zimbra/postfix/conf/main.cf:
+
zmmta.cf: LOCAL zimbra_server_hostname
        smtpd_recipient_restrictions =
+
zmmta.cf: POSTCONF myhostname LOCAL zimbra_server_hostname
    permit_mynetworks
 
    permit_sasl_authenticated
 
    reject_unauth_destination
 
    ...other rules...
 
 
</pre>
 
</pre>
  
'''Envelope sender address authorization options:'''  [http://www.postfix.org/SASL_README.html [From the SASL_READ]] By default an SMTP client may specify any envelope sender address in the MAIL FROM command. That is because the Postfix SMTP server only knows the remote SMTP client hostname and IP address, but not the user who controls the remote SMTP client.
+
References:
  
This changes the moment an SMTP client uses SASL authentication. Now, the Postfix SMTP server knows who the sender is. Given a table of envelope sender addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address:
+
* http://archives.neohapsis.com/archives/postfix/2000-04/0200.html
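Review bot: The added "my note" under the ldap_table(5) excerpt offers `server_host = ldap://ldap.example.com:1444, ldap://ldap2.example.com:1444` on the strength of an impression from a mailing-list thread, while the excerpt quoted directly above it lists the two URLs separated by whitespace with no comma. State which form was actually tested on a ZCS MTA, or mark the comma form as unverified, so nobody copies a replica list that was never tried. The grep output that follows shows every ldap-*.cf with a single ldap:// URL on port 389, so it does not settle the question; a sentence saying that this is the single-server layout would help.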
<pre>
 
    /opt/zimbra/postfix/conf/main.cf:
 
        virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
 
        smtpd_sender_login_maps = $virtual_mailbox_maps
 
  
        smtpd_recipient_restrictions =
+
===Traditional Aliases Use - /etc/aliases Type Lookups===
            ...
 
            reject_sender_login_mismatch
 
    permit_sasl_authenticated
 
            ...
 
</pre>
 
The controlled_envelope_senders table specifies the binding between a sender envelope address and the SASL login names that own that address [see above, ZCS will have in main.cf a line showing virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf]:
 
<pre>
 
    /opt/zimbra/conf/ldap-vmm.cf
 
        server_host = ldap://zcs723.EXAMPLE.com:389
 
        server_port = 389
 
        search_base =
 
        query_filter = (&(zimbraMailDeliveryAddress=%s)(zimbraMailStatus=enabled))
 
        result_attribute = zimbraMailDeliveryAddress
 
        version = 3
 
        start_tls = yes
 
        tls_ca_cert_dir = /opt/zimbra/conf/ca
 
        bind = yes
 
        bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
 
        bind_pw = XXXXXXXXXXX
 
        timeout = 30
 
</pre>
 
  
A default postfix install [non-ZCS] might have something like:
+
Moved to [[Traditional_Aliases_Use_-_/etc/aliases_Type_Lookups]]
<pre>
 
    /etc/postfix/controlled_envelope_senders
 
        # envelope sender          owners (SASL login names)
 
        john@example.com            john@example.com
 
        helpdesk@example.com        john@example.com, mary@example.com
 
        postmaster                  admin@example.com
 
        @example.net                barney, fred, john@example.com, mary@example.com
 
</pre>
 
With this, the reject_sender_login_mismatch restriction above will reject the sender address in the MAIL FROM command if smtpd_sender_login_maps does not specify the SMTP client's login name as an owner of that address.
 
  
See also reject_authenticated_sender_login_mismatch and reject_unauthenticated_sender_login_mismatch for additional control over the SASL login name and the envelope sender.
+
===Allowing Accounts To Change The From Address===
  
====Second - Encoding Username And Passwords For AUTH Sequence====
+
Please see:
  
Here is an example of getting the base64 encoding for a username and also how to check if the encoding was correct. This might expose how special characters threw off the encoding.
+
* [http://www.zimbra.com/forums/installation/18171-solved-setting-up-email-response-aliases-non-system-domains.html#post92121 Changing The From Field]
  
<pre>
+
====Related BUG/RFE's====
[USERNAME EXAMPLE - If you use the domainname, you'll have to \ the @]
 
# perl -MMIME::Base64 -le 'print encode_base64("ajcody\@zcs723.EXAMPLE.com");'
 
    YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQ==
 
# perl -MMIME::Base64 -le 'print decode_base64("YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQ==");'
 
    ajcody@zcs723.EXAMPLE.com
 
  
[PASSWORD EXAMPLE]
+
* Identities: Auto verify user settable from address [marked as dup of 29974]
# perl -MMIME::Base64 -le 'print encode_base64("MySimplePa33");'
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=12094
    TXlTaW1wbGVQYTMz
+
* persona/external account from field address verification
# perl -MMIME::Base64 -le 'print decode_base64("TXlTaW1wbGVQYTMz");'
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=29974
    MySimplePa33
+
* ZCO Support for zimbraAllowAnyFromAddress
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=31278
  
[USERNAME And PASSWORD - For Auth PLAIN. The \000 is for a space .]
+
===Creating A Domain Alias===
# perl -MMIME::Base64 -le 'print encode_base64("ajcody\@zcs723.EXAMPLE.com\000MySimplePa33");'
 
    YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQBNeVNpbXBsZVBhMzM=
 
# perl -MMIME::Base64 -le 'print decode_base64("YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQBNeVNpbXBsZVBhMzM=");'
 
    ajcody@zcs723.EXAMPLE.comMySimplePa33
 
</pre>
 
  
====For ESMTP Auth is LOGIN - Example====
+
Please see [[ManagingDomains#Creating_a_Domain_Alias]]
  
If you are using TLS you will need to encrypt your username & password before transiting it.
+
===Relay Domain Forwarding===
  
For Auth is LOGIN you'll need to get the login encoding as described above. When AUTH is Login, it requires username and password to be separate :
+
Please see [[ManagingDomains#Relaying.2FDomain_Forwarding]]
  
For example [I've mangled the hash below by the way]:
+
===Domain Catchall===
  
perl -MMIME::Base64 -e 'print encode_base64("ajcody\@zcs723.EXAMPLE.com");'
+
Please see [[ManagingDomains#Domain_Catchall]]
  YYYYYYY5QHpjczcyMy51cy56aW1icmFsYWIuY29t
 
perl -MMIME::Base64 -e 'print encode_base64("Somepasswd");'
 
  YYYYYYYkMW0=
 
  
The working example now using telnet:
+
===Rewriting From Address For Outbound Email===
  
<pre>
+
Please see [[ManagingDomains#Domain_Masquerading]]
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25
+
 
Trying 10.137.27.32...
+
===Rewrite Recipient Address For Incoming Email===
Connected to zcs723.EXAMPLE.com.
+
 
Escape character is '^]'.
+
There is a way to rewrite the incoming mail, but it's not a standard Zimbra feature. You can implement it as a configuration change in Postfix. Here's what you do:
220 zcs723.EXAMPLE.com ESMTP Postfix
+
 
helo myworkstation
+
# Create a file in /opt/zimbra/conf named 'postfix_recipientmap'.
250 zcs723.EXAMPLE.com
+
#* The format is a single line that reads something like: @alias.domain.com @domain.com
ehlo myworkstation
+
# Run 'postmap postfix_recipientmap' in the conf directory.
250-zcs723.EXAMPLE.com
+
# Run "postconf -e recipient_canonical_maps=hash:/opt/zimbra/conf/postfix_recipientmap".
250-PIPELINING
+
# Run 'postfix reload'.
250-SIZE 10240000
 
250-VRFY
 
250-ETRN
 
250-STARTTLS
 
250-AUTH LOGIN PLAIN
 
250-AUTH=LOGIN PLAIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
AUTH LOGIN
 
334 VXNlcm5hbWU6
 
YYYYYYY5QHpjczcyMy51cy56aW1icmFsYWIuY29t
 
334 UGFzc3dvcmQ6
 
YYYYYYYkMW0=
 
235 2.7.0 Authentication successful
 
mail from: <ajcody@zcs723.EXAMPLE.com>
 
250 2.1.0 Ok
 
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
 
250 2.1.5 Ok
 
data
 
354 End data with <CR><LF>.<CR><LF>
 
From: Adam <ajcody@zcs723.EXAMPLE.com>
 
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com>
 
Subject: Test ESMTP Auth LOGIN
 
testing
 
.
 
250 2.0.0 Ok: queued as 361C11E78D1
 
quit
 
221 2.0.0 Bye
 
Connection closed by foreign host.
 
</pre>
 
  
====For ESMTP Auth is Plain - Example====
+
This will cause postfix to map any incoming mail with a recipient of '@alias.domain.com' to '@domain.com'.  You will need to re-apply this postconf change after upgrades, though the postfix_recipientmap file should survive.
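Review bot: The postconf step in the added "Rewrite Recipient Address For Incoming Email" procedure, `postconf -e recipient_canonical_maps=hash:/opt/zimbra/conf/postfix_recipientmap`, replaces whatever value recipient_canonical_maps already holds, and nothing in the steps tells the reader to look first. Add a step that reads the current value with `postconf recipient_canonical_maps` and keeps any existing tables in the new setting. The steps also never say which account to run them as, whereas the recipient-limit instructions elsewhere in this diff begin with `su - zimbra`; the same line belongs here so the map file is created by the expected user.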
  
If you are using TLS you will need to encrypt your username & password before transiting it.
+
===Automatic BCC===
  
When AUTH is PLAIN, the username and password will be in the same encoding. For example [I've mangled the hash below by the way]:
+
====Option 1 - Via Postfix Customization====
  
perl -MMIME::Base64 -e 'print encode_base64("\000ajcody\@zcs723.EXAMPLE.com\000mypassword");'
+
From the postfix website:
  AGFqY29keUB6Y3M3MjMXXXXXXXXXXXXXXXXXX5MzkzMWQxbQ==
 
  
The working example now using telnet:
+
*always_bcc = address
 +
** Deliver a copy of all mail to the specified address. In Postfix versions before 2.1, this feature is implemented by smtpd(8), qmqpd(8), or pickup(8).
 +
* sender_bcc_maps = type:table
 +
** Search the specified "type:table" lookup table with the envelope sender address for an automatic BCC address. This feature is available in Postfix 2.1 and later.
 +
* recipient_bcc_maps = type:table
 +
** Search the specified "type:table" lookup table with the envelope recipient address for an automatic BCC address. This feature is available in Postfix 2.1 and later.
 +
* Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates itself.
 +
 
 +
Please see the following:
  
<pre>
+
* A very nice forum post on the subject from our very own mmorse
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25
+
** http://www.zimbra.com/forums/administrators/28606-master-incoming-outgoing-archive.html#post134490
Trying 10.137.27.32...
+
* Postfix workaround
Connected to zcs723.EXAMPLE.com.
+
** http://www.postfix.com/ADDRESS_REWRITING_README.html#auto_bcc
Escape character is '^]'.
+
* "User defined auto bcc"
220 zcs723.EXAMPLE.com ESMTP Postfix
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=15306
helo myworkstation
+
* "Next rev of (mail) identities preferences management (server side)"
250 zcs723.EXAMPLE.com
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=17320
ehlo myworkstation
 
250-zcs723.EXAMPLE.com
 
250-PIPELINING
 
250-SIZE 10240000
 
250-VRFY
 
250-ETRN
 
250-STARTTLS
 
250-AUTH LOGIN PLAIN
 
250-AUTH=LOGIN PLAIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
AUTH PLAIN AGFqY29keUB6Y3M3MjMXXXXXXXXXXXXXXXXXX5MzkzMWQxbQ==
 
235 2.7.0 Authentication successful
 
mail from: <ajcody@zcs723.EXAMPLE.com>
 
250 2.1.0 Ok
 
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
 
250 2.1.5 Ok
 
data
 
354 End data with <CR><LF>.<CR><LF>
 
From: Adam <ajcody@zcs723.EXAMPLE.com>
 
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com>
 
Subject: Test ESMTP Auth PLAIN
 
testing
 
.
 
250 2.0.0 Ok: queued as 804E01E78D1
 
quit
 
221 2.0.0 Bye
 
Connection closed by foreign host.
 
</pre>
 
  
====For TLS/SSL - Example====
+
====Option 2 - Via ZCS Legal Intercept====
  
Basic telnet does not support SSL or TLS, so you have to use openssl or stunnel to make your connection to the smtp server. To connect to a server using TLS/SSL run something like this:
+
Generally used for [[Ajcody-User-Management-Topics#Managing_Legal_Requests_for_Information|Managing Legal Requests for Information]]
  
openssl s_client -starttls smtp -crlf -connect zcs723.EXAMPLE.com:25
+
Description:
 +
:: The ZCS legal intercept feature is used to obtain copies of email messages that are sent, received, or saved as drafts from targeted accounts and send these message to a designated “shadow” email address. Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.
  
Now you can run one of the above telnet sessions like you had before. You will most likely still need to log in.
+
Please see:
 +
* http://www.zimbra.com/docs/ne/latest/administration_guide/managing_other_zcs_features.8.1.html
 +
* http://wiki.zimbra.com/index.php?title=Legal_Intercept
 +
* http://bugzilla.zimbra.com/show_bug.cgi?id=17539
 +
 
 +
====Option 3 - Zimbra's Archiving And Discovery====
  
Default zimbra [[Ports|ports]] to be aware of and test:
+
See [[Ajcody-Notes-Archive-Discovery]] concerning A&D setup and options.
  
* port 25
+
===Limiting Or Increasing Number Of Recipents / Messages===
** smtp [mta] - incoming mail to postfix
 
* port 465
 
** smtps [mta] - incoming mail to postfix over ssl '''(Outlook only)'''
 
* port 587
 
** smtp [mta] - Mail '''submission port''' over tls
 
* "RFC 3207 specifies only the well-known port 25 and the "Submission port," which is TCP port 587, for the STARTTLS command, the precursor for an encrypted SMTP session using TLS. It makes no mention of the unofficial port 465." [http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol SMTP on Wikipedia]
 
  
An example login is below :
+
====Mailing Lists - Distribution Lists====
  
<pre>
+
Please see [[Ajcody-MailingLists-And-Mailman#Problems_Resolving_Virtual_Aliases_For_Members_Of_Large_Distribution_Lists]]
esx2:~ ajcody$ openssl s_client -starttls smtp -crlf -connect zcs723.EXAMPLE.com:25
+
 
 +
====Policy Daemon====
 +
 
 +
If you want to restrict messages per hour,  you can look into Policy Daemon:
 +
 
 +
* http://wiki.zimbra.com/wiki/Postfix_Policyd
 +
* http://wiki.zimbra.com/wiki/How-to_for_cbpolicyd
 +
* http://www.policyd.org/features.html
  
CONNECTED(00000003)
+
Beta release in ZCS 7 , see:
depth=0 /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com
 
verify error:num=20:unable to get local issuer certificate
 
verify return:1
 
depth=0 /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com
 
verify error:num=27:certificate not trusted
 
verify return:1
 
depth=0 /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com
 
verify error:num=21:unable to verify the first certificate
 
verify return:1
 
---
 
Certificate chain
 
0 s:/C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com
 
  i:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com
 
---
 
Server certificate
 
-----BEGIN CERTIFICATE-----
 
MIICsjCCAhugAwIBAgIFE2MYV2EwDQYJKoZIhvcNAQEFBQAwgZUxCzAJBgNVBAYT
 
[cut]
 
LrFtuUlX6mb5Uq8dx8D25QWqsyeDXA==
 
-----END CERTIFICATE-----
 
subject=/C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com
 
issuer=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com
 
---
 
No client certificate CA names sent
 
---
 
SSL handshake has read 1528 bytes and written 360 bytes
 
---
 
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 
Server public key is 1024 bit
 
Secure Renegotiation IS supported
 
Compression: NONE
 
Expansion: NONE
 
SSL-Session:
 
    Protocol  : TLSv1
 
    Cipher    : DHE-RSA-AES256-SHA
 
    Session-ID: 06F03A7C2AB0EA3E97cut7CD4A4A6166D551B
 
    Session-ID-ctx:
 
    Master-Key: 1A2FF452C3E09F9D7B2DECEcutFB67158960BA6
 
    Key-Arg  : None
 
    Start Time: 1370375286
 
    Timeout  : 300 (sec)
 
    Verify return code: 21 (unable to verify the first certificate)
 
---
 
250 DSN
 
helo myworkstation
 
250 zcs723.EXAMPLE.com
 
ehlo myworkstation
 
250-zcs723.EXAMPLE.com
 
250-PIPELINING
 
250-SIZE 10240000
 
250-VRFY
 
250-ETRN
 
250-AUTH LOGIN PLAIN
 
250-AUTH=LOGIN PLAIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
AUTH LOGIN
 
334 VXNlcm5hbWU6
 
YYYYYYY5QHpjczcyMy51cy56aW1icmFsYWIuY29t
 
334 UGFzc3dvcmQ6
 
YYYYYYYkMW0=
 
235 2.7.0 Authentication successful
 
mail from:<ajcody@zcs723.EXAMPLE.com>
 
250 2.1.0 Ok
 
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
 
250 2.1.5 Ok
 
data
 
354 End data with <CR><LF>.<CR><LF>
 
From: Adam <ajcody@zcs723.EXAMPLE.com>
 
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com>
 
Subject: Test Auth LOGIN TLS Example
 
test
 
.
 
250 2.0.0 Ok: queued as BA68B1E78D1
 
quit
 
221 2.0.0 Bye
 
closed
 
</pre>
 
  
=====Testing Against Port 465=====
+
* "make support for postfix-policyd easier"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=8791
  
References on Port 465:
+
====Postfix====
  
* http://wiki.zimbra.com/wiki/Mail_client_Configuration#SMTP_over_SSL_port_465
+
Also, there are some default postfix parameters set to control sending a message to x amount recipients. The parameters you will need to look at are smtpd_recipient_limit & smtpd_recipient_overshoot_limit, these have a default value of 1000.
  
<pre>
+
Postfix defines these parameters as:
$ openssl s_client -crlf -connect zcs723.EXAMPLE.com:465
 
  
CONNECTED(00000003)
+
* smtpd_recipient_limit: The maximum number of recipients that the Postfix SMTP server accepts per message delivery request.
 +
* smtpd_recipient_overshoot_limit: The number of recipients that a remote SMTP client can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP server increments the per-session error count for each excess recipient.
  
[cut of repeated data above]
+
From the command line you can change the default values.
  
---
+
su - zimbra
250 DSN
+
postconf -e smtpd_recipient_limit=<new value>
helo myworkstation
+
postconf -e smtpd_recipient_overshoot_limit=<new value>
250 zcs723.EXAMPLE.com
+
postfix reload
ehlo myworkstation
 
250-zcs723.EXAMPLE.com
 
250-PIPELINING
 
250-SIZE 8388608
 
250-VRFY
 
250-ETRN
 
250-AUTH PLAIN LOGIN
 
250-AUTH=PLAIN LOGIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
AUTH PLAIN [cut - emailaddress/password string goes here]
 
  
!!! note - you get the auth plain string by doing [don't remove the \000 parts]:
+
====Bugs RFE's For Customers To Get Behind====
!!! perl -MMIME::Base64 -e 'print encode_base64("\000user\@mdomain.com\000your_password");'
 
  
235 2.7.0 Authentication successful
+
I'm wondering if policyd gives one the control everyone is looking for? I've not used it myself.
mail from:<ajcody@zcs723.EXAMPLE.com>
 
250 2.1.0 Ok
 
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
 
250 2.1.5 Ok
 
data
 
354 End data with <CR><LF>.<CR><LF>
 
From: Adam <ajcody@zcs723.EXAMPLE.com>
 
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com>
 
Subject: Test Auth LOGIN TLS Example
 
test
 
.
 
250 2.0.0 Ok: queued as BA68B1E78D1
 
quit
 
221 2.0.0 Bye
 
closed
 
</pre>
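Review bot: The added Postfix subsection under "Limiting Or Increasing Number Of Recipents / Messages" has the reader run `postconf -e smtpd_recipient_limit=<new value>` and `postconf -e smtpd_recipient_overshoot_limit=<new value>` with no word on persistence, while the recipient-rewrite section in this same diff warns that its postconf change must be re-applied after upgrades. If the same holds for these two parameters, repeat the caveat here and suggest confirming the values with `postconf smtpd_recipient_limit` after an upgrade, since a limit that has gone back to the stated default of 1000 is easy to miss. The section heading also misspells "Recipients".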
 
  
Example of logs events in /var/log/zimbra.log on the mta server [different test from the one above]:
+
Policyd References:
 +
* http://www.policyd.org/tiki-index.php?page=Documentation
 +
* http://www.policyd.org/tiki-index.php?page=Quotas&structure=Documentation
 +
* http://www.policyd.org/tiki-index.php?page=Accounting&structure=Documentation
 +
* http://www.policyd.org/tiki-index.php?page=Policies%20%26%20Groups&structure=Documentation
 +
* http://wiki.zimbra.com/index.php?title=Postfix_Policyd
  
<pre>
+
There's other additions [add-on's] one can get for policyd.
Jun  7 08:28:52 zcs806 postfix/smtps/smtpd[8151]: connect from unknown[10.X.X.110]
 
Jun  7 08:28:52 zcs806 postfix/smtps/smtpd[8151]: Anonymous TLS connection established
 
  from unknown[10.1X.X.110]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 
Jun  7 08:31:53 zcs806 saslauthd[3317]: zmauth: authenticating against elected url
 
  https://zcs806.us.DOMAIN.com:7071/service/admin/soap/' ...
 
Jun  7 08:31:53 zcs806 saslauthd[3317]: zmpost: url='https://zcs806.us.DOMAIN.com:7071/
 
  service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="
 
  http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra">
 
  <change token="75599"/></context></soap:Header><soap:Body><AuthResponse
 
  xmlns="urn:zimbraAccount"><authToken>0_b47233e5e226eb1c0519cd9c35da2fc198f[cut]272
 
  613b</authToken><lifetime>172800000</lifetime><skin>serenity</skin></AuthResponse>
 
  </soap:Body></soap:Envelope>', hti->error=''
 
Jun  7 08:31:53 zcs806 saslauthd[3317]: auth_zimbra: admin@zcs806.us.DOMAIN.com auth OK
 
Jun  7 08:32:47 zcs806 postfix/smtps/smtpd[8151]: 0279C3434: client=unknown[10.X.X.110],
 
  sasl_method=PLAIN, sasl_username=admin@zcs806.us.DOMAIN.com
 
Jun  7 08:33:32 zcs806 postfix/qmgr[3484]: 0279C3434: from=<admin@zcs806.us.DOMAIN.com>,
 
  size=400, nrcpt=1 (queue active)
 
Jun  7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: connect from localhost[127.0.0.1]
 
Jun  7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: Anonymous TLS connection established
 
  from localhost[127.0.0.1]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
 
Jun  7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: 0F798344C: client=localhost[127.0.0.1]
 
Jun  7 08:33:33 zcs806 postfix/cleanup[9638]: 0F798344C: message-id=<20140607153247.0279C3434@DOMAIN.com>
 
Jun  7 08:33:33 zcs806 postfix/smtp[9660]: 0279C3434: to=<test@zcs806.us.DOMAIN.com>,
 
  relay=127.0.0.1[127.0.0.1]:10030, delay=63, delays=63/0.06/0.07/0.07, dsn=2.0.0, status=sent
 
  (250 2.0.0 Ok: queued as 0F798344C)
 
Jun  7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: disconnect from localhost[127.0.0.1]
 
Jun  7 08:33:33 zcs806 postfix/qmgr[3484]: 0F798344C: from=<admin@zcs806.us.DOMAIN.com>,
 
  size=627, nrcpt=1 (queue active)
 
Jun  7 08:33:33 zcs806 postfix/qmgr[3484]: 0279C3434: removed
 
Jun  7 08:33:38 zcs806 postfix/smtps/smtpd[8151]: disconnect from unknown[10.X.X.110]
 
</pre>
 
  
====To Confirm An Auth User Can't Send With Another FROM Address====
+
We have this RFE in regards to policyd support:
  
The below example is using an auth has for ajcody@zcs723.EXAMPLE.com .
+
* "make support for postfix-policyd easier"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=8791
 +
*** Target Milestone currently for Helix release [ http://pm.zimbra.com ]
 +
 +
Other related rfe/bugs, specially to push variables into admin web console:
  
<pre>
+
* "rate limit amount of mail sent via web client"
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=22300
Trying 10.137.27.32...
+
*** *Target Milestone currently for Helix release
Connected to zcs723.EXAMPLE.com.
+
* "mta "advanced" tab"
Escape character is '^]'.
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=14645
220 zcs723.EXAMPLE.com ESMTP Postfix
+
*** Target Milestone currently for Helix release
helo myworkstation
+
* "Option to IP Blocking through UI"
250 zcs723.EXAMPLE.com
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=19240
ehlo myworkstation
+
*** Target Milestone currently for Helix release
250-zcs723.EXAMPLE.com
+
* "Mail policies and access control for sending to distribution lists"
250-PIPELINING
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=9620
250-SIZE 10240000
+
*** Target Milestone currently for GunsNRoses
250-VRFY
+
 
250-ETRN
+
===Controlling SMTPD Client Connections===
250-STARTTLS
+
 
250-AUTH LOGIN PLAIN
+
Mmorse did a good write up on these variables in the forum:
250-AUTH=LOGIN PLAIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
AUTH PLAIN AGFqY29[cut]bQA5MzkzMWQxbQ==
 
235 2.7.0 Authentication successful
 
mail from: <admin@zcs723.EXAMPLE.com>
 
250 2.1.0 Ok
 
rcpt to: <ajcody2@zcs723.EXAMPLE.com>     
 
553 5.7.1 <admin@zcs723.EXAMPLE.com>: Sender address rejected: not owned by user ajcody@zcs723.EXAMPLE.com
 
</pre>
 
  
Notice how this is different when I'm telnet'ing from the server [localhost] back to itself.
+
* http://www.zimbra.com/forums/administrators/13591-solved-limit-max-recipriants.html#post69582
  
<pre>
+
Postfix Resources At Their Site (All Clients/Connections):
[root@zcs723 ~]# telnet localhost 25
+
* [http://www.postfix.org/TUNING_README.html#conn_limit Measures against clients that make too many connections]
Trying ::1...
+
* [http://www.postfix.org/anvil.8.html  anvil - Postfix session count and request rate control]
telnet: connect to address ::1: Connection refused
+
* [http://www.postfix.org/postconf.5.html#anvil_rate_time_unit anvil_rate_time_unit - The time unit over which client connection rates and other rates are calculated.]
Trying 127.0.0.1...
+
* [http://www.postfix.org/postconf.5.html#smtpd_client_connection_count_limit smtpd_client_connection_count_limit - How many simultaneous connections any client is allowed to make to this service. ]
Connected to localhost.
+
* [http://www.postfix.org/postconf.5.html#smtpd_client_message_rate_limit smtpd_client_message_rate_limit - The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages.]
Escape character is '^]'.
+
* [http://www.postfix.org/postconf.5.html#smtpd_client_recipient_rate_limit smtpd_client_recipient_rate_limit - The maximal number of recipient addresses that any client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients.]
220 zcs723.EXAMPLE.com ESMTP Postfix
+
* [http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit smtpd_client_connection_rate_limit - The maximal number of connection attempts any client is allowed to make to this service per time unit.]
helo myworkstation
+
 
250 zcs723.EXAMPLE.com
+
Postfix Resources At Their Site (Exceptions To Clients/Connections Or Single Source):
ehlo myworkstation
+
* [http://www.postfix.org/postconf.5.html#smtpd_client_event_limit_exceptions smtpd_client_event_limit_exceptions - Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions.]
250-zcs723.EXAMPLE.com
+
 
250-PIPELINING
+
===Restrictions===
250-SIZE 10240000
+
 
250-VRFY
+
Besides using external mailing list software, [[Ajcody-MailingLists-And-Mailman#Mailman_-_Mailing_List_Manager|Mailman]] or [[Ajcody-MailingLists-And-Mailman#Sympa_-_Mailing_List_Manager|Sympa]], here's some other topical items in regards to restrictions.
250-ETRN
 
250-STARTTLS
 
250-AUTH LOGIN PLAIN
 
250-AUTH=LOGIN PLAIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
AUTH PLAIN AGFqY29kAAAAAAAAAAAAAAAAAAAAAAAmNvbQA5MzkzMWQxbQ==
 
235 2.7.0 Authentication successful
 
mail from: <admin@zcs723.EXAMPLE.com>
 
250 2.1.0 Ok
 
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
 
250 2.1.5 Ok
 
Subject: Test mynetwork bypasses From match to AUTH
 
221 2.7.0 Error: I can break rules, too. Goodbye.
 
Connection closed by foreign host.
 
</pre>
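Review bot: The "Simple Troubleshooting For SMTP Via Telnet, Openssl" section appears only on the old side of this diff, and no "Moved to" pointer for it is visible here, unlike the one left for "Traditional Aliases Use", so the guidance on PLAIN/LOGIN, smtpd_tls_auth_only and reject_sender_login_mismatch goes with no trail to follow. If the text has moved, leave the pointer and correct two things at the destination. First, the example labelled "The \000 is for a space" uses \000 as a NUL separator, not a space, and it omits the leading \000 that the later AUTH PLAIN examples include. Second, "you will need to encrypt your username & password" describes base64 encoding, which the section itself says can be run through a decoder.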
 
  
===Adding A New MTA Server===
+
Some user contributed articles:
  
Basic instructions can be found here:
+
* [[RestrictPostfixRecipients]]
* http://www.zimbra.com/docs/ne/latest/multi_server_install/toc.html
+
* [[Restrict_sending_to_certain_domains]]
** See "Installing Zimbra MTA on a Server"
+
* [[Restrict_users_to_certain_domain]]
 +
* [http://www.zimbra.com/forums/administrators/15041-guide-postifx-how-multiple-access-lists-protected-distribution-lists.html Forum Post: GUIDE: Postifx: HOW TO: Multiple access lists for protected Distribution-lists]
  
Additional instructions needed beyond the above will follow as I hear about them.
+
Some Postfix references:
  
===Load Balancing For SMTP - Out Bound Mail===
+
* http://www.postfix.org/RESTRICTION_CLASS_README.html#internal
 +
* http://www.postfix.org/SMTPD_POLICY_README.html
  
Currently, '''5.x code''', you have the following options:
+
Some RFE's related to mta based restrictions [targets are based upon today - July 21, 2010]:
  
* Configure zimbraMtaRelayHost and zimbraSmtpHostname [[Ajcody-Server-Topics#Using_Different_SMTP_Server_For_Webclient_.28ZWC.29.2C_Mobiles.2C_And_ZCO|zimbraSmtpHostname Details]] to:
+
* "Dynamic distribution lists - Internal Directory"
 
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=3884
** An external load balancing device that will then split the traffic behind it
+
* "per-domain send restriction" - Not Committed
** Setup a round-robin A record situation in your DNS for the external mta's you'll be using.
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=5595
 
+
*** These are marked as dup's of the above:
In, '''GNR/6.x''', you are able to add multiple targets to the variables and we'll have some degree of "balancing" between them.
+
**** "disable outbound e-mail for one user"
 
+
***** http://bugzilla.zimbra.com/show_bug.cgi?id=34654
* "allow list for zimbraSmtpHostname"
+
**** "Add an facility to detemine internal relay users in admin"
** http://bugzilla.zimbra.com/show_bug.cgi?id=10695
+
***** http://bugzilla.zimbra.com/show_bug.cgi?id=33255
* "make zimbraSmtpHostname fault tolerant"
+
* "policy for who can send to a distribution lists" - Helix
** http://bugzilla.zimbra.com/show_bug.cgi?id=36173
+
** http://bugzilla.zimbra.com/show_bug.cgi?id=9620
 
+
*** RFE 9620 is also a blocker for the following RFE:
===User Alias Mapping And Mail Transport with Postfix & LDAP===
+
**** "milter to check if sender can send to a distribution list"
 
+
***** http://bugzilla.zimbra.com/show_bug.cgi?id=46311
See [[User_Alias_Mapping_and_Mail_Transport_with_Postfix_%26_LDAP]]
+
*** These are marked as dup's of the above:
 
+
**** "Ability to Specify Mail Policy"
====Multiple LDAP Servers?====
+
***** http://bugzilla.zimbra.com/show_bug.cgi?id=5555
 +
**** "domain level filters rules"
 +
***** http://bugzilla.zimbra.com/show_bug.cgi?id=6128
 +
**** "Distribution List Restrictions"
 +
***** http://bugzilla.zimbra.com/show_bug.cgi?id=7104
 +
**** "Feature request - Mail Policies"
 +
***** http://bugzilla.zimbra.com/show_bug.cgi?id=9328
 +
**** "limit  "send from"  to certain domains"
 +
***** http://bugzilla.zimbra.com/show_bug.cgi?id=12038
 +
**** "'Internal email only' options in admin control panel"
 +
***** http://bugzilla.zimbra.com/show_bug.cgi?id=16671
 +
**** "Access control for free busy and resources (ie permission to invite)"
 +
***** http://bugzilla.zimbra.com/show_bug.cgi?id=22913
 +
**** "RFE: Admin GUI: Restrict the use of Distribution List among users."
 +
***** http://bugzilla.zimbra.com/show_bug.cgi?id=29305
 +
* "Implement smtpd_sender_restrictions"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=15808
 +
* "How to restrict a user to only send via zwc"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=16623
 +
* "enable configuration of  "smtpd_sender_restriction""
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=22363
  
Completed RFE:
+
===Spam Control And Related Issues===
  
* "mta should be able to take a list of LDAP servers to take advantage of replicas."
+
====High Over View Steps Of What To Do====
** http://bugzilla.zimbra.com/show_bug.cgi?id=9353
 
*** zmmtainit to allow for multiple command line options that will set the URL. Grab the contents of the ldap_url localconfig variable.
 
  
From :
+
* '''Step 1:''' Confirm your not an open relay and double check your postfix $mynetworks variable.
 +
** [[ZimbraMtaMyNetworks|ZimbraMtaMyNetworks And Postfix mynetworks]]
 +
** [[Ajcody-MTA-Postfix-Topics#Open_Relay_Check|Open Relay Check]]
 +
* '''Step 2:''' Stop or put on-hold mail queue.
 +
** Put all messages into HOLD queue:
 +
*** Get a report of your current mailq [can be useful if you clean out the queue later but need to identify what external mail hosts are now denying you and who you'll need to contact about getting removed from their denial list]
 +
**** Example: /opt/zimbra/postfix/sbin/mailq > /tmp/zimbra_mailq_report.txt
 +
*** /opt/zimbra/postfix/sbin/postsuper -h ALL
 +
** Or put all messages match compromised account into HOLD queue:
 +
*** /opt/zimbra/postfix/sbin/mailq | grep user_compromised@domain | awk '{ print $1 }' | tr -d '!*' | /opt/zimbra/postfix/sbin/postsuper -h -
 +
**** Note, this is an example - you might with the grep grab more than the compromised account with the match.
 +
** See whole section - [[Ajcody-MTA-Postfix-Topics#Managing_Postfix_Queue| Managing The Postfix Queue]]
 +
* '''Step 3:''' Check your mail log [On ZCS servers running MTA services] - /var/log/zimbra.log
 +
** [[Ajcody-MTA-Postfix-Topics#Understanding_.2Fvar.2Flog.2Fzimbra.log_And_Postfix_Log_Events| Understanding the zimbra.log file and Postfix log events.]] , see subsection about queue ID and message ID also.
 +
** [[Ajcody-MTA-Postfix-Topics#Who.27s_My_Spammer.3F| Who's My Spammer?]]
 +
* '''Step 4:''' Identify compromised account authenticating SMTP AUTH connection or block ip address where emails are coming from at firewall.
 +
** [[Ajcody-MTA-Postfix-Topics#Who.27s_My_Spammer.3F| Who's My Spammer?]]
 +
** Continue to monitor compromised account and block ip addresses:
 +
*** tail -f /var/log/zimbra.log | grep username | grep sasl
 +
**** Jun  8 18:14:10 mail postfix/smtpd[15794]: 004358EEB16: client=unknown[XXXX.236.197.216], sasl_method=LOGIN, sasl_username=username@domain
 +
* '''Step 5:''' Disable the exploited email account, expire auth session, etc.
 +
** [[Ajcody-User-Management-Topics#Resetting_A_User.27s_Account_From_CLI| Resetting Or Expiring User Auth]]
 +
** '''Note''' - Restarting the mta services will be important once you reset the password/s or lock the account. It's required to ensure the active connections will be closed and any existing auth tokens no longer are valid. See:
 +
*** Force currently active SMTP authenticated sessions to be renegotiated when locking an account
 +
**** https://bugzilla.zimbra.com/show_bug.cgi?id=80299
 +
* '''Step 6:''' Move the mail queue or delete the spam email
 +
** See whole section - [[Ajcody-MTA-Postfix-Topics#Managing_Postfix_Queue| Managing The Postfix Queue]]
 +
* '''Step 7:''' Release Mail queue
  
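Review bot: In Step 2, the per-account hold command (`mailq | grep user_compromised@domain | awk '{ print $1 }' | tr -d '!*' | postsuper -h -`) selects matching lines, not queue entries. mailq prints the sender on the queue-ID line and each recipient on a following line of its own, so the grep also hits recipient lines, where `$1` is the address itself and not a queue ID, and those tokens are piped to postsuper as well. It is also an unanchored substring match, so a longer address containing the same text is caught too. The caveat under the command mentions over-matching but gives no way to avoid it. Suggest filtering on the sender field of the queue-ID line, for example with the record-mode awk filter (`RS = ""`) shown in the postsuper(1) manual, and stating that `user_compromised@domain` is a placeholder.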
* http://www.postfix.org/ldap_table.5.html
+
====Who's My Spammer?====
  
<pre>
+
=====Getting Some Initial Summary Data=====
        server_host (default: localhost)
 
              The name of the host running the LDAP server,  e.g.
 
  
                  server_host = ldap.example.com
+
======zmdialyreport======
  
              Depending  on the LDAP client library you're using,
+
First, some notable bug/RFE's in regards to the zmdailyreport:
              it should be possible to specify  multiple  servers
 
              here,  with the library trying them in order should
 
              the first one fail. It should also be  possible  to
 
              give  each  server  in  the list  a different port
 
              (overriding server_port below), by naming them like
 
  
                  server_host = ldap.example.com:1444
+
* RFE - add explanations to Daily mail report / pflogsumm.pl output
 +
** https://bugzilla.zimbra.com/show_bug.cgi?id=86630
 +
* Daily mail report shows incorrect output because pflogsumm.pl doubles the result
 +
** https://bugzilla.zimbra.com/show_bug.cgi?id=84444
 +
* Descriptions of mta_counts numbers vs daily reports and other msg stats
 +
** https://bugzilla.zimbra.com/show_bug.cgi?id=79632
  
              With OpenLDAP, a (list of) LDAP URLs can be used to
+
You can first get some summary data by doing the following:
              specify both the hostname(s) and the port(s):
 
  
                  server_host = ldap://ldap.example.com:1444
+
<pre>
                              ldap://ldap2.example.com:1444
+
[zimbra@zcs806 ~]$ /opt/zimbra/libexec/zmdailyreport
  
              All LDAP URLs accepted by the OpenLDAP library  are
+
Grand Totals
              supported,  including  connections over UNIX domain
+
------------
              sockets, and LDAP SSL (the last one  provided  that
+
messages
              OpenLDAP was compiled with support for SSL):
 
  
                  server_host = ldapi://%2Fsome%2Fpath
+
      7  received
                              ldaps://ldap.example.com:636
+
    11  delivered
 +
      0  forwarded
 +
      0  deferred
 +
      0  bounced
 +
      3  rejected (21%)
 +
      0  reject warnings
 +
      0  held
 +
      0  discarded (0%)
  
**my note**
+
  2780  bytes received
This thread - http://archives.neohapsis.com/archives/postfix/2004-09/1763.html
+
  10914  bytes delivered
give me the impression they made a mistake in modifying the help file on this
+
      2  senders
and they dropped the use/need of the command:
+
      1  sending hosts/domains
 +
      1  recipients
 +
      1  recipient hosts/domains
  
  server_host = ldap://ldap.example.com:1444, ldap://ldap2.example.com:1444
 
</pre>
 
  
Just a small note on where var shows up:
+
Per-Hour Traffic Summary
 +
    time          received  delivered  deferred    bounced    rejected
 +
    --------------------------------------------------------------------
 +
    0000-0100          0          0          0          0          0
 +
    0100-0200          1          3          0          0          0
 +
    0200-0300          0          0          0          0          0
 +
    0300-0400          0          0          0          0          0
 +
    0400-0500          0          0          0          0          0
 +
    0500-0600          0          0          0          0          0
 +
    0600-0700          0          0          0          0          0
 +
    0700-0800          1          0          0          0          2
 +
    0800-0900          1          0          0          0          0
 +
    0900-1000          0          0          0          0          1
 +
    1000-1100          0          0          0          0          0
 +
    1100-1200          0          0          0          0          0
 +
    1200-1300          4          8          0          0          0
 +
    1300-1400          0          0          0          0          0
 +
    1400-1500          0          0          0          0          0
 +
    1500-1600          0          0          0          0          0
 +
    1600-1700          0          0          0          0          0
 +
    1700-1800          0          0          0          0          0
 +
    1800-1900          0          0          0          0          0
 +
    1900-2000          0          0          0          0          0
 +
    2000-2100          0          0          0          0          0
 +
    2100-2200          0          0          0          0          0
 +
    2200-2300          0          0          0          0          0
 +
    2300-2400          0          0          0          0          0
  
<pre>
+
Host/Domain Summary: Message Delivery (top 50)
[root@mail3 conf]# pwd
+
sent cnt  bytes  defers  avg dly max dly host/domain
/opt/zimbra/conf
+
  -------- -------  -------  ------- ------- -----------
[root@mail3 conf]# grep server_host *
+
    11    10914        0    7.4 s  24.0 s  zcs806.DOMAIN.com
amavisd.conf.in:$myhostname = '@@zimbra_server_hostname@@'; # must be a fully-qualified domain name!
 
ldap-scm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
 
ldap-transport.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
 
ldap-vad.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
 
ldap-vam.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
 
ldap-vmd.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
 
ldap-vmm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
 
localconfig.xml:  <key name="zimbra_server_hostname">
 
zmmta.cf: LOCAL zimbra_server_hostname
 
zmmta.cf: POSTCONF myhostname LOCAL zimbra_server_hostname
 
</pre>
 
  
References:
+
Host/Domain Summary: Messages Received (top 50)
 +
msg cnt  bytes  host/domain
 +
-------- -------  -----------
 +
      5    2780  zcs806.DOMAIN.com
  
* http://archives.neohapsis.com/archives/postfix/2000-04/0200.html
+
top 50 Senders by message count
 +
-------------------------------
 +
      4  zimbra@zcs806.DOMAIN.com
 +
      1  admin@zcs806.DOMAIN.com
  
===Traditional Aliases Use - /etc/aliases type lookups===
+
top 50 Recipients by message count
 
+
----------------------------------
Filed this RFE:
+
    11  admin@zcs806.DOMAIN.com
* "Support traditional email aliases via aliases file or ldap - admin console view"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=33642
 
*** Aliases use without being tied into authentication methods or consuming a license file.
 
  
===Allowing Accounts To Change The From Address===
+
top 50 Senders by message size
 +
------------------------------
 +
  1974  zimbra@zcs806.DOMAIN.com
 +
    806  admin@zcs806.DOMAIN.com
  
Please see:
+
top 50 Recipients by message size
 +
---------------------------------
 +
  10914  admin@zcs806.DOMAIN.com
  
* [http://www.zimbra.com/forums/installation/18171-solved-setting-up-email-response-aliases-non-system-domains.html#post92121 Changing The From Field]
+
message deferral detail: none
  
====Related BUG/RFE's====
+
message bounce detail (by relay): none
  
* Identities: Auto verify user settable from address [marked as dup of 29974]
+
message reject detail
** http://bugzilla.zimbra.com/show_bug.cgi?id=12094
+
---------------------
* persona/external account from field address verification
+
  MAIL
** http://bugzilla.zimbra.com/show_bug.cgi?id=29974
+
    5.3.4 Message size exceeds fixed limit (total: 3)
* ZCO Support for zimbraAllowAnyFromAddress
+
          3  domain-ext.com
** http://bugzilla.zimbra.com/show_bug.cgi?id=31278
 
  
===Creating A Domain Alias===
+
message reject warning detail: none
  
Please see [[ManagingDomains#Creating_a_Domain_Alias]]
+
message hold detail: none
  
===Relay Domain Forwarding===
+
message discard detail: none
  
Please see [[ManagingDomains#Relaying.2FDomain_Forwarding]]
+
smtp delivery failures: none
  
===Domain Catchall===
+
Warnings
 +
--------
 +
  sendmail (total: 3)
 +
        1  or the command is run from a set-uid root process
 +
        1  the Postfix sendmail command has set-uid root file permissions
 +
        1  the Postfix sendmail command must be installed without set-uid ...
 +
  smtpd (total: 1)
 +
        1  7A735345A: queue file size limit exceeded
  
Please see [[ManagingDomains#Domain_Catchall]]
+
Fatal Errors: none
  
===Rewriting From Address For Outbound Email===
+
Panics: none
  
Please see [[ManagingDomains#Domain_Masquerading]]
+
Master daemon messages: none
 +
</pre>
  
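Review bot: The new heading `======zmdialyreport======` is misspelled; the sentence under it and the command itself use `zmdailyreport` (`/opt/zimbra/libexec/zmdailyreport`). Suggest correcting the heading in this revision, since the heading text also becomes the section anchor that other pages would link to.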
===Rewrite Recipient Address For Incoming Email===
+
======client_usage_report.py======
  
There is a way to rewrite the incoming mail, but it's not a standard Zimbra feature. You can implement it as a configuration change in Postfix.  Here's what you do:
+
This will give some stats on your mail activity. Note, there are some issue with this script double reporting mail counts etc, but it's useful to identify the top 50 for activity.
  
# Create a file in /opt/zimbra/conf named 'postfix_recipientmap'.
+
<pre>
#* The format is a single line that reads something like: @alias.domain.com @domain.com
+
[zimbra@zcs806 ~]$ /opt/zimbra/libexec/client_usage_report.py
# Run 'postmap postfix_recipientmap' in the conf directory.
+
Reading /opt/zimbra/log/access_log.2014-04-17 ..
# Run "postconf -e recipient_canonical_maps=hash:/opt/zimbra/conf/postfix_recipientmap".
+
Reading /opt/zimbra/log/access_log.2014-04-18 ..
# Run 'postfix reload'.
+
Reading /opt/zimbra/log/access_log.2014-04-19 ..
 +
Reading /opt/zimbra/log/access_log.2014-04-20 ..
 +
Reading /opt/zimbra/log/access_log.2014-04-21 ..
 +
Reading /opt/zimbra/log/access_log.2014-04-22 ..
 +
Reading /opt/zimbra/log/access_log.2014-04-23 ..
 +
Writing /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv ..
 +
</pre>
  
This will cause postfix to map any incoming mail with a recipient of '@alias.domain.com' to '@domain.com'. You will need to re-apply this postconf change after upgrades, though the postfix_recipientmap file should survive.
+
Then review the file it will create , it will give : "user_agent","client_IP","req_count"
  
===Automatic BCC===
+
<pre>
 +
[zimbra@zcs806 ~]$ cat /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv
 +
"user_agent","client_IP","req_count"
 +
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","14"
 +
"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","93"
 +
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.174","6"
 +
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","71"
 +
</pre>
  
====Option 1 - Via Postfix Customization====
+
======qshape======
  
From the postfix website:
+
You can also look at the results of [[http://www.postfix.org/qshape.1.html qshape]] - the default is the active queue. For more on qshape, see [[http://www.postfix.org/QSHAPE_README.html Postfix Qshape Readme]] .
  
*always_bcc = address
+
<pre>
** Deliver a copy of all mail to the specified address. In Postfix versions before 2.1, this feature is implemented by smtpd(8), qmqpd(8), or pickup(8).
+
qshape deferred
* sender_bcc_maps = type:table
+
              T  5 10 20 40 80 160 320 640 1280 1280+
** Search the specified "type:table" lookup table with the envelope sender address for an automatic BCC address. This feature is available in Postfix 2.1 and later.  
+
        TOTAL 12  0  0  0  0  0  0  0  0    0    12
* recipient_bcc_maps = type:table
+
    gmail.com  9  0  0  0  0  0  0  0  0    0    9
** Search the specified "type:table" lookup table with the envelope recipient address for an automatic BCC address. This feature is available in Postfix 2.1 and later.  
+
    yahoo.com  3  0  0  0  0  0  0  0  0    0    3
* Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates itself.
+
</pre>
  
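Review bot: In the qshape paragraph both external links are written with double brackets (`[[http://www.postfix.org/qshape.1.html qshape]]`), which is internal-link syntax. The other postfix.org links on this page use single brackets (`[http://www.postfix.org/anvil.8.html anvil ...]`); suggest the same here so the rendered text does not carry stray brackets around each link.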
Please see the following:
+
======3rd Party Log Reports - postfix-logwatch and amavis-logwatch======
  
* A very nice forum post on the subject from our very own mmorse
+
Created RFE for us to include these in ZCS:
** http://www.zimbra.com/forums/administrators/28606-master-incoming-outgoing-archive.html#post134490
 
* Postfix workaround
 
** http://www.postfix.com/ADDRESS_REWRITING_README.html#auto_bcc
 
* "User defined auto bcc"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=15306
 
* "Next rev of (mail) identities preferences management (server side)"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=17320
 
  
====Option 2 - Via ZCS Legal Intercept====
+
* Include postfix-logwatch_and_amavis-logwatch
 +
** https://bugzilla.zimbra.com/show_bug.cgi?id=89450
  
Generally used for [[Ajcody-User-Management-Topics#Managing_Legal_Requests_for_Information|Managing Legal Requests for Information]]
+
You can download them from http://logreporters.sourceforge.net/ . It's a fairly simply install, download and then extract - cd into extracted directory and as root type :
  
Description:
+
make install-standalone
:: The ZCS legal intercept feature is used to obtain copies of email messages that are sent, received, or saved as drafts from targeted accounts and send these message to a designated “shadow” email address. Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.
 
  
Please see:
+
They will install to /usr/local/bin/amavis-logwatch & postfix-logwatch . The config files are in /usr/local/etc/amavis-logwatch.conf & postfix-logwatch.conf . Here's an example of the output.
* http://www.zimbra.com/docs/ne/latest/administration_guide/managing_other_zcs_features.8.1.html
 
* http://wiki.zimbra.com/index.php?title=Legal_Intercept
 
* http://bugzilla.zimbra.com/show_bug.cgi?id=17539
 
  
====Option 3 - Zimbra's Archiving And Discovery====
+
/usr/local/bin/amavis-logwatch output example:
  
See [[Ajcody-Notes-Archive-Discovery]] concerning A&D setup and options.
+
<pre>
 +
[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/amavis-logwatch /var/log/zimbra.log
 +
****** Summary *************************************************************************************
  
===Limiting Or Increasing Number Of Recipents / Messages===
+
      4  Total messages scanned ------------------  100.00%
 +
  1.926K  Total bytes scanned                          1,972
 +
========  ==================================================
  
====Mailing Lists - Distribution Lists====
+
      4  Passed ----------------------------------  100.00%
 +
      4    Clean passed                            100.00%
 +
========  ==================================================
  
Please see [[Ajcody-MailingLists-And-Mailman#Problems_Resolving_Virtual_Aliases_For_Members_Of_Large_Distribution_Lists]]
+
      4  Ham -------------------------------------  100.00%
 +
      4    Clean passed                            100.00%
 +
========  ==================================================
  
====Policy Daemon====
 
  
If you want to restrict messages per hour,  you can look into Policy Daemon:
+
==================================================================================
 +
Spam Score Percentiles        0%      50%      90%      95%      98%      100%
 +
----------------------------------------------------------------------------------
 +
Score Ham (4)            -1.900    -1.900    -1.900    -1.900    -1.900    -1.900
 +
==================================================================================
  
* http://wiki.zimbra.com/wiki/Postfix_Policyd
+
======================================================================================================
* http://wiki.zimbra.com/wiki/How-to_for_cbpolicyd
+
Spam Score Frequency      <= -10    <= -5      <= 0      <= 5    <= 10    <= 20    <= 30      > 30
* http://www.policyd.org/features.html
+
------------------------------------------------------------------------------------------------------
 +
Hits (4)                      0        0        4        0        0        0        0        0
 +
Percent of Hits            0.00%    0.00%  100.00%    0.00%    0.00%    0.00%    0.00%    0.00%
 +
======================================================================================================
 +
</pre>
  
Beta release in ZCS 7 , see:
+
/usr/local/bin/postfix-logwatch output example:
  
* "make support for postfix-policyd easier"
+
<pre>
** http://bugzilla.zimbra.com/show_bug.cgi?id=8791
+
[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/postfix-logwatch /var/log/zimbra.log
  
====Postfix====
+
****** Summary *************************************************************************************
  
Also, there are some default postfix parameters set to control sending a message to x amount recipients.  The parameters you will need to look at are smtpd_recipient_limit & smtpd_recipient_overshoot_limit, these have a default value of 1000.
+
      1  *Warning: Queue file size limit exceeded
  
Postfix defines these parameters as:
+
  6.512K  Bytes accepted                              6,668
 +
  1.928K  Bytes sent via SMTP                          1,974
 +
  4.584K  Bytes sent via LMTP                          4,694
 +
========  ==================================================
  
* smtpd_recipient_limit: The maximum number of recipients that the Postfix SMTP server accepts per message delivery request.
+
      10  Accepted                                    76.92%
* smtpd_recipient_overshoot_limit: The number of recipients that a remote SMTP client can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP server increments the per-session error count for each excess recipient.
+
      3  Rejected                                    23.08%
 +
--------  --------------------------------------------------
 +
      13  Total                                      100.00%
 +
========  ==================================================
  
From the command line you can change the default values.
+
      3  5xx Reject message size                    100.00%
 +
--------  --------------------------------------------------
 +
      3  Total 5xx Rejects                          100.00%
 +
========  ==================================================
  
su - zimbra
+
      10  Connections
postconf -e smtpd_recipient_limit=<new value>
+
      10  Disconnections
postconf -e smtpd_recipient_overshoot_limit=<new value>
+
      8  Removed from queue
postfix reload
+
      4  Sent via SMTP
 +
      4  Sent via LMTP
 +
      4  Filtered
  
====Bugs RFE's For Customers To Get Behind====
+
****** Detail (10) *********************************************************************************
  
I'm wondering if policyd gives one the control everyone is looking for? I've not used it myself.
+
      3  5xx Reject message size -----------------------------------------------------------------
 +
      3      192.168.1.166    remote.domain.com
 +
      3        *unavailable
 +
      3            *unavailable
  
Policyd References:
+
      4  Sent via SMTP ---------------------------------------------------------------------------
* http://www.policyd.org/tiki-index.php?page=Documentation
+
      4      zcs806.DOMAIN.com
* http://www.policyd.org/tiki-index.php?page=Quotas&structure=Documentation
 
* http://www.policyd.org/tiki-index.php?page=Accounting&structure=Documentation
 
* http://www.policyd.org/tiki-index.php?page=Policies%20%26%20Groups&structure=Documentation
 
* http://wiki.zimbra.com/index.php?title=Postfix_Policyd
 
  
There's other additions [add-on's] one can get for policyd.
+
      4  Sent via LMTP ---------------------------------------------------------------------------
 +
      4      zcs806.DOMAIN.com
  
We have this RFE in regards to policyd support:
+
      4  Filtered --------------------------------------------------------------------------------
 +
      2      smtp-amavis:[127.0.0.1]:10024
 +
      2        Sender address
 +
      1            admin@zcs806.DOMAIN.com
 +
      1              admin@zcs806.DOMAIN.com
 +
      1                  192.168.1.166    remote.domain.com
 +
      1            user@DOMAIN.com
 +
      1              admin@zcs806.DOMAIN.com
 +
      1                  192.168.1.184    remote2.domain.com
 +
      2      smtp-amavis:[127.0.0.1]:10026
 +
      2        Sender address
 +
      1            admin@zcs806.DOMAIN.com
 +
      1              admin@zcs806.DOMAIN.com
 +
      1                  192.168.1.166    remote.domain.com
 +
      1            user@DOMAIN.com
 +
      1              admin@zcs806.DOMAIN.com
 +
      1                  192.168.1.184    remote2.domain.com
  
* "make support for postfix-policyd easier"
+
=== Delivery Delays Percentiles ============================================================
** http://bugzilla.zimbra.com/show_bug.cgi?id=8791
+
                    0%      25%      50%      75%      90%      95%      98%      100%
*** Target Milestone currently for Helix release [ http://pm.zimbra.com ]
+
--------------------------------------------------------------------------------------------
+
Before qmgr      0.04      0.09      0.11      0.11      0.23      0.35      0.43      0.48
Other related rfe/bugs, specially to push variables into admin web console:
+
In qmgr          0.00      0.00      0.01      0.01      0.04      0.07      0.08      0.09
 +
Conn setup        0.00      0.01      0.29      1.30      2.05      2.23      2.33      2.40
 +
Transmission      0.10      2.81      4.85      9.60    21.00    21.00    21.00    21.00
 +
Total            0.20      2.91      5.20    11.00    23.30    23.65    23.86    24.00
 +
============================================================================================
 +
</pre>
  
* "rate limit amount of mail sent via web client"
+
'''Note''' - First, look at the options each command has using the -h output. You might want to use --full when doing an investigation and also include a wildcard - /var/log/zimbra.lo* to take in all the log data. For example:
** http://bugzilla.zimbra.com/show_bug.cgi?id=22300
 
*** *Target Milestone currently for Helix release
 
* "mta "advanced" tab"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=14645
 
*** Target Milestone currently for Helix release
 
* "Option to IP Blocking through UI"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=19240
 
*** Target Milestone currently for Helix release
 
* "Mail policies and access control for sending to distribution lists"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=9620
 
*** Target Milestone currently for GunsNRoses
 
  
===Controlling SMTPD Client Connections===
+
<pre>
 +
[zimbra@zcs806 ~]$ /usr/local/bin/postfix-logwatch --full /var/log/zimbra.lo*
 +
****** Summary *************************************************************************************
  
Mmorse did a good write up on these variables in the forum:
+
      9  *Fatal:   General fatal
 +
      1  *Warning: Queue file size limit exceeded
 +
      21  Miscellaneous warnings
  
* http://www.zimbra.com/forums/administrators/13591-solved-limit-max-recipriants.html#post69582
+
710.888K  Bytes accepted                            727,949
 +
193.036K  Bytes sent via SMTP                        197,669
 +
520.114K  Bytes sent via LMTP                        532,597
 +
========  ==================================================
  
Postfix Resources At Their Site (All Clients/Connections):
+
    1041  Accepted                                    99.71%
* [http://www.postfix.org/TUNING_README.html#conn_limit Measures against clients that make too many connections]
+
      3  Rejected                                    0.29%
* [http://www.postfix.org/anvil.8.html  anvil - Postfix session count and request rate control]
+
--------  --------------------------------------------------
* [http://www.postfix.org/postconf.5.html#anvil_rate_time_unit anvil_rate_time_unit - The time unit over which client connection rates and other rates are calculated.]
+
    1044  Total                                      100.00%
* [http://www.postfix.org/postconf.5.html#smtpd_client_connection_count_limit smtpd_client_connection_count_limit - How many simultaneous connections any client is allowed to make to this service. ]
+
========  ==================================================
* [http://www.postfix.org/postconf.5.html#smtpd_client_message_rate_limit smtpd_client_message_rate_limit - The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages.]
 
* [http://www.postfix.org/postconf.5.html#smtpd_client_recipient_rate_limit smtpd_client_recipient_rate_limit - The maximal number of recipient addresses that any client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients.]
 
* [http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit smtpd_client_connection_rate_limit - The maximal number of connection attempts any client is allowed to make to this service per time unit.]
 
  
Postfix Resources At Their Site (Exceptions To Clients/Connections Or Single Source):
+
      3  5xx Reject message size                    100.00%
* [http://www.postfix.org/postconf.5.html#smtpd_client_event_limit_exceptions smtpd_client_event_limit_exceptions - Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions.]
+
--------  --------------------------------------------------
 +
      3  Total 5xx Rejects                          100.00%
 +
========  ==================================================
  
===Restrictions===
+
      65  Connections
 +
      65  Disconnections
 +
    1041  Removed from queue
 +
    523  Sent via SMTP
 +
    517  Sent via LMTP
 +
      2  Bounced (local)
 +
      1  Bounced (remote)
 +
      9  Filtered
 +
      2  Notifications sent
  
Besides using external mailing list software, [[Ajcody-MailingLists-And-Mailman#Mailman_-_Mailing_List_Manager|Mailman]] or [[Ajcody-MailingLists-And-Mailman#Sympa_-_Mailing_List_Manager|Sympa]], here's some other topical items in regards to restrictions.
+
      4  Timeouts (inbound)
 +
      1  PIX workaround enabled
  
Some user contributed articles:
+
****** Detail (10) *********************************************************************************
  
* [[RestrictPostfixRecipients]]
+
      9  *Fatal:   General fatal -----------------------------------------------------------------
* [[Restrict_sending_to_certain_domains]]
+
      3      Queue report unavailable - mail system is down
* [[Restrict_users_to_certain_domain]]
+
      3      Usage: sendmail [options]
* [http://www.zimbra.com/forums/administrators/15041-guide-postifx-how-multiple-access-lists-protected-distribution-lists.html Forum Post: GUIDE: Postifx: HOW TO: Multiple access lists for protected Distribution-lists]
+
      2      The Postfix mail system is not running
 +
      1      Usage: send-mail [options]
  
Some Postfix references:
+
      21  Miscellaneous warnings ------------------------------------------------------------------
 
+
      7      or the command is run from a set-uid root process
* http://www.postfix.org/RESTRICTION_CLASS_README.html#internal
+
      7      the Postfix sendmail command has set-uid root file permissions
* http://www.postfix.org/SMTPD_POLICY_README.html
+
      7      the Postfix sendmail command must be installed without set-uid root file permissions
 +
 
 +
      3  5xx Reject message size -----------------------------------------------------------------
 +
      3      10.X.X.166    fence.DOMAIN.com
 +
      3        *unavailable
 +
      3            *unavailable
 +
 
 +
    523  Sent via SMTP ---------------------------------------------------------------------------
 +
    507      86.lab
 +
      15      zcs806.DOMAIN.com
 +
      1      domaina.com
  
Some RFE's related to mta based restrictions [targets are based upon today - July 21, 2010]:
+
    517  Sent via LMTP ---------------------------------------------------------------------------
 +
    507      86.lab
 +
      10      zcs806.DOMAIN.com
  
* "Dynamic distribution lists - Internal Directory"
+
      2  Bounced (local) -------------------------------------------------------------------------
** http://bugzilla.zimbra.com/show_bug.cgi?id=3884
+
      2      5.0.0: Permanent failure: Other/Undefined status: Other undefined status
* "per-domain send restriction" - Not Committed
+
      2        zcs806.DOMAIN.com
** http://bugzilla.zimbra.com/show_bug.cgi?id=5595
+
      2            Zcs806.DOMAIN.com
*** These are marked as dup's of the above:
+
      1              subject:test
**** "disable outbound e-mail for one user"
+
      1              zimbra
***** http://bugzilla.zimbra.com/show_bug.cgi?id=34654
+
 
**** "Add an facility to detemine internal relay users in admin"
+
      1  Bounced (remote) ------------------------------------------------------------------------
***** http://bugzilla.zimbra.com/show_bug.cgi?id=33255
+
      1      5.0.0: Permanent failure: Other/Undefined status: Other undefined status
* "policy for who can send to a distribution lists" - Helix
+
      1        domain.com
** http://bugzilla.zimbra.com/show_bug.cgi?id=9620
+
      1            user
*** RFE 9620 is also a blocker for the following RFE:
+
      1              64.X.X.28      sentry.DOMAIN.com
**** "milter to check if sender can send to a distribution list"
+
      1                  505 5.0.0 Unknown recipient: RCPT TO
***** http://bugzilla.zimbra.com/show_bug.cgi?id=46311
+
 
*** These are marked as dup's of the above:
+
      9  Filtered --------------------------------------------------------------------------------
**** "Ability to Specify Mail Policy"
+
      7      smtp-amavis:[127.0.0.1]:10026
***** http://bugzilla.zimbra.com/show_bug.cgi?id=5555
+
      7        Sender address
**** "domain level filters rules"
+
      3            admin@zcs806.DOMAIN.com
***** http://bugzilla.zimbra.com/show_bug.cgi?id=6128
+
      3              admin@zcs806.DOMAIN.com
**** "Distribution List Restrictions"
+
      2                  10.X.X.36    zcs806.DOMAIN.com
***** http://bugzilla.zimbra.com/show_bug.cgi?id=7104
+
      1                  10.X.X.166    gatewayXX.DOMAIN.com
**** "Feature request - Mail Policies"
+
      2            zimbra@zcs806.DOMAIN.com
***** http://bugzilla.zimbra.com/show_bug.cgi?id=9328
+
      2              admin@zcs806.DOMAIN.com
**** "limit  "send from"  to certain domains"
+
      2                  10.X.X.36    zcs806.DOMAIN.com
***** http://bugzilla.zimbra.com/show_bug.cgi?id=12038
+
      1            ajcody@DOMAIN.com
**** "'Internal email only' options in admin control panel"
+
      1              admin@zcs806.DOMAIN.com
***** http://bugzilla.zimbra.com/show_bug.cgi?id=16671
+
      1                  10.X.X.184    edgeXX.DOMAIN.com
**** "Access control for free busy and resources (ie permission to invite)"
+
      1            san5@zcs806.DOMAIN.com
***** http://bugzilla.zimbra.com/show_bug.cgi?id=22913
+
      1              b@zcs806.DOMAIN.com
**** "RFE: Admin GUI: Restrict the use of Distribution List among users."
+
      1                  10.X.X.36    zcs806.DOMAIN.com
***** http://bugzilla.zimbra.com/show_bug.cgi?id=29305
+
      2      smtp-amavis:[127.0.0.1]:10024
* "Implement smtpd_sender_restrictions"
+
      2        Sender address
** http://bugzilla.zimbra.com/show_bug.cgi?id=15808
+
      1            admin@zcs806.DOMAIN.com
* "How to restrict a user to only send via zwc"
+
      1              admin@zcs806.DOMAIN.com
** http://bugzilla.zimbra.com/show_bug.cgi?id=16623
+
      1                  10.X.X.166    gatewayXX.DOMAIN.com
* "enable configuration of  "smtpd_sender_restriction""
+
      1            ajcody@DOMAIN.com
** http://bugzilla.zimbra.com/show_bug.cgi?id=22363
+
      1              admin@zcs806.DOMAIN.com
 
+
      1                  10.X.X.184    edgeXX.DOMAIN.com
===Spam Control And Related Issues===
+
 
 +
      2  Notifications sent ----------------------------------------------------------------------
 +
      2      Non-delivery
 +
      2        sender
 +
 
 +
      4  Timeouts (inbound) ----------------------------------------------------------------------
 +
      4      After END-OF-MESSAGE
  
====High Over View Steps Of What To Do====
+
      1  PIX workaround enabled ------------------------------------------------------------------
 +
      1      disable_esmtp delay_dotcrlf
 +
      1        64.X.X.28      sentry.DOMAIN.com
  
* '''Step 1:''' Confirm your not an open relay and double check your postfix $mynetworks variable.
+
=== Delivery Delays Percentiles ============================================================
** [[ZimbraMtaMyNetworks|ZimbraMtaMyNetworks And Postfix mynetworks]]
+
                    0%      25%      50%      75%      90%      95%      98%      100%
** [[Ajcody-MTA-Postfix-Topics#Open_Relay_Check|Open Relay Check]]
+
--------------------------------------------------------------------------------------------
* '''Step 2:''' Stop or put on-hold mail queue.
+
Before qmgr      0.01      0.03      0.06      0.14      0.27      0.34      0.48      2.60
** Put all messages into HOLD queue:
+
In qmgr          0.00      0.00      0.08    117.50    193.00    216.00    231.48    246.00
*** Get a report of your current mailq [can be useful if you clean out the queue later but need to identify what external mail hosts are now denying you and who you'll need to contact about getting removed from their denial list]
+
Conn setup        0.00      0.00      0.00      0.00      0.02      0.04      0.22    20.00
**** Example: /opt/zimbra/postfix/sbin/mailq > /tmp/zimbra_mailq_report.txt
+
Transmission      0.05      0.09      3.60      9.80    10.00    10.00    11.00    160.00
*** /opt/zimbra/postfix/sbin/postsuper -h ALL
+
Total            0.07      0.13      3.80    129.00    203.00    226.00    241.64    259.00
** Or put all messages match compromised account into HOLD queue:
+
============================================================================================
*** /opt/zimbra/postfix/sbin/mailq | grep user_compromised@domain | awk '{ print $1 }' | tr -d '!*' | /opt/zimbra/postfix/sbin/postsuper -h -
+
</pre>
**** Note, this is an example - you might with the grep grab more than the compromised account with the match.
 
** See whole section - [[Ajcody-MTA-Postfix-Topics#Managing_Postfix_Queue| Managing The Postfix Queue]]
 
* '''Step 3:''' Check your mail log [On ZCS servers running MTA services] - /var/log/zimbra.log
 
** [[Ajcody-MTA-Postfix-Topics#Understanding_.2Fvar.2Flog.2Fzimbra.log_And_Postfix_Log_Events| Understanding the zimbra.log file and Postfix log events.]] , see subsection about queue ID and message ID also.
 
** [[Ajcody-MTA-Postfix-Topics#Who.27s_My_Spammer.3F| Who's My Spammer?]]
 
* '''Step 4:''' Identify compromised account authenticating SMTP AUTH connection or block ip address where emails are coming from at firewall.
 
** [[Ajcody-MTA-Postfix-Topics#Who.27s_My_Spammer.3F| Who's My Spammer?]]
 
** Continue to monitor compromised account and block ip addresses:
 
*** tail -f /var/log/zimbra.log | grep username | grep sasl
 
**** Jun  8 18:14:10 mail postfix/smtpd[15794]: 004358EEB16: client=unknown[XXXX.236.197.216], sasl_method=LOGIN, sasl_username=username@domain
 
* '''Step 5:''' Disable the exploited email account, expire auth session, etc.
 
** [[Ajcody-User-Management-Topics#Resetting_A_User.27s_Account_From_CLI| Resetting Or Expiring User Auth]]
 
** '''Note''' - Restarting the mta services will be important once you reset the password/s or lock the account. It's required to ensure the active connections will be closed and any existing auth tokens no longer are valid. See:
 
*** Force currently active SMTP authenticated sessions to be renegotiated when locking an account
 
**** https://bugzilla.zimbra.com/show_bug.cgi?id=80299
 
* '''Step 6:''' Move the mail queue or delete the spam email
 
** See whole section - [[Ajcody-MTA-Postfix-Topics#Managing_Postfix_Queue| Managing The Postfix Queue]]
 
* '''Step 7:''' Release Mail queue
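Review bot: In Step 2, the per-account hold pipeline (mailq | grep user_compromised@domain | awk '{ print $1 }' | ...) selects every mailq line that mentions the address, including the indented recipient lines, where the first field is an address and not a queue ID, so non-ID strings are piped into postsuper -h. The note under the command concedes that the grep can over-match; it would be better to fix the command than to warn about it, for example by having awk test the sender column of the queue-ID line ($7 == "user_compromised@domain") before printing $1. Step 1 also reads "your" where "you're" is meant.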
 
  
====Who's My Spammer?====
+
======zmaccts======
  
=====Getting Some Initial Summary Data=====
+
One way to note accounts that are actively logging in vs. those that aren't, can help shrink the number of accounts you might want to investigate or monitor. [example below, I cut out a lot of the  accounts]
  
======zmdialyreport======
+
<pre>
 +
          account                          status            created      last logon
 +
------------------------------------  -----------    ---------------  ---------------
 +
zcstest001@zcs806.DOMAIN.com                active      01/20/14 18:47  03/02/14 21:11
 +
zcstest002@zcs806.DOMAIN.com                active      01/30/14 01:48  02/19/14 00:07
 +
admin-20140415@zcs806.DOMAIN.com            active      04/15/14 14:42            never
 +
archtest-prod-20140402@zcs806.DOMAIN        active      04/02/14 07:42            never
  
First, some notable bug/RFE's in regards to the zmdailyreport:
+
          account                          status            created      last logon
 +
------------------------------------  -----------    ---------------  ---------------
 +
bruce@test1.lab                            active      02/22/14 09:32            never
 +
test.cal@test1.lab                          active      04/06/14 05:35  04/06/14 05:35
 +
test200@test1.lab                          active      04/12/14 00:50            never
  
* RFE - add explanations to Daily mail report / pflogsumm.pl output
+
                                domain summary
** https://bugzilla.zimbra.com/show_bug.cgi?id=86630
 
* Daily mail report shows incorrect output because pflogsumm.pl doubles the result
 
** https://bugzilla.zimbra.com/show_bug.cgi?id=84444
 
* Descriptions of mta_counts numbers vs daily reports and other msg stats
 
** https://bugzilla.zimbra.com/show_bug.cgi?id=79632
 
  
You can first get some summary data by doing the following:
+
    domain                  active    closed    locked    maintenance    total
 
+
-----------------------  --------  --------  --------  -------------  --------
<pre>
+
test1.lab                        3        0        0              0        3
[zimbra@zcs806 ~]$ /opt/zimbra/libexec/zmdailyreport
+
test2.com                        2        0        0              0        2
 +
angad.com                        2        0        0              0        2
 +
test.test                        3        0        0              0        3
 +
test.DOMAIN.com                  6        0        0              0        6
 +
zcs806.DOMAIN.com              58        0        0              0        58
 +
zcs806.DOMAIN.com                2        0        0              0        2
 +
</pre>
  
Grand Totals
+
=====By Authentication Attempts=====
------------
 
messages
 
  
      7  received
+
A fast way to see who is doing a lot of authentications, which normally happens when a spammer has compromised an account with a weak password, is to do:
    11  delivered
 
      0  forwarded
 
      0  deferred
 
      0  bounced
 
      3  rejected (21%)
 
      0  reject warnings
 
      0  held
 
      0  discarded (0%)
 
  
  2780  bytes received
+
<pre>
  10914  bytes delivered
+
# cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
       2  senders
+
       1 Auser@domain.com
       1  sending hosts/domains
+
       3 Buser@domain.com
       1  recipients
+
       4 Cuser@domain.com
       1  recipient hosts/domains
+
       5 Duser@domain.com
 +
    36 SPAMMER@domain.com
 +
</pre>
  
 +
'''Note - This might take a long time, if so - try pruning it down'''
  
Per-Hour Traffic Summary
+
Example:
    time          received  delivered  deferred    bounced    rejected
+
<pre>
    --------------------------------------------------------------------
+
# cat /var/log/zimbra.log | grep sasl_username > /tmp/zimbra_sasl_username.txt
    0000-0100          0          0          0          0          0
+
# cat /tmp/zimbra_sasl_username.txt | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
    0100-0200          1          3          0          0          0
+
      1 Auser@domain.com
    0200-0300          0          0          0          0          0
+
      3 Buser@domain.com
    0300-0400          0          0          0          0          0
+
      4 Cuser@domain.com
    0400-0500          0          0          0          0          0
+
      5 Duser@domain.com
    0500-0600          0          0          0          0          0
+
    36 SPAMMER@domain.com
    0600-0700          0          0          0          0          0
+
</pre>
    0700-0800          1         0          0          0          2
 
    0800-0900          1          0          0          0          0
 
    0900-1000          0          0          0          0          1
 
    1000-1100          0          0          0          0          0
 
    1100-1200          0          0          0          0          0
 
    1200-1300          4         8          0          0          0
 
    1300-1400          0          0          0          0          0
 
    1400-1500          0          0          0          0          0
 
    1500-1600          0          0          0          0          0
 
    1600-1700          0          0          0          0          0
 
    1700-1800          0          0          0          0          0
 
    1800-1900          0          0          0          0          0
 
    1900-2000          0          0          0          0          0
 
    2000-2100          0          0          0          0          0
 
    2100-2200          0          0          0          0          0
 
    2200-2300          0          0          0          0          0
 
    2300-2400          0          0          0          0          0
 
  
Host/Domain Summary: Message Delivery (top 50)
+
The full log event will look like this:
sent cnt  bytes  defers  avg dly max dly host/domain
+
<pre>
-------- -------  -------  ------- ------- -----------
+
zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
    11    10914        0    7.4 s  24.0 s  zcs806.DOMAIN.com
+
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
 +
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
 +
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>
 +
</pre>
  
Host/Domain Summary: Messages Received (top 50)
+
Against your older logs, you could:
msg cnt  bytes  host/domain
 
-------- -------  -----------
 
      5    2780  zcs806.DOMAIN.com
 
  
top 50 Senders by message count
+
<pre>
-------------------------------
+
# zcat /var/log/zimbra.log* | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
      4  zimbra@zcs806.DOMAIN.com
+
</pre>
      1  admin@zcs806.DOMAIN.com
 
  
top 50 Recipients by message count
+
And you can look at the specific information for the user in question with:
----------------------------------
 
    11  admin@zcs806.DOMAIN.com
 
  
top 50 Senders by message size
+
<pre>
------------------------------
+
# grep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log
  1974  zimbra@zcs806.DOMAIN.com
+
</pre>
    806  admin@zcs806.DOMAIN.com
 
  
top 50 Recipients by message size
+
Or if searching against the older logs:
---------------------------------
 
  10914  admin@zcs806.DOMAIN.com
 
  
message deferral detail: none
+
<pre>
 +
# zgrep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log*
 +
</pre>
 +
 
 +
If you want to check on a specific message ID, do:
 +
 
 +
<pre>
 +
grep 9DF7520804A /var/log/zimbra.log*
 +
</pre>
  
message bounce detail (by relay): none
+
For older message logs:
  
message reject detail
+
<pre>
---------------------
+
zgrep 9DF7520804A /var/log/zimbra.log*
  MAIL
+
</pre>
    5.3.4 Message size exceeds fixed limit (total: 3)
 
          3  domain-ext.com
 
  
message reject warning detail: none
+
To read/view the message in the queue:
  
message hold detail: none
+
/opt/zimbra/postfix/sbin/postcat -q 9DF7520804A
  
message discard detail: none
+
One would then normally lock/change password on the one account showing the most activity. Grep'ing the /var/log/zimbra.log with the username in question will also show the ip address being used, this can be blocked with your firewall.
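Review bot: The older-logs command "zcat /var/log/zimbra.log* | sed -n 's/.*sasl_username=//p' | ..." includes the current, uncompressed zimbra.log in its glob, and plain zcat reports "not in gzip format" for that file and skips it, so the most recent authentications are missing from the count. Use zcat -f, which passes uncompressed input through unchanged, or build the command on zgrep as the per-user lookup further down already does. Separately, 9DF7520804A in the grep, zgrep and postcat -q commands is a Postfix queue ID (the sample log lines show the queue ID before the colon and the real header as message-id=), so "specific message ID" should read "queue ID". The sasl_username=SPAMMER@domain.com pattern should be passed with grep -F so the dots are literal.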
  
smtp delivery failures: none
+
To be alerted of a compromised account and have it lock automatically see below. Slightly modified from this reference : http://www.zimbra.com/forums/administrators/62613-identify-compromised-accounts.html#post278732 :
  
Warnings
+
<pre>
--------
 
  sendmail (total: 3)
 
        1  or the command is run from a set-uid root process
 
        1  the Postfix sendmail command has set-uid root file permissions
 
        1  the Postfix sendmail command must be installed without set-uid ...
 
  smtpd (total: 1)
 
        1  7A735345A: queue file size limit exceeded
 
  
Fatal Errors: none
+
#!/bin/bash
 +
# checks log file and gets a count of authentications sent per minute, per user
 +
# and if the count exceeds the maxmails value the user's account is locked.
  
Panics: none
+
logfile="/var/log/zimbra.log"
 +
maxmails="10"
 +
mydomain="example.com"
 +
support="<postmaster-userid>@$mydomain"
 +
accounts="/tmp/active_accounts"
  
Master daemon messages: none
+
su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
</pre>
 
  
======client_usage_report.py======
+
zgrep -i "auth ok" $logfile | sed 's/  / /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | uniq -c | sort -n | \
 +
while read line
 +
do
 +
    count=`echo ${line} | cut -d' ' -f 1`
 +
    userid=`echo ${line} | cut -d' ' -f 3`
 +
    timestamp=`echo ${line} | cut -d' ' -f 2`
 +
    active=`grep "$userid@$mydomain" $accounts`
  
This will give some stats on your mail activity. Note, there are some issue with this script double reporting mail counts etc, but it's useful to identify the top 50 for activity.
+
    if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then
 +
        echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
 +
        su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked"
 +
        subject="$userid account locked due to excessive connections"
 +
        # Email text/message
 +
        message="/tmp/emailmessage.txt"
 +
        echo "$userid account has been locked as there were $count connections made at"> $message
 +
        echo "$timestamp.  Please have the user change their password, and check for phishing" >>$message
 +
        echo "emails if possible." >>$message
 +
        # send an email using /bin/mail
 +
        /usr/bin/mail -s "$subject" "$support" < $message
 +
        rm -f $message
 +
 
 +
        #update list of active accounts
 +
        su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
 +
    fi
 +
done
 +
 
 +
rm -f $accounts
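Review bot: In the pipeline that feeds the while loop, uniq -c runs without a preceding sort, so it only merges adjacent identical "hour:minute user" lines; when other users authenticate during the same minute, the offending account's lines are split into several short runs and $count can stay below maxmails. Put sort before uniq -c, and add the date fields to the awk key if the log can span more than one day, otherwise the same minute on different days would be merged. The script also writes to fixed paths under /tmp (/tmp/active_accounts and /tmp/emailmessage.txt) while calling su zimbra, which suggests it runs as root; create those files with mktemp. Finally, the grep of $accounts for "$userid@$mydomain" is an unanchored regex match, so a userid that is the tail of another account name returns two lines and the == comparison fails; grep -Fx avoids that.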
  
<pre>
 
[zimbra@zcs806 ~]$ /opt/zimbra/libexec/client_usage_report.py
 
Reading /opt/zimbra/log/access_log.2014-04-17 ..
 
Reading /opt/zimbra/log/access_log.2014-04-18 ..
 
Reading /opt/zimbra/log/access_log.2014-04-19 ..
 
Reading /opt/zimbra/log/access_log.2014-04-20 ..
 
Reading /opt/zimbra/log/access_log.2014-04-21 ..
 
Reading /opt/zimbra/log/access_log.2014-04-22 ..
 
Reading /opt/zimbra/log/access_log.2014-04-23 ..
 
Writing /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv ..
 
 
</pre>
 
</pre>
  
Then review the file it will create , it will give :  "user_agent","client_IP","req_count"
+
Then run it as a cron job.  The frequency will depend on the number of accounts you're managing.
  
 
<pre>
 
<pre>
[zimbra@zcs806 ~]$ cat /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv
+
* * * * * /opt/zimbra/find_spammer.sh
"user_agent","client_IP","req_count"
 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","14"
 
"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","93"
 
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.174","6"
 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","71"
 
 
</pre>
 
</pre>
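Review bot: The crontab entry "* * * * * /opt/zimbra/find_spammer.sh" reruns the script every minute, and each run scans the whole of $logfile again, so a minute that exceeded maxmails hours earlier still matches. Because the lock only fires for accounts listed as active, an account that an admin has just set back to active will be locked again by the next run, until the log rotates. Limit the scan to recent entries or record which minute and user pairs have already been acted on, and state that the job belongs in root's crontab, since the script calls su zimbra.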
  
======qshape======
+
=====By Connecting IP - Useful For Blocking IP At Firewall=====
  
You can also look at the results of [[http://www.postfix.org/qshape.1.html qshape]] - the default is the active queue. For more on qshape, see [[http://www.postfix.org/QSHAPE_README.html Postfix Qshape Readme]] .
+
See also the following:
  
<pre>
+
* http://wiki.zimbra.com/wiki/Log_Files#Logging_the_Originating_IP
qshape deferred
 
              T  5 10 20 40 80 160 320 640 1280 1280+
 
        TOTAL 12  0  0  0  0  0  0  0  0    0    12
 
    gmail.com  9  0  0  0  0  0  0  0  0    0    9
 
    yahoo.com 3  0  0  0  0  0  0  0  0    0    3
 
</pre>
 
  
======3rd Party Log Reports - postfix-logwatch and amavis-logwatch======
+
To find the originating IP address of where the emails are coming from:
  
Created RFE for us to include these in ZCS:
+
grep 'connect from' /var/log/zimbra.log | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head
  
* Include postfix-logwatch_and_amavis-logwatch
+
To check your older logs [example output below]:
** https://bugzilla.zimbra.com/show_bug.cgi?id=89450
 
  
You can download them from http://logreporters.sourceforge.net/ . It's a fairly simply install, download and then extract - cd into extracted directory and as root type :
+
<pre>
 +
zgrep 'connect from' /var/log/zimbra.log* | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head
 +
    36 10.137.xx.34
 +
    34 127.0.0.1
 +
</pre>
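Review bot: grep 'connect from' in both commands also matches Postfix's "disconnect from" lines, so each session is counted twice and the per-IP totals are inflated. Match ': connect from' instead, or use grep -w 'connect from'. It is also worth stating next to the sample output that the 127.0.0.1 row is traffic from the server itself, not a remote client to block at the firewall.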
  
make install-standalone
+
=====Open Relay Check=====
  
They will install to /usr/local/bin/amavis-logwatch & postfix-logwatch . The config files are in /usr/local/etc/amavis-logwatch.conf & postfix-logwatch.conf . Here's an example of the output.
+
You should also confirm you aren't an open relay.
 
 
/usr/local/bin/amavis-logwatch output example:
 
  
 
<pre>
 
<pre>
[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/amavis-logwatch /var/log/zimbra.log
+
$ host -t mx DOMAIN.com
****** Summary *************************************************************************************
+
DOMAIN.com mail is handled by 10 mail.DOMAIN.com.
  
      4  Total messages scanned ------------------  100.00%
+
$ telnet mail.DOMAIN.com 25
  1.926K  Total bytes scanned                          1,972
+
Trying 184.###.##.## ...
========  ==================================================
+
Connected to mail.DOMAIN.com.
 +
Escape character is '^]'.
 +
220 mail.DOMAIN.com ESMTP Postfix
 +
helo support.test
 +
250 mail.DOMAIN.com
 +
mail from:<SPAMMER@domain.com>
 +
250 2.1.0 Ok
 +
rcpt to:<TEST@DOMAIN.COM>
 +
554 5.7.1 <TEST@DOMAIN.COM>: Relay access denied
  
      4  Passed ---------------------------------- 100.00%
+
rcpt to:<SPAMMER@domain.com>
      4    Clean passed                            100.00%
+
554 5.7.1 Service unavailable; Client host [71.XXX.XX.XX] blocked
========  ==================================================
+
  using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=71.202.XX.XX
 +
quit
 +
221 2.0.0 Bye
 +
Connection closed by foreign host.
 +
</pre>
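Review bot: The Open Relay Check transcript does not say where it is run from or which recipient is the foreign one. The result only means something when the telnet session comes from a host outside mynetworks (the page makes this same point further down for the port 25 authentication test) and rcpt to names a domain the server does not host. Add both conditions above the transcript and label which of the two rcpt to lines is the relay attempt. The redaction is also inconsistent: the reject text masks the client as [71.XXX.XX.XX] while the Spamhaus URL on the next line shows ip=71.202.XX.XX.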
  
      4  Ham -------------------------------------  100.00%
+
=====Telnet Test To Confirm/Show Authentication Required For SMTP/Port 25=====
      4    Clean passed                            100.00%
 
========  ==================================================
 
  
 +
This is an example:
  
==================================================================================
+
<pre>
Spam Score Percentiles        0%      50%      90%      95%      98%      100%
+
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25
----------------------------------------------------------------------------------
 
Score Ham (4)            -1.900    -1.900    -1.900    -1.900    -1.900    -1.900
 
==================================================================================
 
  
======================================================================================================
+
Trying 10.137.27.32...
Spam Score Frequency      <= -10    <= -5      <= 0      <= 5    <= 10    <= 20    <= 30      > 30
+
Connected to zcs723.EXAMPLE.com.
------------------------------------------------------------------------------------------------------
+
Escape character is '^]'.
Hits (4)                      0        0        4        0        0        0        0        0
+
220 zcs723.EXAMPLE.com ESMTP Postfix
Percent of Hits            0.00%    0.00%   100.00%    0.00%    0.00%    0.00%    0.00%    0.00%
+
helo zcs723.EXAMPLE.com  << I typed
======================================================================================================
+
250 zcs723.EXAMPLE.com
 +
mail from:ajcody@zcs723.EXAMPLE.com  << I typed
 +
250 2.1.0 Ok
 +
rcpt to:ajcody2@zcs723.EXAMPLE.com   << I typed
 +
553 5.7.1 <ajcody@zcs723.EXAMPLE.com>: Sender address rejected: not logged in
 
</pre>
 
</pre>
  
/usr/local/bin/postfix-logwatch output example:
+
But note - if you do this from the ZCS server or a server that is within the ip range or has it's specific ip listed in the mynetworks, you will not get this authentication requirement.
  
 
<pre>
 
<pre>
[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/postfix-logwatch /var/log/zimbra.log
+
[root@zcs723 ~]# telnet localhost 25
 
+
Trying ::1...
****** Summary *************************************************************************************
+
telnet: connect to address ::1: Connection refused
 
+
Trying 127.0.0.1...
      1   *Warning: Queue file size limit exceeded
+
Connected to localhost.
 
+
Escape character is '^]'.
  6.512K  Bytes accepted                              6,668
+
220 zcs723.EXAMPLE.com ESMTP Postfix
  1.928K  Bytes sent via SMTP                          1,974
+
helo myworkstation
  4.584K  Bytes sent via LMTP                          4,694
+
250 zcs723.EXAMPLE.com
========  ==================================================
+
ehlo myworkstation
 +
250-zcs723.EXAMPLE.com
 +
250-PIPELINING
 +
250-SIZE 10240000
 +
250-VRFY
 +
250-ETRN
 +
250-STARTTLS
 +
250-AUTH LOGIN PLAIN
 +
250-AUTH=LOGIN PLAIN
 +
250-ENHANCEDSTATUSCODES
 +
250-8BITMIME
 +
250 DSN
 +
mail from:<ajcody@zcs723.EXAMPLE.com>
 +
250 2.1.0 Ok
 +
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
 +
250 2.1.5 Ok
 +
data
 +
354 End data with <CR><LF>.<CR><LF>
 +
From: Adam <ajcody@zcs723.EXAMPLE.com>
 +
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com>
 +
Subject: From Localhost - NOT Auth
 +
test
 +
.
 +
250 2.0.0 Ok: queued as 8B19E1E78D1
 +
quit
 +
221 2.0.0 Bye
 +
Connection closed by foreign host.
 +
</pre>
  
      10  Accepted                                    76.92%
+
====Resources====
      3  Rejected                                    23.08%
 
--------  --------------------------------------------------
 
      13  Total                                      100.00%
 
========  ==================================================
 
  
      3  5xx Reject message size                    100.00%
+
A list of resources you'll find useful:
--------  --------------------------------------------------
 
      3  Total 5xx Rejects                          100.00%
 
========  ==================================================
 
  
      10  Connections
+
* [[Zimbra_MTA#Anti-Spam_Training_Filters]]
      10  Disconnections
+
* [[CLI_zmtrainsa]]
      8  Removed from queue
+
* [[Improving_Anti-spam_system]]
      4  Sent via SMTP
+
* [[Postfix_Policyd]]
      4  Sent via LMTP
+
* [[IP_Address_whitelisting]]
      4  Filtered
+
* [[Spam_training]]
 +
*  Restrict by user
 +
** [[RestrictPostfixRecipients]]
 +
* Restrict by ip addresses and sender and other items:
 +
** [http://www.postfix.org/RESTRICTION_CLASS_README.html Postfix - Restriction Class Readme]
 +
*** Note, from the readme:
 +
**** "What follows is based on the SMTP client IP address, and therefore is subject to IP spoofing."
 +
**** "What follows is based on the sender SMTP envelope address, and therefore is subject to SMTP sender spoofing."
  
****** Detail (10) *********************************************************************************
+
Wiki articles that have been assigned to the anit-spam category:
 +
 
 +
* [http://wiki.zimbra.com/index.php?title=Category:Anti-spam Category:Anti-spam]
  
      3  5xx Reject message size -----------------------------------------------------------------
+
Down to the end-user:
      3      192.168.1.166    remote.domain.com
 
      3        *unavailable
 
      3            *unavailable
 
  
      4  Sent via SMTP ---------------------------------------------------------------------------
+
* [[Cool_User_Spam_Filters]]
      4      zcs806.DOMAIN.com
+
* [http://www.zimbra.com/community/end_user_guide_and_how_to.html End-User Guide And How-To]
  
      4  Sent via LMTP ---------------------------------------------------------------------------
+
=====External Relay Test Pages=====
      4      zcs806.DOMAIN.com
 
  
      4  Filtered --------------------------------------------------------------------------------
+
* http://www.checkor.com/
      2      smtp-amavis:[127.0.0.1]:10024
+
** Note - this test is in regards to the From spoofing spammers sometimes do for DL's.
      2        Sender address
+
** Also, for the test - make an account/DL on your system for test1@[your domain] . Otherwise you'll just error about account not existing.
      1            admin@zcs806.DOMAIN.com
+
<pre>
      1              admin@zcs806.DOMAIN.com
+
RSET
      1                  192.168.1.166    remote.domain.com
+
250 2.0.0 Ok
      1            user@DOMAIN.com
+
MAIL FROM: spam@mail59.DOMAIN.com
      1              admin@zcs806.DOMAIN.com
+
250 2.1.0 Ok
      1                  192.168.1.184    remote2.domain.com
+
RCPT TO: test1@mail59.DOMAIN.com
      2     smtp-amavis:[127.0.0.1]:10026
+
Test Failed, 250 2.1.5 Ok
      2        Sender address
 
      1            admin@zcs806.DOMAIN.com
 
      1              admin@zcs806.DOMAIN.com
 
      1                 192.168.1.166    remote.domain.com
 
      1            user@DOMAIN.com
 
      1              admin@zcs806.DOMAIN.com
 
      1                  192.168.1.184    remote2.domain.com
 
 
 
=== Delivery Delays Percentiles ============================================================
 
                    0%      25%      50%      75%      90%      95%      98%      100%
 
--------------------------------------------------------------------------------------------
 
Before qmgr      0.04      0.09      0.11      0.11      0.23      0.35      0.43      0.48
 
In qmgr          0.00      0.00      0.01      0.01      0.04      0.07      0.08      0.09
 
Conn setup        0.00      0.01      0.29      1.30      2.05      2.23      2.33      2.40
 
Transmission      0.10      2.81      4.85      9.60    21.00    21.00    21.00    21.00
 
Total            0.20      2.91      5.20    11.00    23.30    23.65    23.86    24.00
 
============================================================================================
 
 
</pre>
 
</pre>
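Review bot: in the checkor.com transcript added under "External Relay Test Pages", the closing line "Test Failed, 250 2.1.5 Ok" is never explained. A reader cannot tell that the failure is the server answering 250 to RCPT TO for test1@mail59.DOMAIN.com after a MAIL FROM that claims the same local domain, with no AUTH step shown in the transcript. Add one sentence saying which reply the tester counts as a failure and link it to the "Protecting DL's From Spammers - Forging Mail From" section added further down. The moved Resources text also still carries the "anit-spam" typo.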
  
'''Note''' - First, look at the options each command has using the -h output. You might want to use --full when doing an investigation and also include a wildcard - /var/log/zimbra.lo* to take in all the log data. For example:
+
* http://www.mailradar.com/openrelay/
  
<pre>
+
====Blocking MAIL FROM - smtpd_sender_restrictions - Default Is Empty====
[zimbra@zcs806 ~]$ /usr/local/bin/postfix-logwatch --full /var/log/zimbra.lo*
 
****** Summary *************************************************************************************
 
  
      9  *Fatal:  General fatal
+
=====External References=====
      1  *Warning: Queue file size limit exceeded
 
      21  Miscellaneous warnings
 
  
710.888K  Bytes accepted                            727,949
+
* External Sources
193.036K  Bytes sent via SMTP                        197,669
+
** Postfix
520.114K  Bytes sent via LMTP                        532,597
+
*** [http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions Postfix On smtpd_sender_restrictions]
========  ==================================================
+
** Milter
 +
*** [http://www.postfix.org/MILTER_README.html#limitations Postfix's Milter Readme - Limitations]
 +
**** [http://puszcza.gnu.org.ua/software/mailfromd/ Mailfromd]
 +
***** [http://puszcza.gnu.org.ua/software/mailfromd/manual/html_section/SAV.html#SEC7 Mailfromd - Sender Address Verification]
 +
** [http://www.symantec.com/connect/articles/anti-spam-solutions-and-security Anti-Spam Solutions and Security]
  
    1041  Accepted                                    99.71%
+
=====Zimbra References And Bugs & RFE's=====
      3  Rejected                                    0.29%
 
--------  --------------------------------------------------
 
    1044  Total                                      100.00%
 
========  ==================================================
 
  
      3  5xx Reject message size                    100.00%
+
* Zimbra Related Soures
--------   --------------------------------------------------
+
** "policy for who can send to a distribution lists"
      3  Total 5xx Rejects                          100.00%
+
*** https://bugzilla.zimbra.com/show_bug.cgi?id=9620
========  ==================================================
+
**** '''Note - This will not stop spammers from mailing into your DL's by way of forged Mail From and guessing your DL address in the To'''
 +
** "support smtpd_sender_login_maps for smtp auth"
 +
*** http://bugzilla.zimbra.com/show_bug.cgi?id=11258
 +
** "Implement smtpd_sender_restrictions"
 +
*** http://bugzilla.zimbra.com/show_bug.cgi?id=15808
 +
** "milter to check if sender can send to a distribution list"
 +
*** https://bugzilla.zimbra.com/show_bug.cgi?id=46311
 +
**** Dependent upon bug 9620
 +
** Zimbra Forum Post on using smtpd_sender_restrictions options
 +
*** [http://www.zimbra.com/forums/administrators/28770-how-enforce-sasl_username-address.html  How to enforce sasl_username=FROM ADDRESS"
 +
** Another Zimbra Forum Post on using smtpd_sender_restrictions options
 +
*** [http://www.zimbra.com/forums/administrators/39095-need-urgent-help-spamming-issue.html Need urgent help on spamming issue]
  
      65  Connections
+
=====Protecting DL's From Spammers - Forging Mail From=====
      65  Disconnections
 
    1041  Removed from queue
 
    523  Sent via SMTP
 
    517  Sent via LMTP
 
      2  Bounced (local)
 
      1  Bounced (remote)
 
      9  Filtered
 
      2  Notifications sent
 
  
      4  Timeouts (inbound)
+
======First Recommendation - As Given By Dev's From Critical Meeting Notes======
      1  PIX workaround enabled
 
  
****** Detail (10) *********************************************************************************
+
----
  
      9  *Fatal:   General fatal -----------------------------------------------------------------
+
* Enabled SASL/SMTP Authentication
      3      Queue report unavailable - mail system is down
+
** Ref: http://wiki.zimbra.com/index.php?title=SMTP_Auth_Problems
      3      Usage: sendmail [options]
+
* Implement how-to as described in :
      2      The Postfix mail system is not running
+
** Permitted Senders: [[RestrictPostfixRecipients]]
      1      Usage: send-mail [options]
+
*** '''Note: You'll see on the above page a reference to the spoof hole.'''
 +
**** '''''"This method can be spoofed by forging the MAIL FROM: header (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs."'''''
 +
*** '''Note: You'll also modify the instructions as above with addition details provided below.'''
 +
* Force authentication for local-domain senders:
 +
** modify the main.cf to have the following:
 +
*** smtpd_sender_restrictions = check_sender_access hash:/path/to/file
 +
** Then for the /path/to/file that you used in the mail.cf for smtpd_sender_restrictions, you'll have a line like:
 +
*** example.com            permit_sasl_authenticated, reject
 +
 
 +
======Second Recommendation - Unpredictable DL name or Non-routing Domain======
  
      21  Miscellaneous warnings ------------------------------------------------------------------
+
----
      7      or the command is run from a set-uid root process
 
      7      the Postfix sendmail command has set-uid root file permissions
 
      7      the Postfix sendmail command must be installed without set-uid root file permissions
 
  
      3  5xx Reject message size -----------------------------------------------------------------
+
Do not use predictable DL names. Instead of using everyone@company.com , use something like everyone-[random-string]@company.com .
      3      10.X.X.166    fence.DOMAIN.com
 
      3        *unavailable
 
      3            *unavailable
 
  
    523  Sent via SMTP ---------------------------------------------------------------------------
+
Another option is to use a non-routing domain - company.local - and setup your DL's there. You'll want to configure your main domain to be able to query the GAL of this domain.
    507      86.lab
+
 
      15      zcs806.DOMAIN.com
+
To see the existing setting:
      1      domaina.com
+
 
 +
zmprov gd [domainname] zimbraGalLdapSearchBase
  
    517  Sent via LMTP ---------------------------------------------------------------------------
+
To change the variable for the domain:
    507      86.lab
 
      10      zcs806.DOMAIN.com
 
  
      2  Bounced (local) -------------------------------------------------------------------------
+
zmprov md [domainname] zimbraGalInternalSearchBase ROOT
      2      5.0.0: Permanent failure: Other/Undefined status: Other undefined status
 
      2        zcs806.DOMAIN.com
 
      2            Zcs806.DOMAIN.com
 
      1              subject:test
 
      1              zimbra
 
  
      1  Bounced (remote) ------------------------------------------------------------------------
+
======Third Recommendation - Using smtpd_sender_restrictions======
      1      5.0.0: Permanent failure: Other/Undefined status: Other undefined status
 
      1        domain.com
 
      1            user
 
      1              64.X.X.28      sentry.DOMAIN.com
 
      1                  505 5.0.0 Unknown recipient: RCPT TO
 
  
      9  Filtered --------------------------------------------------------------------------------
+
----
      7      smtp-amavis:[127.0.0.1]:10026
 
      7        Sender address
 
      3            admin@zcs806.DOMAIN.com
 
      3              admin@zcs806.DOMAIN.com
 
      2                  10.X.X.36    zcs806.DOMAIN.com
 
      1                  10.X.X.166    gatewayXX.DOMAIN.com
 
      2            zimbra@zcs806.DOMAIN.com
 
      2              admin@zcs806.DOMAIN.com
 
      2                  10.X.X.36    zcs806.DOMAIN.com
 
      1            ajcody@DOMAIN.com
 
      1              admin@zcs806.DOMAIN.com
 
      1                  10.X.X.184    edgeXX.DOMAIN.com
 
      1            san5@zcs806.DOMAIN.com
 
      1              b@zcs806.DOMAIN.com
 
      1                  10.X.X.36    zcs806.DOMAIN.com
 
      2      smtp-amavis:[127.0.0.1]:10024
 
      2        Sender address
 
      1            admin@zcs806.DOMAIN.com
 
      1              admin@zcs806.DOMAIN.com
 
      1                  10.X.X.166    gatewayXX.DOMAIN.com
 
      1            ajcody@DOMAIN.com
 
      1              admin@zcs806.DOMAIN.com
 
      1                  10.X.X.184    edgeXX.DOMAIN.com
 
  
      2  Notifications sent ----------------------------------------------------------------------
+
:::'''Work In Progress. I'm testing this now. Please don't attempt until this line is removed.'''
      2      Non-delivery
 
      2        sender
 
  
      4  Timeouts (inbound) ----------------------------------------------------------------------
+
Update: See the following:
      4      After END-OF-MESSAGE
+
* "Enforcing a match between the FROM Address and sasl_username in Zimbra Collaboration Server (2011281)"
 +
** http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2011281
 +
 
 +
This should work if your "clients" are using ZWC, ZCO, or ActiveSync mobile devices. If you are using IMAP/POP + STMP thick clients, you'll most likely have to enable smtp authentication [sasl] and use the reject_authenticated_sender_login_mismatch variable instead.
 +
 
 +
postconf -e smtpd_sender_restrictions=reject_sender_login_mismatch
 +
postfix reload
  
      1  PIX workaround enabled ------------------------------------------------------------------
+
This option is described as: 
      1      disable_esmtp delay_dotcrlf
 
      1        64.X.X.28      sentry.DOMAIN.com
 
  
=== Delivery Delays Percentiles ============================================================
+
:'''''reject_sender_login_mismatch'''''
                    0%      25%      50%      75%      90%      95%      98%      100%
+
:: ''Reject the request when $smtpd_sender_login_maps  specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.''  [http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions Man page]
--------------------------------------------------------------------------------------------
 
Before qmgr      0.01      0.03      0.06      0.14      0.27      0.34      0.48      2.60
 
In qmgr          0.00      0.00      0.08    117.50    193.00    216.00    231.48    246.00
 
Conn setup        0.00      0.00      0.00      0.00      0.02      0.04      0.22    20.00
 
Transmission      0.05      0.09      3.60      9.80    10.00    10.00    11.00    160.00
 
Total            0.07      0.13      3.80    129.00    203.00    226.00    241.64    259.00
 
============================================================================================
 
</pre>
 
  
======zmaccts======
+
====Some Other SMTP Sending Restrictions====
  
One way to note accounts that are actively logging in vs. those that aren't, can help shrink the number of accounts you might want to investigate or monitor. [example below, I cut out a lot of the  accounts]
+
=====Blocking Incoming From Domain And By User=====
  
<pre>
+
See the following:
          account                          status            created      last logon
 
------------------------------------  -----------    ---------------  ---------------
 
zcstest001@zcs806.DOMAIN.com                active      01/20/14 18:47  03/02/14 21:11
 
zcstest002@zcs806.DOMAIN.com                active      01/30/14 01:48  02/19/14 00:07
 
admin-20140415@zcs806.DOMAIN.com            active      04/15/14 14:42            never
 
archtest-prod-20140402@zcs806.DOMAIN        active      04/02/14 07:42            never
 
  
          account                          status            created      last logon
+
* [[Domain_level_blocking_of_users]]
------------------------------------  -----------    ---------------  ---------------
+
* [[Improving_Anti-spam_system#Implementing_Whitelist.2FBlacklist]]
bruce@test1.lab                            active      02/22/14 09:32            never
 
test.cal@test1.lab                          active      04/06/14 05:35  04/06/14 05:35
 
test200@test1.lab                          active      04/12/14 00:50            never
 
  
                                domain summary
+
=====check_client_access=====
  
    domain                  active    closed    locked    maintenance    total
+
The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from. The default behavior is to allow SMTP connections from any client. This is discussed under [http://www.postfix.org/spam.html Spam Controls] on the Postfix site.
-----------------------  --------  --------  --------  -------------  --------
 
test1.lab                        3        0        0              0        3
 
test2.com                        2        0        0              0        2
 
angad.com                        2        0        0              0        2
 
test.test                        3        0        0              0        3
 
test.DOMAIN.com                  6        0        0              0        6
 
zcs806.DOMAIN.com              58        0        0              0        58
 
zcs806.DOMAIN.com                2        0        0              0        2
 
</pre>
 
  
=====By Authentication Attempts=====
+
Example:
  
A fast way to see who is doing a lot of authentications, which normally happens when a spammer has compromised an account with a weak password, is to do:
+
check_client_access regexp:/etc/postfix/access_sender_client_server,
  
<pre>
+
Example:
# cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
+
 
      1 Auser@domain.com
+
check_sender_access regexp:/etc/postfix/access_sender_toplevel
      3 Buser@domain.com
+
 
      4 Cuser@domain.com
+
=====smtpd_reject_unlisted_sender=====
      5 Duser@domain.com
 
    36 SPAMMER@domain.com
 
</pre>
 
  
'''Note - This might take a long time, if so - try pruning it down'''
+
Details can be found on the [http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient mail.cf] Postfix page.
  
 
Example:
 
Example:
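Review bot: in "Third Recommendation", the added command "postconf -e smtpd_sender_restrictions=reject_sender_login_mismatch" replaces the whole parameter value, so it drops the "check_sender_access hash:/path/to/file" entry that "First Recommendation" tells the reader to set. The quoted description also depends on $smtpd_sender_login_maps, which no step on the page defines. State whether the two recommendations are meant to be combined in one smtpd_sender_restrictions line, and add the login-maps step or point to where it is configured. The "Work In Progress ... Please don't attempt" line now sits directly above an "Update" that implies the procedure is usable, so one of the two should go. Smaller points in the same region: "mail.cf" should read main.cf in the First Recommendation; the "smtpd_reject_unlisted_sender" section's link is labelled "mail.cf" and targets the #smtpd_reject_unlisted_recipient anchor instead; the Second Recommendation reads zimbraGalLdapSearchBase but then modifies zimbraGalInternalSearchBase; "STMP" should be SMTP; and the forum link "How to enforce sasl_username=FROM ADDRESS" is missing its closing bracket.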
<pre>
 
# cat /var/log/zimbra.log | grep sasl_username > /tmp/zimbra_sasl_username.txt
 
# cat /tmp/zimbra_sasl_username.txt | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
 
      1 Auser@domain.com
 
      3 Buser@domain.com
 
      4 Cuser@domain.com
 
      5 Duser@domain.com
 
    36 SPAMMER@domain.com
 
</pre>
 
  
The full log event will look like this:
+
smtpd_reject_unlisted_sender = yes
<pre>
+
 
zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
+
Possible Bug:
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
+
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
+
http://bugzilla.zimbra.com/show_bug.cgi?id=24889
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>
 
</pre>
 
  
Against your older logs, you could:
+
====What's Your SPF Records Say, When Getting "does not designate 74.x.x.x as permitted sender Errors"====
  
<pre>
+
This is most likely related to the SPF records for your domain and what the header content of the sending email states as it's Mail From. For example, this is from the header of an email that was "received":
# zcat /var/log/zimbra.log* | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
 
</pre>
 
 
 
And you can look at the specific information for the user in question with:
 
  
 
<pre>
 
<pre>
# grep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log
+
Received: from mail.XYZ-FAKE.com (mailhost.XYZ-FAKE.com [74.X.X.244]) by mta01.ABC-FAKE.com with ESMTP id
 +
Cft0mO3fjlFGQjTA for <support@ABC-FAKE.com>; Tue, 21 Apr 2009 05:14:13 -0700 (PDT)
 +
X-Barracuda-Envelope-From: testuser@XYZ-FAKE.com
 +
Received-SPF: pass (mta01.ABC-FAKE.com: domain of testuser@XYZ-FAKE.com designates 74.X.X.244 as permitted sender)
 +
receiver=mta01.ABC-FAKE.com; client_ip=74.X.X.244; envelope-from=testuser@XYZ-FAKE.com;
 
</pre>
 
</pre>
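Review bot: the new SPF heading is about "does not designate 74.x.x.x as permitted sender" errors, but the sample header added beneath it shows "Received-SPF: pass (... designates 74.X.X.244 as permitted sender)". Either include a header that shows the failing result the heading names, or say explicitly that this is the passing case given for comparison. The "Possible Bug:" entry added just above, under smtpd_reject_unlisted_sender, is a bare bugzilla link; a one-line summary of what the bug affects would tell readers whether the "smtpd_reject_unlisted_sender = yes" example is safe to apply.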
  
Or if searching against the older logs:
+
To see what this check was done against, do the following below. I'll trim the output and adjust the information used to protect the innocent. Also, notice how a DNS "alias" might cause an issue here? :
  
 
<pre>
 
<pre>
# zgrep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log*
 
</pre>
 
  
If you want to check on a specific message ID, do:
+
$ host 74.X.X.244
 +
244.X.X.74.in-addr.arpa domain name pointer mailhost.XYZ-FAKE.com.
  
<pre>
+
$ host mailhost.XYZ-FAKE.com
grep 9DF7520804A /var/log/zimbra.log*
+
mailhost.XYZ-FAKE.com has address 74.X.X.244
</pre>
 
  
For older message logs:
+
$ host mail.XYZ-FAKE.com
 +
mail.XYZ-FAKE.com is an alias for mailhost.XYZ-FAKE.com.
 +
mailhost.XYZ-FAKE.com has address 74.X.X.244
  
<pre>
+
$ dig XYZ-FAKE.com MX
zgrep 9DF7520804A /var/log/zimbra.log*
 
</pre>
 
  
To read/view the message in the queue:
+
;; QUESTION SECTION:
 +
;XYZ-FAKE.com. IN MX
  
/opt/zimbra/postfix/sbin/postcat -q 9DF7520804A
+
;; ANSWER SECTION:
 +
XYZ-FAKE.com. 3600 IN MX 22 serverA.DNS-FAKE.com.
 +
XYZ-FAKE.com. 3600 IN MX 11 serverB.DNS-FAKE.com.
  
One would then normally lock/change password on the one account showing the most activity. Grep'ing the /var/log/zimbra.log with the username in question will also show the ip address being used, this can be blocked with your firewall.
+
$ dig XYZ-FAKE.com TXT
  
To be alerted of a compromised account and have it lock automatically see below. Slightly modified from this reference : http://www.zimbra.com/forums/administrators/62613-identify-compromised-accounts.html#post278732 :
+
;; QUESTION SECTION:
 +
;XYZ-FAKE.com. IN TXT
  
<pre>
+
;; ANSWER SECTION:
 +
XYZ-FAKE.com. 3600 IN TXT "v=spf1 a:mail.XYZ-FAKE.com ~all"
  
#!/bin/bash
+
</pre>
# checks log file and gets a count of authentications sent per minute, per user
+
 
# and if the count exceeds the maxmails value the user's account is locked.
+
See the following for more information:
 +
 
 +
* http://www.openspf.org/
 +
* http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#publishing
 +
** All of the 3.x section.
  
logfile="/var/log/zimbra.log"
+
===Using Different SMTP Server For Webclient (ZWC), Mobiles, And ZCO===
maxmails="10"
 
mydomain="example.com"
 
support="<postmaster-userid>@$mydomain"
 
accounts="/tmp/active_accounts"
 
  
su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
+
====Note Of Caution About Using External MTAs====
  
zgrep -i "auth ok" $logfile | sed 's/  / /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | uniq -c | sort -n | \
+
Using non-zimbra MTA's can cause some options in zimbra to not function anymore - since it no longer has zimbra's mta services available.
while read line
 
do
 
    count=`echo ${line} | cut -d' ' -f 1`
 
    userid=`echo ${line} | cut -d' ' -f 3`
 
    timestamp=`echo ${line} | cut -d' ' -f 2`
 
    active=`grep "$userid@$mydomain" $accounts`
 
  
    if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then
+
=====Zimbra Mail Forwarding Possibly Will Not Work - Turn Off User Option To Set MailForwarding=====
        echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
 
        su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked"
 
        subject="$userid account locked due to excessive connections"
 
        # Email text/message
 
        message="/tmp/emailmessage.txt"
 
        echo "$userid account has been locked as there were $count connections made at"> $message
 
        echo "$timestamp.  Please have the user change their password, and check for phishing" >>$message
 
        echo "emails if possible." >>$message
 
        # send an email using /bin/mail
 
        /usr/bin/mail -s "$subject" "$support" < $message
 
        rm -f $message
 
  
        #update list of active accounts
+
Mail forwarding might no longer work depending on the configuration you setup regarding the use of your external mta's. When this happens you'll most likely want to disable the option for users to set a mail forwarding address in their preferences. This can be done via their COS or USER configuration.
        su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
 
    fi
 
done
 
  
rm -f $accounts
+
* In the admin console, goto the COS configuration the user/s are using and the "Features" tab. Uncheck the option "Allow the user to specify a forwarding address" under Mail Features. It is in the same location under a USERs configuration panel in the admin console.
  
</pre>
+
In the CLI, you will see these set as the defaults for the default COS. The admin gui option above only adjusts the zimbraFeatureMailForwardingEnabled variable :
  
Then run it as a cron job. The frequency will depend on the number of accounts you're managing.
+
  $ zmprov gc default | grep zimbraFeatureMailForwarding
 +
    zimbraFeatureMailForwardingEnabled: TRUE
 +
    zimbraFeatureMailForwardingInFiltersEnabled: TRUE
  
<pre>
+
$ zmprov ga ajcody@`zmhostname` | grep zimbraFeatureMailForwarding
* * * * * /opt/zimbra/find_spammer.sh
+
    zimbraFeatureMailForwardingEnabled: TRUE
</pre>
+
    zimbraFeatureMailForwardingInFiltersEnabled: TRUE
  
=====By Connecting IP - Useful For Blocking IP At Firewall=====
+
More details about them are in the /opt/zimbra/conf/attrs/zimbra-attrs.xml file.
  
See also the following:
+
<pre>
 +
<attr id="342" name="zimbraFeatureMailForwardingEnabled" type="boolean" cardinality="single"
 +
optionalIn="account,cos" flags="accountInfo,accountInherited,domainAdminModifiable">
 +
  <defaultCOSValue>TRUE</defaultCOSValue>
 +
  <desc>enable end-user mail forwarding features</desc>
 +
</attr>
  
* http://wiki.zimbra.com/wiki/Log_Files#Logging_the_Originating_IP
+
<attr id="704" name="zimbraFeatureMailForwardingInFiltersEnabled" type="boolean"
 +
cardinality="single" optionalIn="account,cos" flags="accountInfo,accountInherited,
 +
domainAdminModifiable" since="5.0.10">
 +
  <defaultCOSValue>TRUE</defaultCOSValue>
 +
  <desc>enable end-user mail forwarding defined in mail filters features</desc>
 +
</attr>
 +
</pre>
  
To find the originating IP address of where the emails are coming from:
+
=====Configure External MTA To Use LDAP Virtual Alias Maps=====
  
grep 'connect from' /var/log/zimbra.log | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head
+
Here's the basic info in regards to how Zimbra's mta [postfix/etc] uses Zimbra's LDAP to get the forwarding information:
  
To check your older logs [example output below]:
+
$ grep Forward conf/ldap-*
 +
conf/ldap-vam.cf:result_attribute = 
 +
zimbraMailDeliveryAddress,zimbraMailForwardingAddress,
 +
zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
  
<pre>
+
$ postconf |grep vam
zgrep 'connect from' /var/log/zimbra.log* | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head
+
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
    36 10.137.xx.34
+
 
    34 127.0.0.1
+
See http://www.postfix.org/postconf.5.html#virtual_alias_maps for more information.
</pre>
+
 
 +
====Confirming And Setting zimbraMtaRelayHost And zimbraMtaDnsLookupsEnabled====
  
=====Open Relay Check=====
+
First we'll set '''''zimbraMtaRelayHost''''' and '''''zimbraMtaDnsLookupsEnabled''''' variables. These options are also shown in the admin console and can be configured there. These variable alone will not redirect ALL traffic to an external MTA first though. There's alao a variable called zimbraSmtpHostname that is in the global (zmprov gacf) and server (zmprov gs `hostname`) configs - addressed in the section below. It's defaulted value is 'localhost' - at least on a single ZCS configuration.
  
You should also confirm you aren't an open relay.
+
In situations where you need/want all mail to be processed by, for example, an external non-Zimbra spam filter box you could set this variable to the spam filter servers hostname.
  
<pre>
+
Normally, when zimbraMtaRelayHost is set to a non-zimbra external MTA would disable DNS lookups. If you disable DNS Lookups (under the MTA tab of the admin console, or with zmprov), Zimbra will end up using (according to the postconf man page) the "gethostbyname() system library routine which normally also looks in /etc/hosts" (based on the entries on the "hosts" line in /etc/nsswitch.conf). If you do this but don't also specify an SMTP relay host (typically your ISP's SMTP server), which will take care of checking DNS, you will reverse your ability to send mail: suddenly you can send mail to other users on the Zimbra server, but you can't send to the internet (though you can still receive mail from the internet either way).
$ host -t mx DOMAIN.com
 
DOMAIN.com mail is handled by 10 mail.DOMAIN.com.
 
  
$ telnet mail.DOMAIN.com 25
+
Query Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
Trying 184.###.##.## ...
 
Connected to mail.DOMAIN.com.
 
Escape character is '^]'.
 
220 mail.DOMAIN.com ESMTP Postfix
 
helo support.test
 
250 mail.DOMAIN.com
 
mail from:<SPAMMER@domain.com>
 
250 2.1.0 Ok
 
rcpt to:<TEST@DOMAIN.COM>
 
554 5.7.1 <TEST@DOMAIN.COM>: Relay access denied
 
  
rcpt to:<SPAMMER@domain.com>
+
zmprov gacf zimbraMtaRelayHost
554 5.7.1 Service unavailable; Client host [71.XXX.XX.XX] blocked
+
  zmprov gacf zimbraMtaDnsLookupsEnabled
  using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=71.202.XX.XX
 
quit
 
221 2.0.0 Bye
 
Connection closed by foreign host.
 
</pre>
 
  
=====Telnet Test To Confirm/Show Authentication Required For SMTP/Port 25=====
+
Query Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
  
This is an example:
+
zmprov gs `zmhostname` zimbraMtaRelayHost
 +
zmprov gs `zmhostname` zimbraMtaDnsLookupsEnabled
  
<pre>
+
Note - if you get errors about doing the query on your non-mailstores like, "ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)" then you might need to adjust this variable. First query it, it's most likely set to localhost
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25
 
  
Trying 10.137.27.32...
+
zmlocalconfig zimbra_zmprov_default_soap_server
Connected to zcs723.EXAMPLE.com.
 
Escape character is '^]'.
 
220 zcs723.EXAMPLE.com ESMTP Postfix
 
helo zcs723.EXAMPLE.com  << I typed
 
250 zcs723.EXAMPLE.com
 
mail from:ajcody@zcs723.EXAMPLE.com  << I typed
 
250 2.1.0 Ok
 
rcpt to:ajcody2@zcs723.EXAMPLE.com  << I typed
 
553 5.7.1 <ajcody@zcs723.EXAMPLE.com>: Sender address rejected: not logged in
 
</pre>
 
  
But note - if you do this from the ZCS server or a server that is within the ip range or has it's specific ip listed in the mynetworks, you will not get this authentication requirement.
+
If you had the error and it was set to localhost, modify it to be one of your mailstores.
  
<pre>
+
zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com
[root@zcs723 ~]# telnet localhost 25
+
 
Trying ::1...
+
No restart of anything is needed, the zmprov query should now work.
telnet: connect to address ::1: Connection refused
+
 
Trying 127.0.0.1...
+
Modify Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
Connected to localhost.
+
 
Escape character is '^]'.
+
zmprov mcf zimbraMtaRelayHost hostname-of-ext-server:PORT
220 zcs723.EXAMPLE.com ESMTP Postfix
+
  ** ex : zmprov mcf zimbraMtaRelayHost primary.YYY.state.XX.us:25
helo myworkstation
+
  ** At the end, 25 is the port number for smtp on the targeted system.  
250 zcs723.EXAMPLE.com
+
  ** Adjust this number if you changed the smtp port.
ehlo myworkstation
+
zmprov mcf zimbraMtaDnsLookupsEnabled FALSE
250-zcs723.EXAMPLE.com
+
 
250-PIPELINING
+
Modify Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
250-SIZE 10240000
+
 
250-VRFY
+
zmprov ms `zmhostname` zimbraMtaRelayHost hostname-of-ext-server:PORT
250-ETRN
+
  ** ex : zmprov ms `zmhostname` zimbraMtaRelayHost primary.YYY.state.XX.us:25
250-STARTTLS
+
  ** At the end, 25 is the port number for smtp on the targeted system.  
250-AUTH LOGIN PLAIN
+
  ** Adjust this number if you changed the smtp port.
250-AUTH=LOGIN PLAIN
+
zmprov ms `zmhostname` zimbraMtaDnsLookupsEnabled FALSE
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
mail from:<ajcody@zcs723.EXAMPLE.com>
 
250 2.1.0 Ok
 
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
 
250 2.1.5 Ok
 
data
 
354 End data with <CR><LF>.<CR><LF>
 
From: Adam <ajcody@zcs723.EXAMPLE.com>
 
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com>
 
Subject: From Localhost - NOT Auth
 
test
 
.
 
250 2.0.0 Ok: queued as 8B19E1E78D1
 
quit
 
221 2.0.0 Bye
 
Connection closed by foreign host.
 
</pre>
 
  
====Resources====
+
====Confirming And Setting zimbraSmtpHostname====
  
A list of resources you'll find useful:
+
I'm assuming you already set, '''''zimbraMtaRelayHost''''' and '''''zimbraMtaDnsLookupsEnabled''''' for your needs - see above section. The variable called zimbraSmtpHostname is in the global (zmprov gacf) and server (zmprov gs `hostname`) configs. It's default value is set to 'localhost' - at least on a single ZCS configuration.
  
* [[Zimbra_MTA#Anti-Spam_Training_Filters]]
+
In cases where you need/want all mail to be processed by, for example, an external non-Zimbra spam filter box you could set this variable to the spam filter boxes hostname.
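Review bot: In the added paragraph under "Confirming And Setting zimbraSmtpHostname", the server-level lookup is written as zmprov gs `hostname`, while every per-server command that follows in this section uses `zmhostname`. Suggest using `zmhostname` in the paragraph too, so a reader copying it queries the same server name as the commands below. The same paragraph has "It's default value", which should read "Its default value".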
* [[CLI_zmtrainsa]]
 
* [[Improving_Anti-spam_system]]
 
* [[Postfix_Policyd]]
 
* [[IP_Address_whitelisting]]
 
* [[Spam_training]]
 
*  Restrict by user
 
** [[RestrictPostfixRecipients]]
 
* Restrict by ip addresses and sender and other items:
 
** [http://www.postfix.org/RESTRICTION_CLASS_README.html Postfix - Restriction Class Readme]
 
*** Note, from the readme:
 
**** "What follows is based on the SMTP client IP address, and therefore is subject to IP spoofing."
 
**** "What follows is based on the sender SMTP envelope address, and therefore is subject to SMTP sender spoofing."
 
  
Wiki articles that have been assigned to the anit-spam category:
+
Query Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
  
* [http://wiki.zimbra.com/index.php?title=Category:Anti-spam Category:Anti-spam]
+
zmprov gacf zimbraSmtpHostname
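Review bot: The lead-in for "Query Global" (and again for "Modify Global" further down) says `zmhostname` would use the value returned, but the global commands shown, zmprov gacf and zmprov mcf, take no server name. That remark only fits the "Per Server" variants that call zmprov gs and zmprov ms with `zmhostname`. Suggest dropping it from the two global lead-ins and changing "manual type" to "manually type" in the per-server ones.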
  
Down to the end-user:
+
Query Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
  
* [[Cool_User_Spam_Filters]]
+
zmprov gs `zmhostname` zimbraSmtpHostname
* [http://www.zimbra.com/community/end_user_guide_and_how_to.html End-User Guide And How-To]
 
  
=====External Relay Test Pages=====
+
Note - if you get errors about doing the query on your non-mailstores like, "ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)" then you might need to adjust this variable. First query it, it's most likely set to localhost
  
* http://www.checkor.com/
+
zmlocalconfig zimbra_zmprov_default_soap_server
** Note - this test is in regards to the From spoofing spammers sometimes do for DL's.
 
** Also, for the test - make an account/DL on your system for test1@[your domain] . Otherwise you'll just error about account not existing.
 
<pre>
 
RSET
 
250 2.0.0 Ok
 
MAIL FROM: spam@mail59.DOMAIN.com
 
250 2.1.0 Ok
 
RCPT TO: test1@mail59.DOMAIN.com
 
Test Failed, 250 2.1.5 Ok
 
</pre>
 
  
* http://www.mailradar.com/openrelay/
+
If you had the error and it was set to localhost, modify it to be one of your mailstores.
  
====Blocking MAIL FROM - smtpd_sender_restrictions - Default Is Empty====
+
zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com
  
=====External References=====
+
No restart of anything is needed, the zmprov query should now work.
  
* External Sources
+
Modify Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
** Postfix
 
*** [http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions Postfix On smtpd_sender_restrictions]
 
** Milter
 
*** [http://www.postfix.org/MILTER_README.html#limitations Postfix's Milter Readme - Limitations]
 
**** [http://puszcza.gnu.org.ua/software/mailfromd/ Mailfromd]
 
***** [http://puszcza.gnu.org.ua/software/mailfromd/manual/html_section/SAV.html#SEC7 Mailfromd - Sender Address Verification]
 
** [http://www.symantec.com/connect/articles/anti-spam-solutions-and-security Anti-Spam Solutions and Security]
 
  
=====Zimbra References And Bugs & RFE's=====
+
zmprov mcf zimbraSmtpHostname hostname-of-ext-server
 +
  ** ex : zmprov mcf zimbraSmtpHostname primary.YYY.state.XX.us
  
* Zimbra Related Soures
+
Modify Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
** "policy for who can send to a distribution lists"
+
 
*** https://bugzilla.zimbra.com/show_bug.cgi?id=9620
+
zmprov ms `zmhostname` zimbraSmtpHostname hostname-of-ext-server
**** '''Note - This will not stop spammers from mailing into your DL's by way of forged Mail From and guessing your DL address in the To'''
+
  ** ex : zmprov ms `zmhostname` zimbraSmtpHostname primary.YYY.state.XX.us
** "support smtpd_sender_login_maps for smtp auth"
+
 
*** http://bugzilla.zimbra.com/show_bug.cgi?id=11258
+
====External Email Clients Setting A SMTP Server====
** "Implement smtpd_sender_restrictions"
 
*** http://bugzilla.zimbra.com/show_bug.cgi?id=15808
 
** "milter to check if sender can send to a distribution list"
 
*** https://bugzilla.zimbra.com/show_bug.cgi?id=46311
 
**** Dependent upon bug 9620
 
** Zimbra Forum Post on using smtpd_sender_restrictions options
 
*** [http://www.zimbra.com/forums/administrators/28770-how-enforce-sasl_username-address.html  How to enforce sasl_username=FROM ADDRESS"
 
** Another Zimbra Forum Post on using smtpd_sender_restrictions options
 
*** [http://www.zimbra.com/forums/administrators/39095-need-urgent-help-spamming-issue.html Need urgent help on spamming issue]
 
  
=====Protecting DL's From Spammers - Forging Mail From=====
+
The above variable, zimbraSmtpHostname, will not alter your third party email clients that are setting the smtp server to your ZCS mta's. Here are your options if you also need to have that traffic to go through another device [mta, spam filter, etc.] prior to local delivery [lmtp] to an internal address.
  
======First Recommendation - As Given By Dev's From Critical Meeting Notes======
+
* Set your clients to use the another devices ip address or hostname that you set for zimbraSmtpHostname.
  
----
+
If you can't do the above, for whatever reason -- maybe security constraints or issues that might arise being a hosting provider, then see below.
  
* Enabled SASL/SMTP Authentication
+
# You could investigate the alternation of postfix's content_filter option to place the external device/host [a barracuda for example] within that process. postfix.org has information on this - [http://www.postfix.org/FILTER_README.html Postfix After-Queue Content Filter]. This would be unsupported by Zimbra.
** Ref: http://wiki.zimbra.com/index.php?title=SMTP_Auth_Problems
+
# Contact Zimbra's Professional Services [PS] team for help.
* Implement how-to as described in :
+
# Setup another server using a mta of your choice [postfix , sendmail] that the clients can use for the smtp server variable. This "new" mta would then simply relay to the device - a barracuda box for example. The barracuda would then do what it needs to and then forwards the messages to the appropriate servers for delivery. Your ZCS mta's in the case of local delivery that would of normally occurred over lmtp - userA@domainC.com sending to userB@domainC.com .
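Review bot: The last sentence of the third numbered option, "Your ZCS mta's in the case of local delivery that would of normally occurred over lmtp", has no verb, so it never says what the ZCS MTAs do with mail coming back from the filtering device. Suggest completing the sentence and changing "would of" to "would have". In the first option, "alternation of postfix's content_filter option" presumably means "alteration", and the bullet above the list reads "use the another devices ip address", which needs "the other device's".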
** Permitted Senders: [[RestrictPostfixRecipients]]
 
*** '''Note: You'll see on the above page a reference to the spoof hole.'''
 
**** '''''"This method can be spoofed by forging the MAIL FROM: header (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs."'''''
 
*** '''Note: You'll also modify the instructions as above with addition details provided below.'''
 
* Force authentication for local-domain senders:
 
** modify the main.cf to have the following:
 
*** smtpd_sender_restrictions = check_sender_access hash:/path/to/file
 
** Then for the /path/to/file that you used in the mail.cf for smtpd_sender_restrictions, you'll have a line like:
 
*** example.com             permit_sasl_authenticated, reject
 
  
======Second Recommendation - Unpredictable DL name or Non-routing Domain======
+
===Global Or System Wide Filters===
  
----
+
There is no "supported" solution for this - depending on the exact circumstances. It's a complex issue because each request for "global filters" tends to be very specific on either what's to be filter, what actions are to be taken, and so forth.
  
Do not use predictable DL names. Instead of using everyone@company.com , use something like everyone-[random-string]@company.com .
+
====RFE's Related To Global Filters====
  
Another option is to use a non-routing domain - company.local - and setup your DL's there. You'll want to configure your main domain to be able to query the GAL of this domain.
+
* "Define a default filter rule for spam that users can apply before custom filters"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=12701
 +
* "admin assignable mail filters"
 +
** http://bugzilla.zimbra.com/show_bug.cgi?id=35452
  
To see the existing setting:
+
====Use The Legal Intercept Method====
  
zmprov gd [domainname] zimbraGalLdapSearchBase
+
Depending on the details of your request, using the Legal Intercept options might be useful. You could take the results that goto the LI mailbox and then perform your admin global searches against your mailbox accounts to take the appropriate action.
  
To change the variable for the domain:
+
See [[Legal_Intercept]]
  
zmprov md [domainname] zimbraGalInternalSearchBase ROOT
+
====Sieve Filter Set For Every Account====
  
======Third Recommendation - Using smtpd_sender_restrictions======
+
One could setup a forloop for all of your users and setup a sieve filter. Downside here is the rules are editable by the users and you would have to manage the rules for new accounts going forward.
  
----
+
See [[User_Migration#Migrating_Sieve_Filter_Rules ]] for details.
  
:::'''Work In Progress. I'm testing this now. Please don't attempt until this line is removed.'''
+
====Double Check The Current Anti-Spam Options====
  
Update: See the following:
+
Make sure your request can't be solved by the current solutions described in [[Category:Anti-spam]] articles.
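Review bot: The added sentence uses [[Category:Anti-spam]] inline, which MediaWiki treats as a category assignment rather than a link: the sentence renders as "described in articles." and this page gets filed under the Anti-spam category. To link to the category, write [[:Category:Anti-spam]] with a leading colon, or use an explicit URL as the older Resources list in this diff does.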
* "Enforcing a match between the FROM Address and sasl_username in Zimbra Collaboration Server (2011281)"
 
** http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2011281
 
  
This should work if your "clients" are using ZWC, ZCO, or ActiveSync mobile devices. If you are using IMAP/POP + STMP thick clients, you'll most likely have to enable smtp authentication [sasl] and use the reject_authenticated_sender_login_mismatch variable instead.
+
====Postfix , Amavis Customizations====
  
postconf -e smtpd_sender_restrictions=reject_sender_login_mismatch
+
I've seen some posts on the forums that customers found their own workarounds by customizing postfix and amavis. This will most likely result in an unsupported situation. Unfortunately, those forum posts don't also include details that I can share here. Hopefully I can find them going forward and I'll post them here.
postfix reload
 
  
This option is described as: 
+
===Global Disclaimer Options===
  
:'''''reject_sender_login_mismatch'''''
+
Here's the url to review for a "current" possibility:
:: ''Reject the request when $smtpd_sender_login_maps  specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.''  [http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions Man page]
 
  
====Some Other SMTP Sending Restrictions====
+
* http://wiki.zimbra.com/index.php?title=Domain_Disclaimer_Extension_Admin_UI
  
=====Blocking Incoming From Domain And By User=====
+
And in the notes section there's a comment about multi-servers:
  
See the following:
+
* http://wiki.zimbra.com/index.php?title=Talk:Domain_Disclaimer_Extension_Admin_UI
  
* [[Domain_level_blocking_of_users]]
+
Please note though, "This article is a community contribution and may include unsupported customizations." Meaning, it's an unsupported customization, so please take the necessary precautions.
* [[Improving_Anti-spam_system#Implementing_Whitelist.2FBlacklist]]
+
 
 +
In regards to an official and supported way to do this, please review this RFE:
  
=====check_client_access=====
+
* http://bugzilla.zimbra.com/show_bug.cgi?id=4720
  
The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from. The default behavior is to allow SMTP connections from any client. This is discussed under [http://www.postfix.org/spam.html Spam Controls] on the Postfix site.
+
===Quota Issues===
  
Example:
+
====Where To Adjust Message User Gets When They Are Over Quota====
  
check_client_access regexp:/etc/postfix/access_sender_client_server,
+
Moved to [[How_To_Adjust_The_Over_Quota_Message_The_User_Receives]]
  
Example:
+
====See Current User Qoutas====
  
check_sender_access regexp:/etc/postfix/access_sender_toplevel
+
Moved to [[Getting_All_Users_Quota_Data]]
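Review bot: The heading "See Current User Qoutas" kept in the new revision is misspelled; it should read "Quotas". Since the section body is now only a pointer to [[Getting_All_Users_Quota_Data]], this is a cheap moment to correct it. If other pages link to the old section anchor, keep an anchor for the old spelling.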
  
=====smtpd_reject_unlisted_sender=====
+
====Controlling Behavior For Messages Sent To Over Quota Mailbox - LMTP====
  
Details can be found on the [http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient mail.cf] Postfix page.
+
Moved to [[Controlling_Behavior_For_Messages_Sent_To_Over_Quota_Mailbox_-_LMTP]]
  
Example:
+
====Controlling Behavior For Messages Sent To Over Quota Mailbox - SMTP====
  
smtpd_reject_unlisted_sender = yes
+
Moved to [[Controlling_Behavior_For_Messages_Sent_To_Over_Quota_Mailbox_-_SMTP]]
  
Possible Bug:
+
====Message Senders Receive About Mailbox Over Quota====
 
http://bugzilla.zimbra.com/show_bug.cgi?id=24889
 
  
====What's Your SPF Records Say, When Getting "does not designate 74.x.x.x as permitted sender Errors"====
+
Moved to [[Message_Senders_Receive_About_Mailbox_Over_Quota]]
  
This is most likely related to the SPF records for your domain and what the header content of the sending email states as it's Mail From. For example, this is from the header of an email that was "received":
+
====Quota Not Showing In Admin Console - After ZCS Upgrade====
  
<pre>
+
Moved to [[Quota_Not_Showing_In_Admin_Console_-_After_ZCS_Upgrade]]
Received: from mail.XYZ-FAKE.com (mailhost.XYZ-FAKE.com [74.X.X.244]) by mta01.ABC-FAKE.com with ESMTP id
 
Cft0mO3fjlFGQjTA for <support@ABC-FAKE.com>; Tue, 21 Apr 2009 05:14:13 -0700 (PDT)
 
X-Barracuda-Envelope-From: testuser@XYZ-FAKE.com
 
Received-SPF: pass (mta01.ABC-FAKE.com: domain of testuser@XYZ-FAKE.com designates 74.X.X.244 as permitted sender)
 
receiver=mta01.ABC-FAKE.com; client_ip=74.X.X.244; envelope-from=testuser@XYZ-FAKE.com;
 
</pre>
 
  
To see what this check was done against, do the following below. I'll trim the output and adjust the information used to protect the innocent. Also, notice how a DNS "alias" might cause an issue here? :
+
===Managing Postfix Queue===
  
<pre>
+
Moved to [[Managing_The_Postfix_Queues#Managing_The_Postfix_Queues]]
  
$ host 74.X.X.244
+
====Postfix, Amavis, Clamav Spool Directory Paths And Names====
244.X.X.74.in-addr.arpa domain name pointer mailhost.XYZ-FAKE.com.
 
  
$ host mailhost.XYZ-FAKE.com
+
Moved to [[Managing_The_Postfix_Queues#Postfix.2C_Amavis.2C_Clamav_Spool_Directory_Paths_And_Names]]
mailhost.XYZ-FAKE.com has address 74.X.X.244
 
  
$ host mail.XYZ-FAKE.com
+
====Stop And Starting Postfix And Mta====
mail.XYZ-FAKE.com is an alias for mailhost.XYZ-FAKE.com.
 
mailhost.XYZ-FAKE.com has address 74.X.X.244
 
  
$ dig XYZ-FAKE.com MX
+
Moved to [[Managing_The_Postfix_Queues#Stop_And_Starting_Postfix_And_Mta]]
  
;; QUESTION SECTION:
+
====To See Postfix Queue====
;XYZ-FAKE.com. IN MX
 
  
;; ANSWER SECTION:
+
Moved to [[Managing_The_Postfix_Queues#To_See_The_Postfix_Queues]]
XYZ-FAKE.com. 3600 IN MX 22 serverA.DNS-FAKE.com.
 
XYZ-FAKE.com. 3600 IN MX 11 serverB.DNS-FAKE.com.
 
  
$ dig XYZ-FAKE.com TXT
+
=====Qshape - Print Postfix queue domain and age distribution=====
  
;; QUESTION SECTION:
+
Moved to [[Managing_The_Postfix_Queues#Qshape_-_Print_Postfix_queue_domain_and_age_distribution]]
;XYZ-FAKE.com. IN TXT
 
  
;; ANSWER SECTION:
+
====To View A Message In The Queue====
XYZ-FAKE.com. 3600 IN TXT "v=spf1 a:mail.XYZ-FAKE.com ~all"
 
  
</pre>
+
Moved to [[Managing_The_Postfix_Queues#To_View_A_Message_In_The_Queue]]
  
See the following for more information:
+
====To Flush Postfix Queue====
  
* http://www.openspf.org/
+
Moved to [[Managing_The_Postfix_Queues#To_Flush_Postfix_Queue]]
* http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#publishing
 
** All of the 3.x section.
 
  
===Using Different SMTP Server For Webclient (ZWC), Mobiles, And ZCO===
+
====To Requeue Messages In Postfix====
  
====Note Of Caution About Using External MTAs====
+
Moved to [[Managing_The_Postfix_Queues#To_Requeue_Messages_In_Postfix]]
  
Using non-zimbra MTA's can cause some options in zimbra to not function anymore - since it no longer has zimbra's mta services available.
+
====To Put Messages On Hold====
  
=====Zimbra Mail Forwarding Possibly Will Not Work - Turn Off User Option To Set MailForwarding=====
+
Moved to [[Managing_The_Postfix_Queues#To_Put_Messages_On_Hold]]
  
Mail forwarding might no longer work depending on the configuration you setup regarding the use of your external mta's. When this happens you'll most likely want to disable the option for users to set a mail forwarding address in their preferences. This can be done via their COS or USER configuration.
+
====To Delete Messages From Queue====
  
* In the admin console, goto the COS configuration the user/s are using and the "Features" tab. Uncheck the option "Allow the user to specify a forwarding address" under Mail Features. It is in the same location under a USERs configuration panel in the admin console.
+
Moved to [[Managing_The_Postfix_Queues#To_Delete_Messages_From_Queue]]
  
In the CLI, you will see these set as the defaults for the default COS. The admin gui option above only adjusts the zimbraFeatureMailForwardingEnabled variable :
+
=====Cautionary Note=====
  
$ zmprov gc default | grep zimbraFeatureMailForwarding
+
Moved to [[Managing_The_Postfix_Queues#Cautionary_Note]]
    zimbraFeatureMailForwardingEnabled: TRUE
 
    zimbraFeatureMailForwardingInFiltersEnabled: TRUE
 
  
$ zmprov ga ajcody@`zmhostname` | grep zimbraFeatureMailForwarding
+
=====Relevant Sections Of Postsuper Man Page=====
    zimbraFeatureMailForwardingEnabled: TRUE
 
    zimbraFeatureMailForwardingInFiltersEnabled: TRUE
 
  
More details about them are in the /opt/zimbra/conf/attrs/zimbra-attrs.xml file.
+
Moved to [[Managing_The_Postfix_Queues#Relevant_Sections_Of_Postsuper_Man_Page]]
  
<pre>
+
=====To Delete Single Message From Queue=====
<attr id="342" name="zimbraFeatureMailForwardingEnabled" type="boolean" cardinality="single"
 
optionalIn="account,cos" flags="accountInfo,accountInherited,domainAdminModifiable">
 
  <defaultCOSValue>TRUE</defaultCOSValue>
 
  <desc>enable end-user mail forwarding features</desc>
 
</attr>
 
  
<attr id="704" name="zimbraFeatureMailForwardingInFiltersEnabled" type="boolean"
+
Moved to [[Managing_The_Postfix_Queues#To_Delete_Single_Message_From_Queue]]
cardinality="single" optionalIn="account,cos" flags="accountInfo,accountInherited,
 
domainAdminModifiable" since="5.0.10">
 
  <defaultCOSValue>TRUE</defaultCOSValue>
 
  <desc>enable end-user mail forwarding defined in mail filters features</desc>
 
</attr>
 
</pre>
 
  
=====Configure External MTA To Use LDAP Virtual Alias Maps=====
+
=====To Delete ALL Messages From Queue=====
  
Here's the basic info in regards to how Zimbra's mta [postfix/etc] uses Zimbra's LDAP to get the forwarding information:
+
Moved to [[Managing_The_Postfix_Queues#To_Delete_ALL_Messages_From_Queue]]
  
$ grep Forward conf/ldap-*
+
======To Delete ALL Messages From The Deferred Queue======
conf/ldap-vam.cf:result_attribute =
 
zimbraMailDeliveryAddress,zimbraMailForwardingAddress,
 
zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
 
  
$ postconf |grep vam
+
Moved to [[Managing_The_Postfix_Queues#To_Delete_ALL_Messages_From_The_Deferred_Queue]]
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
 
  
See http://www.postfix.org/postconf.5.html#virtual_alias_maps for more information.
+
======To Delete ALL Messages From The Hold Queue======
  
====Confirming And Setting zimbraMtaRelayHost And zimbraMtaDnsLookupsEnabled====
+
Moved to [[Managing_The_Postfix_Queues#To_Delete_ALL_Messages_From_The_Hold_Queue]]
  
First we'll set '''''zimbraMtaRelayHost''''' and '''''zimbraMtaDnsLookupsEnabled''''' variables. These options are also shown in the admin console and can be configured there. These variable alone will not redirect ALL traffic to an external MTA first though. There's alao a variable called zimbraSmtpHostname that is in the global (zmprov gacf) and server (zmprov gs `hostname`) configs - addressed in the section below. It's defaulted value is 'localhost' - at least on a single ZCS configuration.
+
=====To Delete Many Messages From Queue=====
  
In situations where you need/want all mail to be processed by, for example, an external non-Zimbra spam filter box you could set this variable to the spam filter servers hostname.
+
Moved to [[Managing_The_Postfix_Queues#To_Delete_Many_Messages_From_Queue]]
  
Normally, when zimbraMtaRelayHost is set to a non-zimbra external MTA would disable DNS lookups. If you disable DNS Lookups (under the MTA tab of the admin console, or with zmprov), Zimbra will end up using (according to the postconf man page) the "gethostbyname() system library routine which normally also looks in /etc/hosts" (based on the entries on the "hosts" line in /etc/nsswitch.conf). If you do this but don't also specify an SMTP relay host (typically your ISP's SMTP server), which will take care of checking DNS, you will reverse your ability to send mail: suddenly you can send mail to other users on the Zimbra server, but you can't send to the internet (though you can still receive mail from the internet either way).
+
=====Delete From Queue By Email Address=====
 
 
Query Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov gacf zimbraMtaRelayHost
 
zmprov gacf zimbraMtaDnsLookupsEnabled
 
 
 
Query Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov gs `zmhostname` zimbraMtaRelayHost
 
zmprov gs `zmhostname` zimbraMtaDnsLookupsEnabled
 
 
 
Note - if you get errors about doing the query on your non-mailstores like, "ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)" then you might need to adjust this variable. First query it, it's most likely set to localhost
 
 
 
zmlocalconfig zimbra_zmprov_default_soap_server
 
 
 
If you had the error and it was set to localhost, modify it to be one of your mailstores.
 
 
 
zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com
 
 
 
No restart of anything is needed, the zmprov query should now work.
 
 
 
Modify Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov mcf zimbraMtaRelayHost hostname-of-ext-server:PORT
 
  ** ex : zmprov mcf zimbraMtaRelayHost primary.YYY.state.XX.us:25
 
  ** At the end, 25 is the port number for smtp on the targeted system.
 
  ** Adjust this number if you changed the smtp port.
 
zmprov mcf zimbraMtaDnsLookupsEnabled FALSE
 
 
 
Modify Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov ms `zmhostname` zimbraMtaRelayHost hostname-of-ext-server:PORT
 
  ** ex : zmprov ms `zmhostname` zimbraMtaRelayHost primary.YYY.state.XX.us:25
 
  ** At the end, 25 is the port number for smtp on the targeted system.
 
  ** Adjust this number if you changed the smtp port.
 
zmprov ms `zmhostname` zimbraMtaDnsLookupsEnabled FALSE
 
 
 
====Confirming And Setting zimbraSmtpHostname====
 
 
 
I'm assuming you already set, '''''zimbraMtaRelayHost''''' and '''''zimbraMtaDnsLookupsEnabled''''' for your needs - see above section. The variable called zimbraSmtpHostname is in the global (zmprov gacf) and server (zmprov gs `hostname`) configs. It's default value is set to 'localhost' - at least on a single ZCS configuration.
 
 
 
In cases where you need/want all mail to be processed by, for example, an external non-Zimbra spam filter box you could set this variable to the spam filter boxes hostname.
 
 
 
Query Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov gacf zimbraSmtpHostname
 
 
 
Query Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov gs `zmhostname` zimbraSmtpHostname
 
 
 
Note - if you get errors about doing the query on your non-mailstores like, "ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)" then you might need to adjust this variable. First query it, it's most likely set to localhost
 
 
 
zmlocalconfig zimbra_zmprov_default_soap_server
 
 
 
If you had the error and it was set to localhost, modify it to be one of your mailstores.
 
 
 
zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com
 
 
 
No restart of anything is needed, the zmprov query should now work.
 
 
 
Modify Global - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov mcf zimbraSmtpHostname hostname-of-ext-server
 
  ** ex : zmprov mcf zimbraSmtpHostname primary.YYY.state.XX.us
 
 
 
Modify Per Server - `zmhostname` would use the value returned, you can manual type out the servername as well :
 
 
 
zmprov ms `zmhostname` zimbraSmtpHostname hostname-of-ext-server
 
  ** ex : zmprov ms `zmhostname` zimbraSmtpHostname primary.YYY.state.XX.us
 
 
 
====External Email Clients Setting A SMTP Server====
 
 
 
The above variable, zimbraSmtpHostname, will not alter your third party email clients that are setting the smtp server to your ZCS mta's. Here are your options if you also need to have that traffic to go through another device [mta, spam filter, etc.] prior to local delivery [lmtp] to an internal address.
 
 
 
* Set your clients to use the another devices ip address or hostname that you set for zimbraSmtpHostname.
 
 
 
If you can't do the above, for whatever reason -- maybe security constraints or issues that might arise being a hosting provider, then see below.
 
 
 
# You could investigate the alternation of postfix's content_filter option to place the external device/host [a barracuda for example] within that process. postfix.org has information on this - [http://www.postfix.org/FILTER_README.html Postfix After-Queue Content Filter]. This would be unsupported by Zimbra.
 
# Contact Zimbra's Professional Services [PS] team for help.
 
# Setup another server using a mta of your choice [postfix , sendmail] that the clients can use for the smtp server variable. This "new" mta would then simply relay to the device - a barracuda box for example. The barracuda would then do what it needs to and then forwards the messages to the appropriate servers for delivery. Your ZCS mta's in the case of local delivery that would of normally occurred over lmtp - userA@domainC.com sending to userB@domainC.com .
 
 
 
===Global Or System Wide Filters===
 
 
 
There is no "supported" solution for this - depending on the exact circumstances. It's a complex issue because each request for "global filters" tends to be very specific on either what's to be filter, what actions are to be taken, and so forth.
 
 
 
====RFE's Related To Global Filters====
 
 
 
* "Define a default filter rule for spam that users can apply before custom filters"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=12701
 
* "admin assignable mail filters"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=35452
 
 
 
====Use The Legal Intercept Method====
 
 
 
Depending on the details of your request, using the Legal Intercept options might be useful. You could take the results that goto the LI mailbox and then perform your admin global searches against your mailbox accounts to take the appropriate action.
 
 
 
See [[Legal_Intercept]]
 
 
 
====Sieve Filter Set For Every Account====
 
 
 
One could setup a forloop for all of your users and setup a sieve filter. Downside here is the rules are editable by the users and you would have to manage the rules for new accounts going forward.
 
 
 
See [[User_Migration#Migrating_Sieve_Filter_Rules ]] for details.
 
 
 
====Double Check The Current Anti-Spam Options====
 
 
 
Make sure your request can't be solved by the current solutions described in [[Category:Anti-spam]] articles.
 
 
 
====Postfix , Amavis Customizations====
 
 
 
I've seen some posts on the forums that customers found their own workarounds by customizing postfix and amavis. This will most likely result in an unsupported situation. Unfortunately, those forum posts don't also include details that I can share here. Hopefully I can find them going forward and I'll post them here.
 
 
 
===Global Disclaimer Options===
 
 
 
Here's the url to review for a "current" possibility:
 
 
 
* http://wiki.zimbra.com/index.php?title=Domain_Disclaimer_Extension_Admin_UI
 
 
 
And in the notes section there's a comment about multi-servers:
 
 
 
* http://wiki.zimbra.com/index.php?title=Talk:Domain_Disclaimer_Extension_Admin_UI
 
 
 
Please note though, "This article is a community contribution and may include unsupported customizations." Meaning, it's an unsupported customization, so please take the necessary precautions.
 
 
 
In regards to an official and supported way to do this, please review this RFE:
 
 
 
* http://bugzilla.zimbra.com/show_bug.cgi?id=4720
 
 
 
===Quota Issues===
 
 
 
====Where To Adjust Message User Gets When They Are Over Quota====
 
 
 
* From the web admin console:
 
** Configuration > Class of Service
 
** Select the COS in question
 
** Then goto the Advanced tab on the right
 
** There's a quota section. The sub-section you want is called:
 
*** "Quota warning message template:"
 
 
 
====See Current User Qoutas====
 
 
 
Please see [[Ajcody-Logging#Getting_All_User_Quota_Data_.28not_zmstat_related_really.29|Getting All User Quota Data (not zmstat related really)]]
 
 
 
====Controlling Behavior For Messages Sent To Over Quota Mailbox - LMTP====
 
 
 
The variable to set for a 452 Temp/Try Again response verses a 552 Permanent Error. This happens over lmtp rather than smtp. For smtp, see below.
 
 
 
zmprov gacf zimbraLmtpPermanentFailureWhenOverQuota
 
 
 
Setting to TRUE will flag it for the 552 response.
 
 
 
zmprov mcf zimbraLmtpPermanentFailureWhenOverQuota TRUE
 
 
 
References:
 
 
 
* "Configurable treatment for inbound over quota mail"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=27838
 
* http://www.zimbra.com/forums/administrators/19950-about-postfix-lmtp-quotas.html
 
 
 
====Controlling Behavior For Messages Sent To Over Quota Mailbox - SMTP====
 
 
 
References:
 
 
 
* RFE "quota check during smtp transaction"
 
** http://bugzilla.zimbra.com/show_bug.cgi?id=32592
 
** Currently, Sept 2010, targeted for the IronMaiden release.
 
* http://www.zimbra.com/forums/administrators/19950-about-postfix-lmtp-quotas.html
 
 
 
====Message Senders Receive About Mailbox Over Quota====
 
 
 
File that holds text of message:
 
 
 
/opt/zimbra/postfix/conf/bounce.cf.default
 
 
 
Note, please read the [http://www.postfix.org/bounce.5.html bounce MAN] page before you attempt to edit this file directly.
 
 
 
Also, I haven't been able to confirm the relationship of this above file with the postconf default output:
 
 
 
<pre>
 
[root@mail3 ~]# postconf | grep -i bounce
 
2bounce_notice_recipient = postmaster
 
backwards_bounce_logfile_compatibility = yes
 
bounce_notice_recipient = postmaster
 
bounce_queue_lifetime = 5d
 
bounce_service_name = bounce
 
bounce_size_limit = 50000
 
bounce_template_file =
 
disable_verp_bounces = no
 
double_bounce_sender = double-bounce
 
multi_recipient_bounce_reject_code = 550
 
soft_bounce = no
 
</pre>
 
 
 
To use a bounce.cf file, you'll want to add the file to variable and reload postfix via the zmmtactl script. It looks like zmlocalconfig doesn't currently handle this variable.
 
 
 
cp /opt/zimbra/postfix/conf/bounce.cf.default /opt/zimbra/postfix/conf/bounce.cf
 
postconf -e bounce_template_file="/opt/zimbra/postfix/conf/bounce.cf"
 
zmmtactl reload
 
 
 
Note, this might get lost during upgrades so make a note to yourself about this change.
 
 
 
Another reference: [http://www.howtoforge.com/configure-custom-postfix-bounce-messages Configure Custom Postfix Bounce Messages]
 
 
 
====Quota Not Showing In Admin Console - After ZCS Upgrade====
 
 
 
There might be some server attributes missing. For the mail quota information to work properly, the server's zimbraServiceInstalled attribute must include mailbox.

$ zmprov gs `zmhostname` zimbraServiceInstalled

It must contain mailbox for the quota information to be available.

To add mailbox to zimbraServiceInstalled:

$ zmprov ms `zmhostname` +zimbraServiceInstalled mailbox

I would think a Zimbra restart would be necessary as well for us to see the changes in the quota admin console view.
 
 
 
===Managing Postfix Queue===
 
 
 
====Postfix, Amavis, Clamav Spool Directory Paths And Names====
 
 
 
ls /opt/zimbra/data
 
  amavisd  clamav  dspam  postfix
 
 
 
ls /opt/zimbra/data/postfix/spool/
 
  active  active.old  bounce  corrupt  defer  deferred 
 
  flush  hold  incoming  incoming.old  maildrop  pid 
 
  private  public  saved  trace
 
 
 
====Stop And Starting Postfix And Mta====
 
 
 
To only stop and start postfix:
 
 
 
postfix stop
 
postfix start
 
 
 
To stop and start postfix, amavis, and clam:
 
 
 
zmmtactl stop
 
zmmtactl start
 
 
 
====To See Postfix Queue====
 
 
 
As zimbra using sudo - show a summary of queue count - ~/libexec/zmqstat:
 
<pre>
 
[zimbra@mail37 ~]$ sudo ~/libexec/zmqstat
 
hold=0
 
corrupt=0
 
deferred=0
 
active=0
 
incoming=0
 
</pre>
 
 
 
As zimbra - /opt/zimbra/postfix/sbin/postqueue -p
 
<pre>
 
[zimbra@mail37 ~]$ /opt/zimbra/postfix/sbin/postqueue -p
 
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
 
EC753D0D00*    328 Thu Apr  5 14:34:09  sender@sourcedomainname.local
 
                                        recipient@destinationdomainname.local
 
 
 
-- 0 Kbytes in 1 Request.
 
</pre>
 
 
 
As zimbra - mailq
 
<pre>
 
[zimbra@mail37 ~]$ mailq
 
Mail queue is empty
 
</pre>
 
 
 
=====Qshape - Print Postfix queue domain and age distribution=====
 
 
 
/opt/zimbra/bin/qshape
 
 
 
References:
 
 
 
* http://www.postfix.org/qshape.1.html
 
* http://www.postfix.org/QSHAPE_README.html
 
 
 
Example output:
 
 
 
<pre>
 
$ qshape -s hold | head
 
                        T  5 10 20 40 80 160 320 640 1280 1280+
 
                TOTAL 486  0  0  1  0  0  2  4  20  40  419
 
            yahoo.com  14  0  0  1  0  0  0  0  1    0    12
 
  extremepricecuts.net  13  0  0  0  0  0  0  0  2    0    11
 
        ms35.hinet.net  12  0  0  0  0  0  0  0  0    1    11
 
      winnersdaily.net  12  0  0  0  0  0  0  0  2    0    10
 
          hotmail.com  11  0  0  0  0  0  0  0  0    1    10
 
          worldnet.fr  6  0  0  0  0  0  0  0  0    0    6
 
        ms41.hinet.net  6  0  0  0  0  0  0  0  0    0    6
 
                osn.de  5  0  0  0  0  0  1  0  0    0    4
 
</pre>
 
 
 
====To View A Message In The Queue====
 
 
 
Get the message's queue ID and use postcat:
 
 
 
/opt/zimbra/postfix/sbin/postcat -q EC753D0D00
 
 
 
or with more information, include the -v option:
 
 
 
/opt/zimbra/postfix/sbin/postcat -qv EC753D0D00
 
 
 
====To Flush Postfix Queue====
 
 
 
/opt/zimbra/postfix/sbin/postqueue -f
 
 
 
====To Requeue Messages In Postfix====
 
 
 
/opt/zimbra/postfix/sbin/postsuper -r ALL
 
 
 
More explanation from the postsuper man page:
 
 
 
<pre>
 
-r queue_id
 
              Requeue  the  message  with the named queue ID from
 
              the named mail queue(s) (default:  hold,  incoming,
 
              active  and  deferred).  To  requeue multiple mes-
 
              sages, specify multiple -r command-line options.
 
 
 
              Alternatively, if a queue_id of - is specified, the
 
              program reads queue IDs from standard input.
 
 
 
              Specify  "-r  ALL"  to  requeue  all messages. As a
 
              safety measure, the word ALL must be  specified  in
 
              upper case.
 
 
 
              A  requeued message is moved to the maildrop queue,
 
              from where  it  is  copied  by  the  pickup(8)  and
 
              cleanup(8)  daemons  to  a  new queue file. In many
 
              respects its handling differs from that  of  a  new
 
              local submission.
 
 
 
              o      The  message  is  not  subjected  to  the
 
                    smtpd_milters or non_smtpd_milters settings.
 
                    When  mail  has  passed  through an external
 
                    content filter, this would produce incorrect
 
                    results with Milter applications that depend
 
                    on original SMTP connection  state  informa-
 
                    tion.
 
 
 
              o      The  message  is  subjected  again  to  mail
 
                    address rewriting and substitution.  This is
 
                    useful  when rewriting rules or virtual map-
 
                    pings have changed.
 
 
 
                    The  address  rewriting  context  (local  or
 
                    remote)  is the same as when the message was
 
                    received.
 
 
 
              o      The message is subjected to  the  same  con-
 
                    tent_filter  settings  (if  any) as used for
 
                    new local mail submissions.  This is  useful
 
                    when content_filter settings have changed.
 
 
 
              Warning:  Postfix queue IDs are reused.  There is a
 
              very small possibility that  postsuper(1)  requeues
 
              the  wrong  message  file when it is executed while
 
              the Postfix mail system is  running,  but  no  harm
 
              should be done.
 
 
 
              This feature is available in Postfix 1.1 and later.
 
</pre>
 
 
 
====To Put Messages On Hold====
 
 
 
If there's a '*' character next to the queue ID, e.g. EC753D0D00*, the message is in the active queue, i.e. attempts to deliver the message are being made.

If there's a '!' character next to the queue ID, e.g. EC753D0D00!, the message has been put "on hold".
 
 
 
To put a message on hold:
 
 
 
~# /opt/zimbra/postfix/sbin/postsuper -h EC753D0D00
 
 
 
To put on hold messages from user@domain.com:
 
 
~# /opt/zimbra/postfix/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' | awk 'BEGIN { RS = "" } { if ($7 == "user@domain.com") print $1 }' | tr -d '!*' | postsuper -h -
 
 
 
To put all messages on hold:
 
 
 
~# /opt/zimbra/postfix/sbin/postsuper -h ALL
 
postsuper: Placed on hold: 6 messages
 
 
 
====To Delete Messages From Queue====
 
 
 
=====Cautionary Note=====
 
 
 
::'''Warning: deleting messages from the queue can have negative consequences for your users. You might need to account for the action and/or confirm your deletion was appropriate. Please try to save the postqueue -p information for the various messages prior to deleting them. This will at least give you the information to later justify why you deleted a given message.'''
 
 
 
=====Relevant Sections Of Postsuper Man Page=====
 
 
 
<pre>
 
By  default,  postsuper(1)  performs  the operations requested with the -s and -p
 
command-line options on all Postfix queue directories - this includes the incoming,
 
active and deferred directories with mail files and the bounce, defer, trace and flush
 
directories with log files.
 
 
 
  -d queue_id Delete one message with the named queue ID from the named mail queue(s)
 
    (default: hold, incoming, active and deferred).
 
    If a queue_id of - is specified, the program reads queue IDs from standard input.
 
    For example, to delete all mail with exactly one recipient user@example.com:
 
 
 
              mailq | tail +2 | grep -v '^ *(' | awk  'BEGIN { RS = "" }
 
                  # $7=sender, $8=recipient1, $9=recipient2
 
                  { if ($8 == "user@example.com" && $9 == "")
 
                        print $1 }
 
              ' | tr -d '*!' | postsuper -d -
 
 
 
      Specify "-d ALL" to remove all messages; for example, specify "-d ALL deferred"
 
      to delete all mail in the deferred queue.  As a safety measure, the word ALL must
 
      be specified in upper case.
 
 
 
      Warning: Postfix queue IDs are reused.  There is a very small possibility that
 
      postsuper deletes the wrong message file when it is executed while the Postfix mail
 
      system is delivering mail.
 
 
 
      The scenario is as follows:
 
      1)  The Postfix queue manager deletes the message that postsuper(1) is asked to
 
        delete, because Postfix is finished with the message (it is delivered, or it is
 
        returned to the sender).
 
      2)  New mail arrives, and the new message is given the same queue ID as the message
 
        that postsuper(1) is supposed to delete.  The probability for reusing a deleted
 
        queue ID is about 1 in 2**15 (the number  of  different microsecond values that
 
        the system clock can distinguish within a second).
 
      3)  postsuper(1) deletes the new message, instead of the old message that it should
 
        have deleted.
 
 
 
  -h queue_id Put mail "on hold" so that no attempt is made to deliver it.  Move one
 
    message with the named queue ID from the named mail queue(s) (default: incoming,
 
    active and deferred) to the hold queue.
 
 
 
    If a queue_id of - is specified, the program reads queue IDs from standard input.
 
    Specify "-h ALL" to hold all messages; for example, specify "-h ALL deferred" to hold
 
    all mail in the deferred queue.  As a safety measure, the word ALL must be specified
 
    in upper case.
 
    Note: while mail is "on hold" it will not expire when its time in the queue exceeds
 
    the maximal_queue_lifetime or bounce_queue_lifetime setting. It becomes subject to
 
    expiration after it is released from "hold".
 
 
 
  -H queue_id Release mail that was put "on hold".  Move one message with the named queue
 
    ID from the named mail queue(s) (default: hold) to the deferred queue.
 
 
 
    If a queue_id of - is specified, the program reads queue IDs from standard input.
 
    Note: specify "postsuper -r" to release mail that was kept on hold for a significant
 
    fraction of $maximal_queue_lifetime or $bounce_queue_lifetime, or longer.
 
 
 
    Specify "-H ALL" to release all mail that is "on hold".  As a safety measure, the
 
    word ALL must be specified in upper case.
 
 
 
  -p Purge old temporary files that are left over after system or software crashes.
 
</pre>
 
 
 
=====To Delete Single Message From Queue=====
 
 
 
/opt/zimbra/postfix/sbin/postsuper -d [MSGID From postqueue -p]
 
 
 
=====To Delete ALL Messages From Queue=====
 
 
 
/opt/zimbra/postfix/sbin/postsuper -d ALL
 
 
 
Another way to do this:
 
 
 
mailq | awk '{print $1}' | tr -d '*!' | postsuper -d -
 
 
 
======To Delete ALL Messages From The Deferred Queue======
 
 
 
/opt/zimbra/postfix/sbin/postsuper -d ALL deferred
 
 
 
======To Delete ALL Messages From The Hold Queue======
 
 
 
/opt/zimbra/postfix/sbin/postsuper -d ALL hold
 
 
 
=====To Delete Many Messages From Queue=====
 
 
 
To delete a large number of files one would use:
 
 
 
/opt/zimbra/postfix/sbin/postsuper -d - < filename-with-queue-ids.txt
 
 
 
The file, filename-with-queue-ids.txt in this example, would contain a list of queue IDs like:
 
 
 
<pre>
 
3E1C6CAFFFE
 
6B862CC9D76
 
0BC38CC1BC9
 
90628CC6F3C
 
E26B9CC3C62
 
92A35CC943D
 
A84BDBCE15D
 
EA57CB1DF04
 
0F102CC74CB
 
386E8CC4DFF
 
92606CC0BDA
 
0799FC8149A
 
024CFCBD0DE
 
2D30FC47DA0
 
31D85CC6308
 
B8B3FC3DEBC
 
AA4C7C913D0
 
280F5CC8C6C
 
9F341CC8A26
 
93CD1B3B0EC
 
433D0BF3716
 
A1435CB4C38
 
2DB04CC911D
 
56A29CC8819
 
11881C8268C
 
5C050A79851
 
C6739CC4BA5
 
11D3FCC7D09
 
8CBC0B20E0A
 
</pre>
 
 
 
=====Delete From Queue By Email Address=====
 
 
 
'''Note - ''Some of the shell scripting below might fail on messages with particular status ("on delivery" or "on hold") because a "*" or a "!" is appended to the ID of the message.'''''
 
 
 
'''Update''' need to look at adjusting commands below to include something like the following in them :
 
 
tr -d '*!'
 
 
 
 
 
======From CLI======
 
 
 
Change the email address placeholder (email@domain.com or email@address.com) in the commands below first.
 
 
 
'''To first see what would be deleted.''' As '''root''':
 
 
 
/opt/zimbra/postfix/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' \
| awk 'BEGIN { RS = "" } { if ($7 == "email@domain.com") print $1} ' | tr -d '*!'
 
 
 
If you get an error about egrep, you might need to use this syntax:

/opt/zimbra/postfix/sbin/postqueue -p | /bin/egrep -v '^ *\(|-Queue ID-' \
| awk 'BEGIN { RS = "" } { if ($7 == "email@address.com") print $1} ' | tr -d '*!'
 
 
 
 
 
'''To now delete, just include the postsuper -d at end''':
 
 
 
/opt/zimbra/postfix/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' \
| awk 'BEGIN { RS = "" } { if ($7 == "email@domain.com") print $1} ' \
| tr -d '*!' | /opt/zimbra/postfix/sbin/postsuper -d -
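
A line-based alternative to the awk one-liners above, added here as an example and not part of the original article: it selects queue IDs by exact (case-insensitive) sender or recipient address, strips the * and ! status flags, and can print the complete queue entries so they can be saved before anything is held or deleted. The function names and the sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# match_queue ids|entries ADDRESS [sender|recipient|any]
# Reads `postqueue -p` output on stdin and prints either the queue IDs or the
# complete entries of messages whose sender or recipient equals ADDRESS.
match_queue() {
    awk -v out="$1" -v addr="$2" -v role="${3:-any}" '
        # Print the buffered entry (or only its queue ID) if it matched.
        function emit() {
            if (qid != "" && hit) {
                if (out == "ids") print qid
                else printf "%s\n\n", entry
            }
            qid = ""; entry = ""; hit = 0
        }
        BEGIN { addr = tolower(addr) }

        # First line of an entry: queue ID, optional * (active) or ! (hold),
        # size, arrival time, sender.
        /^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ {
            emit()
            qid = $1; sub(/[*!]$/, "", qid)
            entry = $0
            if (role != "recipient" && tolower($7) == addr) hit = 1
            next
        }
        qid == ""    { next }            # header, footer, "Mail queue is empty"
        /^[ \t]*$/   { emit(); next }    # blank line ends the entry
                     { entry = entry "\n" $0 }
        /^[ \t]*\(/  { next }            # deferral reason, not an address
        role != "sender" && tolower($1) == addr { hit = 1 }
        END { emit() }
    '
}

# Constructed sample of `postqueue -p` output: one active (*) message, one
# held (!) message from a look-alike sender, one deferred message.
sample_queue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
EC753D0D00*     328 Thu Apr  5 14:34:09  user@domain.com
                                         recipient@destinationdomainname.local

3E1C6CAFFFE!   1204 Thu Apr  5 14:40:11  superuser@domain.com
                                         someone@example.net

6B862CC9D76    2210 Thu Apr  5 14:41:52  other@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         someone@example.net
                                         user@domain.com

-- 3 Kbytes in 3 Requests.
EOF
}

# On the MTA, save the matching entries first, then hold (or delete) by ID:
#   /opt/zimbra/postfix/sbin/postqueue -p | match_queue entries user@domain.com > /tmp/queue-audit.txt
#   /opt/zimbra/postfix/sbin/postqueue -p | match_queue ids user@domain.com | /opt/zimbra/postfix/sbin/postsuper -h -

# Offline demonstration on the constructed sample.
sample_queue | match_queue ids user@domain.com any
```

Because the comparison is an exact string match, superuser@domain.com is not selected when user@domain.com is requested, which a plain grep on the address would not guarantee.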
 
 
 
'''''Older example of what I had; the ''tail +2'' was rhel4 specific'''''
 
 
 
:To first see what would be deleted:
 
  
:: <pre>mailq | tail +2 | grep -v '^ *(' | awk  'BEGIN { RS = "" } { if ($8 == "email@address.com" && $9 == "") print $1 } ' | tr -d '*!'</pre>
+
Moved to [[Managing_The_Postfix_Queues#Delete_From_Queue_By_Email_Address]]
  
:To now delete, just include the postsuper -d at end:
+
======From CLI======
  
:: <pre>mailq | tail +2 | grep -v '^ *(' | awk  'BEGIN { RS = "" } { if ($8 == "email@address.com" && $9 == "") print $1 } ' | tr -d '*!' | postsuper -d -</pre>
+
Moved to [[Managing_The_Postfix_Queues#From_CLI]]
  
 
======Script To Delete From Queue By Email Address======
 
======Script To Delete From Queue By Email Address======
  
::'''Non-Zimbra Script and not QA'd or tested. Path adjusted though for /opt/zimbra/postfix/sbin/*'''
+
Moved to [[Managing_The_Postfix_Queues#Script_To_Delete_From_Queue_By_Email_Address]]
 
 
From http://www.ustrem.org/en/articles/postfix-queue-delete-en/
 
 
 
Save on file system, calling it something like - delete-queue-by-email.sh . Give it execute permission. '''Run as root'''. Example usage would be: ./delete-queue-by-email.sh  user-name@domain-test.com
 
 
 
<pre>
 
#!/usr/bin/perl -w
#
# pfdel - deletes message containing specified address from
# Postfix queue. Matches either sender or recipient address.
#
# Usage: pfdel <email_address>
#

use strict;

# Change these paths if necessary.
my $LISTQ = "/opt/zimbra/postfix/sbin/postqueue -p";
my $POSTSUPER = "/opt/zimbra/postfix/sbin/postsuper";

my $email_addr = "";
my $qid = "";
my $euid = $>;

if ( @ARGV != 1 ) {
    die "Usage: pfdel <email_address>\n";
} else {
    $email_addr = $ARGV[0];
}

if ( $euid != 0 ) {
    die "You must be root to delete queue files.\n";
}

open(QUEUE, "$LISTQ |") ||
    die "Can't get pipe to $LISTQ: $!\n";

my $entry = <QUEUE>;    # skip single header line
$/ = "";                # Rest of queue entries print on
                        # multiple lines.
while ( $entry = <QUEUE> ) {
    # \Q...\E quotes regex metacharacters so that "." and "+" in the
    # address match literally and cannot widen the set of deleted messages.
    if ( $entry =~ / \Q$email_addr\E$/m ) {
        ($qid) = split(/\s+/, $entry, 2);
        $qid =~ s/[\*\!]//;
        next unless ($qid);

        #
        # Execute postsuper -d with the queue id.
        # postsuper provides feedback when it deletes
        # messages. Let its output go through.
        #
        if ( system($POSTSUPER, "-d", $qid) != 0 ) {
            # If postsuper has a problem, bail.
            die "Error executing $POSTSUPER: error " .
                "code " . ($?/256) . "\n";
        }
    }
}
close(QUEUE);

if (! $qid ) {
    die "No messages with the address <$email_addr> " .
        "found in queue.\n";
}

exit 0;
 
</pre>
 
  
 
======Script To Delete From Queue By Various Variable Targets======
 
======Script To Delete From Queue By Various Variable Targets======
  
::'''Non-Zimbra Script and not QA'd or tested. Path adjusted though for /opt/zimbra/postfix/sbin/*'''
+
Moved to [[Managing_The_Postfix_Queues#Script_To_Delete_From_Queue_By_Various_Variable_Targets]]
  
From http://jwcub.wordpress.com/2006/01/20/bulk-delete-from-postfix-queue/
+
{{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}}
  
Perl script called “delete-from-mailq”:
+
----
 
 
<pre>
 
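#!/usr/bin/perl

$REGEXP = shift || die "no email-address given (regexp-style, e.g. bl.*\@yahoo.com)!";

# List the queue with postqueue -p (same directory as the postsuper call below).
@data = qx(/opt/zimbra/postfix/sbin/postqueue -p);
for (@data) {
    # A queue entry starts with the queue ID, optionally followed by * or !
    if (/^(\w+)(\*|\!)?\s/) {
        $queue_id = $1;
    }
    if ($queue_id) {
        # Match the supplied regexp against each line of the current entry
        if (/$REGEXP/i) {
            $Q{$queue_id} = 1;
            $queue_id = "";
        }
    }
}

open(POSTSUPER, "|/opt/zimbra/postfix/sbin/postsuper -d -") || die "couldn't open postsuper";

foreach (keys %Q) {
    print POSTSUPER "$_\n";
};
close(POSTSUPER);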
 
</pre>
 
 
 
Save the above script to a file, say “delete-queue.pl”, in your home directory, and make it executable:
 
 
 
chmod 755 delete-queue
 
 
 
Usage - '''Run as root''' :
 
 
 
*Delete all queued messages from or to the domain “iamspammer.com”
 
./delete-queue iamspammer.com
 
*Delete all queued messages to specific address “bogususer@mydomain.com”
 
./delete-queue bogususer@mydomain.com
 
*Delete all queued messages that begin with the word “bush” in the e-mail address:
 
./delete-queue bush*\@whateverdomain.com
 
*Delete all queued messages that contain the word “biz” in the e-mail address:
 
./delete-queue biz
 
  
 
[[Category: Community Sandbox]]
 
[[Category: Community Sandbox]]
 +
[[Category: Author:Ajcody]]
 +
[[Category: Zeta Alliance]]

Latest revision as of 19:28, 20 June 2016


Ajcody MTA Postfix Topics

   KB 2705        Last updated on 2016-06-20  




This is Zeta Alliance Certified Documentation. The content has been tested by the Community.


Postfix - MTA

Actual MTA & Postfix Topics Homepage

Please see Ajcody-MTA-Postfix-Topics

Missing main.cf Error

Moved to Missing_main.cf_Error_-_MTA

MTA Mail Flow - Birds-eye Overview

Moved to Postfix-Amavisd_Mail_Flow_-_Birds-eye_Overview_-_MTA

Understanding /var/log/zimbra.log And Postfix Log Events

Moved to: Understanding_zimbra.log_And_Postfix_Log_Events_-_MTA

Postfix Queue ID vs. message-id

Moved to: Postfix_Queue_ID_vs._message-id_-_MTA

Authentication Log Events

Moved to Understanding_And_Troubleshooting_Authentication_Log_Events

IMAP And Authenticated SMTP [SSL] Example

Moved to Understanding_And_Troubleshooting_Authentication_Log_Events#IMAP_And_Authenticated_SMTP_.5BSSL.5D_Example

IMAP Test Via Telnet And Logging Events Of It - Proxy Included

Moved to Understanding_And_Troubleshooting_Authentication_Log_Events#IMAP_Test_Via_Telnet_And_Logging_Events_Of_It_-_Proxy_Included

IMAP Login Via Openssl - LOGIN TLS - Proxy Included

Moved to Understanding_And_Troubleshooting_Authentication_Log_Events#IMAP_Login_Via_Openssl_-_LOGIN_TLS_-_Proxy_Included

Network Tracing Between A Remote Host And A ZCS MTA

Moved to Network_Tracing_Between_A_Remote_Host_And_A_ZCS_MTA

Finding Messages - zmmsgtrace

See the following for details [for 7.1.1+]:

Documentation at CLI_zmmsgtrace . Note, if you get command not found as the zimbra user, try /opt/zimbra/libexec/zmmsgtrace instead.

How To Increase SMTP Debug Logging - MTA

Moved to How_To_Increase_SMTP_Debug_Logging_-_MTA

Simple Troubleshooting For SMTP Via Telnet, Openssl

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl

First - Understanding Your Authentication Requirements In ZCS

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#First_-_Understanding_Your_Authentication_Requirements_In_ZCS

Second - Encoding Username And Passwords For AUTH Sequence

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#Second_-_Encoding_Username_And_Passwords_For_AUTH_Sequence

For ESMTP Auth is LOGIN - Example

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#For_ESMTP_Auth_is_LOGIN_-_Example

For ESMTP Auth is Plain - Example

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#For_ESMTP_Auth_is_Plain_-_Example

For TLS/SSL - Example

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#For_TLS.2FSSL_-_Example

Testing Against Port 465

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#Testing_Against_Port_465

To Confirm An Auth User Can't Send With Another FROM Address

Moved to Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl#To_Confirm_An_Auth_User_Can.27t_Send_With_Another_FROM_Address

Adding A New MTA Server

Basic instructions can be found here:

Additional instructions needed beyond the above will follow as I hear about them.

Load Balancing For SMTP - Out Bound Mail

Currently, with 5.x code, you have the following options:

    • An external load balancing device that will then split the traffic behind it
    • Setup a round-robin A record situation in your DNS for the external mta's you'll be using.

In GNR/6.x, you are able to add multiple targets to the variables and we'll have some degree of "balancing" between them.

User Alias Mapping And Mail Transport with Postfix & LDAP

See User_Alias_Mapping_and_Mail_Transport_with_Postfix_&_LDAP

Multiple LDAP Servers?

Completed RFE:

  • "mta should be able to take a list of LDAP servers to take advantage of replicas."

From :

        server_host (default: localhost)
              The name of the host running the LDAP server,  e.g.

                  server_host = ldap.example.com

              Depending  on the LDAP client library you're using,
              it should be possible to specify  multiple  servers
              here,  with the library trying them in order should
              the first one fail. It should also be  possible  to
              give  each  server  in  the  list  a different port
              (overriding server_port below), by naming them like

                  server_host = ldap.example.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to
              specify both the hostname(s) and the port(s):

                  server_host = ldap://ldap.example.com:1444
                              ldap://ldap2.example.com:1444

              All LDAP URLs accepted by the OpenLDAP library  are
              supported,  including  connections over UNIX domain
              sockets, and LDAP SSL (the last one  provided  that
              OpenLDAP was compiled with support for SSL):

                  server_host = ldapi://%2Fsome%2Fpath
                              ldaps://ldap.example.com:636

 **my note**
 This thread - http://archives.neohapsis.com/archives/postfix/2004-09/1763.html
 gives me the impression they made a mistake in modifying the help file on this
 and they dropped the use/need of the command:

  server_host = ldap://ldap.example.com:1444, ldap://ldap2.example.com:1444

Just a small note on where var shows up:

[root@mail3 conf]# pwd
/opt/zimbra/conf
[root@mail3 conf]# grep server_host *
amavisd.conf.in:$myhostname = '@@zimbra_server_hostname@@';  # must be a fully-qualified domain name!
ldap-scm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
ldap-transport.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
ldap-vad.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
ldap-vam.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
ldap-vmd.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
ldap-vmm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389
localconfig.xml:  <key name="zimbra_server_hostname">
zmmta.cf:	LOCAL zimbra_server_hostname
zmmta.cf:	POSTCONF myhostname		LOCAL zimbra_server_hostname

References:

Traditional Aliases Use - /etc/aliases Type Lookups

Moved to Traditional_Aliases_Use_-_/etc/aliases_Type_Lookups

Allowing Accounts To Change The From Address

Please see:

Related BUG/RFE's

Creating A Domain Alias

Please see ManagingDomains#Creating_a_Domain_Alias

Relay Domain Forwarding

Please see ManagingDomains#Relaying.2FDomain_Forwarding

Domain Catchall

Please see ManagingDomains#Domain_Catchall

Rewriting From Address For Outbound Email

Please see ManagingDomains#Domain_Masquerading

Rewrite Recipient Address For Incoming Email

There is a way to rewrite the incoming mail, but it's not a standard Zimbra feature. You can implement it as a configuration change in Postfix. Here's what you do:

  1. Create a file in /opt/zimbra/conf named 'postfix_recipientmap'.
    • The format is a single line that reads something like: @alias.domain.com @domain.com
  2. Run 'postmap postfix_recipientmap' in the conf directory.
  3. Run "postconf -e recipient_canonical_maps=hash:/opt/zimbra/conf/postfix_recipientmap".
  4. Run 'postfix reload'.

This will cause postfix to map any incoming mail with a recipient of '@alias.domain.com' to '@domain.com'. You will need to re-apply this postconf change after upgrades, though the postfix_recipientmap file should survive.

Automatic BCC

Option 1 - Via Postfix Customization

From the postfix website:

  • always_bcc = address
    • Deliver a copy of all mail to the specified address. In Postfix versions before 2.1, this feature is implemented by smtpd(8), qmqpd(8), or pickup(8).
  • sender_bcc_maps = type:table
    • Search the specified "type:table" lookup table with the envelope sender address for an automatic BCC address. This feature is available in Postfix 2.1 and later.
  • recipient_bcc_maps = type:table
    • Search the specified "type:table" lookup table with the envelope recipient address for an automatic BCC address. This feature is available in Postfix 2.1 and later.
  • Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates itself.

Please see the following:

Option 2 - Via ZCS Legal Intercept

Generally used for Managing Legal Requests for Information

Description:

The ZCS legal intercept feature is used to obtain copies of email messages that are sent, received, or saved as drafts from targeted accounts and send these message to a designated “shadow” email address. Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.

Please see:

Option 3 - Zimbra's Archiving And Discovery

See Ajcody-Notes-Archive-Discovery concerning A&D setup and options.

Limiting Or Increasing Number Of Recipients / Messages

Mailing Lists - Distribution Lists

Please see Ajcody-MailingLists-And-Mailman#Problems_Resolving_Virtual_Aliases_For_Members_Of_Large_Distribution_Lists

Policy Daemon

If you want to restrict messages per hour, you can look into Policy Daemon:

Beta release in ZCS 7 , see:

Postfix

Also, there are some default Postfix parameters that control how many recipients a single message can be sent to. The parameters you will need to look at are smtpd_recipient_limit and smtpd_recipient_overshoot_limit; these have a default value of 1000.

Postfix defines these parameters as:

  • smtpd_recipient_limit: The maximum number of recipients that the Postfix SMTP server accepts per message delivery request.
  • smtpd_recipient_overshoot_limit: The number of recipients that a remote SMTP client can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP server increments the per-session error count for each excess recipient.

From the command line you can change the default values.

su - zimbra
postconf -e smtpd_recipient_limit=<new value>
postconf -e smtpd_recipient_overshoot_limit=<new value>
postfix reload

Bugs RFE's For Customers To Get Behind

I'm wondering if policyd gives one the control everyone is looking for? I've not used it myself.

Policyd References:

There's other additions [add-on's] one can get for policyd.

We have this RFE in regards to policyd support:

Other related rfe/bugs, specially to push variables into admin web console:

Controlling SMTPD Client Connections

Mmorse did a good write up on these variables in the forum:

Postfix Resources At Their Site (All Clients/Connections):

Postfix Resources At Their Site (Exceptions To Clients/Connections Or Single Source):

Restrictions

Besides using external mailing list software, Mailman or Sympa, here's some other topical items in regards to restrictions.

Some user contributed articles:

Some Postfix references:

Some RFE's related to mta based restrictions [targets are based upon today - July 21, 2010]:

Spam Control And Related Issues

High Over View Steps Of What To Do

  • Step 1: Confirm you're not an open relay and double-check your Postfix $mynetworks variable.
  • Step 2: Stop or put on-hold mail queue.
    • Put all messages into HOLD queue:
      • Get a report of your current mailq [can be useful if you clean out the queue later but need to identify what external mail hosts are now denying you and who you'll need to contact about getting removed from their denial list]
        • Example: /opt/zimbra/postfix/sbin/mailq > /tmp/zimbra_mailq_report.txt
      • /opt/zimbra/postfix/sbin/postsuper -h ALL
    • Or put all messages matching the compromised account into the HOLD queue:
      • /opt/zimbra/postfix/sbin/mailq | grep user_compromised@domain | awk '{ print $1 }' | tr -d '!*' | /opt/zimbra/postfix/sbin/postsuper -h -
        • Note, this is an example - the grep might match more than just the compromised account.
    • See whole section - Managing The Postfix Queue
  • Step 3: Check your mail log [On ZCS servers running MTA services] - /var/log/zimbra.log
  • Step 4: Identify compromised account authenticating SMTP AUTH connection or block ip address where emails are coming from at firewall.
    • Who's My Spammer?
    • Continue to monitor compromised account and block ip addresses:
      • tail -f /var/log/zimbra.log | grep username | grep sasl
        • Jun 8 18:14:10 mail postfix/smtpd[15794]: 004358EEB16: client=unknown[XXXX.236.197.216], sasl_method=LOGIN, sasl_username=username@domain
  • Step 5: Disable the exploited email account, expire auth session, etc.
  • Step 6: Move the mail queue or delete the spam email
  • Step 7: Release Mail queue
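
The sasl_username lines that Step 4 tails for can also be tallied across the whole log, which shows which authenticated account is submitting the most mail and from how many client addresses. This is an added example, not part of the original article; the function names and the log lines (built in the format of the sample line in Step 4, with documentation-range IP addresses) are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# sasl_summary [MIN_COUNT]
# Reads zimbra.log lines on stdin and prints, per authenticated account:
#   <messages accepted> <distinct client IPs> <sasl_username>
# sorted by message count, for accounts with at least MIN_COUNT messages.
sasl_summary() {
    awk -v min="${1:-1}" '
        # Only smtpd lines that record an authenticated submission.
        /postfix\/smtpd\[/ && /sasl_username=/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)                 # drop the trailing comma
                if (f ~ /^sasl_username=/) {
                    user = substr(f, length("sasl_username=") + 1)
                } else if (f ~ /^client=/) {
                    ip = f                       # client=host[ip]
                    sub(/^.*\[/, "", ip)
                    sub(/\].*$/, "", ip)
                }
            }
            if (user == "") next
            msgs[user]++
            if (ip != "" && !((user, ip) in seen)) {
                seen[user, ip] = 1
                ips[user]++
            }
        }
        END {
            for (u in msgs)
                if (msgs[u] >= min)
                    printf "%d %d %s\n", msgs[u], ips[u], u
        }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample of /var/log/zimbra.log lines (queue IDs and hosts are made up).
sample_log() {
    cat <<'EOF'
Jun  8 18:14:10 mail postfix/smtpd[15794]: A000000001: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=username@domain
Jun  8 18:14:11 mail postfix/smtpd[15794]: A000000002: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=username@domain
Jun  8 18:14:12 mail postfix/smtpd[15801]: A000000003: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=username@domain
Jun  8 18:15:02 mail postfix/smtpd[15810]: A000000004: client=desk.example.com[192.0.2.44], sasl_method=PLAIN, sasl_username=admin@domain
Jun  8 18:15:03 mail postfix/qmgr[2201]: A000000004: from=<admin@domain>, size=806, nrcpt=1 (queue active)
Jun  8 18:15:09 mail postfix/smtpd[15810]: connect from unknown[203.0.113.7]
EOF
}

# On the MTA:  sasl_summary 50 < /var/log/zimbra.log
# Offline demonstration on the constructed sample.
sample_log | sasl_summary
```

An account near the top of the list with many messages from several unrelated client addresses is the one to examine first in Step 5.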

Who's My Spammer?

Getting Some Initial Summary Data
zmdailyreport

First, some notable bug/RFE's in regards to the zmdailyreport:

You can first get some summary data by doing the following:

[zimbra@zcs806 ~]$ /opt/zimbra/libexec/zmdailyreport

Grand Totals
------------
messages

      7   received
     11   delivered
      0   forwarded
      0   deferred
      0   bounced
      3   rejected (21%)
      0   reject warnings
      0   held
      0   discarded (0%)

   2780   bytes received
  10914   bytes delivered
      2   senders
      1   sending hosts/domains
      1   recipients
      1   recipient hosts/domains


Per-Hour Traffic Summary
    time          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    0000-0100           0          0          0          0          0
    0100-0200           1          3          0          0          0
    0200-0300           0          0          0          0          0
    0300-0400           0          0          0          0          0
    0400-0500           0          0          0          0          0
    0500-0600           0          0          0          0          0
    0600-0700           0          0          0          0          0
    0700-0800           1          0          0          0          2
    0800-0900           1          0          0          0          0
    0900-1000           0          0          0          0          1
    1000-1100           0          0          0          0          0
    1100-1200           0          0          0          0          0
    1200-1300           4          8          0          0          0
    1300-1400           0          0          0          0          0
    1400-1500           0          0          0          0          0
    1500-1600           0          0          0          0          0
    1600-1700           0          0          0          0          0
    1700-1800           0          0          0          0          0
    1800-1900           0          0          0          0          0
    1900-2000           0          0          0          0          0
    2000-2100           0          0          0          0          0
    2100-2200           0          0          0          0          0
    2200-2300           0          0          0          0          0
    2300-2400           0          0          0          0          0

Host/Domain Summary: Message Delivery (top 50)
 sent cnt  bytes   defers   avg dly max dly host/domain
 -------- -------  -------  ------- ------- -----------
     11    10914        0     7.4 s   24.0 s  zcs806.DOMAIN.com

Host/Domain Summary: Messages Received (top 50)
 msg cnt   bytes   host/domain
 -------- -------  -----------
      5     2780   zcs806.DOMAIN.com

top 50 Senders by message count
-------------------------------
      4   zimbra@zcs806.DOMAIN.com
      1   admin@zcs806.DOMAIN.com

top 50 Recipients by message count
----------------------------------
     11   admin@zcs806.DOMAIN.com

top 50 Senders by message size
------------------------------
   1974   zimbra@zcs806.DOMAIN.com
    806   admin@zcs806.DOMAIN.com

top 50 Recipients by message size
---------------------------------
  10914   admin@zcs806.DOMAIN.com

message deferral detail: none

message bounce detail (by relay): none

message reject detail
---------------------
  MAIL
    5.3.4 Message size exceeds fixed limit (total: 3)
           3   domain-ext.com

message reject warning detail: none

message hold detail: none

message discard detail: none

smtp delivery failures: none

Warnings
--------
  sendmail (total: 3)
         1   or the command is run from a set-uid root process
         1   the Postfix sendmail command has set-uid root file permissions
         1   the Postfix sendmail command must be installed without set-uid ...
  smtpd (total: 1)
         1   7A735345A: queue file size limit exceeded

Fatal Errors: none

Panics: none

Master daemon messages: none

client_usage_report.py

This will give some stats on your mail activity. Note that there are some issues with this script, such as double-reporting mail counts, but it's useful for identifying the top 50 by activity.

[zimbra@zcs806 ~]$ /opt/zimbra/libexec/client_usage_report.py
Reading /opt/zimbra/log/access_log.2014-04-17 ..
Reading /opt/zimbra/log/access_log.2014-04-18 ..
Reading /opt/zimbra/log/access_log.2014-04-19 ..
Reading /opt/zimbra/log/access_log.2014-04-20 ..
Reading /opt/zimbra/log/access_log.2014-04-21 ..
Reading /opt/zimbra/log/access_log.2014-04-22 ..
Reading /opt/zimbra/log/access_log.2014-04-23 ..
Writing /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv ..

Then review the file it creates. Its columns are: "user_agent","client_IP","req_count"

[zimbra@zcs806 ~]$ cat /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv
"user_agent","client_IP","req_count"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","14"
"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","93"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.174","6"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","71"

qshape

You can also look at the results of [qshape] - the default is the active queue. For more on qshape, see [Postfix Qshape Readme] .

qshape deferred
               T  5 10 20 40 80 160 320 640 1280 1280+
        TOTAL 12  0  0  0  0  0   0   0   0    0     12
    gmail.com  9  0  0  0  0  0   0   0   0    0     9
    yahoo.com  3  0  0  0  0  0   0   0   0    0     3

3rd Party Log Reports - postfix-logwatch and amavis-logwatch

Created RFE for us to include these in ZCS:

You can download them from http://logreporters.sourceforge.net/ . It's a fairly simple install: download and extract, cd into the extracted directory, and as root type:

make install-standalone

They will install to /usr/local/bin/amavis-logwatch & postfix-logwatch . The config files are in /usr/local/etc/amavis-logwatch.conf & postfix-logwatch.conf . Here's an example of the output.

/usr/local/bin/amavis-logwatch output example:

[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/amavis-logwatch /var/log/zimbra.log
****** Summary *************************************************************************************

       4   Total messages scanned ------------------  100.00%
   1.926K  Total bytes scanned                          1,972
========   ==================================================

       4   Passed ----------------------------------  100.00%
       4     Clean passed                             100.00%
========   ==================================================

       4   Ham -------------------------------------  100.00%
       4     Clean passed                             100.00%
========   ==================================================


==================================================================================
Spam Score Percentiles        0%       50%       90%       95%       98%      100%
----------------------------------------------------------------------------------
Score Ham (4)             -1.900    -1.900    -1.900    -1.900    -1.900    -1.900
==================================================================================

======================================================================================================
Spam Score Frequency      <= -10     <= -5      <= 0      <= 5     <= 10     <= 20     <= 30      > 30
------------------------------------------------------------------------------------------------------
Hits (4)                       0         0         4         0         0         0         0         0
Percent of Hits            0.00%     0.00%   100.00%     0.00%     0.00%     0.00%     0.00%     0.00%
======================================================================================================

/usr/local/bin/postfix-logwatch output example:

[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/postfix-logwatch /var/log/zimbra.log

****** Summary *************************************************************************************

       1   *Warning: Queue file size limit exceeded

   6.512K  Bytes accepted                               6,668
   1.928K  Bytes sent via SMTP                          1,974
   4.584K  Bytes sent via LMTP                          4,694
========   ==================================================

      10   Accepted                                    76.92%
       3   Rejected                                    23.08%
--------   --------------------------------------------------
      13   Total                                      100.00%
========   ==================================================

       3   5xx Reject message size                    100.00%
--------   --------------------------------------------------
       3   Total 5xx Rejects                          100.00%
========   ==================================================

      10   Connections
      10   Disconnections
       8   Removed from queue
       4   Sent via SMTP
       4   Sent via LMTP
       4   Filtered

****** Detail (10) *********************************************************************************

       3   5xx Reject message size -----------------------------------------------------------------
       3      192.168.1.166     remote.domain.com
       3         *unavailable
       3            *unavailable

       4   Sent via SMTP ---------------------------------------------------------------------------
       4      zcs806.DOMAIN.com

       4   Sent via LMTP ---------------------------------------------------------------------------
       4      zcs806.DOMAIN.com

       4   Filtered --------------------------------------------------------------------------------
       2      smtp-amavis:[127.0.0.1]:10024
       2         Sender address
       1            admin@zcs806.DOMAIN.com
       1               admin@zcs806.DOMAIN.com
       1                  192.168.1.166     remote.domain.com
       1            user@DOMAIN.com
       1               admin@zcs806.DOMAIN.com
       1                  192.168.1.184     remote2.domain.com
       2      smtp-amavis:[127.0.0.1]:10026
       2         Sender address
       1            admin@zcs806.DOMAIN.com
       1               admin@zcs806.DOMAIN.com
       1                  192.168.1.166     remote.domain.com
       1            user@DOMAIN.com
       1               admin@zcs806.DOMAIN.com
       1                  192.168.1.184     remote2.domain.com

=== Delivery Delays Percentiles ============================================================
                    0%       25%       50%       75%       90%       95%       98%      100%
--------------------------------------------------------------------------------------------
Before qmgr       0.04      0.09      0.11      0.11      0.23      0.35      0.43      0.48
In qmgr           0.00      0.00      0.01      0.01      0.04      0.07      0.08      0.09
Conn setup        0.00      0.01      0.29      1.30      2.05      2.23      2.33      2.40
Transmission      0.10      2.81      4.85      9.60     21.00     21.00     21.00     21.00
Total             0.20      2.91      5.20     11.00     23.30     23.65     23.86     24.00
============================================================================================

Note - First, look at the options each command has using the -h output. You might want to use --full when doing an investigation and also include a wildcard - /var/log/zimbra.lo* to take in all the log data. For example:

[zimbra@zcs806 ~]$ /usr/local/bin/postfix-logwatch --full /var/log/zimbra.lo*
****** Summary *************************************************************************************

       9   *Fatal:   General fatal
       1   *Warning: Queue file size limit exceeded
      21   Miscellaneous warnings

 710.888K  Bytes accepted                             727,949
 193.036K  Bytes sent via SMTP                        197,669
 520.114K  Bytes sent via LMTP                        532,597
========   ==================================================

    1041   Accepted                                    99.71%
       3   Rejected                                     0.29%
--------   --------------------------------------------------
    1044   Total                                      100.00%
========   ==================================================

       3   5xx Reject message size                    100.00%
--------   --------------------------------------------------
       3   Total 5xx Rejects                          100.00%
========   ==================================================

      65   Connections
      65   Disconnections
    1041   Removed from queue
     523   Sent via SMTP
     517   Sent via LMTP
       2   Bounced (local)
       1   Bounced (remote)
       9   Filtered
       2   Notifications sent

       4   Timeouts (inbound)
       1   PIX workaround enabled

****** Detail (10) *********************************************************************************

       9   *Fatal:   General fatal -----------------------------------------------------------------
       3      Queue report unavailable - mail system is down
       3      Usage: sendmail [options]
       2      The Postfix mail system is not running
       1      Usage: send-mail [options]

      21   Miscellaneous warnings ------------------------------------------------------------------
       7      or the command is run from a set-uid root process
       7      the Postfix sendmail command has set-uid root file permissions
       7      the Postfix sendmail command must be installed without set-uid root file permissions

       3   5xx Reject message size -----------------------------------------------------------------
       3      10.X.X.166     fence.DOMAIN.com
       3         *unavailable
       3            *unavailable

     523   Sent via SMTP ---------------------------------------------------------------------------
     507      86.lab
      15      zcs806.DOMAIN.com
       1      domaina.com

     517   Sent via LMTP ---------------------------------------------------------------------------
     507      86.lab
      10      zcs806.DOMAIN.com

       2   Bounced (local) -------------------------------------------------------------------------
       2      5.0.0: Permanent failure: Other/Undefined status: Other undefined status
       2         zcs806.DOMAIN.com
       2            Zcs806.DOMAIN.com
       1               subject:test
       1               zimbra

       1   Bounced (remote) ------------------------------------------------------------------------
       1      5.0.0: Permanent failure: Other/Undefined status: Other undefined status
       1         domain.com
       1            user
       1               64.X.X.28      sentry.DOMAIN.com
       1                  505 5.0.0 Unknown recipient: RCPT TO

       9   Filtered --------------------------------------------------------------------------------
       7      smtp-amavis:[127.0.0.1]:10026
       7         Sender address
       3            admin@zcs806.DOMAIN.com
       3               admin@zcs806.DOMAIN.com
       2                  10.X.X.36     zcs806.DOMAIN.com
       1                  10.X.X.166     gatewayXX.DOMAIN.com
       2            zimbra@zcs806.DOMAIN.com
       2               admin@zcs806.DOMAIN.com
       2                  10.X.X.36     zcs806.DOMAIN.com
       1            ajcody@DOMAIN.com
       1               admin@zcs806.DOMAIN.com
       1                  10.X.X.184     edgeXX.DOMAIN.com
       1            san5@zcs806.DOMAIN.com
       1               b@zcs806.DOMAIN.com
       1                  10.X.X.36     zcs806.DOMAIN.com
       2      smtp-amavis:[127.0.0.1]:10024
       2         Sender address
       1            admin@zcs806.DOMAIN.com
       1               admin@zcs806.DOMAIN.com
       1                  10.X.X.166     gatewayXX.DOMAIN.com
       1            ajcody@DOMAIN.com
       1               admin@zcs806.DOMAIN.com
       1                  10.X.X.184     edgeXX.DOMAIN.com

       2   Notifications sent ----------------------------------------------------------------------
       2      Non-delivery
       2         sender

       4   Timeouts (inbound) ----------------------------------------------------------------------
       4      After END-OF-MESSAGE

       1   PIX workaround enabled ------------------------------------------------------------------
       1      disable_esmtp delay_dotcrlf
       1         64.X.X.28      sentry.DOMAIN.com

=== Delivery Delays Percentiles ============================================================
                    0%       25%       50%       75%       90%       95%       98%      100%
--------------------------------------------------------------------------------------------
Before qmgr       0.01      0.03      0.06      0.14      0.27      0.34      0.48      2.60
In qmgr           0.00      0.00      0.08    117.50    193.00    216.00    231.48    246.00
Conn setup        0.00      0.00      0.00      0.00      0.02      0.04      0.22     20.00
Transmission      0.05      0.09      3.60      9.80     10.00     10.00     11.00    160.00
Total             0.07      0.13      3.80    129.00    203.00    226.00    241.64    259.00
============================================================================================

zmaccts

Noting which accounts are actively logging in and which aren't can help shrink the number of accounts you might want to investigate or monitor. [In the example below, I cut out a lot of the accounts.]

           account                          status             created       last logon
------------------------------------   -----------     ---------------  ---------------
zcstest001@zcs806.DOMAIN.com                active      01/20/14 18:47   03/02/14 21:11
zcstest002@zcs806.DOMAIN.com                active      01/30/14 01:48   02/19/14 00:07
admin-20140415@zcs806.DOMAIN.com            active      04/15/14 14:42            never
archtest-prod-20140402@zcs806.DOMAIN        active      04/02/14 07:42            never

           account                          status             created       last logon
------------------------------------   -----------     ---------------  ---------------
bruce@test1.lab                             active      02/22/14 09:32            never
test.cal@test1.lab                          active      04/06/14 05:35   04/06/14 05:35
test200@test1.lab                           active      04/12/14 00:50            never

                                 domain summary

    domain                  active    closed    locked    maintenance     total
-----------------------   --------  --------  --------  -------------  --------
test1.lab                        3         0         0              0         3
test2.com                        2         0         0              0         2
angad.com                        2         0         0              0         2
test.test                        3         0         0              0         3
test.DOMAIN.com                  6         0         0              0         6
zcs806.DOMAIN.com               58         0         0              0        58
zcs806.DOMAIN.com                2         0         0              0         2

By Authentication Attempts

A fast way to see who is doing a lot of authentications, which normally happens when a spammer has compromised an account with a weak password, is to do:

# cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
      1 Auser@domain.com
      3 Buser@domain.com
      4 Cuser@domain.com
      5 Duser@domain.com
     36 SPAMMER@domain.com

Note - This might take a long time. If so, try pruning the log down first.

Example:

# cat /var/log/zimbra.log | grep sasl_username > /tmp/zimbra_sasl_username.txt
# cat /tmp/zimbra_sasl_username.txt | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
      1 Auser@domain.com
      3 Buser@domain.com
      4 Cuser@domain.com
      5 Duser@domain.com
     36 SPAMMER@domain.com

The full log event will look like this:

zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>

Against your older logs, you could:

# zcat /var/log/zimbra.log* | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n

And you can look at the specific information for the user in question with:

# grep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log

Or if searching against the older logs:

# zgrep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log*

If you want to check on a specific message ID, do:

grep 9DF7520804A /var/log/zimbra.log*

For older message logs:

zgrep 9DF7520804A /var/log/zimbra.log*

To read/view the message in the queue:

/opt/zimbra/postfix/sbin/postcat -q 9DF7520804A 

One would then normally lock or change the password on the one account showing the most activity. Grep'ing /var/log/zimbra.log for the username in question will also show the IP address being used, which can then be blocked at your firewall.
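The counts above only show who authenticated most often. As an added example (not part of the original article or of Zimbra's tooling), the script below joins each smtpd sasl_username line to its qmgr line by queue ID and reports, per user, the number of messages, distinct client IPs and total recipients. The log lines, addresses and thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-user summary of SASL-authenticated submissions.
#   smtpd : "QID: client=host[ip], sasl_method=..., sasl_username=user"
#   qmgr  : "QID: from=<sender>, size=N, nrcpt=N (queue active)"
# Both lines carry the same queue ID, which is the join key.

# Constructed sample log (documentation addresses, not from a real server).
sample_log() {
cat <<'EOF'
Jun  8 18:14:10 mail postfix/smtpd[15794]: 004358EEB16: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=spammer@example.com
Jun  8 18:14:10 mail postfix/cleanup[5522]: 004358EEB16: message-id=<20140608181410.004358EEB16@mail.example.com>
Jun  8 18:14:11 mail postfix/qmgr[20690]: 004358EEB16: from=<promo@elsewhere.example>, size=6026, nrcpt=10 (queue active)
Jun  8 18:14:40 mail postfix/smtpd[15801]: 1A2B3C4D5E6: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=spammer@example.com
Jun  8 18:14:41 mail postfix/qmgr[20690]: 1A2B3C4D5E6: from=<promo@elsewhere.example>, size=6100, nrcpt=25 (queue active)
Jun  8 18:15:02 mail postfix/smtpd[15794]: 7F00AA11BB2: client=desk.example.com[192.0.2.20], sasl_method=PLAIN, sasl_username=auser@example.com
Jun  8 18:15:02 mail postfix/qmgr[20690]: 7F00AA11BB2: from=<auser@example.com>, size=1200, nrcpt=1 (queue active)
Jun  8 18:20:11 mail postfix/qmgr[20690]: 004358EEB16: from=<promo@elsewhere.example>, size=6026, nrcpt=10 (queue active)
Jun  8 18:21:00 mail postfix/smtpd[15900]: 9C8D7E6F501: client=localhost[127.0.0.1]
Jun  8 18:21:00 mail postfix/qmgr[20690]: 9C8D7E6F501: from=<promo@elsewhere.example>, size=6500, nrcpt=10 (queue active)
EOF
}

# Usage: sasl_summary [logfile ...]   (reads stdin when no file is given)
# Output: user messages distinct_client_ips total_recipients, busiest first.
sasl_summary() {
    awk '
    /sasl_username=/ && match($0, /[0-9A-Za-z]+: client=/) {
        qid = substr($0, RSTART, RLENGTH - 9)          # strip ": client="
        ip = $0; sub(/.*client=/, "", ip); sub(/,.*/, "", ip)
        sub(/\]$/, "", ip); sub(/.*\[/, "", ip)        # host[ip] -> ip
        user = $0; sub(/.*sasl_username=/, "", user); sub(/[, ].*/, "", user)
        if (!(qid in owner)) { owner[qid] = user; msgs[user]++ }
        if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        next
    }
    /nrcpt=/ && match($0, /[0-9A-Za-z]+: from=/) {
        qid = substr($0, RSTART, RLENGTH - 7)          # strip ": from="
        # A deferred message is logged again each time it re-enters the
        # active queue, so count its recipients only once.
        if ((qid in owner) && !(qid in counted)) {
            n = $0; sub(/.*nrcpt=/, "", n); sub(/[^0-9].*/, "", n)
            rcpts[owner[qid]] += n
            counted[qid] = 1
        }
    }
    END { for (u in msgs) print u, msgs[u], ips[u], rcpts[u] + 0 }
    ' "$@" | sort -k4,4nr -k1,1
}

# Usage: sasl_suspects MIN_RCPTS MIN_IPS [logfile ...]
# Prints users at or above either threshold (thresholds are assumptions to tune).
sasl_suspects() {
    min_rcpts=$1; min_ips=$2; shift 2
    sasl_summary "$@" | awk -v r="$min_rcpts" -v i="$min_ips" \
        '$4 >= r || $3 >= i { print $1 }'
}

sample_log | sasl_summary
```

On a live server, run sasl_summary /var/log/zimbra.log, or pipe rotated logs in through zcat as in the commands above. Short Postfix queue IDs can be reused over time, so keep the input to a bounded time window.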

To be alerted of a compromised account and have it lock automatically see below. Slightly modified from this reference : http://www.zimbra.com/forums/administrators/62613-identify-compromised-accounts.html#post278732 :


#!/bin/bash
# Checks the log file and gets a count of authentications per minute, per user.
# If the count exceeds the maxmails value, the user's account is locked.
# Run as root: su is used to call zmaccts and zmprov as the zimbra user.

logfile="/var/log/zimbra.log"
maxmails="10"
mydomain="example.com"
support="<postmaster-userid>@$mydomain"
# mktemp creates the file with an unpredictable name instead of a fixed path in /tmp
accounts=$(mktemp /tmp/active_accounts.XXXXXX) || exit 1

su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > "$accounts"

zgrep -i "auth ok" "$logfile" | sed 's/  / /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | uniq -c | sort -n | \
while read -r count timestamp userid
do
    # -F -x: fixed-string, whole-line match, so "bob" does not match "jbob@..."
    active=$(grep -Fx "$userid@$mydomain" "$accounts")

    if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then
        echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
        # </dev/null keeps su from reading the loop's input
        su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked" < /dev/null
        subject="$userid account locked due to excessive connections"
        # Email text/message
        message=$(mktemp /tmp/emailmessage.XXXXXX) || continue
        echo "$userid account has been locked as there were $count connections made at" > "$message"
        echo "$timestamp.  Please have the user change their password, and check for phishing" >> "$message"
        echo "emails if possible." >> "$message"
        # send an email using /usr/bin/mail
        /usr/bin/mail -s "$subject" "$support" < "$message"
        rm -f "$message"

        # update list of active accounts
        su zimbra -c "/opt/zimbra/bin/zmaccts" < /dev/null | grep "@" | grep active | awk '{print $1}' > "$accounts"
    fi
done

rm -f "$accounts"

Then run it as a cron job. The frequency will depend on the number of accounts you're managing.

* * * * * /opt/zimbra/find_spammer.sh

By Connecting IP - Useful For Blocking IP At Firewall

See also the following:

To find the originating IP address of where the emails are coming from:

grep 'connect from' /var/log/zimbra.log | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head

To check your older logs [example output below]:

zgrep 'connect from' /var/log/zimbra.log* | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head
     36 10.137.xx.34
     34 127.0.0.1

Open Relay Check

You should also confirm you aren't an open relay.

$ host -t mx DOMAIN.com
DOMAIN.com mail is handled by 10 mail.DOMAIN.com.

$ telnet mail.DOMAIN.com 25
Trying 184.###.##.## ...
Connected to mail.DOMAIN.com.
Escape character is '^]'.
220 mail.DOMAIN.com ESMTP Postfix
helo support.test
250 mail.DOMAIN.com
mail from:<SPAMMER@domain.com>
250 2.1.0 Ok
rcpt to:<TEST@DOMAIN.COM>
554 5.7.1 <TEST@DOMAIN.COM>: Relay access denied

rcpt to:<SPAMMER@domain.com>
554 5.7.1 Service unavailable; Client host [71.XXX.XX.XX] blocked 
 using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=71.202.XX.XX
quit
221 2.0.0 Bye
Connection closed by foreign host.

Telnet Test To Confirm/Show Authentication Required For SMTP/Port 25

This is an example:

esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25

Trying 10.137.27.32...
Connected to zcs723.EXAMPLE.com.
Escape character is '^]'.
220 zcs723.EXAMPLE.com ESMTP Postfix
helo zcs723.EXAMPLE.com   << I typed
250 zcs723.EXAMPLE.com
mail from:ajcody@zcs723.EXAMPLE.com   << I typed
250 2.1.0 Ok
rcpt to:ajcody2@zcs723.EXAMPLE.com   << I typed
553 5.7.1 <ajcody@zcs723.EXAMPLE.com>: Sender address rejected: not logged in

But note - if you do this from the ZCS server, or from a server that is within the IP range or has its specific IP listed in mynetworks, you will not get this authentication requirement.

[root@zcs723 ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 zcs723.EXAMPLE.com ESMTP Postfix
helo myworkstation
250 zcs723.EXAMPLE.com
ehlo myworkstation
250-zcs723.EXAMPLE.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<ajcody@zcs723.EXAMPLE.com>
250 2.1.0 Ok
rcpt to: <ajcody2@zcs723.EXAMPLE.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: Adam <ajcody@zcs723.EXAMPLE.com>
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com>
Subject: From Localhost - NOT Auth
test
.
250 2.0.0 Ok: queued as 8B19E1E78D1
quit
221 2.0.0 Bye
Connection closed by foreign host.
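The sessions above are read by eye. As an added example (not from the original article), the function below grades each RCPT TO reply in a saved session the same way: a rejection is fine, an unauthenticated 2xx for a foreign recipient means open relay, and an unauthenticated 2xx for a local sender writing to a local recipient means the sender address was accepted without login. The transcripts and the example.com domain are constructed; a session captured from a host listed in mynetworks will show acceptance by design, as noted above.

```shell
#!/bin/sh
# Added example: grade the RCPT TO replies in a saved SMTP test session.
# Usage: smtp_rcpt_findings LOCAL_DOMAIN < transcript
# Output, one line per RCPT TO: verdict reply_code sender_domain rcpt_domain

# Constructed session from an outside host, no authentication.
sample_external_session() {
cat <<'EOF'
220 mail.example.com ESMTP Postfix
helo probe.test
250 mail.example.com
mail from:<someone@elsewhere.example>
250 2.1.0 Ok
rcpt to:<victim@third-party.example>
554 5.7.1 <victim@third-party.example>: Relay access denied
rset
250 2.0.0 Ok
MAIL FROM: spam@example.com
250 2.1.0 Ok
RCPT TO: test1@example.com
250 2.1.5 Ok
quit
221 2.0.0 Bye
EOF
}

# Constructed session with a successful AUTH and a message body.
sample_auth_session() {
cat <<'EOF'
220 mail.example.com ESMTP Postfix
ehlo client.test
250-mail.example.com
250-AUTH LOGIN PLAIN
250 DSN
auth plain <redacted>
235 2.7.0 Authentication successful
mail from:<auser@example.com>
250 2.1.0 Ok
rcpt to:<friend@elsewhere.example>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: test
rcpt to:<not-a-command@elsewhere.example>
.
250 2.0.0 Ok: queued as ABCDEF12345
EOF
}

smtp_rcpt_findings() {
    awk -v localdom="$1" '
    # Lower-cased domain of the address in "MAIL FROM:..." or "RCPT TO:...".
    function addr_domain(line) {
        sub(/^[^:]*:[ \t]*/, "", line)   # drop the command word
        sub(/[ \t].*/, "", line)         # drop ESMTP parameters or notes
        gsub(/[<>]/, "", line)
        sub(/.*@/, "", line)
        return tolower(line)
    }
    BEGIN { localdom = tolower(localdom) }
    { sub(/\r$/, "") }                   # telnet captures often keep CRs
    indata { if ($0 == ".") indata = 0; next }   # skip the message body
    /^[0-9][0-9][0-9]-/ { next }         # continuation line of a multi-line reply
    /^[0-9][0-9][0-9]( |$)/ {
        code = substr($0, 1, 3)
        if (code == "235") authed = 1    # 235 = authentication succeeded
        if (code == "354") indata = 1    # server is now reading the body
        if (pending) {
            if (substr(code, 1, 1) != "2") verdict = "rejected"
            else if (authed)               verdict = "ok-authenticated"
            else if (rdom != localdom)     verdict = "OPEN-RELAY"
            else if (sdom == localdom)     verdict = "UNAUTH-LOCAL-SENDER"
            else                           verdict = "ok-inbound"
            print verdict, code, sdom, rdom
            pending = 0
        }
        next
    }
    tolower($0) ~ /^mail from:/ { sdom = addr_domain($0); next }
    tolower($0) ~ /^rcpt to:/   { rdom = addr_domain($0); pending = 1; next }
    '
}

sample_external_session | smtp_rcpt_findings example.com
```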

Resources

A list of resources you'll find useful:

Wiki articles that have been assigned to the anti-spam category:

Down to the end-user:

External Relay Test Pages
  • http://www.checkor.com/
    • Note - this test is in regards to the From spoofing spammers sometimes do for DL's.
    • Also, for the test - make an account/DL on your system for test1@[your domain] . Otherwise you'll just get an error about the account not existing.

RSET
250 2.0.0 Ok
MAIL FROM: spam@mail59.DOMAIN.com
250 2.1.0 Ok
RCPT TO: test1@mail59.DOMAIN.com
Test Failed, 250 2.1.5 Ok 

Blocking MAIL FROM - smtpd_sender_restrictions - Default Is Empty

External References
Zimbra References And Bugs & RFE's
Protecting DL's From Spammers - Forging Mail From
First Recommendation - As Given By Dev's From Critical Meeting Notes

  • Enabled SASL/SMTP Authentication
  • Implement how-to as described in :
    • Permitted Senders: RestrictPostfixRecipients
      • Note: You'll see on the above page a reference to the spoof hole.
        • "This method can be spoofed by forging the MAIL FROM: header (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs."
      • Note: You'll also modify the instructions as above with the additional details provided below.
  • Force authentication for local-domain senders:
    • modify the main.cf to have the following:
      • smtpd_sender_restrictions = check_sender_access hash:/path/to/file
    • Then for the /path/to/file that you used in the main.cf for smtpd_sender_restrictions, you'll have a line like:
      • example.com permit_sasl_authenticated, reject

Second Recommendation - Unpredictable DL name or Non-routing Domain

Do not use predictable DL names. Instead of using everyone@company.com , use something like everyone-[random-string]@company.com .

Another option is to use a non-routing domain - company.local - and setup your DL's there. You'll want to configure your main domain to be able to query the GAL of this domain.

To see the existing setting:

zmprov gd [domainname] zimbraGalLdapSearchBase

To change the variable for the domain:

zmprov md [domainname] zimbraGalInternalSearchBase ROOT

Third Recommendation - Using smtpd_sender_restrictions

Work In Progress. I'm testing this now. Please don't attempt until this line is removed.

Update: See the following:

This should work if your "clients" are using ZWC, ZCO, or ActiveSync mobile devices. If you are using IMAP/POP + SMTP thick clients, you'll most likely have to enable SMTP authentication [sasl] and use the reject_authenticated_sender_login_mismatch variable instead.

postconf -e smtpd_sender_restrictions=reject_sender_login_mismatch
postfix reload

This option is described as:

reject_sender_login_mismatch
Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps. Man page

Some Other SMTP Sending Restrictions

Blocking Incoming From Domain And By User

See the following:

check_client_access

The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from. The default behavior is to allow SMTP connections from any client. This is discussed under Spam Controls on the Postfix site.

Example:

check_client_access regexp:/etc/postfix/access_sender_client_server,

Example:

check_sender_access regexp:/etc/postfix/access_sender_toplevel

smtpd_reject_unlisted_sender

Details can be found on the main.cf Postfix page.

Example:

smtpd_reject_unlisted_sender = yes

Possible Bug:

http://bugzilla.zimbra.com/show_bug.cgi?id=24889

What Do Your SPF Records Say When Getting "does not designate 74.x.x.x as permitted sender" Errors

This is most likely related to the SPF records for your domain and what the header content of the sending email states as its Mail From. For example, this is from the header of an email that was "received":

Received: from mail.XYZ-FAKE.com (mailhost.XYZ-FAKE.com [74.X.X.244]) by mta01.ABC-FAKE.com with ESMTP id 
Cft0mO3fjlFGQjTA for <support@ABC-FAKE.com>; Tue, 21 Apr 2009 05:14:13 -0700 (PDT)
X-Barracuda-Envelope-From: testuser@XYZ-FAKE.com
Received-SPF: pass (mta01.ABC-FAKE.com: domain of testuser@XYZ-FAKE.com designates 74.X.X.244 as permitted sender) 
receiver=mta01.ABC-FAKE.com; client_ip=74.X.X.244; envelope-from=testuser@XYZ-FAKE.com;

To see what this check was done against, do the following below. I'll trim the output and adjust the information used to protect the innocent. Also, notice how a DNS "alias" might cause an issue here? :


$ host 74.X.X.244
244.X.X.74.in-addr.arpa domain name pointer mailhost.XYZ-FAKE.com.

$ host mailhost.XYZ-FAKE.com
mailhost.XYZ-FAKE.com has address 74.X.X.244

$ host mail.XYZ-FAKE.com
mail.XYZ-FAKE.com is an alias for mailhost.XYZ-FAKE.com.
mailhost.XYZ-FAKE.com has address 74.X.X.244

$ dig XYZ-FAKE.com MX

;; QUESTION SECTION:
;XYZ-FAKE.com.			IN	MX

;; ANSWER SECTION:
XYZ-FAKE.com.		3600	IN	MX	22 serverA.DNS-FAKE.com.
XYZ-FAKE.com.		3600	IN	MX	11 serverB.DNS-FAKE.com.

$ dig XYZ-FAKE.com TXT

;; QUESTION SECTION:
;XYZ-FAKE.com.			IN	TXT

;; ANSWER SECTION:
XYZ-FAKE.com.		3600	IN	TXT	"v=spf1 a:mail.XYZ-FAKE.com ~all"

See the following for more information:

Using Different SMTP Server For Webclient (ZWC), Mobiles, And ZCO

Note Of Caution About Using External MTAs

Using non-zimbra MTA's can cause some options in zimbra to not function anymore - since it no longer has zimbra's mta services available.

Zimbra Mail Forwarding Possibly Will Not Work - Turn Off User Option To Set MailForwarding

Mail forwarding might no longer work, depending on the configuration you set up for your external MTAs. When this happens you'll most likely want to disable the option for users to set a mail forwarding address in their preferences. This can be done via their COS or USER configuration.

  • In the admin console, go to the COS configuration the user/s are using and open the "Features" tab. Uncheck the option "Allow the user to specify a forwarding address" under Mail Features. It is in the same location under a USER's configuration panel in the admin console.

In the CLI, you will see these set as the defaults for the default COS. The admin gui option above only adjusts the zimbraFeatureMailForwardingEnabled variable :

$ zmprov gc default | grep zimbraFeatureMailForwarding
    zimbraFeatureMailForwardingEnabled: TRUE
    zimbraFeatureMailForwardingInFiltersEnabled: TRUE
$ zmprov ga ajcody@`zmhostname` | grep zimbraFeatureMailForwarding
    zimbraFeatureMailForwardingEnabled: TRUE
    zimbraFeatureMailForwardingInFiltersEnabled: TRUE

More details about them are in the /opt/zimbra/conf/attrs/zimbra-attrs.xml file.

<attr id="342" name="zimbraFeatureMailForwardingEnabled" type="boolean" cardinality="single" 
 optionalIn="account,cos" flags="accountInfo,accountInherited,domainAdminModifiable">
  <defaultCOSValue>TRUE</defaultCOSValue>
  <desc>enable end-user mail forwarding features</desc>
</attr>

<attr id="704" name="zimbraFeatureMailForwardingInFiltersEnabled" type="boolean" 
 cardinality="single" optionalIn="account,cos" flags="accountInfo,accountInherited,
 domainAdminModifiable" since="5.0.10">
  <defaultCOSValue>TRUE</defaultCOSValue>
  <desc>enable end-user mail forwarding defined in mail filters features</desc>
</attr>

Configure External MTA To Use LDAP Virtual Alias Maps

Here's the basic info on how Zimbra's MTA [postfix/etc] uses Zimbra's LDAP to get the forwarding information:

$ grep Forward conf/ldap-*
conf/ldap-vam.cf:result_attribute =  
zimbraMailDeliveryAddress,zimbraMailForwardingAddress,
zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
$ postconf |grep vam
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf

See http://www.postfix.org/postconf.5.html#virtual_alias_maps for more information.

Confirming And Setting zimbraMtaRelayHost And zimbraMtaDnsLookupsEnabled

First we'll set the zimbraMtaRelayHost and zimbraMtaDnsLookupsEnabled variables. These options are also shown in the admin console and can be configured there. These variables alone will not redirect ALL traffic to an external MTA first, though. There's also a variable called zimbraSmtpHostname in the global (zmprov gacf) and server (zmprov gs `hostname`) configs, addressed in the section below. Its default value is 'localhost', at least on a single ZCS configuration.

In situations where you need/want all mail to be processed by, for example, an external non-Zimbra spam filter box, you could set this variable to the spam filter server's hostname.

Normally, when zimbraMtaRelayHost is set to a non-Zimbra external MTA, you would disable DNS lookups. If you disable DNS lookups (under the MTA tab of the admin console, or with zmprov), Zimbra will end up using (according to the postconf man page) the "gethostbyname() system library routine which normally also looks in /etc/hosts" (based on the entries on the "hosts" line in /etc/nsswitch.conf). If you do this but don't also specify an SMTP relay host (typically your ISP's SMTP server), which will take care of checking DNS, you will reverse your ability to send mail: suddenly you can send mail to other users on the Zimbra server, but you can't send to the internet (though you can still receive mail from the internet either way).

Query Global - `zmhostname` would use the value returned, you can manually type out the servername as well :

zmprov gacf zimbraMtaRelayHost
zmprov gacf zimbraMtaDnsLookupsEnabled

Query Per Server - `zmhostname` would use the value returned, you can manually type out the servername as well :

zmprov gs `zmhostname` zimbraMtaRelayHost
zmprov gs `zmhostname` zimbraMtaDnsLookupsEnabled

Note - if the query fails on your non-mailstores with an error like "ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)", then you might need to adjust this variable. First query it; it's most likely set to localhost:

zmlocalconfig zimbra_zmprov_default_soap_server

If you had the error and it was set to localhost, modify it to be one of your mailstores.

zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com

No restart of anything is needed; the zmprov query should now work.
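
The check below is an added example, not part of the original page: it reads the two values queried above and flags the combination the text warns about, DNS lookups disabled with no relay host. The function names are hypothetical, and it assumes zmprov prints attributes as "name: value" lines, as in the output shown earlier.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# Assumes zmprov prints attributes as "name: value" lines, as shown above.

# attr_value NAME: print NAME's value from zmprov-style lines on stdin
# (prints nothing when the attribute is unset and therefore not listed).
attr_value() {
    awk -v name="$1" '{
        sub(/^[ \t]+/, "")
        if (index($0, name ": ") == 1) { print substr($0, length(name) + 3); exit }
    }'
}

# relay_dns_verdict RELAYHOST DNSLOOKUPS: print a verdict; return 1 for the
# combination that breaks outbound Internet mail.
relay_dns_verdict() {
    case "$2" in
        FALSE)
            if [ -z "$1" ]; then
                echo "BROKEN: DNS lookups off and no relay host"
                return 1
            fi
            echo "OK: non-local mail is handed to $1" ;;
        TRUE)
            if [ -n "$1" ]; then
                echo "REVIEW: relay host $1 set, DNS lookups still on"
            else
                echo "OK: direct delivery using DNS"
            fi ;;
        *)
            echo "UNKNOWN: zimbraMtaDnsLookupsEnabled='$2'"
            return 2 ;;
    esac
}

# check_output: judge the combined output of the two queries (stdin).
check_output() {
    out=$(cat)
    relay=$(printf '%s\n' "$out" | attr_value zimbraMtaRelayHost)
    dns=$(printf '%s\n' "$out" | attr_value zimbraMtaDnsLookupsEnabled)
    relay_dns_verdict "$relay" "$dns"
}

if command -v zmprov >/dev/null 2>&1; then   # live check on a Zimbra host
    { zmprov gs "$(zmhostname)" zimbraMtaRelayHost
      zmprov gs "$(zmhostname)" zimbraMtaDnsLookupsEnabled; } | check_output
else   # constructed sample: lookups disabled, zimbraMtaRelayHost unset
    printf '# name mail.example.com\nzimbraMtaDnsLookupsEnabled: FALSE\n' | check_output || true
fi
```

Run it as the zimbra user on the MTA host; a non-zero exit status marks the broken or unrecognised case, so it can gate a configuration change.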

Modify Global - `zmhostname` would use the value returned, you can manually type out the servername as well :

zmprov mcf zimbraMtaRelayHost hostname-of-ext-server:PORT
# ex : zmprov mcf zimbraMtaRelayHost primary.YYY.state.XX.us:25
# At the end, 25 is the port number for smtp on the targeted system.
# Adjust this number if you changed the smtp port.
zmprov mcf zimbraMtaDnsLookupsEnabled FALSE

Modify Per Server - `zmhostname` would use the value returned, you can manually type out the servername as well