IP Address whitelisting: Difference between revisions
{{Article Footer|Zimbra Collaboration 7.0, 6.0|04/16/2014}}
[[Category:Anti-spam]]
Latest revision as of 09:50, 12 July 2015
IP Address whitelisting
Warning, this page is out of date, and contains extremely invalid and incorrect information even for releases where it was once valid.
At times, you may want to bypass or whitelist certain IP ranges, either because they are known to be trusted and internal, or because they provide specific services that should not be checked for spam. It is very important, though, that you do not whitelist an MTA that relays untrusted email: whitelisting an inbound MTA (one receiving mail from the Internet) whose mail has not already been spam-checked allows all of that email to arrive unchecked.
Bypassing Internal Networks
amavis_originating_bypass_sa
In 8.0 (IronMaiden) and later, there is a feature in ZCS to automatically bypass SpamAssassin for mail originating from all IPs within the postfix "mynetworks" IP ranges:
Bypass SA for emails sent from internal ZWC users (or provide a way to score them) [1] - Fixed: 8.0
By default, this bypass is not enabled:
Default:
$ zmlocalconfig amavis_originating_bypass_sa
amavis_originating_bypass_sa = false
To enable it, set the value to true and restart the amavis processes:
$ zmlocalconfig -e amavis_originating_bypass_sa=true
$ zmamavisdctl restart
Once set, amavis bypasses SpamAssassin for all messages originating from internal trusted networks. These networks are configured by modifying the global or server configuration attribute zimbraMtaMyNetworks:
<attr id="311" name="zimbraMtaMyNetworks" type="astring" max="10240" cardinality="multi" optionalIn="globalConfig,server" flags="serverInherited" requiresRestart="mta">
  <desc>value of postfix mynetworks</desc>
</attr>
Retrieve current settings:
$ zmprov gcf zimbraMtaMyNetworks
$ zmprov gs `zmhostname` zimbraMtaMyNetworks
Configure MTA networks:
$ zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 10.0.0.0/8 192.168.0.0/16'
(note: zmconfigd will automatically restart the MTA processes after this change is made).
The zimbraMtaMyNetworks configuration is then included in amavis as @mynetworks, according to this entry in amavisd.conf, which causes those IPs to be whitelisted:
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  ...
  bypass_spam_checks_maps => [1],  # don't spam-check internal mail
  ...
Manual Whitelisting
This section shows how to disable anti-spam checking of all emails coming from an IP address; in other words, how to whitelist an IP address instead of using conventional domain-name whitelisting.
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:
postfix_recipient_restrictions.cf
Enter the following line at the top of /opt/zimbra/conf/postfix_recipient_restrictions.cf:
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist
amavis_client_whitelist
Create the file /opt/zimbra/postfix/conf/amavis_client_whitelist with the following content (one client address per line, followed by the FILTER action):
vi /opt/zimbra/postfix/conf/amavis_client_whitelist
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:10026
Convert amavis_client_whitelist from its ASCII source file into a Postfix lookup-table database file:
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist
That will create a Berkeley DB file next to the source file:
zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)
amavisd.conf.in
Enter the following in /opt/zimbra/conf/amavisd.conf.in:
NOTE: Make sure you use amavisd.conf.in and NOT amavisd.conf
NOTE: If you paste this section in directly, you will need to comment out the existing $inet_socket_port parameter
$inet_socket_port = [10024, 10026];  # change from original setting
$interface_policy{'10026'} = 'CLIENTWHITELIST';
$policy_bank{'CLIENTWHITELIST'} = {
  bypass_spam_checks_maps => [1],
  final_spam_destiny => D_PASS,
};
If you want to bypass virus checking too:
$policy_bank{'CLIENTWHITELIST'} = {
  bypass_spam_checks_maps => [1],
  final_virus_destiny => D_PASS,
  final_spam_destiny => D_PASS,
};
http://www.webservertalk.com/archive390-2006-8-1467502.html
Restart postfix and amavisd:
zmmtactl restart && zmamavisdctl restart
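Both whitelisting paths on this page (zimbraMtaMyNetworks feeding amavis @mynetworks in the ORIGINATING bank, and the check_client_access hash map that FILTERs a client to port 10026 and the CLIENTWHITELIST bank) share the risk stated at the top: an entry covering an MTA that relays untrusted mail switches spam checking off for everything it sends. The script below is an added audit example, not Zimbra's own code. It parses a zimbraMtaMyNetworks value and an access-map source file (both constructed samples here, mirroring the values on the page), reports which policy bank a connecting client would land in using Postfix's hash-map lookup order for IPv4 clients (full address, then the parent prefixes A.B.C, A.B, A), and flags any entry that whitelists address space outside RFC 1918 and loopback ranges. The precedence between the two paths and the INTERNAL_RANGES list are the example's own assumptions; 203.0.113.25 is a documentation-range address standing in for a public MTA added by mistake.

```python
"""Audit helper for IP-based spam-check bypasses in a Zimbra MTA.

Added example, not Zimbra's own code. It models the two bypass paths the
page describes and flags whitelist entries outside internal address space.
"""
import ipaddress

# Constructed sample inputs mirroring the page's values. 203.0.113.25 is a
# documentation-range address standing in for a public MTA someone whitelisted.
MYNETWORKS = "127.0.0.0/8 10.0.0.0/8 192.168.0.0/16"
CLIENT_WHITELIST = """\
# constructed /opt/zimbra/postfix/conf/amavis_client_whitelist
192.168.1.1     FILTER smtp-amavis:[127.0.0.1]:10026
203.0.113.25    FILTER smtp-amavis:[127.0.0.1]:10026
"""

# Assumed definition of "internal": RFC 1918 plus loopback (v4 and v6 ULA/loopback).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]
AMAVIS_WHITELIST_PORT = ":10026"  # the amavis listener bound to CLIENTWHITELIST


def parse_mynetworks(value):
    """Split the space-separated zimbraMtaMyNetworks value into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def parse_access_map(text):
    """Parse an access(5) source file into {lookup_key: action}; skips comments/blank lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1]
    return entries


def hash_map_lookup_keys(ip):
    """Keys Postfix tries for an IPv4 client in a hash: access map: the full
    address, then the parent prefixes A.B.C, A.B and A. IPv6 parent lookups
    use a different scheme and are not modelled here (full address only)."""
    if ip.version != 4:
        return [str(ip)]
    octets = str(ip).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def key_to_network(key):
    """Turn an access-map key into a network, or None for non-address keys such
    as host names. A partial key like 192.168 means 192.168.0.0/16."""
    if "/" in key:
        return ipaddress.ip_network(key, strict=False)
    octets = key.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() for o in octets):
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)), strict=False)
    return None


def is_internal(net):
    """True when the whole network sits inside one of INTERNAL_RANGES."""
    return any(r.version == net.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def classify_client(ip_str, mynetworks, access_map):
    """Policy bank a connecting client would end up in. Assumed precedence:
    mynetworks membership (ORIGINATING) first, then a FILTER-to-10026 action
    in the access map (CLIENTWHITELIST), otherwise DEFAULT (full checks)."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in mynetworks):
        return "ORIGINATING"
    for key in hash_map_lookup_keys(ip):
        action = access_map.get(key, "")
        if action.upper().startswith("FILTER") and AMAVIS_WHITELIST_PORT in action:
            return "CLIENTWHITELIST"
    return "DEFAULT"


def audit_whitelist(mynetworks, access_map):
    """Return (source, network) pairs that bypass spam checks for non-internal space."""
    findings = []
    for net in mynetworks:
        if not is_internal(net):
            findings.append(("zimbraMtaMyNetworks", str(net)))
    for key, action in access_map.items():
        net = key_to_network(key)
        if net is not None and AMAVIS_WHITELIST_PORT in action and not is_internal(net):
            findings.append(("amavis_client_whitelist", str(net)))
    return findings


if __name__ == "__main__":
    nets = parse_mynetworks(MYNETWORKS)
    amap = parse_access_map(CLIENT_WHITELIST)
    for client in ("10.5.5.5", "192.168.1.1", "203.0.113.25", "198.51.100.7"):
        print(client, "->", classify_client(client, nets, amap))
    for source, net in audit_whitelist(nets, amap):
        print("WARNING: %s whitelists non-internal space %s" % (source, net))
```

Run it as the zimbra user against the real values (`zmprov gs \`zmhostname\` zimbraMtaMyNetworks` output and the access-map source file) after any change to either; a finding means a client outside your own networks will have SpamAssassin skipped entirely, which is exactly the inbound-MTA mistake the introduction warns about. The script deliberately does not rely on Python's `is_private`, which also treats documentation ranges as non-global and would hide the constructed 203.0.113.25 finding.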