Revision as of 00:54, 31 March 2021 by King0770 (talk | contribs) (→‎Section IV - Header checks syntax by example)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Section I - General Info

As a long time fan of Postfix, I use Postfix's header_check feature to discard messages (or redirect) I don't want coming off the wire. In my opinion, using Postfix to discard unwanted messages is a good way to keep spam messages away. However, using header_checks must be used with care. The purpose of this wiki is to guide you to add your own header_checks file for the Zimbra-MTA system.

Section II - Prepare ZCS Machines

First, look at the postfix_header_checks in Zimbra's localconfig.
If you are using versions beyond 8.5, don't use zmlocalconfig; see

zmlocalconfig | grep header_checks

Most likely you will see the following:
postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks

Now, lets create our own header_checks file. Note: For this wiki, I am going to create a "custom_header_checks" file, but you can create your own file.

touch /opt/zimbra/conf/custom_header_checks

zmlocalconfig -e postfix_header_checks="pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks"

zmmtactl restart

zmlocalconfig | grep postfix_header_checks

You should see:
postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks

Don't forget to use postconf to make sure the changes are picked up.

postconf | grep header_checks

If the header_checks are not picked up from the postconf command, run the following command.

zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE

zmmtactl restart

Section III - Editing your custom header checks file

Editing your /opt/zimbra/conf/custom_header_checks is fairly straight forward, just use your favorite editor, i.e vi, nano, emacs.

No need to run postmap against the /opt/zimbra/conf/custom_header_checks

Section IV - Header checks syntax by example

In the interest of brevity and simplicity, I am only going provide a few examples. Honestly, I've only scratched the surface of this feature.

/^Subject:(.*)From U.S. Ambassador to Nigeria/   DISCARD #spam rule no msgs from Nigeria

/^Subject:(.*)\?KOI8-R\?/ DISCARD #spam rule Russian encoding not allowed by this server

/^Subject:.*Bad Word*/ REPLACE Subject: Censored

/^From:(.*)Slice-O-Matic Reviews/   DISCARD #spam rule No slice o-matics

/^From:(.*)Your Free iPad/   DISCARD #spam rule No thank you

/^From:(.*)   DISCARD #spam Known spammer address

/^From:(.*)Tarot Reading/   DISCARD #spam rule No Tarot reading

/^From:(.*) REDIRECT #spam rule redirect all messages from this address

/^From:(.*)<(.*)>(.*)/    REDIRECT

/^To:(.*)<(.*)>(.*)/  REDIRECT

/^To:(.*)*		FILTER

/^To:(.*)*@myprivatecompany.local/		FILTER smtp:

/^Cc:(.*) .     DISCARD     # Drop any messages that are CC'd to a specific address

/^To:(.*) BCC     #BCC to the manager       <<== This feature is available in Postfix 3.0 and later

/^Received: from .+\..+\.mydomain\.com .+(by mail\.mydomain\.com .+) / REPLACE Received: $1

/^Received: from mac7\.local/ IGNORE

/^Received: from .*\.local/  IGNORE

/^Received:.*\[192\.168\.0\.[0-9]/      IGNORE

/^Received:.*\[192\.168\.99\.254/      IGNORE      # Hide my internal IP

/^Received:/ IGNORE     # Hide my internal IP

!if /^From:(.*)<(.*)>(.*)/i
/^Subject: (.+)$/ REPLACE Subject: [TAG] $1

Section V - FAQ's

Question: I want to implement header_checks of my own, will Zimbra Support officially support custom header_checks?
Answer: No. However, you are free to add your own header_checks.

Question: I noticed Zimbra uses /opt/zimbra/conf/, can I edit this file?
Answer: I would suggest if you are wanting to use your own header_checks, keep your header_checks files separate; header_checks for Zimbra, and your own custom header_checks file.

Question: I noticed you are using "DISCARD" in your examples, why are you not using "REJECT"?
Answer: Because using "DISCARD" means the MTA will delete the message; which is what I want given the regexp syntax. The "REJECT" notation will let senders know that their message was rejected, and the MTA refused to deliver their message.

Question: I've added a header_check rule, but it's not working, what do I do?
Answer: Postfix does a good job notating why a specific header_check rule didn't work. Check the /var/log/zimbra.log file.

grep warning /var/log/zimbra.log

Question: Should I do the changes as root or zimbra user?
Answer: zimbra

Question: I noticed in your examples you are using #spam rule, why?
Answer: Easy grepping of the /var/log/zimbra.log file.

grep "spam rule" /var/log/zimbra.log

Question: Are there any examples on the Internet?
Answer: Yes. Just search for "header_checks by example"

Section VI - ZCS 8.5, 8.6, 8.7, 8.8

If you are using ZCS-8.5, 8.6, or 8.7, update the zimbraMtaHeaderChecks setting, instead of updating the local config by running zmlocalconfig.

zmprov mcf zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks  pcre:/opt/zimbra/conf/custom_header_checks'

zmmtactl restart

Section VII - Body Checks

By default, Zimbra does not touch the MTA body_checks feature. However, updating the and localconfig should make postfix start using the body_checks setting. See,
If you want to implement the MTA's body_checks feature, you can do the following.
Note: This is for versions for 8.5, 8.6, 8.7, 8.8

Add the following to the /opt/zimbra/conf/ file (right below delay_warning_time, and above header_checks)

POSTCONF body_checks    LOCAL postfix_body_checks

Then update zimbra's localconfig...

zmlocalconfig -e postfix_body_checks="pcre:/opt/zimbra/conf/custom_body_checks"

touch /opt/zimbra/conf/custom_body_checks

Restart the MTA to pick up the changes. 

zmmtactl stop

zmmtactl start

Then check it...

postconf | grep "^body_checks ="

body_checks = pcre:/opt/zimbra/conf/custom_body_checks  <<== Should see this line

More articles written by me,

Jump to: navigation, search