https://wiki.zimbra.com/api.php?action=feedcontributions&user=Gettyless&feedformat=atomZimbra :: Tech Center - User contributions [en]2024-03-19T09:36:39ZUser contributionsMediaWiki 1.39.0https://wiki.zimbra.com/index.php?title=Relay_per_Domain&diff=18910Relay per Domain2010-03-31T18:52:14Z<p>Gettyless: </p>
<hr />
<div>Reference bug: http://bugzilla.zimbra.com/show_bug.cgi?id=32740<br />
<br />
<br />
Zimbra allows relaying emails to a specific server only, i.e using zimbraMtaRelayHost. However, there are needs to relay emails per domain basis based on '''the sender'''. For example, you want emails sent by users@domain1.com should be relayed through smtp.domain1.com and users@domain2.com through smtp.domain2.com servers. You can configure it using postfix's "sender_dependent_relayhost_maps". <br />
<br />
'''This is an example and tested on ZCS 5.0.16'''<br />
<br />
'''Note: Below settings will not survive zimbra upgrades. Make sure you take backup of config files before upgrading.'''<br />
<br />
1. Add following line to /opt/zimbra/postfix/conf/main.cf<br />
<br />
''sender_dependent_relayhost_maps = hash:/opt/zimbra/postfix/conf/bysender''<br />
<br />
2. Create file /opt/zimbra/postfix/conf/bysender and enter your domain names and relay server's IP addresses.<br />
<br />
''@domain1.com [10.10.10.1]''<br />
''@domain2.com [20.20.20.1]''<br />
<br />
You can even add individual email IDs to relay their emails to specific relay host.<br />
<br />
''user@domain.com [10.10.10.2]''<br />
<br />
3. Create the hash file.<br />
<br />
''postmap /opt/zimbra/postfix/conf/bysender''<br />
<br />
<br />
4. Restart zmmtactl<br />
<br />
''zmmtactl stop''<br />
''zmmtactl start''<br />
<br />
5. Test by sending emails.<br />
<br />
<br />
<br />
<br />
{{Article Footer|ZCS 5.0.16|6/4/2009}}<br />
<br />
[[Category:Administration]]<br />
[[Category:MTA]]<br />
[[Category:ZCS 5.0]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Relay_per_Domain&diff=18909Relay per Domain2010-03-31T18:50:32Z<p>Gettyless: </p>
<hr />
<div>Reference bug: http://bugzilla.zimbra.com/show_bug.cgi?id=32740<br />
<br />
<br />
Zimbra allows relaying emails to a specific server only, i.e using zimbraMtaRelayHost. However, there are needs to relay emails per domain basis based on '''the sender'''. For example, you want emails sent by users@domain1.com should be relayed through smtp.domain1.com and users@domain2.com through smtp.domain2.com servers. You can configure it using postfix's "sender_dependent_relayhost_maps". <br />
<br />
'''This is an example and tested on ZCS 5.0.16'''<br />
<br />
1. Add following line to /opt/zimbra/postfix/conf/main.cf<br />
<br />
''sender_dependent_relayhost_maps = hash:/opt/zimbra/postfix/conf/bysender''<br />
<br />
2. Create file /opt/zimbra/postfix/conf/bysender and enter your domain names and relay server's IP addresses.<br />
<br />
''@domain1.com [10.10.10.1]''<br />
''@domain2.com [20.20.20.1]''<br />
<br />
You can even add individual email IDs to relay their emails to specific relay host.<br />
<br />
''user@domain.com [10.10.10.2]''<br />
<br />
3. Create the hash file.<br />
<br />
''postmap /opt/zimbra/postfix/conf/bysender''<br />
<br />
<br />
4. Restart zmmtactl<br />
<br />
''zmmtactl stop''<br />
''zmmtactl start''<br />
<br />
5. Test by sending emails.<br />
<br />
'''Note: Above settings will not survive zimbra upgrades. Make sure you take backup of config files before upgrading.'''<br />
<br />
<br />
{{Article Footer|ZCS 5.0.16|6/4/2009}}<br />
<br />
[[Category:Administration]]<br />
[[Category:MTA]]<br />
[[Category:ZCS 5.0]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Relay_per_Domain&diff=18908Relay per Domain2010-03-31T18:48:54Z<p>Gettyless: </p>
<hr />
<div>Reference bug: http://bugzilla.zimbra.com/show_bug.cgi?id=32740<br />
<br />
<br />
Zimbra allows relaying emails to a specific server only, i.e using zimbraMtaRelayHost. However, there are needs to relay emails per domain basis based on *the sender*. For example, you want emails sent by users@domain1.com should be relayed through smtp.domain1.com and users@domain2.com through smtp.domain2.com servers. You can configure it using postfix's "sender_dependent_relayhost_maps". <br />
<br />
'''This is an example and tested on ZCS 5.0.16'''<br />
<br />
1. Add following line to /opt/zimbra/postfix/conf/main.cf<br />
<br />
''sender_dependent_relayhost_maps = hash:/opt/zimbra/postfix/conf/bysender''<br />
<br />
2. Create file /opt/zimbra/postfix/conf/bysender and enter your domain names and relay server's IP addresses.<br />
<br />
''@domain1.com [10.10.10.1]''<br />
''@domain2.com [20.20.20.1]''<br />
<br />
You can even add individual email IDs to relay their emails to specific relay host.<br />
<br />
''user@domain.com [10.10.10.2]''<br />
<br />
3. Create the hash file.<br />
<br />
''postmap /opt/zimbra/postfix/conf/bysender''<br />
<br />
<br />
4. Restart zmmtactl<br />
<br />
''zmmtactl stop''<br />
''zmmtactl start''<br />
<br />
5. Test by sending emails.<br />
<br />
'''Note: Above settings will not survive zimbra upgrades. Make sure you take backup of config files before upgrading.'''<br />
<br />
<br />
{{Article Footer|ZCS 5.0.16|6/4/2009}}<br />
<br />
[[Category:Administration]]<br />
[[Category:MTA]]<br />
[[Category:ZCS 5.0]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Firewall_Configuration&diff=18158Firewall Configuration2010-02-22T04:00:37Z<p>Gettyless: /* Standard Zimbra ports */</p>
<hr />
<div>== Firewall Configuration ==<br />
Although the Zimbra Installation instructions tell you install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall. <br />
<br />
=== Needed Ports ===<br />
==== Standard Zimbra ports ====<br />
<br />
<table border cellspacing=0 cellpadding=5><br />
<tr><td>SMTP</td><td>25</td><td>tcp</td><td></td></tr><br />
<tr><td>HTTP</td><td>80</td><td>tcp</td><td></td></tr><br />
<tr><td>POP3</td><td>110</td><td>tcp</td><td></td></tr><br />
<tr><td>IMAP</td><td>143</td><td>tcp </td><td>should probably be limited by a firewall to your local network only</td></tr><br />
<tr><td>LDAP</td><td>389</td><td>tcp</td><td></td></tr><br />
<tr><td>HTTPS</td><td>443</td><td>tcp</td><td></td></tr><br />
<tr><td>SMTPS</td><td>465</td><td>tcp</td><td></td></tr><br />
<tr><td>IMAPS</td><td>993</td><td>tcp</td><td></td></tr><br />
<tr><td>POP3S</td><td>995</td><td>tcp</td><td></td></tr><br />
<tr><td>(Admin Interface)</td><td>7071</td><td>tcp</td><td>This is the should probably be limited by a firewall to your local network only</td></tr><br />
<tr><td>LMTP</td><td>7025</td><td>tcp</td><td>should probably be limited by a firewall to your local network only</td></tr><br />
</table><br />
<br />
==== Cluster Suite Ports ====<br />
These would only be used on a zimbra cluster. ''All of these ports should be limited by a firewall to your local network only.''<br />
<br />
*rgmanager<br />
**port 41966/tcp<br />
**port 41967/tcp<br />
**port 41968/tcp<br />
**port 41969/tcp<br />
*ccsd<br />
**port 50006/tcp<br />
**port 50007udp<br />
**port 50008/tcp<br />
**port 50009/tcp<br />
*dlm <br />
**port 21064/tcp<br />
*cman<br />
**port 6809/udp<br />
*gnbd<br />
**port 14567/tcp<br />
<br />
=== Example Configuration Files ===<br />
==== RedHat Advanced Server ====<br />
The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.<br />
<br />
''/etc/sysconfig/iptables''<br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
# enable ssh and snmp<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24<br />
# enable zimbra ports<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24<br />
# enable cluster communications<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24<br />
# reject everything else<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
<br />
<br />
{{Article Footer|unknown|1/26/2007}}<br />
<br />
[[Category:Configuration]]<br />
[[Category:Installation]]<br />
[[Category:Ports]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Firewall_Configuration&diff=18157Firewall Configuration2010-02-22T03:59:10Z<p>Gettyless: /* Standard Zimbra ports */</p>
<hr />
<div>== Firewall Configuration ==<br />
Although the Zimbra Installation instructions tell you install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall. <br />
<br />
=== Needed Ports ===<br />
==== Standard Zimbra ports ====<br />
<br />
<table border cellspacing=0 cellpadding=5><br />
<tr><td>SMTP</td><td>25</td><td>tcp</td><td></td></tr><br />
<tr><td>HTTP</td><td>80</td><td>tcp</td><td></td></tr><br />
<tr><td>POP3</td><td>110</td><td>tcp</td><td></td></tr><br />
<tr><td>IMAP</td><td>143</td><td>tcp </td><td>(''should probably be limited by a firewall to your local network only'')</td></tr><br />
<tr><td>LDAP</td><td>389</td><td>tcp</td><td></td></tr><br />
<tr><td>HTTPS</td><td>443</td><td>tcp</td><td></td></tr><br />
<tr><td>SMTPS</td><td>465</td><td>tcp</td><td></td></tr><br />
<tr><td>IMAPS</td><td>993</td><td>tcp</td><td></td></tr><br />
<tr><td>POP3S</td><td>995</td><td>tcp</td><td></td></tr><br />
</table><br />
<br />
<br />
<br />
*Admin Interface<br />
** port 7071/tcp ''should probably be limited by a firewall to your local network only''<br />
*LMTP<br />
** port 7025/tcp ''should probably be limited by a firewall to your local network only''<br />
<br />
==== Cluster Suite Ports ====<br />
These would only be used on a zimbra cluster. ''All of these ports should be limited by a firewall to your local network only.''<br />
<br />
*rgmanager<br />
**port 41966/tcp<br />
**port 41967/tcp<br />
**port 41968/tcp<br />
**port 41969/tcp<br />
*ccsd<br />
**port 50006/tcp<br />
**port 50007udp<br />
**port 50008/tcp<br />
**port 50009/tcp<br />
*dlm <br />
**port 21064/tcp<br />
*cman<br />
**port 6809/udp<br />
*gnbd<br />
**port 14567/tcp<br />
<br />
=== Example Configuration Files ===<br />
==== RedHat Advanced Server ====<br />
The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.<br />
<br />
''/etc/sysconfig/iptables''<br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
# enable ssh and snmp<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24<br />
# enable zimbra ports<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24<br />
# enable cluster communications<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24<br />
# reject everything else<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
<br />
<br />
{{Article Footer|unknown|1/26/2007}}<br />
<br />
[[Category:Configuration]]<br />
[[Category:Installation]]<br />
[[Category:Ports]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Firewall_Configuration&diff=18156Firewall Configuration2010-02-22T03:58:16Z<p>Gettyless: </p>
<hr />
<div>== Firewall Configuration ==<br />
Although the Zimbra Installation instructions tell you install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall. <br />
<br />
=== Needed Ports ===<br />
==== Standard Zimbra ports ====<br />
<br />
<table border cellspacing=0 cellpadding=5><br />
<tr><td>SMTP</td><td>25</td><td>tcp</td></td><td></tr><br />
<tr><td>HTTP</td><td>80</td><td>tcp</td></td><td></tr><br />
<tr><td>POP3</td><td>110</td><td>tcp</td></td><td></tr><br />
<tr><td>IMAP</td><td>143</td><td>tcp </td><td>(''should probably be limited by a firewall to your local network only'')</td></tr><br />
<tr><td>LDAP</td><td>389</td><td>tcp</td></td><td></tr><br />
<tr><td>HTTPS</td><td>443</td><td>tcp</td></td><td></tr><br />
<tr><td>SMTPS</td><td>465</td><td>tcp</td></td><td></tr><br />
<tr><td>IMAPS</td><td>993</td><td>tcp</td></td><td></tr><br />
<tr><td>POP3S</td><td>995</td><td>tcp</td></td><td></tr><br />
<br />
</table><br />
<br />
<br />
<br />
*Admin Interface<br />
** port 7071/tcp ''should probably be limited by a firewall to your local network only''<br />
*LMTP<br />
** port 7025/tcp ''should probably be limited by a firewall to your local network only''<br />
<br />
==== Cluster Suite Ports ====<br />
These would only be used on a zimbra cluster. ''All of these ports should be limited by a firewall to your local network only.''<br />
<br />
*rgmanager<br />
**port 41966/tcp<br />
**port 41967/tcp<br />
**port 41968/tcp<br />
**port 41969/tcp<br />
*ccsd<br />
**port 50006/tcp<br />
**port 50007udp<br />
**port 50008/tcp<br />
**port 50009/tcp<br />
*dlm <br />
**port 21064/tcp<br />
*cman<br />
**port 6809/udp<br />
*gnbd<br />
**port 14567/tcp<br />
<br />
=== Example Configuration Files ===<br />
==== RedHat Advanced Server ====<br />
The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.<br />
<br />
''/etc/sysconfig/iptables''<br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
# enable ssh and snmp<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24<br />
# enable zimbra ports<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24<br />
# enable cluster communications<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24<br />
# reject everything else<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
<br />
<br />
{{Article Footer|unknown|1/26/2007}}<br />
<br />
[[Category:Configuration]]<br />
[[Category:Installation]]<br />
[[Category:Ports]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Firewall_Configuration&diff=18155Firewall Configuration2010-02-22T03:56:44Z<p>Gettyless: /* Standard Zimbra ports */</p>
<hr />
<div>== Firewall Configuration ==<br />
Although the Zimbra Installation instructions tell you install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall. <br />
<br />
=== Needed Ports ===<br />
==== Standard Zimbra ports ====<br />
<br />
<table border cellspacing=0 cellpadding=5><br />
<tr><td>SMTP</td><td>25/tcp</td></tr><br />
<tr><td>HTTP</td><td>80/tcp</td></tr><br />
<tr><td>POP3</td><td>110/tcp</td></tr><br />
<tr><td>IMAP</td><td>143/tcp (''should probably be limited by a firewall to your local network only'')</td></tr><br />
<tr><td>LDAP</td><td>389/tcp</td></tr><br />
<tr><td>HTTPS</td><td>443/tcp</td></tr><br />
<tr><td>SMTPS</td><td>465/tcp</td></tr><br />
<tr><td>IMAPS</td><td>993/tcp</td></tr><br />
<tr><td>POP3S</td><td>995/tcp</td></tr><br />
<br />
</table><br />
<br />
<br />
<br />
*Admin Interface<br />
** port 7071/tcp ''should probably be limited by a firewall to your local network only''<br />
*LMTP<br />
** port 7025/tcp ''should probably be limited by a firewall to your local network only''<br />
<br />
==== Cluster Suite Ports ====<br />
These would only be used on a zimbra cluster. ''All of these ports should be limited by a firewall to your local network only.''<br />
<br />
*rgmanager<br />
**port 41966/tcp<br />
**port 41967/tcp<br />
**port 41968/tcp<br />
**port 41969/tcp<br />
*ccsd<br />
**port 50006/tcp<br />
**port 50007udp<br />
**port 50008/tcp<br />
**port 50009/tcp<br />
*dlm <br />
**port 21064/tcp<br />
*cman<br />
**port 6809/udp<br />
*gnbd<br />
**port 14567/tcp<br />
<br />
=== Example Configuration Files ===<br />
==== RedHat Advanced Server ====<br />
The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.<br />
<br />
''/etc/sysconfig/iptables''<br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
# enable ssh and snmp<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24<br />
# enable zimbra ports<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24<br />
# enable cluster communications<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24<br />
# reject everything else<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
<br />
<br />
{{Article Footer|unknown|1/26/2007}}<br />
<br />
[[Category:Configuration]]<br />
[[Category:Installation]]<br />
[[Category:Ports]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Firewall_Configuration&diff=18154Firewall Configuration2010-02-22T03:56:01Z<p>Gettyless: /* Firewall Configuration */</p>
<hr />
<div>== Firewall Configuration ==<br />
Although the Zimbra Installation instructions tell you install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall. <br />
<br />
=== Needed Ports ===<br />
==== Standard Zimbra ports ====<br />
<br />
<table border cellspacing=0 cellpadding=5><br />
<tr><br />
<td>SMTP</td><td>25/tcp</td><br />
<td>HTTP</td><td>80/tcp</td><br />
<td>POP3</td><td>110/tcp</td><br />
<td>IMAP</td><td>143/tcp (''should probably be limited by a firewall to your local network only'')</td><br />
<td>LDAP</td><td>389/tcp</td><br />
<td>HTTPS</td><td>443/tcp</td><br />
<td>SMTPS</td><td>465/tcp</td><br />
<td>IMAPS</td><td>993/tcp</td><br />
<td>POP3S</td><td>995/tcp</td><br />
<br />
</tr><br />
</table><br />
<br />
<br />
<br />
*Admin Interface<br />
** port 7071/tcp ''should probably be limited by a firewall to your local network only''<br />
*LMTP<br />
** port 7025/tcp ''should probably be limited by a firewall to your local network only''<br />
<br />
==== Cluster Suite Ports ====<br />
These would only be used on a zimbra cluster. ''All of these ports should be limited by a firewall to your local network only.''<br />
<br />
*rgmanager<br />
**port 41966/tcp<br />
**port 41967/tcp<br />
**port 41968/tcp<br />
**port 41969/tcp<br />
*ccsd<br />
**port 50006/tcp<br />
**port 50007udp<br />
**port 50008/tcp<br />
**port 50009/tcp<br />
*dlm <br />
**port 21064/tcp<br />
*cman<br />
**port 6809/udp<br />
*gnbd<br />
**port 14567/tcp<br />
<br />
=== Example Configuration Files ===<br />
==== RedHat Advanced Server ====<br />
The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.<br />
<br />
''/etc/sysconfig/iptables''<br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
# enable ssh and snmp<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24<br />
# enable zimbra ports<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24<br />
# enable cluster communications<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24<br />
# reject everything else<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
<br />
<br />
{{Article Footer|unknown|1/26/2007}}<br />
<br />
[[Category:Configuration]]<br />
[[Category:Installation]]<br />
[[Category:Ports]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Improving_Anti-spam_system&diff=18144Improving Anti-spam system2010-02-20T08:29:45Z<p>Gettyless: </p>
<hr />
<div>{{Unsupported}}<br />
<br />
These are some community suggested methods for improving Zimbra's anti-spam system. They have met with some success, but are not tested/supported by Zimbra. Additionally, changes made here will likely '''not''' persist across upgrades.<br />
<br />
--[[User:ApolloDS|ApolloDS]] 02:35, 10 February 2007 (CST) I setup today the following also on Zimbra 4.5.1 and it works without problems.<br />
<br />
--[[User:Centurion|Centurion]] 16:40, 15 June 2007 (Aust EST) I succesfully added a custom rule set to /opt/zimbra/conf/spamassassin (on our Zimbra 4.5.5 server). The rules were a series of files ending in ".cf" and contained known-working SpamAssassin rules. Seeing as I couldn't find any way to "lint" the rules from any code under /opt/zimbra, I simply used a different machine with the same version of SpamAssassin. Storing all your rules in salocal.cf.in can get cumbersome as your custom rules grow - so create ".cf" files, drop the rules into /opt/zimbra/conf/spamassassin and you're done. Also there are plenty of pre-written rules you can use to extend the Zimbra SpamAssassin rules, such as, [http://wiki.apache.org/spamassassin/CustomRulesets SpamAssassin's List] and [http://www.rulesemporium.com/ SARE].<br />
<br />
== salocal.cf.in ==<br />
<br />
The easiest way to "tweak" your spamassassin filtering setup is to edit your /opt/zimbra/conf/salocal.cf.in file, which is designed specifically for "local" (ie user) configuration. Modifying only this file makes for easier upgrades, and protects your spamassasin installation from inadvertant destruction. Keep in mind, however, that Zimbra replaces this file on every upgrade, so you'll want to create a cron job to copy it to the backup folder (or some other safe location) on a regular basis.<br />
<br />
====Blacklists and Whitelists====<br />
The simplest filtering methods for spamassasin are the blacklist and whitelist. Blacklist entries block all email from an address or domain, and whitelist entries bypass all filtering for an address or domain. To add blackist or whitelist entries to your salocal.cf.in file, simply add lines in the following format:<br />
<pre><br />
blacklist_from sales@traveloforange.com<br />
whitelist_from bill@yahoo.net<br />
blacklist_from *@emn-mysavingsnow.net<br />
</pre><br />
Note that * is a wildcard. In this example *@emn-mysavingsnow.net indicates all email from any user at emn-mysavingsnow.net.<br />
<br />
When you are finished editing the salocal.cf.in file, restart Zimbra spamassassin by issuing the following command at the server prompt (as the zimbra user):<br />
<br />
<pre>zmamavisdctl restart</pre><br />
<br />
====Basic Rules====<br />
Spamassasin works by reading the headers and content of an email, and applying rules to that content. Rules can be in the form of a particular word or phrase, as well as a variety of built in functions. When a rule is "hit" while evaluating an email, a point score is added to that email's total score. When an emails total score exceeds a certain threshold (typically 5 on a Zimbra system) the email is either marked as spam, or, if the score is high enough, deleted automatically.<br />
<br />
Rules are in the form of a test followed by a score. The rule mechanism typically uses perl regular expressions to search for specific content within an email. Custom rules should be added to the salocal.cf.in file in the following format:<br />
<pre><br />
body LOCAL_RULE /sale/<br />
score LOCAL_RULE 0.5<br />
</pre><br />
The above text creates a rule called LOCAL_RULE that searches the body of the message for the word "sale" in lower case. If it finds the word "sale" anywhere in the body, it adds 0.5 to the total score of the email. Note that the score is only applied once - multiple instances of the word "sale" in the same email will not be scored separately. Also note that you should always precede the name of your own rules with the word LOCAL, as in the example above, to distinguish them from built in spamassasin rules, and prevent accidental duplicate names.<br />
<br />
Perl regular expressions are quite a powerful mechanism for locating text. Some additional examples of perl regular expression based rules:<br />
<pre>body LOCAL_SALE /sale/i</pre> performs a case-insensitive search for the word "sale"<br />
<pre>body LOCAL_STOCK1 /^hot stock tip/i</pre> searches for a line that starts with the words "hot stock tip" in any case<br />
<pre>body LOCAL_4CAPS /[A-Z][A-Z][A-Z][A-Z]/</pre> searches for any 4 capital letters in a row (generally a stock symbol)<br />
<pre>body LOCAL_MONEY /\d?\d?\d?.\d\d\b/</pre> searches for 3 digits, a decimal point, and 2 more digits, and treats as a word<br />
<br />
Google for "perl regular expressions" for help constructing your spamassassin rules.<br />
<br />
You can also search headers for values, and assign a score to them, using the following format:<br />
<pre><br />
header LOCAL_LOCALHOST reply-to =~ /@localhost/<br />
</pre><br />
where "LOCAL_LOCALHOST" is the rule name and "reply-to" is the header field name. The above rule would generate a "hit" if "@localhost" exists anywhere in the header field "reply-to." You can easily view several header options in Zimbra by right clicking on an email in the message list, and choosing "Show Original" from the context menu.<br />
<br />
URIs can be detected as well in the content of an email. URI rules are in the following format:<br />
<pre><br />
uri LOCAL_SALES /sales/<br />
</pre><br />
The above would generate a "hit" only in a URI that has the word "sales" in it, but would not hit on the word "sales" if it does not appear in a URI.<br />
<br />
====Meta Rules====<br />
You can also search for a combination of rules, and apply a score to that combination by creating a "meta" rule, in the following format:<br />
<pre><br />
body LOCAL_FOUR_CAPS /[A-Z][A-Z][A-Z][A-Z]/ <br />
body LOCAL_MONEY /\d?\d?\d?.\d\d\b/<br />
meta LOCAL_STOCK (LOCAL_MONEY && LOCAL_FOUR_CAPS)<br />
score LOCAL_STOCK 1<br />
</pre><br />
The above rule would add 1 to an email's score only if both "LOCAL_FOUR_CAPS" AND "LOCAL_MONEY" were hits. Be careful when creating meta rules, as it is easy to "over-score" and email," such as in the case of the following:<br />
<pre><br />
body LOCAL_FOUR_CAPS /[A-Z][A-Z][A-Z][A-Z]/<br />
score LOCAL_FOUR_CAPS 1 <br />
body LOCAL_MONEY /\d?\d?\d?.\d\d\b/<br />
score LOCAL_MONEY 1<br />
meta LOCAL_STOCK (LOCAL_MONEY && LOCAL_FOUR_CAPS)<br />
score LOCAL_STOCK 1<br />
</pre><br />
The above could add 3 points to the email score, if the meta rule hits.<br />
<br />
When you are finished editing the salocal.cf.in file, restart Zimbra spamassassin by issuing the following command at the server prompt (as the zimbra user):<br />
<br />
<pre>zmamavisdctl restart</pre><br />
<br />
====Class A IP Address Blocks====<br />
<br />
For mail servers in Unites States, below is a list of Class "A" blocks of IP's registered to non-ARIN entities.<br />
I also have US ISP's that have been bad in the past, so have added IP's using format examples below.<br />
Since it's one of those YMMV things, am only including the Non-ARIN Class "A" blocks below for starters.<br />
[http://www.arin.net Arin's Website]<br />
<br />
As 'root' :<br />
vi /opt/zimbra/conf/salocal.cf.in<br />
<br />
Copy and paste below in salocal.cf.in and save.<br />
Then,<br />
<pre><br />
su zimbra<br />
zmamavisdctl restart<br />
</pre><br />
<br />
<pre><br />
header LOCAL_RULE_RIPE_1 Received =~ /\[25\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_1 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_1 4.123<br />
<br />
header LOCAL_RULE_RIPE_4 Received =~ /\[62\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_4 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_4 4.123<br />
<br />
header LOCAL_RULE_RIPE_5 Received =~ /\[80\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_5 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_5 4.123<br />
<br />
header LOCAL_RULE_RIPE_6 Received =~ /\[81\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_6 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_6 4.123<br />
<br />
header LOCAL_RULE_RIPE_7 Received =~ /\[82\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_7 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_7 4.123<br />
<br />
header LOCAL_RULE_RIPE_8 Received =~ /\[83\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_8 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_8 4.123<br />
<br />
header LOCAL_RULE_RIPE_9 Received =~ /\[84\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_9 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_9 4.123<br />
<br />
header LOCAL_RULE_RIPE_10 Received =~ /\[85\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_10 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_10 4.123<br />
<br />
header LOCAL_RULE_RIPE_11 Received =~ /\[86\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_11 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_11 4.123<br />
<br />
header LOCAL_RULE_RIPE_12 Received =~ /\[87\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_12 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_12 4.123<br />
<br />
header LOCAL_RULE_RIPE_13 Received =~ /\[88\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_13 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_13 4.123<br />
<br />
header LOCAL_RULE_RIPE_14 Received =~ /\[89\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_14 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_14 4.123<br />
<br />
header LOCAL_RULE_RIPE_15 Received =~ /\[80\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_15 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_15 4.123<br />
<br />
header LOCAL_RULE_RIPE_16 Received =~ /\[90\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_16 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_16 4.123<br />
<br />
header LOCAL_RULE_RIPE_17 Received =~ /\[91\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_17 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_17 4.123<br />
<br />
header LOCAL_RULE_RIPE_18 Received =~ /\[188\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_18 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_18 4.123<br />
<br />
header LOCAL_RULE_RIPE_19 Received =~ /\[193\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_19 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_19 4.123<br />
<br />
header LOCAL_RULE_RIPE_20 Received =~ /\[194\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_20 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_20 4.123<br />
<br />
header LOCAL_RULE_RIPE_21 Received =~ /\[195\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_21 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_21 4.123<br />
<br />
header LOCAL_RULE_RIPE_22 Received =~ /\[212\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_22 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_22 4.123<br />
<br />
header LOCAL_RULE_RIPE_23 Received =~ /\[213\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_23 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_23 4.123<br />
<br />
header LOCAL_RULE_RIPE_24 Received =~ /\[217\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_RIPE_24 Spam passed through possible spammer relay<br />
score LOCAL_RULE_RIPE_24 4.123<br />
<br />
header LOCAL_RULE_APNIC_1 Received =~ /\[58\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_1 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_1 4.123<br />
<br />
header LOCAL_RULE_APNIC_2 Received =~ /\[59\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_2 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_2 4.123<br />
<br />
header LOCAL_RULE_APNIC_3 Received =~ /\[60\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_3 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_3 4.123<br />
<br />
header LOCAL_RULE_APNIC_4 Received =~ /\[61\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_4 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_4 4.123<br />
<br />
header LOCAL_RULE_APNIC_5 Received =~ /\[121\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_5 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_5 4.123<br />
<br />
header LOCAL_RULE_APNIC_6 Received =~ /\[122\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_6 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_6 4.123<br />
<br />
header LOCAL_RULE_APNIC_7 Received =~ /\[123\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_7 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_7 4.123<br />
<br />
header LOCAL_RULE_APNIC_8 Received =~ /\[124\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_8 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_8 4.123<br />
<br />
header LOCAL_RULE_APNIC_9 Received =~ /\[125\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_9 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_9 4.123<br />
<br />
header LOCAL_RULE_APNIC_10 Received =~ /\[126\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_10 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_10 4.123<br />
<br />
header LOCAL_RULE_APNIC_11 Received =~ /\[202\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_11 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_11 4.123<br />
<br />
header LOCAL_RULE_APNIC_12 Received =~ /\[203\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_12 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_12 4.123<br />
<br />
header LOCAL_RULE_APNIC_13 Received =~ /\[210\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_13 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_13 4.123<br />
<br />
header LOCAL_RULE_APNIC_14 Received =~ /\[211\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_14 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_14 4.123<br />
<br />
header LOCAL_RULE_APNIC_15 Received =~ /\[218\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_15 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_15 4.123<br />
<br />
header LOCAL_RULE_APNIC_16 Received =~ /\[219\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_16 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_16 4.123<br />
<br />
header LOCAL_RULE_APNIC_17 Received =~ /\[220\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_17 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_17 4.123<br />
<br />
header LOCAL_RULE_APNIC_18 Received =~ /\[221\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_18 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_18 4.123<br />
<br />
header LOCAL_RULE_APNIC_19 Received =~ /\[222\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_APNIC_19 Spam passed through possible spammer relay<br />
score LOCAL_RULE_APNIC_19 4.123<br />
<br />
header LOCAL_RULE_JPNIC_1 Received =~ /\[43\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_JPNIC_1 Spam passed through possible spammer relay<br />
score LOCAL_RULE_JPNIC_1 4.123<br />
<br />
header LOCAL_RULE_JPNIC_2 Received =~ /\[133\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_JPNIC_2 Spam passed through possible spammer relay<br />
score LOCAL_RULE_JPNIC_2 4.123<br />
<br />
header LOCAL_RULE_AFRINIC_1 Received =~ /\[41\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_AFRINIC_1 Spam passed through possible spammer relay<br />
score LOCAL_RULE_AFRINIC_1 4.123<br />
<br />
header LOCAL_RULE_AFRINIC_2 Received =~ /\[196\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_AFRINIC_2 Spam passed through possible spammer relay<br />
score LOCAL_RULE_AFRINIC_2 4.123<br />
<br />
header LOCAL_RULE_LACNIC_1 Received =~ /\[189\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_LACNIC_1 Spam passed through possible spammer relay<br />
score LOCAL_RULE_LACNIC_1 4.123<br />
<br />
header LOCAL_RULE_LACNIC_2 Received =~ /\[190\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_LACNIC_2 Spam passed through possible spammer relay<br />
score LOCAL_RULE_LACNIC_2 4.123<br />
<br />
header LOCAL_RULE_LACNIC_3 Received =~ /\[200\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_LACNIC_3 Spam passed through possible spammer relay<br />
score LOCAL_RULE_LACNIC_3 4.123<br />
<br />
header LOCAL_RULE_LACNIC_4 Received =~ /\[201\.\d{1,3}\.\d{1,3}\.\d{1,3}\]/<br />
describe LOCAL_RULE_LACNIC_4 Spam passed through possible spammer relay<br />
score LOCAL_RULE_LACNIC_4 4.123<br />
<br />
</pre><br />
<br />
==SPF==<br />
<br />
First of all, zimbra spamassassin has no SPF enabled. Since perl enviroment is system way integrated, adding SPF support is fair simple.<br />
<br />
Read more about SPF and how to configure it for your domain: http://www.openspf.org/<br />
<br />
Also, there are tools for testing your SPF settings: http://www.openspf.org/Tools<br />
<br />
===RedHat/CentOS===<br />
If you use RedHat or CentOS, you can "yum-it" from dag.wieers.com repositories by executing:<br />
<pre>yum install perl-Mail-SPF</pre><br />
<br />
Important note: perl-Mail-SPF and perl-Mail-SPF-Query are mutually exclusive. If you install one, don't install the other. Per this thread (http://lists.rpmforge.net/pipermail/users/2007-October/thread.html#1044), it appears that perl-Mail-SPF-Query has not been updated since Feb 2006, while perl-Mail-SPF was updated as recently as May 2007 and is more RFC compliant. So, the recommendation is to use perl-Mail-SPF and not perl-Mail-SPF-Query.<br />
<br />
You can add the dag.wieers.com repository to your server by installing an rpm for your system. See:<br />
<br />
http://dag.wieers.com/rpm/FAQ.php#B2<br />
<br />
===Ubuntu 6.06LTS (Dapper)===<br />
<pre>sudo apt-get install libmail-spf-query-perl</pre><br />
<br />
===Other===<br />
For every other platform you can install SPF by opening, and configuring in case you didn't, cpan command line utility and executing:<br />
<pre><br />
perl -MCPAN -eshell<br />
install Mail::SPF::Query<br />
</pre><br />
----<br />
<br />
==Razor2==<br />
<br />
Second, we added Razor2 in order to improve score. <br />
<br />
===Installing Razor===<br />
<br />
====CentOS====<br />
<br />
There are several ways to install Razor-Agent. Two common ways are listed below:<br />
<br />
=====Yum / RPM package=====<br />
<br />
The perl-Razor-Agent is available through Dag Wiers apt/yum repository:<br />
<br />
You will need to configure yum to use Dag Wiers repository for your Release and Architecture which is outside the scope of this document (google rpmforge-release). Enable Dag's repository and append the following line to Dag's repository section:<br />
<pre><br />
includepkgs=perl-Razor-Agent perl-Digest-HMAC perl-Digest-SHA1 perl-Net-DNS perl-Net-IP razor-agents<br />
</pre><br />
<br />
Install the Razor-Agnet and its dependencies:<br />
<pre><br />
# yum install perl-Razor-Agent razor-agents<br />
</pre><br />
<br />
Alternatively you can download the specific packages directly from Dag's mirrors and install manually with the rpm command. The downside is you are not notified if there is a patch or update to these packages.<br />
<br />
Open your firewall ports for razor2 (TCP/2703 outgoing).<br />
<br />
<br />
=====Compile=====<br />
<br />
As root: Get razor-agents-sdk from razor.sourceforge.net, untar it and <br />
<pre><br />
perl Makefile.PL<br />
make<br />
make install<br />
</pre><br />
<br />
Get also razor-agents from razor.sourceforge.net, untar it and <br />
<pre><br />
perl Makefile.PL<br />
make <br />
make install<br />
</pre><br />
<br />
Open your firewall ports for razor2 (TCP/2703 outgoing).<br />
<br />
====Fedora====<br />
<pre><br />
Downloading Packages:<br />
(1/2): perl-Razor-Agent-2 100% |=========================| 84 kB 00:07 <br />
(2/2): razor-agents-2.81- 100% |=========================| 51 kB 00:06 <br />
Running Transaction Test<br />
Finished Transaction Test<br />
Transaction Test Succeeded<br />
Running Transaction<br />
Installing: perl-Razor-Agent ######################### [1/2] <br />
Installing: razor-agents ######################### [2/2] <br />
<br />
Installed: razor-agents.i386 0:2.81-2.fc5.rf<br />
Dependency Installed: perl-Razor-Agent.i386 0:2.81-2.fc5.rf<br />
Complete!<br />
</pre><br />
<br />
===Configuring Razor===<br />
<br />
Create .razor folder in /opt/zimbra/amavisd and give zimbra user permissions <br />
<pre><br />
mkdir /opt/zimbra/amavisd/.razor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor<br />
</pre><br />
<br />
As zimbra user, create your razor account: <br />
<pre><br />
razor-admin -home=/opt/zimbra/amavisd/.razor -create <br />
razor-admin -home=/opt/zimbra/amavisd/.razor -discover <br />
razor-admin -home=/opt/zimbra/amavisd/.razor -register<br />
</pre><br />
<br />
<br />
And finally enable razor. Edit /opt/zimbra/conf/spamassassin/v310.pre and uncomment line <br />
<pre><br />
loadplugin Mail::SpamAssassin::Plugin::Razor2<br />
</pre><br />
<br />
----<br />
<br />
==Pyzor==<br />
<br />
Now we are going to add pyzor support for increase (again) spam score<br />
<br />
===Installing Pyzor===<br />
<br />
====CentOS====<br />
<br />
As root, install python support. <br />
<pre><br />
yum install python<br />
</pre><br />
<br />
Get pyzor package from pyzor.sourceforge.net, untar it and: <br />
<pre><br />
python setup.py build <br />
python setup.py install<br />
</pre><br />
<br />
Set perms according with pyzor readme. <br />
<pre><br />
chmod -R a+rX /usr/share/doc/pyzor /usr/lib/python2.3/site-packages/pyzor /usr/bin/pyzor /usr/bin/pyzord<br />
</pre><br />
<br />
Set perms for RHEL 5 x86_64 slightly different than above<br />
<pre><br />
chmod -R a+rX /usr/share/doc/pyzor /usr/lib/python2.4/site-packages/pyzor/usr/local/bin/pyzor /usr/bin/pyzord<br />
</pre><br />
<br />
====Fedora====<br />
<br />
As root, install pyzor RPM. It's included in the extra Repository of Fedora.<br />
<pre><br />
yum install pyzor<br />
.<br />
.<br />
Downloading Packages:<br />
(1/1): pyzor-0.4.0-10.fc5 100% |=========================| 65 kB 00:01 <br />
Running Transaction Test<br />
Finished Transaction Test<br />
Transaction Test Succeeded<br />
Running Transaction<br />
Installing: pyzor ######################### [1/1] <br />
<br />
Installed: pyzor.noarch 0:0.4.0-10.fc5<br />
Complete!<br />
</pre><br />
<br />
====SUSE 10====<br />
<br />
As root, install python and python-devel via ''yast2 Software -> Software Management'' menu. <br />
<br />
Get pyzor package from [http://pyzor.sourceforge.net pyzor.sourceforge.net], untar it and: <br />
<pre><br />
python setup.py build <br />
python setup.py install<br />
</pre><br />
<br />
Set perms according with pyzor readme. <br />
<pre><br />
chmod -R a+rX /usr/local/share/doc/pyzor /usr/local/lib/python2.4/site-packages/pyzor /usr/local/bin/pyzor /usr/local/bin/pyzord<br />
</pre><br />
<br />
===Configuring Pyzor===<br />
<br />
Create .pyzor folder into zimbra-amavisd home and set perms <br />
<pre><br />
mkdir /opt/zimbra/amavisd/.pyzor; chown zimbra:zimbra /opt/zimbra/amavisd/.pyzor<br />
</pre><br />
<br />
Open your firewall ports for pyzor (UDP/24441 outgoing)<br />
<br />
And ready to go, as zimbra user, with: <br />
<pre><br />
pyzor --homedir /opt/zimbra/amavisd/.pyzor discover<br />
</pre><br />
<br />
<br />
----<br />
<br />
==Spamassassin Config==<br />
<br />
Now we have PYZOR + RAZOR + SPF. But it would be advisable to enable it and give SPF a higher score. Those admins with wrong SPF entries should be punished since it's not mandatory and so, if you enable it, do it well. So open your spamassassin config at /opt/zimbra/conf/spamassassin/local.cf and add this rules at the end (customize it at your own):<br />
<pre><br />
ok_languages en es <br />
ok_locales en es <br />
trusted_networks 127. 10.70. 192.168.<br />
use_bayes 1<br />
skip_rbl_checks 0<br />
use_razor2 1<br />
#use_dcc 1 <<< WORK IN PROGRESS<br />
use_pyzor 1 <br />
dns_available yes <br />
<br />
## Optional Score Increases <br />
## Choose your preferred values...<br />
score DCC_CHECK 4.000<br />
score SPF_FAIL 10.000 <br />
score SPF_HELO_FAIL 10.000<br />
score RAZOR2_CHECK 2.500<br />
score PYZOR_CHECK 2.500<br />
score BAYES_99 4.300<br />
score BAYES_90 3.500<br />
score BAYES_80 3.000<br />
bayes_ignore_header Received: from mail3.example.com<br />
bayes_ignore_header Received: from localhost<br />
bayes_ignore_header Received: from mail1.example.com<br />
bayes_ignore_header Received: from mail2.example.com<br />
</pre><br />
Note that these numbers can be made even higher if you want the particular filter to have more weight. Check your headers and adjust as needed to achieve the desired result.<br />
<br />
'''required_score'''<br />
<br />
To tweak the ''required_score'' parameter in Zimbra you don't need to edit any config file. This value is calculated from a setting in Zimbra admin page. Enter administration, go to Global Settings >> AV/AS. The ''required_score'' is ''' ''tag percent'' * 0,2'''. So a tag percent value of 25 will result in a required score of 5 (25*0,5=5).<br />
<br />
----<br />
<br />
===Externally-Maintained Whitelists===<br />
Even with the Bayes configurations above, some messages with high Bayes scores get through due to the existence of several externally-maintained whitelists. Essentially these are programs whereby those who subscribe to the program--for a price and agreement to follow certain rules of conduct--get a pass to send unsolicited messages. Spamassassin uses these trusted lists to REDUCE your spam score by assigning a negative point score to the message, which offsets the positive (i.e. "spammy") scores that might result from other filters in your system. <br />
<br />
Some of these lists, such as dnswl.org, are maintained by an all-volunteer group; others, such as the Bonded Sender Program (now known as SenderScoreCertified at www.senderscorecertified.com) and Habeas (www.habeas.com) are commercial enterprises. Each describes their standards on their website; one can, of course, find plenty of heated discussion as to the extent to which the commercial ones enforce their standards.<br />
<br />
Without engaging in the debate as to the motives or purity of one list or another, the administrator needs to evaluate each list and determine whether he/she is comfortable having that list's maintainers influence the performance of local spam filters. This section is intended to help the administrator adjust the relative scoring influences of these whitelists if so desired.<br />
<br />
As with any technology, the services change with time. It is probably a good discipline to review your SpamAssassin configuration files from time to time (after an update in particular) looking for anything that gives your messages a negative score, so you can evaluate if you want to accept that scoring for your local system.<br />
====Bonded Sender Program (BSP)====<br />
The Bonded Sender Program is described at www.senderscorecertified.com. Spamassassin gives BSP hits a -4.5 score, which pretty well overrides everything else you've done and makes the message come through anyhow (BSP's own website actually advocates a -100 score!). The following adjustment in your local.cf file can reduce, or if you wish, neutralize, the effect of BSP on your spam scores:<br />
<pre><br />
# Score to reduce the effect of Bonded Sender Program (BSP) whitelisting<br />
score RCVD_IN_BSP_TRUSTED -0.500<br />
score RCVD_IN_BSP_OTHER -0.500<br />
score RCVD_IN_BONDEDSENDER -0.500<br />
</pre><br />
Change these values to zero and it goes away completely!<br />
<br />
====Habeas====<br />
Habeas, at www.habeas.com, is another such subscription-based whitelisting program. Habeas also recommends a -100 score for the most highly-rated senders in their list, although Spamassassin gives them the more conservative score of -8.0 for the highest-rated senders. A reduced impact score for Habeas (again in local.cf) might look like this: <br />
<pre><br />
# Score to reduce the effect of Habeas whitelisting<br />
score HABEAS_ACCREDITED_COI 0 -0.5 0 -0.5<br />
score HABEAS_ACCREDITED_SOI 0 -0.25 0 -0.25<br />
score HABEAS_CHECKED 0 -0.1 0 -0.1<br />
</pre><br />
Again, all zeros would completely negate these scores<br />
<br />
====ISIPP's SuretyMail (IADB)====<br />
The Institute for Spam and Internet Public Policy (ISIPP) is another for-profit whitelister whose stated purpose in its marketing materials (www.suretymail.com) is to "Send Legitimate E-mail in a Spam-Filtered World." The ISIPP settings appear in SpamAssassin as IADB, and can be modified as follows:<br />
<pre><br />
# Score to reduce the effect of ISIPP/IADB SuretyMail whitelisting<br />
score RCVD_IN_IADB_VOUCHED 0 -0.2 0 -0.2<br />
score RCVD_IN_IADB_DOPTIN 0 -0.4 0 -0.4<br />
score RCVD_IN_IADB_ML_DOPTIN 0 -0.6 0 -0.6<br />
</pre><br />
And of course zeros work as well.<br />
<br />
====dnswl.org====<br />
DNSWL is different from the lists described above, in that it is deliberately a noncommercial list, and its maintainers recognize the potential conflict of interest in having an economic incentive to let senders off the hook (see their "background" page to hear it in their own words. Nevertheless, it is conceivable that administrators will find DNSWL's judgment to be allowing messages through local filters in contravention of local policy. DNSWL's default scores in Spamassassin are -1, -4, and -8. Administrators wishing to reduce these could use the following settings:<br />
<pre><br />
# Score to reduce the effect of DNSWL whitelisting<br />
score RCVD_IN_DNSWL_LOW 0 -0.1 0 -0.1<br />
score RCVD_IN_DNSWL_MED 0 -0.4 0 -0.4<br />
score RCVD_IN_DNSWL_HI 0 -0.8 0 -0.8<br />
</pre><br />
----<br />
<br />
==Amavisd Config==<br />
<br />
Some notes about this: In zimbra, by default, spam with 15 score of higher is discarded by amavisd. If you want your user receive these mails, you have to modify amavisd.conf settings (/opt/zimbra/conf/amavisd.conf) in order to pass this email.<br />
<br />
<pre><br />
$final_spam_destiny = D_PASS<br />
</pre><br />
<br />
==Enable a Milter-based product for AS/AV==<br />
<br />
The following steps have been shown to work on Release 6.0.3_GA_1915.F11_20091118105056 on Fedora 12<br />
<br />
1) Become the Zimbra user<br />
<br />
<pre><br />
su - zimbra<br />
</pre><br />
<br />
2) [Optional] Disable the built-in spam and virus services<br />
<br />
<pre><br />
zmprov -l ms `zmhostname` -zimbraServiceEnabled antivirus<br />
zmprov -l ms `zmhostname` -zimbraServiceEnabled antispam<br />
</pre><br />
<br />
2a) Verify that you don't see the following two lines in the enabled services list<br />
<br />
<pre><br />
zimbraServiceEnabled: antivirus<br />
zimbraServiceEnabled: antispam<br />
</pre><br />
<br />
<pre><br />
zmprov gs `zmhostname` zimbraServiceEnabled<br />
<br />
# name <your-host><br />
zimbraServiceEnabled: logger<br />
zimbraServiceEnabled: mailbox<br />
zimbraServiceEnabled: mta<br />
zimbraServiceEnabled: stats<br />
zimbraServiceEnabled: snmp<br />
zimbraServiceEnabled: ldap<br />
zimbraServiceEnabled: spell<br />
</pre><br />
<br />
3) Add your Milter to the Postfix configuration file:<br />
<br />
<pre><br />
postconf -e 'smtpd_milters = inet:127.0.0.1:2704'<br />
postconf -e 'non_smtpd_milters = inet:127.0.0.1:2704'<br />
</pre><br />
<br />
(the format of Postfix's milter option value is "inet:<host or IP of milter>:<port of milter>")<br />
<br />
4) Restart Zimbra<br />
<br />
<pre><br />
zmcontrol stop<br />
zmcontrol start<br />
</pre><br />
<br />
5) [Optional] Configure the mail store to send messages with specific headers to the "Junk" folder:<br />
<br />
The following example will automatically folder messages containing the header "X-Cloudmark-Verdict: spam":<br />
<br />
<pre><br />
zmprov mcf zimbraSpamHeader X-Cloudmark-Verdict<br />
zmprov mcf zimbraSpamHeaderValue spam<br />
</pre><br />
<br />
After you've made your changes, check that you're changes were stored correctly:<br />
<br />
<pre><br />
zmprov gacf | grep Header<br />
</pre><br />
<br />
Output should look like this:<br />
<pre><br />
zimbraSpamHeader: X-Cloudmark-Local-Verdict<br />
zimbraSpamHeaderValue: spam<br />
</pre><br />
<br />
6) Send a test message through and verify that your milter has received the file.<br />
<br />
Your Milter callout from Postfix should now be configured.<br />
<br />
==Enabling DCC==<br />
<br />
To setup DCC: Download dcc from [http://rhyolite.com/anti-spam/dcc/source/dcc.tar.Z DCC Site]<br />
<br />
I compile on different system to build an rpm to install in production environment. Use [http://www.zimbra.com/forums/attachment.php?attachmentid=509 this spec file] (rename it to .spec) to build an rpm with the command:<br />
<br />
<pre><br />
rpmbuild -ba /usr/src/redhat/SPECS/dcc.spec<br />
</pre><br />
<br />
install it on the production server: <br />
<pre><br />
rpm -ivh dcc-x.y.z.rpm<br />
</pre><br />
<br />
Change /etc/dcc/dcc_conf to read:<br />
<pre><br />
DCCUID=zimbra <br />
DCCD_ENABLE=off<br />
</pre><br />
<br />
Change /opt/zimbra/conf/spamassassin/v310.pre to enable the DCC plugin:<br />
<pre> <br />
loadplugin Mail::SpamAssassin::Plugin::DCC <br />
</pre><br />
<br />
Enable DCC on firewall (UDP/6277 outgoing)<br />
<br />
Have fun. I use sqlgrey as greylist server, so I don't need another one. As to me the standard value DCC == 2.5 Spamassassin point is ok, so I do not change it. With SA 3.xx you do not need to use enable_dcc in local.cf. That's the same for razor2 indeed...<br />
<br />
==Implementing Whitelist/Blacklist==<br />
<br />
=== Domain white/black list ===<br />
<br />
This can be accomplished by modifying /opt/zimbra/conf/amavisd.conf.in and adding a score for the domain that you want to change.<br />
<br />
When scoring the domain, remember that '''negative scores whitelist, positive scores blacklist'''<br />
<br />
Here's a whitelisting example:<br />
<br />
Edit the file /opt/zimbra/conf/amavisd.conf.in and look for this section:<br />
<br />
{ # a hash-type lookup table (associative array)<br />
'nobody@cert.org' => -3.0,<br />
'cert-advisory@us-cert.gov' => -3.0,<br />
'owner-alert@iss.net' => -3.0,<br />
'slashdot@slashdot.org' => -3.0,<br />
'bugtraq@securityfocus.com' => -3.0,<br />
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,<br />
'security-alerts@linuxsecurity.com' => -3.0,<br />
<br />
<br />
At the top, add the domain you want to whitelist (eg, zimbra.com), with a strong negative score:<br />
<br />
{ # a hash-type lookup table (associative array)<br />
'zimbra.com' => -10.0,<br />
'nobody@cert.org' => -3.0,<br />
'cert-advisory@us-cert.gov' => -3.0,<br />
'owner-alert@iss.net' => -3.0,<br />
'slashdot@slashdot.org' => -3.0,<br />
'bugtraq@securityfocus.com' => -3.0,<br />
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,<br />
'security-alerts@linuxsecurity.com' => -3.0,<br />
'mailman-announce-admin@python.org' => -3.0,<br />
<br />
'''Remember, if you want to blacklist a domain, make the score positive'''<br />
<br />
Then restart amavis:<br />
zmamavisdctl stop && zmamavisdctl start <br />
<br />
Remember - you're trusting the sender's domain to be valid, so any email sent with an address in that domain will receive the score weighting - the address is not verified.<br />
<br />
This can also be used with individual sender email addresses, as seen above.<br />
<br />
=== User white/black list ===<br />
It very simple changing amavis config:<br />
<br />
put in /opt/zimbra/conf/amavis.conf*<br />
<br />
<pre><br />
read_hash(\%whitelist_sender, '/etc/zimbra/whitelist');<br />
read_hash(\%blacklist_sender, '/etc/zimbra/blacklist');<br />
read_hash(\%spam_lovers, '/etc/zimbra/spamlovers');<br />
</pre><br />
<br />
In /etc/zimbra/* put sender address or domain, one per line. Wildcards allowed.<br />
Example:<br />
<br />
<pre><br />
hotstuff@sexnzen.com<br />
spammersites.net<br />
</pre><br />
<br />
A spamlovers list is for that accounts that always need to receive all messages, even if spam. According to rfc 2822 postmaster, abuse and other account of this kind should be spam lovers.<br />
<br />
<br />
I think we should prepare a script to save and restore this config changes upon zimbra updates...<br />
<br />
<br />
== Postfix Tweaks ==<br />
(Added by L. Mark Stone 12 May 2007)<br />
<br />
Postfix itself features a number of anti-UCE capabilities. Some of them are available via the admin console, but some are not. <br />
<br />
=== Simultaneous Connection Throttling ===<br />
If your Zimbra system gets targeted by spammers, you'll notice that a spammer's email server can open up a large number of simultaneous connections to Zimbra's Postfix.<br />
<br />
Most of these connections will fail, often because the recipients don't actually exist on the system. But, these connections still use resources.<br />
<br />
So, we have for years on our other Postfix mail servers been taking advantage of two Postfix configuration settings that have reduced this problem significantly. We have now updated our Zimbra installations with the same settings, so I thought I would pass them on.<br />
<br />
The two settings we add to main.cf are:<br><br />
<pre><br />
smtpd_soft_error_limit = 2<br />
smtpd_hard_error_limit = 3<br />
</pre><br />
<br />
We do this by becoming the zimbra user and then running:<br />
<pre><br />
postconf -e 'smtpd_hard_error_limit = 3'<br />
postconf -e 'smtpd_soft_error_limit = 2'<br />
</pre><br />
<br />
We then restart Postfix to implement the changes. To restart Postfix, you need to be root and to run the Zimbra-supplied Postfix binary:<br />
<pre><br />
viognier:~ # cd /opt/zimbra/postfix/sbin<br />
viognier:/opt/zimbra/postfix/sbin # ./postfix stop<br />
postfix/postfix-script: stopping the Postfix mail system<br />
viognier:/opt/zimbra/postfix/sbin # postfix start<br />
postfix/postfix-script: starting the Postfix mail system<br />
viognier:/opt/zimbra/postfix/sbin #<br />
</pre><br />
<br />
Documentation from Postfix is here:<br />
http://www.postfix.org/postconf.5.html#smtpd_soft_error_limit<br />
<br />
== Greylisting ==<br />
<br />
In the forums, you'll probably get the most support for postgrey (below) as it's the fastest to setup.<br />
<br />
followed by http://wiki.zimbra.com/index.php?title=Connecting_with_SQLGrey<br />
<br />
then http://wiki.zimbra.com/index.php?title=Postfix_Policyd<br />
<br />
Google or see http://Greylisting.org for some examples & see all sorts of ideas. There are tons of different greylist programs, for example: Some can be configure so that you hold the mail for up to 30min, (unless they get a reattempt response sooner), and then deliver it anyway with an additional spam score tacked on etc.<br />
<br />
----<br />
<br />
=== Postgrey ===<br />
Postfix Greylisting Policy Server-the original authors site http://postgrey.schweikert.ch/ <br />
<br />
When a request for delivery of a mail is received by Postfix via SMTP, the triplet CLIENT_IP / SENDER / RECIPIENT is built. If it is the first time that this triplet is seen, or if the triplet was first seen less than 5 minutes ago, then the mail gets rejected with a temporary 450 deffer error. <br />
<br />
It auto-remembers valid senders for up to xdays (default 35days) who are auto-whitelisted to skip the delivery delay. You can also define permanent whitelist based on clients/email addresses.<br />
<br />
'''Example install on Ubuntu 6.06LTS (Dapper) Install (Tested by K. Diebold 25 July 2007)'''<br />
<br />
==== Installing Postgrey: ====<br />
<pre><br />
sudo apt-get install postgrey<br />
.<br />
.<br />
Creating config file /etc/postgrey/whitelist_clients with new version (some big companies are put here-you can add your own)<br />
Creating config file /etc/postgrey/whitelist_recipients with new version (as needed put in users who do not want greylisting)<br />
Creating config file /etc/default/postgrey with new version<br />
Starting postfix greylisting daemon: postgrey.<br />
</pre><br />
The package adds the appropriate init scripts (update-rc.d postgrey defaults) and is configured to answer on localhost:60000.<br />
<br />
==== Configuring the Zimbra Postfix: ====<br />
<pre>sudo vi /opt/zimbra/conf/postfix_recipient_restrictions.cf</pre><br />
<br />
...and add the following above any lines that contain '%%' at the beginning and end. The final line should contain only 'permit':<br />
<br />
<pre>check_policy_service inet:127.0.0.1:60000</pre><br />
<br />
...then restart Postfix (which will re-create /opt/zimbra/postfix/main.cf)<br />
<br />
<pre>postfix reload</pre><br />
<br />
----<br />
Notes:<br />
See the stuff that get's added to smtpd_recipient_restrictions?<br />
<br />
'''Changing the delay '''<br />
<br />
-The default is 5/10 minutes depending on where you get your download so if you wanted it 10 minutes:<br />
/etc/default/postgrey<br />
Depending on your version/if you download the package and manually edit before you install:<br />
POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=300"<br />
OR before hand<br />
delay => $opt{delay} || 300,<br />
max_age => $opt{'max-age'} || 35,<br />
<br />
Whitelists allow you to specify client addresses or recipient address, for<br />
which no greylisting should be done. Per default postgrey will read the<br />
following files:<br />
/etc/postfix/postgrey_whitelist_clients<br />
/etc/postfix/postgrey_whitelist_clients.local<br />
/etc/postfix/postgrey_whitelist_recipients<br />
<br />
Add-ons:<br />
p0f - passive OS detection and white-listing based on detected OS<br />
<br />
taRgrey (tarpit + greylist) - a patch that makes postgrey into a tarpitting policy server.<br />
[[Category:Anti-spam]]<br />
<br />
== Discarding Emails Sent to Invalid Addresses ==<br />
<br />
To reduce email to accounts that you don't even have:<br />
Change the entry in zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)<br />
<br />
-This rejects the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. <br />
(ie: there's no such user account on the server)<br />
<br />
If 5.0.12+ using alias domains enable set postfix_enable_smtpd_policyd=yes instead.<br />
[[ManagingDomains#Email_to_non-existant_accounts]]<br />
<br />
----<br />
<br />
One email server I administered got 400,000 messages a day. 99.2% of them were sent to addresses that didn't exist on my domain. However, my server happily scanned all of them for spam, viruses, etc. You can configure Zimbra to reject such messages with 450, saying the address doesn't exist. In addition, once an RCPT TO: command is sent specifying an invalid address, Zimbra delays about 5 seconds before it accepts another command, slowing down the spammer.<br />
<br />
Add the following lines to /opt/zimbra/conf/postfix_recipient_restrictions.cf:<br />
<br />
reject_unknown_recipient_domain <br />
-Which rejects when:<br />
<br />
a) the RCPT TO address has no DNS A or MX record<br />
<br />
b) when Postfix is not final destination for the recipient address<br />
<br />
c) or when it has a malformed MX record such as a record with a zero-length MX hostname<br />
<br />
reject_unverified_recipient<br />
-Rejects the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable.<br />
<br />
I add these lines just after the first line, which should be reject_non_fqdn_recipient.<br />
<br />
Restart Zimbra and enjoy. :)<br />
<br />
--BJ Quinn<br />
<br />
Caveat: There is a possible downside to this. These mass e-mailings to non-existant addresses at your domain are often part of a directory harvesting attack. By enabling this feature you will reveal legitimate addresses at your domain (through process of elimination). These will then be sold to spammers, or worse used as sender addresses by spammers.<br />
<br />
--CG<br />
<br />
== References ==<br />
<br />
http://www.zimbra.com/forums/administrators/4933-improving-spam-filtering.html<br />
<br />
{{Article_Footer|ZCS 4.5.x|12/14/2006}}<br />
<br />
<br />
[[Category:CentOS]]<br />
[[Category:Fedora]]<br />
[[Category:SUSE]]<br />
[[Category:RHEL]]<br />
[[Category:Ubuntu]]<br />
[[Category:ZCS 4.5]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Domain_level_blocking_of_users&diff=18143Domain level blocking of users2010-02-20T08:15:34Z<p>Gettyless: </p>
<hr />
<div>Below mentioned are the steps to "REJECT" an external email address from sending mail to the users of the Zimbra Domain. <br />
<br />
The same results can also be achieved using Amavis via [http://wiki.zimbra.com/index.php?title=Improving_Anti-spam_system#Implementing_Whitelist.2FBlacklist blacklisting].<br />
<br />
1. Edit zmmta.cf<br />
<br />
vi /opt/zimbra/conf/zmmta.cf<br />
Add this line below (smtpd_recipient_restrictions):<br />
POSTCONF smtpd_sender_restrictions FILE postfix_sender_restrictions.cf<br />
<br />
2. Create file /opt/zimbra/conf/postfix_sender_restrictions.cf with the below line:<br />
hash:/opt/zimbra/postfix/conf/reject<br />
<br />
or:<br />
<br />
echo "hash:/opt/zimbra/postfix/conf/reject" > /opt/zimbra/conf/postfix_sender_restrictions.cf<br />
<br />
3. Create file /opt/zimbra/postfix/conf/reject with the list of email address to be rejected in the below format:<br />
user@domain.com REJECT<br />
<br />
4. postmap it and restart postfix<br />
postmap /opt/zimbra/postfix/conf/reject<br />
zmmtactl stop && zmmtactl start<br />
<br />
You'll be able to see the changes show up in <tt>/opt/zimbra/log/zmmtaconfig.log</tt> .<br />
<br />
Please note that this change will not survive an upgrade and you will have to redo these after the upgrade.<br />
<br />
Reject messages will be logged in <tt>/var/log/zimbra.log</tt> ; format looks like this:<br />
<br />
[date / hostname] postfix/smtpd[####] NOQUEUE: reject: RCPT from [remote mta]: 554 5.7.1 <senders-email@DOMAIN>: <br />
Sender address rejected: Access denied: from=<senders-email@DOMAIN> to=<local-zimbra-user@domain> proto=ESMTP helo=<remote mta><br />
<br />
The sender will receive a returned email declaring the rejection.<br />
<br />
{{Article Footer|Unknown|10/29/2008}}<br />
<br />
[[Category:Administration]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IMAP_and_Outlook_Spam_training&diff=17683IMAP and Outlook Spam training2010-02-01T00:55:00Z<p>Gettyless: just adding headings</p>
<hr />
<div>{{Unsupported}}<br />
<br />
== ZCS 5.0.11+ ==<br />
<br />
ZCS 5.0.11+ Junk/Spam folders are 'item-move-aware' per [http://bugzilla.zimbra.com/show_bug.cgi?id=9532 bug 9532]. In other words, when you move mail into your Junk/Spam folder it will be "queued for processing by the spam filter/trainer". Previously, this was NOT the case.<br />
<br />
<br />
== Prior to ZCS 5.0.11 ==<br />
<br />
IMAP/Outlook move to junk doesn't train anti-spam - It seems that when you move a mail to junk folder on IMAP client (like Thunderbird) anti-spam filter on MTA does not use that mail as a spam example for training... See [http://bugzilla.zimbra.com/show_bug.cgi?id=9532 bug 9532]<br />
<br />
Here is a bash script created from the comments against this bug. I have tested it on our system and it appears to work OK. Feel free to contribute and enhance! Full credit for this script is due to bobby@zimbra.com and dmangot@terracottatech.com who wrote the bits which I just pasted together!<br />
<br />
<pre><br />
#!/bin/bash<br />
<br />
wikiuser=`zmprov getConfig zimbraNotebookAccount | cut -d ' ' -f 2`;<br />
hamuser=`zmprov getConfig zimbraSpamIsNotSpamAccount | cut -d ' ' -f 2`;<br />
spamuser=`zmprov getConfig zimbraSpamIsSpamAccount | cut -d ' ' -f 2`;<br />
<br />
users=`zmprov getAllAccounts | grep -v -e $wikiuser -e $hamuser -e $spamuser`;<br />
<br />
for zuser in $users<br />
do<br />
echo "Train spam for $zuser"<br />
/opt/zimbra/bin/zmtrainsa $zuser spam junk<br />
done<br />
<br />
echo "Zimbra spam training complete"<br />
</pre><br />
<br />
To install, save the above script as 'learnmorespam.sh', copy to /opt/zimbra/learnmorespam.sh on your Zimbra server. Set ownership and make executable:<br />
<pre><br />
[root@mail ~]# chmod +x /opt/zimbra/learnmorespam.sh<br />
[root@mail ~]# chown zimbra:zimbra /opt/zimbra/learnmorespam.sh<br />
</pre><br />
<br />
And then create this crontab entry, /etc/crontab<br />
<pre><br />
#Learn more spam 6am daily<br />
0 6 * * * zimbra /opt/zimbra/learnmorespam.sh > /dev/null 2>&1<br />
</pre><br />
<br />
That should be it :)<br />
<br />
Another:<br />
<pre><br />
#!/usr/bin/perl<br />
use strict;<br />
use warnings;<br />
use Mail::IMAPClient;<br />
my $host="<edit>";<br />
my $username="<edit>";<br />
my $password="<edit>";<br />
my @real_users=`/opt/scalix/bin/omshowu -m all -i`; # get all real user names.<br />
foreach my $punter (@real_users) # Loop over them all.<br />
{<br />
chomp $punter; # Remove trailing carriage return.<br />
if ("$punter" ne "postmaster")<br />
{<br />
print "$punter\n"; # Some output. Feel free to remove.<br />
#$punter =~s/@/\\@/;<br />
my $user="mboxadmin:$username:$punter"; # Set up superuser login.<br />
my $imap = new Mail::IMAPClient( 'Server' => $host , 'User' => $user , 'Password' => $password ) or next; # connect to server.<br />
my @folders=$imap->folders; # list folders.<br />
foreach my $i ( @folders ) { print $i; }<br />
foreach my $folder (@folders) # Look through each of them.<br />
{<br />
print lc($folder),"\n";<br />
if (lc($folder) eq "junk e-mail") # "junk email" folder.<br />
{<br />
print "Found a spam folder: $folder\n";<br />
$imap->select($folder) or next; # Select the folder.<br />
print "Folder $folder selected.\n";<br />
my @list=$imap->messages or next; # List all messages in folder.<br />
print scalar(@list)." messages in folder.\n";<br />
foreach my $msg (reverse(@list)) # Loop over them all.<br />
{<br />
my @email=$imap->fetch($msg,'RFC822'); # Fetch message.<br />
open (SALEARN,"|/usr/bin/spamassassin -d | /usr/bin/sa-learn --spam") or print "$!\n"; # Feed to sa-learn.<br />
print SALEARN "$email[1]";<br />
close SALEARN;<br />
open (REPORT,"|/usr/bin/spamassassin -d | /usr/bin/spamassassin -r") or print "$!\n"; # Report it. (SpamCop and Pyzor).<br />
print REPORT "$email[1]";<br />
close REPORT;<br />
$imap->delete_message($msg) or next; # Delete it.<br />
}<br />
$imap->expunge($folder) or next; #Expunge folder.<br />
}<br />
elsif(lc($folder) eq "not spam")<br />
{<br />
$imap->select($folder) or next; # Select the folder.<br />
print "Folder $folder selected.\n";<br />
my @list=$imap->messages or next; # List all messages in folder.<br />
print scalar(@list)." messages in folder.\n";<br />
foreach my $msg (reverse(@list)) # Loop over them all.<br />
{<br />
my @email=$imap->fetch($msg,'RFC822'); # Fetch message.<br />
open (SALEARN,"|/usr/bin/spamassassin -d | /usr/bin/sa-learn --forget") or print "$!\n";# Sa-learn forget this message if already seen.<br />
print SALEARN "$email[1]";<br />
close SALEARN or print "$!\n";<br />
open (SALEARN,"|/usr/bin/spamassassin -d | /usr/bin/sa-learn --ham") or next; # Feed to sa-learn as ham.<br />
print SALEARN "$email[1]";<br />
close SALEARN;<br />
$imap->delete_message($msg) or next;<br />
}<br />
$imap->expunge($folder) or next;<br />
<br />
}<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
{{Article_Footer|unknown|3/5/2008}}<br />
<br />
[[Category: Anti-spam]]<br />
[[Category: Clients]]<br />
[[Category: ZCO]]<br />
[[Category: ZCS 5.0]]<br />
[[Category: ZCS 4.5]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=Mail_Queue_Monitoring&diff=17672Mail Queue Monitoring2010-01-29T05:02:21Z<p>Gettyless: /* Common Errors */</p>
<hr />
<div>== Mail Queue Overview ==<br />
<br />
Incoming and outgoing mail is processed by postfix in a series of queues; normally, mail moves from the ''incoming'' queue to the ''active'' queue, from which it is delivered. If delivery is deferred, mail is moved to the ''deferred'' queue, and automatically reprocessed later.<br />
<br />
Additionally, mail can be put in the ''hold'' queue, which will prevent it from being delivered until it is manually removed from the ''hold'' queue.<br />
<br />
== Monitoring Queues ==<br />
<br />
Queues can be monitored from within the admin console; select ''Manage Mail Queues'' from the left sidebar and your queue information will be shown.<br />
<br />
== Troubleshooting Queue Monitoring ==<br />
<br />
=== Common Errors ===<br />
<br />
The most common problem is authentication to the mta server. This shows in the mailbox.log logfile as:<br />
<br />
Message: system failure: exception during auth {RemoteManager: MAIL.DOMAIN.COM->zimbra@MAIL.DOMAIN.COM:22}<br />
com.zimbra.cs.service.ServiceException: system failure: exception during auth {RemoteManager: <br />
MAIL.DOMAIN.COM->zimbra@MAIL.DOMAIN.COM:22}<br />
at com.zimbra.cs.service.ServiceException.FAILURE(ServiceException.java:174)<br />
at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:197)<br />
at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:134) <br />
<br />
etc...<br />
<br />
Regenerating keys may very well fix this however, one other place to look is your ''/var/log/secure'' file. If you see something similar to:<br />
<pre><br />
sshd[16312]: Authentication refused: bad ownership or modes for directory /opt/zimbra<br />
</pre><br />
<br />
It's possible you only need to fix your ownership and permissions.<br />
<br />
<pre><br />
su - zimbra<br />
zmcontrol stop<br />
exit<br />
</pre><br />
<br />
Now login as root -- this command must be run as root, run zmfixperms, and start zimbra back up:<br />
<pre><br />
/opt/zimbra/libexec/zmfixperms <br />
su - zimbra<br />
zmcontrol start<br />
</pre><br />
<br />
If this doesn't fix any errors you'll probably need to regenerate your keys.<br />
<br />
=== Regenerating Keys ===<br />
<br />
To regenerate the ssh keys, on all hosts (as the zimbra user):<br />
zmsshkeygen<br />
<br />
To deploy the keys, on all hosts (as the zimbra user):<br />
zmupdateauthkeys<br />
<br />
=== Verifying sshd configuration ===<br />
<br />
The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:<br />
<br />
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM<br />
<br />
(Swap MAIL.DOMAIN.COM for your hostname, as it appears in the error).<br />
<br />
You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.<br />
<br />
If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:<br />
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222<br />
<br />
Verify in /etc/sshd_config that the zimbra user is an allow user<br />
AllowUsers admin zimbra<br />
<br />
Note: applying this change resulted in not being to ssh as root. Should we add root to the list of AllowUsers!<br />
<br />
=== /etc/hosts.allow ===<br />
The Zimbra hostname may be different than the system. Add the Zimbra hostname to ''/etc/hosts.allow''.<br />
ALL: zimbra.domain.tld<br />
<br />
=== Another cause, Zimbra account has been disabled ===<br />
If the above steps do not work then enable verbose output for ssh with:<br />
ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM<br />
<br />
If the output from ssh indicates that ''Next authentication method: password'' as below, then the Zimbra account may be locked.<br />
<br />
debug1: Next authentication method: publickey<br />
debug1: Offering public key: /opt/zimbra/.ssh/zimbra_identity<br />
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive<br />
debug1: Next authentication method: keyboard-interactive<br />
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive<br />
debug1: Next authentication method: password<br />
zimbra@MAIL.DOMAIN.COM's password:<br />
<br />
To verify this, as root check /etc/shadow. Locate the zimbra account. If the account has one or more ! in the line then the account is locked.<br />
zimbra:!!:13634:0:99999:7:::<br />
<br />
Use this command to unlock the zimbra account (or you can edit the shadow file directly and remove them).<br />
usermod -U zimbra<br />
<br />
Then check /etc/shadow again, there should be no ! for the zimbra account. You may need to do this multiple times to remove the ! and unlock the account.<br />
<br />
Once the account is unlocked, this command should work (it did for us!).<br />
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM<br />
<br />
[[Category:Pending Certification]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16694IP Address whitelisting2009-12-23T01:22:13Z<p>Gettyless: /* amavis_client_whitelist */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
That will create a Berkeley DB:<br />
<br />
<pre><br />
zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db<br />
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)<br />
</pre><br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
if you want to bypass virus checking too:<br />
<br />
<pre><br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_virus_destiny => D_PASS,<br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
http://www.webservertalk.com/archive390-2006-8-1467502.html<br />
<br />
== Restart postfix and amavisd == <br />
<br />
zmmtactl restart && zmamavisdctl restart<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16186IP Address whitelisting2009-12-10T02:02:54Z<p>Gettyless: /* amavisd.conf.in */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
oh noes:<br />
<br />
<pre><br />
zimbra@zimbra:~$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
Segmentation fault<br />
</pre><br />
<br />
but ...:<br />
<br />
<pre><br />
zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db<br />
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)<br />
</pre><br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
if you want to bypass virus checking too:<br />
<br />
<pre><br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_virus_destiny => D_PASS,<br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
http://www.webservertalk.com/archive390-2006-8-1467502.html<br />
<br />
== Restart postfix and amavisd == <br />
<br />
zmmtactl restart && zmamavisdctl restart<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16185IP Address whitelisting2009-12-10T02:01:49Z<p>Gettyless: /* amavisd.conf.in */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
oh noes:<br />
<br />
<pre><br />
zimbra@zimbra:~$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
Segmentation fault<br />
</pre><br />
<br />
but ...:<br />
<br />
<pre><br />
zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db<br />
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)<br />
</pre><br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
http://www.webservertalk.com/archive390-2006-8-1467502.html<br />
<br />
== Restart postfix and amavisd == <br />
<br />
zmmtactl restart && zmamavisdctl restart<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16181IP Address whitelisting2009-12-10T01:32:06Z<p>Gettyless: /* Restart postfix and amavisd */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
oh noes:<br />
<br />
<pre><br />
zimbra@zimbra:~$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
Segmentation fault<br />
</pre><br />
<br />
but ...:<br />
<br />
<pre><br />
zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db<br />
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)<br />
</pre><br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
== Restart postfix and amavisd == <br />
<br />
zmmtactl restart && zmamavisdctl restart<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16180IP Address whitelisting2009-12-10T01:31:40Z<p>Gettyless: /* Restart postfix and amavisd */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
oh noes:<br />
<br />
<pre><br />
zimbra@zimbra:~$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
Segmentation fault<br />
</pre><br />
<br />
but ...:<br />
<br />
<pre><br />
zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db<br />
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)<br />
</pre><br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
== Restart postfix and amavisd == <br />
<br />
postfix restart && zmamavisdctl restart<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16179IP Address whitelisting2009-12-10T01:19:59Z<p>Gettyless: /* amavis_client_whitelist */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
oh noes:<br />
<br />
<pre><br />
zimbra@zimbra:~$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
Segmentation fault<br />
</pre><br />
<br />
but ...:<br />
<br />
<pre><br />
zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db<br />
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)<br />
</pre><br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
== Restart postfix and amavisd == <br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16178IP Address whitelisting2009-12-10T01:18:39Z<p>Gettyless: /* amavis_client_whitelist */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
oh noes:<br />
<br />
<pre><br />
zimbra@zimbra:~$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
Segmentation fault<br />
</pre><br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
== Restart postfix and amavisd == <br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16177IP Address whitelisting2009-12-10T01:15:35Z<p>Gettyless: </p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
== Restart postfix and amavisd == <br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16175IP Address whitelisting2009-12-10T01:09:21Z<p>Gettyless: /* amavisd.conf.in */</p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
== Restart postfix and amavisd == <br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16174IP Address whitelisting2009-12-10T01:08:44Z<p>Gettyless: </p>
<hr />
<div>This shows how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16173IP Address whitelisting2009-12-10T01:08:11Z<p>Gettyless: /* amavis_client_whitelist */</p>
<hr />
<div>This document describes how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16172IP Address whitelisting2009-12-10T01:07:57Z<p>Gettyless: /* amavis_client_whitelist */</p>
<hr />
<div>This document describes how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
<br />
== amavisd.conf.in ==<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16171IP Address whitelisting2009-12-10T01:07:22Z<p>Gettyless: /* postfix_recipient_restrictions.cf */</p>
<hr />
<div>This document describes how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
== amavis_client_whitelist ==<br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16170IP Address whitelisting2009-12-10T01:07:07Z<p>Gettyless: </p>
<hr />
<div>This document describes how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
<br />
== postfix_recipient_restrictions.cf ==<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16169IP Address whitelisting2009-12-10T01:06:49Z<p>Gettyless: </p>
<hr />
<div>This document describes how to disable anti-spam checking of all emails coming from an IP address -- in other words whitelist an IP address instead of conventional domain name whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16168IP Address whitelisting2009-12-10T01:05:37Z<p>Gettyless: /* Amavisd - Whitelist an IP address. */</p>
<hr />
<div>This document describes how to disable anti-spam checking of all emails coming from an IP address, i.e. whitelisting an IP address instead of conventional domainname whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16167IP Address whitelisting2009-12-10T01:04:46Z<p>Gettyless: /* Amavisd - Whitelist an IP address. */</p>
<hr />
<div>== '''Amavisd - Whitelist an IP address.''' ==<br />
<br />
<br />
This document describes how to disable anti-spam checking of all emails coming from an IP address, i.e. whitelisting an IP address instead of conventional domainname whitelisting.<br />
<br />
Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16166IP Address whitelisting2009-12-10T01:04:01Z<p>Gettyless: /* Amavisd - Whitelist an IP address. */</p>
<hr />
<div>== '''Amavisd - Whitelist an IP address.''' ==<br />
<br />
<br />
This document describes how to disable anti-spam checking of all emails coming from an IP address, i.e. whitelisting an IP address instead of conventional domainname whitelisting.<br />
<br />
Everything here is done as the zimbra user. I want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16165IP Address whitelisting2009-12-10T01:03:43Z<p>Gettyless: /* Amavisd - Whitelist an IP address. */</p>
<hr />
<div>== '''Amavisd - Whitelist an IP address.''' ==<br />
<br />
<br />
This document describes how to disable anti-spam checking of all emails coming from an IP address, i.e. whitelisting an IP address instead of conventional domainname whitelisting.<br />
<br />
Everything here is done as the zimbra user. I want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16164IP Address whitelisting2009-12-10T01:03:13Z<p>Gettyless: /* Amavisd - Whitelist an IP address. */</p>
<hr />
<div>== '''Amavisd - Whitelist an IP address.''' ==<br />
<br />
<br />
This document describes how to disable anti-spam checking of all emails coming from an IP address, i.e. whitelisting an IP address instead of conventional domainname whitelisting.<br />
<br />
Everything here is done as the zimbra user. I want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting <tt>amavis_client_whitelist</tt> an ASCII form file into maptype database file:<br />
<br />
''/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist''<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16163IP Address whitelisting2009-12-10T01:02:55Z<p>Gettyless: /* Amavisd - Whitelist an IP address. */</p>
<hr />
<div>== '''Amavisd - Whitelist an IP address.''' ==<br />
<br />
<br />
This document describes how to disable anti-spam checking of all emails coming from an IP address, i.e. whitelisting an IP address instead of conventional domainname whitelisting.<br />
<br />
Everything here is done as the zimbra user. I want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
Create a file: <tt>/opt/zimbra/postfix/conf/amavis_client_whitelist</tt><br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
Converting "amavis_client_whitelist" an ASCII form file into maptype database file:<br />
<br />
''/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist''<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettylesshttps://wiki.zimbra.com/index.php?title=IP_Address_whitelisting&diff=16162IP Address whitelisting2009-12-10T01:01:18Z<p>Gettyless: /* Amavisd - Whitelist an IP address. */</p>
<hr />
<div>== '''Amavisd - Whitelist an IP address.''' ==<br />
<br />
<br />
This document describes how to disable anti-spam checking of all emails coming from an IP address, i.e. whitelisting an IP address instead of conventional domainname whitelisting.<br />
<br />
Everything here is done as the zimbra user. I want to whitelist all the emails coming from 192.168.1.1<br />
<br />
Enter following line at the top of: <tt>/opt/zimbra/conf/postfix_recipient_restrictions.cf</tt><br />
<br />
<pre><br />
check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist<br />
</pre><br />
<br />
'''Create a file "/opt/zimbra/postfix/conf/amavis_client_whitelist".'''<br />
<br />
vi /opt/zimbra/postfix/conf/amavis_client_whitelist'<br />
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:1002''6<br />
<br />
'''Converting "amavis_client_whitelist" an ASCII form file into maptype database file.'''<br />
<br />
''/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist''<br />
<br />
Enter following in <tt>/opt/zimbra/conf/amavisd.conf.in</tt>:<br />
<br />
'''NOTE:''' Make sure you use the <tt>amavisd.conf.in</tt> and '''NOT''' <tt>amavisd.conf</tt><br />
<br />
<pre><br />
$inet_socket_port = [10024, 10026]; # change from original setting<br />
$interface_policy{'10026'} = 'CLIENTWHITELIST'; <br />
$policy_bank{'CLIENTWHITELIST'} = { <br />
bypass_spam_checks_maps => [1], <br />
final_spam_destiny => D_PASS, <br />
};<br />
</pre><br />
<br />
Restart postfix and amavisd:<br />
<br />
'''Postfix stop/start'''<br />
<br />
'''Amavisd stop/start'''<br />
<br />
[[Category:Anti-spam]]</div>Gettyless