Difference between revisions of "Zimbra Collaboration Postscreen"

(Zimbra attributes for Postscreen)
m (IP Whitelist and Blacklist using Postscreen)
 
(19 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{BC|Community Sandbox}}
+
{{BC|Certified}}
 
__FORCETOC__
 
__FORCETOC__
 
<div class="col-md-12 ibox-content">
 
<div class="col-md-12 ibox-content">
 
=Zimbra Collaboration Postscreen=
 
=Zimbra Collaboration Postscreen=
{{KB|{{Unsupported}}|{{ZCS 8.7}}||}}
+
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}||}}
{{WIP}}
+
 
 
Starting with Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen like an additional Anti-SPAM strategy. Zimbra Postscreen provides additional protection against mail  server  overload.  One  postscreen  process  handles  multiple inbound SMTP connections, and decides which clients may talk to a Post-fix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.
 
Starting with Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen like an additional Anti-SPAM strategy. Zimbra Postscreen provides additional protection against mail  server  overload.  One  postscreen  process  handles  multiple inbound SMTP connections, and decides which clients may talk to a Post-fix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.
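Review bot: The unchanged intro paragraph in this hunk still reads "Post-fix SMTP server process" and "introduces Postscreen like an additional Anti-SPAM strategy". With the header moving to {{BC|Certified}} and {{WIP}} removed, fix these to "Postfix" and "as an additional" in the same revision.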
  
Line 211: Line 211:
 
| style="text-align: center;" | server,globalConfig
 
| style="text-align: center;" | server,globalConfig
 
| style="text-align: center;" | static:all
 
| style="text-align: center;" | static:all
 +
| style="text-align: center;" |
 +
|-
 +
| zimbraMtaPostscreenDnsblMinTTL
 +
| Value for postconf [http://www.postfix.org/postconf.5.html#postscreen_dnsbl_min_ttl '''postscreen_dnsbl_min_ttl'''].
 +
| style="text-align: center;" | tbd
 +
| style="text-align: center;" | server,globalConfig
 +
| style="text-align: center;" | tbd
 +
| style="text-align: center;" | 60s
 +
|-
 +
| zimbraMtaPostscreenDnsblMaxTTL
 +
| Value for postconf [http://www.postfix.org/postconf.5.html#postscreen_dnsbl_max_ttl '''postscreen_dnsbl_max_ttl'''].
 +
| style="text-align: center;" | tbd
 +
| style="text-align: center;" | server,globalConfig
 +
| style="text-align: center;" | tbd
 +
| style="text-align: center;" | tbd
 +
|-
 +
| zimbraMtaPostscreenUpstreamProxyProtocol
 +
| Value for postconf [http://www.postfix.org/postconf.5.html#postscreen_upstream_proxy_protocol '''postscreen_upstream_proxy_protocol''']. Single valued, commas,separated list.
 +
| style="text-align: center;" | enum
 +
| style="text-align: center;" | server,globalConfig
 +
| style="text-align: center;" |
 
| style="text-align: center;" |  
 
| style="text-align: center;" |  
 
|}
 
|}
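Review bot: The new rows for zimbraMtaPostscreenDnsblMinTTL and zimbraMtaPostscreenDnsblMaxTTL carry "tbd" in the type and default cells, and the "60s" for MinTTL sits in the last cell, which the rendered table labels Options, so it reads as an allowed value rather than a default. Fill in the real type and default before publishing. The zimbraMtaPostscreenUpstreamProxyProtocol row is typed enum, yet its description says "Single valued, commas,separated list" and no allowed values are listed; state the accepted values and drop the list wording.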
Line 217: Line 238:
 
Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 or above, take a look to the previous Table where find all the defaults values per each Postscreen attribute.
 
Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 or above, take a look to the previous Table where find all the defaults values per each Postscreen attribute.
  
===Quick Example configuring Postscreen (medium security)===
+
===Quick Example configuring Postscreen===
 
Each scenario can be different, so please tune the next values according to your own Environment, in this case all values are set at GlobalConfig level:
 
Each scenario can be different, so please tune the next values according to your own Environment, in this case all values are set at GlobalConfig level:
This configuration is '''medium level''', enforcing a few attributes instead of drop, change them to drop for higher level of security
+
This configuration is '''medium/high level''', enforcing a few attributes instead of ignore, change them to drop for higher level of security
 
  zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
 
  zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
  zmprov mcf zimbraMtaPostscreenBareNewlineAction enforce
+
  zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
  zmprov mcf zimbraMtaPostscreenBareNewlineEnable yes
+
  zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
  zmprov mcf zimbraMtaPostscreenBareNewlineTTL 20d
+
  zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
  zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
+
  zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
 
  zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
 
  zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
  zmprov mcf zimbraMtaPostscreenCacheRetentionTime 10d
+
  zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
  zmprov mcf zimbraMtaPostscreenCommandCountLimit 15
+
  zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
 
  zmprov mcf zimbraMtaPostscreenDnsblAction enforce
 
  zmprov mcf zimbraMtaPostscreenDnsblAction enforce
  zmprov mcf zimbraMtaPostscreenDnsblSites "domaintoblock.com*5, domaintoblock.com*5"
+
  zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
  zmprov mcf zimbraMtaPostscreenDnsblThreshold 5
+
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
  zmprov mcf zimbraMtaPostscreenDnsblTTL 2h
+
  zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
 +
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
 +
  zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
 
  zmprov mcf zimbraMtaPostscreenGreetAction enforce
 
  zmprov mcf zimbraMtaPostscreenGreetAction enforce
  zmprov mcf zimbraMtaPostscreenGreetTTL 5d
+
  zmprov mcf zimbraMtaPostscreenGreetTTL 1d
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction enforce
+
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable yes
+
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 20d
+
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
 
  zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
 
  zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
  zmprov mcf zimbraMtaPostscreenPipeliningEnable yes
+
  zmprov mcf zimbraMtaPostscreenPipeliningEnable no
  zmprov mcf zimbraMtaPostscreenPipeliningTTL 20d
+
  zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
  zmprov mcf zimbraMtaPostscreenWatchdogTimeout 30s
+
  zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
  zmprov mcf zimbraMtaPostscreenWhitelistInterfaces "1.2.3.4 static:all"
+
  zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
  
===Quick Example configuring Postscreen (high security)===
+
==Testing the Zimbra Collaboration Postscreen==
Each scenario can be different, so please tune the next values according to your own Environment, in this case all values are set at GlobalConfig level:
+
Customers might want to set up the DNSBLs first, for example, but leave it on ignore.  Postscreen will log what it would have done, but not do anything.  Once you are satisfied it looks correct, then you can set values to enforce or drop in certain cases.
This configuration is '''medium level''', enforcing a few attributes instead of drop, change them to drop for higher level of security
+
 
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
+
A real-world log example where you can see the error '''550''' from postscreen:
zmprov mcf zimbraMtaPostscreenBareNewlineAction drop
+
<pre>Mar  1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438
zmprov mcf zimbraMtaPostscreenBareNewlineEnable yes
+
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 20d
+
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010
zmprov mcf zimbraMtaPostscreenBlacklistAction drop
+
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com>
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
+
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438 </pre>
  zmprov mcf zimbraMtaPostscreenCacheRetentionTime 10d
+
===IP Whitelist and Blacklist using Postscreen===
  zmprov mcf zimbraMtaPostscreenCommandCountLimit 15
+
You can use now Postfix to whitelist or Blacklist IPs in an easier way by following the next steps:
  zmprov mcf zimbraMtaPostscreenDnsblAction drop
+
* Create '''/opt/zimbra/common/conf/postscreen_wblist'''
  zmprov mcf zimbraMtaPostscreenDnsblSites "domaintoblock.com*2, domaintoblock.com*2"
+
* Add entries to it. I've only used it as a blacklist. The IP range should be on [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation CIDR] format:
  zmprov mcf zimbraMtaPostscreenDnsblThreshold 2
+
  # Rules are evaluated in the order as specified.
  zmprov mcf zimbraMtaPostscreenDnsblTTL 2h
+
  # Blacklist 60.70.80.* except 60.70.80.91.
  zmprov mcf zimbraMtaPostscreenGreetAction drop
+
  60.70.80.91/32 permit
  zmprov mcf zimbraMtaPostscreenGreetTTL 5d
+
  60.70.80.0/24 reject
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
+
  70.70.70.0/24 reject
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable yes
+
* Set postscreen to use it:
  zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 20d
+
  zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenPipeliningAction drop
+
  zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable yes
 
zmprov mcf zimbraMtaPostscreenPipeliningTTL 20d
 
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 30s
 
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces "1.2.3.4 static:all"
 
  
==Testing the Zimbra Collaboration Postscreen==
+
* Wait for zmconfigd to pick up the change (60 seconds top)
Here is an example coming from GMail to Zimbra with a Postscreen set to '''medium''' (enforce), see the new postfix/postscreen checks
+
* After the 60 seconds, or a manual restart of the MTA services, you will see something like this on the Log:
<pre>Mar  1 17:22:57 zimbra86 postfix/postscreen[12538]: CONNECT from [209.85.213.181]:33183 to [46.101.92.202]:25
+
  Jun 29 05:16:22 edge04e postfix/postscreen[7546]: BLACKLISTED [70.70.70.100]:55699
Mar  1 17:23:03 zimbra86 postfix/tlsproxy[12682]: CONNECT from [209.85.213.181]:33183
 
Mar  1 17:23:03 zimbra86 postfix/tlsproxy[12682]: Anonymous TLS connection established from [209.85.213.181]:33183: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
 
Mar  1 17:23:03 zimbra86 postfix/postscreen[12538]: NOQUEUE: reject: RCPT from [209.85.213.181]:33183: 450 4.3.2 Service currently unavailable; from=<testzimbra@gmail.com>, to=<admin@example.com>, proto=ESMTP, helo=<mail-ig0-f181.google.com>
 
Mar  1 17:23:03 zimbra86 postfix/tlsproxy[12682]: DISCONNECT [209.85.213.181]:33183
 
Mar 1 17:23:03 zimbra86 postfix/postscreen[12538]: HANGUP after 0.82 from [209.85.213.181]:33183 in tests after SMTP handshake
 
Mar  1 17:23:03 zimbra86 postfix/postscreen[12538]: PASS NEW [209.85.213.181]:33183
 
Mar  1 17:23:03 zimbra86 postfix/postscreen[12538]: DISCONNECT [209.85.213.181]:33183
 
</pre>
 
  
===Domain white/blacklist===
+
==Quick note on for MTA on Cloud Environments==
Postscreen is really easy to configure, you can white or blacklist domains easily.
+
If you are using Amazon’s Elastic Load Balancer for handling SMTP traffic include simple load-based autoscaling, load distribution that’s aware of distribution across availability zones, you will need to configure the
 +
zmprov mcf zimbraMtaPostscreenUpstreamProxyProtocol haproxy
  
First you need to configure the '''DnsblThreshold''' to the score you want your Customers needs to reach before being rejected, for example we can set it to two:
+
And then, verify the change it's in progress:
zimbra@zimbra86:~$ zmprov mcf zimbraMtaPostscreenDnsblThreshold 2
+
<pre>tail -f /var/log/zimbra.log
Now that the '''DnsblThreshold''' is set up to two, we will add the domain we want to block, giving score '''2''' which means Postscreen will reject it, even before talk to our Zimbra MTA SMTP
+
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: Fetching All configs
zimbra@zimbra86:~$ zmprov mcf zimbraMtaPostscreenDnsblSites "gmail.com*2"
+
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: All configs fetched in 0.08 seconds
Restart the MTA services
+
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Watchdog: service antivirus status is OK.
<pre>zimbra@zimbra86:~$ zmmtactl restart
+
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Var zimbraMtaPostscreenUpstreamProxyProtocol changed from 'None' -> 'haproxy'
Rewriting configuration files...done.
+
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_originating.re with mode 440 (0.01 sec)
Stopping saslauthd...done.
+
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/postfix_header_checks with mode 440 (0.00 sec)
Starting saslauthd...done.
+
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_foreign.re with mode 440 (0.01 sec)
/postfix-script: refreshing the Postfix mail system</pre>
+
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/master.cf with mode 440 (0.01 sec)
 +
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/mta_milter_options with mode 440 (0.00 sec)
 +
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: All rewrite threads completed in 2.93 sec
 +
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: controlProcess mta restart (-1)
 +
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: CONTROL mta: bin/zmmtactl reload norewrite
 +
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: mta reload initiated from zmconfigd
 +
Jun 24 17:24:36 zre-ldap004 saslauthd[20153]: server_exit    : master exited: 20153
 +
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: detach_tty      : master pid is: 2925
 +
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: ipc_init        : listening on socket: /opt/zimbra/data/sasl2/state/mux
 +
Jun 24 17:24:38 zre-ldap004 /postfix-script[2959]: refreshing the Postfix mail system
 +
Jun 24 17:24:38 zre-ldap004 postfix/master[20304]: reload -- version 3.1.1, configuration /opt/zimbra/common/conf
 +
Jun 24 17:24:38 zre-ldap004 zmconfigd[17944]: All restarts completed in 1.82 sec</pre>
  
And then test to send an email from GMail to our Zimbra with Postscreen:
+
And verify by running this command:
<pre>Mar 1 18:03:26 zimbra86 postfix/postscreen[6364]: CONNECT from [209.85.213.177]:34931 to [46.101.92.202]:25
+
  postconf postscreen_upstream_proxy_protocol
Mar  1 18:03:33 zimbra86 postfix/tlsproxy[6374]: CONNECT from [209.85.213.177]:34931
+
  postscreen_upstream_proxy_protocol = haproxy
Mar  1 18:03:33 zimbra86 postfix/tlsproxy[6374]: Anonymous TLS connection established from [209.85.213.177]:34931: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
 
Mar 1 18:03:33 zimbra86 postfix/postscreen[6364]: NOQUEUE: reject: RCPT from [209.85.213.177]:34931: 450 4.3.2 Service currently unavailable; from=<testzimbra@gmail.com>, to=<admin@example.com>, proto=ESMTP, helo=<mail-ig0-f177.google.com>
 
Mar  1 18:03:33 zimbra86 postfix/postscreen[6364]: HANGUP after 0.82 from [209.85.213.177]:34931 in tests after SMTP handshake
 
Mar  1 18:03:33 zimbra86 postfix/postscreen[6364]: PASS NEW [209.85.213.177]:34931
 
Mar  1 18:03:33 zimbra86 postfix/tlsproxy[6374]: DISCONNECT [209.85.213.177]:34931
 
Mar  1 18:03:33 zimbra86 postfix/postscreen[6364]: DISCONNECT [209.85.213.177]:34931</pre>
 
  
To '''whitelist''' a domain just use a negative number, for example to block gmail.com but allow example.net:
+
[https://www.agari.com/scaling-postfix-on-aws-with-elastic-load-balancing/ '''More information here''']
zimbra@zimbra86:~$ zmprov mcf zimbraMtaPostscreenDnsblSites "gmail.com*2, example.net*-1"
 
Restart the MTA services
 
<pre>zimbra@zimbra86:~$ zmmtactl restart
 
Rewriting configuration files...done.
 
Stopping saslauthd...done.
 
Starting saslauthd...done.
 
/postfix-script: refreshing the Postfix mail system</pre>
 
  
 
==Additonal Content==
 
==Additonal Content==
* See the [http://www.postfix.org/postscreen.8.html '''Official Postfix Postscreen page''']  
+
* See the [http://www.postfix.org/postscreen.8.html '''Official Postfix Postscreen page''']
 +
* Rob0's Postscreen Configuration [http://rob0.nodns4.us/postscreen.html A non-official but real-world example ]
  
 
==Identified Support Issues==
 
==Identified Support Issues==
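Review bot: The new sentence "This configuration is '''medium/high level''', enforcing a few attributes instead of ignore" does not match the commands that follow it: BareNewlineAction and BlacklistAction are set to ignore, and the BareNewline, NonSmtpCommand and Pipelining tests are all set to Enable no, so PipeliningAction enforce and NonSmtpCommandAction drop apply to tests that are switched off. Either describe the example as what it is or enable the tests it claims to enforce. The example also sets zimbraMtaPostscreenDnsblTimeout, which has no row in the attribute table, and the new cloud section ends mid-sentence at "you will need to configure the".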
Line 322: Line 333:
 
{{Article Footer|Zimbra Collaboration Suite 8.7|01/03/2016}}
 
{{Article Footer|Zimbra Collaboration Suite 8.7|01/03/2016}}
 
{{NeedSME|SME1|SME2|Copyeditor}}
 
{{NeedSME|SME1|SME2|Copyeditor}}
 +
[[Category:ZCS 8.7]]
 +
[[Category: Postscreen]]
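Review bot: The footer context still carries {{NeedSME|SME1|SME2|Copyeditor}} and "Zimbra Collaboration Suite 8.7|01/03/2016", and this hunk adds only [[Category:ZCS 8.7]], while the KB template at the top of the page now also lists {{ZCS 8.8}}. If the article is verified against 8.8, add the matching category and update the footer; also use the same spacing in "[[Category: Postscreen]]" as in "[[Category:ZCS 8.7]]".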

Latest revision as of 02:43, 11 July 2019

Zimbra Collaboration Postscreen

   KB 22511        Last updated on 2019-07-11  





In Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen as an additional anti-spam strategy. Zimbra Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.

Zimbra Collaboration Postscreen should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, postscreen handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587 which requires client authentication. Alternatively, a site could set up a dedicated, non-postscreen, "port 25" server that provides submission service and client authentication, but no MX service.

Zimbra Collaboration Postscreen maintains a temporary whitelist for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, postscreen hands off the connection immediately to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.

In a typical production setting, postscreen is configured to reject mail from clients that fail one or more tests. Zimbra Collaboration Postscreen logs rejected mail with the client address, helo, sender and recipient information.

Zimbra Collaboration Postscreen is not an SMTP proxy; this is intentional. The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.

How it works

Scenario without Postscreen

A typical scenario without Postscreen, and without other anti-spam security, suffers from a common problem: bots and zombies talk to all the smtpd listeners that Zimbra offers.

In this scenario the good connections (labelled "other" in the diagram) must wait until the bot or zombie finishes its communication, which can sometimes cause a timeout error in Postfix for the good connections:

Mar 01 19:29:54 zimbrauk postfix/smtpd[24266]: timeout after RCPT from mail.example.com[60.60.60.70]

Postscreen-001.png

Scenario with Postscreen

In a typical scenario with Postscreen, bots and zombies talk to Postscreen, which does all the basic checks and can deny the connection if the message is clearly from a bot or zombie. If the connection is not in the temporary whitelist, Postscreen will pass the email to the local anti-spam and anti-virus engines, which can accept or deny it as usual. The mail flow in Postscreen is shown in the section below.

In this scenario the good connections (labelled "other" in the diagram) pass the Postscreen checks and talk directly to the smtp daemon, which scans the email as usual with the AS/AV. All the bots and zombies are rejected by default.

Postscreen-002.png

Postscreen workflow

The workflow for Zimbra Collaboration Postscreen:

Postscreen-003.png

Zimbra attributes for Postscreen

Here you can find all the new attributes for Postscreen, each with a link to the original Postfix description of the parameter.

Please note the difference between ignore, enforce and drop for certain attributes:

  • ignore (default) - Ignore this result. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
  • enforce - Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
  • drop - Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
| Name | Description | Type | Optional in | Default value | Options |
|---|---|---|---|---|---|
| zimbraMtaPostscreenAccessList | Value for postconf postscreen_access_list. Single valued, comma-separated list. | string | server,globalConfig | permit_mynetworks | |
| zimbraMtaPostscreenBareNewlineAction | Value for postconf postscreen_bare_newline_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenBareNewlineEnable | Value for postconf postscreen_bare_newline_enable. | enum | server,globalConfig | no | yes,no |
| zimbraMtaPostscreenBareNewlineTTL | Value for postconf postscreen_bare_newline_ttl. | string | server,globalConfig | 30d | |
| zimbraMtaPostscreenBlacklistAction | Value for postconf postscreen_blacklist_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenCacheCleanupInterval | Value for postconf postscreen_cache_cleanup_interval. | string | server,globalConfig | 12h | |
| zimbraMtaPostscreenCacheRetentionTime | Value for postconf postscreen_cache_retention_time. | string | server,globalConfig | 7d | |
| zimbraMtaPostscreenCommandCountLimit | Value for postconf postscreen_command_count_limit. | integer | server,globalConfig | 20 | |
| zimbraMtaPostscreenDnsblAction | Value for postconf postscreen_dnsbl_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenDnsblSites | Value for postconf postscreen_dnsbl_sites. Multi valued, one DNSBL,value pair per attribute value. | string | server,globalConfig | | |
| zimbraMtaPostscreenDnsblThreshold | Value for postconf postscreen_dnsbl_threshold. | integer | server,globalConfig | 1 | |
| zimbraMtaPostscreenDnsblTTL | Value for postconf postscreen_dnsbl_ttl. | string | server,globalConfig | 1h | |
| zimbraMtaPostscreenDnsblWhitelistThreshold | Value for postconf postscreen_dnsbl_whitelist_threshold. | integer | server,globalConfig | 0 | |
| zimbraMtaPostscreenGreetAction | Value for postconf postscreen_greet_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenGreetTTL | Value for postconf postscreen_greet_ttl. | string | server,globalConfig | 1d | |
| zimbraMtaPostscreenNonSmtpCommandAction | Value for postconf postscreen_non_smtp_command_action. | enum | server,globalConfig | drop | ignore,enforce,drop |
| zimbraMtaPostscreenNonSmtpCommandEnable | Value for postconf postscreen_non_smtp_command_enable. | enum | server,globalConfig | no | yes,no |
| zimbraMtaPostscreenNonSmtpCommandTTL | Value for postconf postscreen_non_smtp_command_ttl. | string | server,globalConfig | 30d | |
| zimbraMtaPostscreenPipeliningAction | Value for postconf postscreen_pipelining_action. | enum | server,globalConfig | enforce | ignore,enforce,drop |
| zimbraMtaPostscreenPipeliningEnable | Value for postconf postscreen_pipelining_enable. | enum | server,globalConfig | no | yes,no |
| zimbraMtaPostscreenPipeliningTTL | Value for postconf postscreen_pipelining_ttl. | string | server,globalConfig | 30d | |
| zimbraMtaPostscreenWatchdogTimeout | Value for postconf postscreen_watchdog_timeout. | string | server,globalConfig | 10s | |
| zimbraMtaPostscreenWhitelistInterfaces | Value for postconf postscreen_whitelist_interfaces. Single valued, comma-separated list. | string | server,globalConfig | static:all | |
| zimbraMtaPostscreenDnsblMinTTL | Value for postconf postscreen_dnsbl_min_ttl. | tbd | server,globalConfig | tbd | 60s |
| zimbraMtaPostscreenDnsblMaxTTL | Value for postconf postscreen_dnsbl_max_ttl. | tbd | server,globalConfig | tbd | tbd |
| zimbraMtaPostscreenUpstreamProxyProtocol | Value for postconf postscreen_upstream_proxy_protocol. Single valued, comma-separated list. | enum | server,globalConfig | | |

How to enable it

Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 or above. See the previous table for the default value of each Postscreen attribute.

Quick Example configuring Postscreen

Each scenario can be different, so please tune the following values to your own environment. In this case all values are set at GlobalConfig level. This configuration is medium/high level, enforcing a few attributes instead of ignore; change them to drop for a higher level of security.

zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 1d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable no
zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
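How the weighted zimbraMtaPostscreenDnsblSites entries and zimbraMtaPostscreenDnsblThreshold 8 combine into a per-client score, as an added example (not Zimbra's or Postfix's code). The function names and the sample DNSBL replies are constructed here, and the code assumes each entry contributes its weight at most once per client.

```python
import re

# Subset of the zimbraMtaPostscreenDnsblSites values from the command above.
DNSBL_SITES = [
    "b.barracudacentral.org=127.0.0.2*7",
    "zen.spamhaus.org=127.0.0.[10;11]*8",
    "zen.spamhaus.org=127.0.0.[4..7]*6",
    "zen.spamhaus.org=127.0.0.3*4",
    "zen.spamhaus.org=127.0.0.2*3",
    "list.dnswl.org=127.0.[0..255].0*-2",
    "list.dnswl.org=127.0.[0..255].1*-3",
    "bl.mailspike.net=127.0.0.2*5",
    "dnsbl.sorbs.net=127.0.0.10*8",
]
THRESHOLD = 8  # zimbraMtaPostscreenDnsblThreshold from the example above

ENTRY_RE = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$"
)
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")


def expand_octet(token):
    """Turn one filter field ('2', '[10;11]', '[4..7]') into the set of allowed values."""
    if not token.startswith("["):
        return {int(token)}
    allowed = set()
    for part in token[1:-1].split(";"):
        if ".." in part:
            low, high = part.split("..")
            allowed.update(range(int(low), int(high) + 1))
        else:
            allowed.add(int(part))
    return allowed


def parse_entry(entry):
    """Split 'domain=filter*weight' into (domain, per-octet allowed sets or None, weight)."""
    match = ENTRY_RE.match(entry)
    if match is None:
        raise ValueError(f"not a domain=filter*weight entry: {entry!r}")
    octets = None
    if match["filter"]:
        tokens = OCTET_RE.findall(match["filter"])
        if len(tokens) != 4:
            raise ValueError(f"filter must have four fields: {entry!r}")
        octets = [expand_octet(t) for t in tokens]
    weight = int(match["weight"]) if match["weight"] else 1
    return match["domain"], octets, weight


def reply_matches(reply, octets):
    """True when an A-record reply satisfies the filter (no filter: any reply matches)."""
    if octets is None:
        return True
    return all(int(field) in allowed for field, allowed in zip(reply.split("."), octets))


def score_client(replies, sites=DNSBL_SITES):
    """replies maps DNSBL domain -> list of A records returned for one client IP."""
    score, hits = 0, []
    for entry in sites:
        domain, octets, weight = parse_entry(entry)
        # Assumption: an entry contributes its weight once, however many replies match.
        if any(reply_matches(r, octets) for r in replies.get(domain, [])):
            score += weight
            hits.append(entry)
    return score, hits


def fails_dnsbl_test(score, threshold=THRESHOLD):
    """The threshold is an inclusive lower bound: score >= threshold fails the test."""
    return score >= threshold


# Constructed DNSBL replies for three hypothetical clients.
SAMPLES = {
    "listed on two blocklists": {"zen.spamhaus.org": ["127.0.0.2"],
                                 "bl.mailspike.net": ["127.0.0.2"]},
    "blocklisted but also on dnswl": {"zen.spamhaus.org": ["127.0.0.4"],
                                      "list.dnswl.org": ["127.0.5.1"]},
    "single low-weight listing": {"zen.spamhaus.org": ["127.0.0.3"]},
}

if __name__ == "__main__":
    for label, replies in SAMPLES.items():
        score, hits = score_client(replies)
        print(f"{label}: score={score} fail={fails_dnsbl_test(score)} via {hits}")
```

Two moderate listings (3 + 5) reach the threshold of 8, while a heavier listing (6) offset by a whitelist entry (-3) stays below it.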

Testing the Zimbra Collaboration Postscreen

Customers might want to set up the DNSBLs first, for example, but leave it on ignore. Postscreen will log what it would have done, but not do anything. Once you are satisfied it looks correct, then you can set values to enforce or drop in certain cases.

A real-world log example where you can see the error 550 from postscreen:

Mar  1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438 
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25 
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010 
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com>
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438 
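A way to review the postscreen log during the ignore phase described above: group events per client and list the clients whose logged DNSBL rank would meet a threshold you are considering. This is an added example, not Zimbra's code; the function names are made up here and the sample lines are copied from the log excerpts on this page.

```python
import re
from collections import defaultdict

# Log lines copied from the examples on this page.
SAMPLE_LOG = """\
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com>
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438
Jun 29 05:16:22 edge04e postfix/postscreen[7546]: BLACKLISTED [70.70.70.100]:55699
"""

POSTSCREEN = re.compile(r"postfix/postscreen\[\d+\]: (?P<msg>.*)$")
RANK = re.compile(r"^DNSBL rank (?P<rank>-?\d+) for \[(?P<ip>[^\]]+)\]")
STATE = re.compile(r"^(?P<state>WHITELISTED|BLACKLISTED|PASS NEW|PASS OLD) \[(?P<ip>[^\]]+)\]")
REJECT = re.compile(r"^NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: (?P<code>\d{3}) ")
BLOCKED_USING = re.compile(r"blocked using (?P<dnsbl>[^;\s]+);")


def summarize(lines):
    """Collect per-client rank, state changes and reject details from postscreen lines."""
    clients = defaultdict(
        lambda: {"rank": None, "states": [], "reject": None, "dnsbl": None}
    )
    for line in lines:
        found = POSTSCREEN.search(line.rstrip())
        if not found:
            continue  # not a postscreen line (smtpd, tlsproxy, zmconfigd, ...)
        msg = found["msg"]
        m = RANK.match(msg)
        if m:
            clients[m["ip"]]["rank"] = int(m["rank"])
            continue
        m = STATE.match(msg)
        if m:
            clients[m["ip"]]["states"].append(m["state"])
            continue
        m = REJECT.match(msg)
        if m:
            entry = clients[m["ip"]]
            entry["reject"] = int(m["code"])
            via = BLOCKED_USING.search(msg)
            entry["dnsbl"] = via["dnsbl"] if via else None
    return dict(clients)


def would_fail(summary, threshold):
    """Clients whose logged DNSBL rank meets the threshold under review."""
    return sorted(
        ip for ip, c in summary.items()
        if c["rank"] is not None and c["rank"] >= threshold
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, info in report.items():
        print(ip, info)
    print("rank >= 8:", would_fail(report, 8))
```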

IP Whitelist and Blacklist using Postscreen

You can now use Postfix to whitelist or blacklist IPs more easily by following these steps:

  • Create /opt/zimbra/common/conf/postscreen_wblist
  • Add entries to it. I've only used it as a blacklist. The IP range should be in CIDR format:
# Rules are evaluated in the order as specified.
# Blacklist 60.70.80.* except  60.70.80.91.
60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject
  • Set postscreen to use it:
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
  • Wait for zmconfigd to pick up the change (60 seconds at most)
  • After the 60 seconds, or a manual restart of the MTA services, you will see something like this in the log:
Jun 29 05:16:22 edge04e postfix/postscreen[7546]: BLACKLISTED [70.70.70.100]:55699
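Because the rules in postscreen_wblist are evaluated in order, an exception only works when it comes before the broader range it carves out. The following added example (not part of the original article; function names are made up here) evaluates the page's rules first-match and flags entries that an earlier rule makes unreachable. REORDERED is a constructed variant with the two 60.70.80.x rules swapped.

```python
import ipaddress

# Table contents from the step above.
WBLIST = """\
# Rules are evaluated in the order as specified.
# Blacklist 60.70.80.* except 60.70.80.91.
60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject
"""

# Constructed variant: the broad reject now precedes the exception.
REORDERED = """\
60.70.80.0/24 reject
60.70.80.91/32 permit
"""


def parse_rules(text):
    """Return [(line number, network, action)] for every non-comment line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # strict=True raises on host bits set, e.g. a typo like 60.70.80.91/24.
        network = ipaddress.ip_network(pattern, strict=True)
        rules.append((lineno, network, action.strip()))
    return rules


def lookup(rules, client):
    """First matching rule wins; None means this table makes no decision."""
    address = ipaddress.ip_address(client)
    for _lineno, network, action in rules:
        if address in network:
            return action
    return None


def shadowed(rules):
    """Rules that can never fire because an earlier rule covers their whole network."""
    unreachable = []
    for index, (lineno, network, _action) in enumerate(rules):
        for prev_lineno, prev_network, _prev_action in rules[:index]:
            same_family = network.version == prev_network.version
            if same_family and network.subnet_of(prev_network):
                unreachable.append((lineno, str(network), prev_lineno, str(prev_network)))
                break
    return unreachable


if __name__ == "__main__":
    rules = parse_rules(WBLIST)
    for ip in ("60.70.80.91", "60.70.80.5", "70.70.70.100", "192.0.2.10"):
        print(ip, "->", lookup(rules, ip))
    print("shadowed in page order:", shadowed(rules))
    print("shadowed when reordered:", shadowed(parse_rules(REORDERED)))
```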

Quick note for MTA on Cloud Environments

If you use Amazon's Elastic Load Balancer to handle SMTP traffic, including simple load-based autoscaling and load distribution that is aware of distribution across availability zones, you will need to configure the following:

zmprov mcf zimbraMtaPostscreenUpstreamProxyProtocol haproxy

Then verify that the change is in progress:

tail -f /var/log/zimbra.log
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: Fetching All configs
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: All configs fetched in 0.08 seconds
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Watchdog: service antivirus status is OK.
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Var zimbraMtaPostscreenUpstreamProxyProtocol changed from 'None' -> 'haproxy'
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_originating.re with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/postfix_header_checks with mode 440 (0.00 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_foreign.re with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/master.cf with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/mta_milter_options with mode 440 (0.00 sec)
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: All rewrite threads completed in 2.93 sec
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: controlProcess mta restart (-1)
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: CONTROL mta: bin/zmmtactl reload norewrite
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: mta reload initiated from zmconfigd
Jun 24 17:24:36 zre-ldap004 saslauthd[20153]: server_exit     : master exited: 20153
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: detach_tty      : master pid is: 2925
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: ipc_init        : listening on socket: /opt/zimbra/data/sasl2/state/mux
Jun 24 17:24:38 zre-ldap004 /postfix-script[2959]: refreshing the Postfix mail system
Jun 24 17:24:38 zre-ldap004 postfix/master[20304]: reload -- version 3.1.1, configuration /opt/zimbra/common/conf
Jun 24 17:24:38 zre-ldap004 zmconfigd[17944]: All restarts completed in 1.82 sec

And verify by running this command:

postconf postscreen_upstream_proxy_protocol
postscreen_upstream_proxy_protocol = haproxy

More information here

Additional Content

Identified Support Issues

  • No Support issues reported yet.
Verified Against: Zimbra Collaboration Suite 8.7 Date Created: 01/03/2016
Article ID: https://wiki.zimbra.com/index.php?title=Zimbra_Collaboration_Postscreen Date Modified: 2019-07-11





Wiki/KB reviewed by SME1 SME2 Copyeditor Last edit by Heera Singh Koranga