Zimbra Collaboration Postscreen: Difference between revisions
(16 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
{{BC| | {{BC|Certified}} | ||
__FORCETOC__ | __FORCETOC__ | ||
<div class="col-md-12 ibox-content"> | <div class="col-md-12 ibox-content"> | ||
=Zimbra Collaboration Postscreen= | =Zimbra Collaboration Postscreen= | ||
{{KB|{{ | {{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}||}} | ||
Starting with Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen like an additional Anti-SPAM strategy. Zimbra Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections, and decides which clients may talk to a Post-fix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions. | Starting with Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen like an additional Anti-SPAM strategy. Zimbra Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections, and decides which clients may talk to a Post-fix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions. | ||
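Review bot: while this line is being edited, the sentence on both sides still says Postscreen is introduced "like an additional Anti-SPAM strategy" and spells the MTA "Post-fix"; suggest "as an additional anti-spam strategy" and "Postfix" on the new side, since the rest of the hunk only touches the templates above it.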
Line 211: | Line 211: | ||
| style="text-align: center;" | server,globalConfig | | style="text-align: center;" | server,globalConfig | ||
| style="text-align: center;" | static:all | | style="text-align: center;" | static:all | ||
| style="text-align: center;" | | |||
|- | |||
| zimbraMtaPostscreenDnsblMinTTL | |||
| Value for postconf [http://www.postfix.org/postconf.5.html#postscreen_dnsbl_min_ttl '''postscreen_dnsbl_min_ttl''']. | |||
| style="text-align: center;" | tbd | |||
| style="text-align: center;" | server,globalConfig | |||
| style="text-align: center;" | tbd | |||
| style="text-align: center;" | 60s | |||
|- | |||
| zimbraMtaPostscreenDnsblMaxTTL | |||
| Value for postconf [http://www.postfix.org/postconf.5.html#postscreen_dnsbl_max_ttl '''postscreen_dnsbl_max_ttl''']. | |||
| style="text-align: center;" | tbd | |||
| style="text-align: center;" | server,globalConfig | |||
| style="text-align: center;" | tbd | |||
| style="text-align: center;" | tbd | |||
|- | |||
| zimbraMtaPostscreenUpstreamProxyProtocol | |||
| Value for postconf [http://www.postfix.org/postconf.5.html#postscreen_upstream_proxy_protocol '''postscreen_upstream_proxy_protocol''']. Single valued, commas,separated list. | |||
| style="text-align: center;" | enum | |||
| style="text-align: center;" | server,globalConfig | |||
| style="text-align: center;" | | |||
| style="text-align: center;" | | | style="text-align: center;" | | ||
|} | |} | ||
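Review bot: the two new rows zimbraMtaPostscreenDnsblMinTTL and zimbraMtaPostscreenDnsblMaxTTL leave Type and Default value as "tbd", and for MinTTL the "60s" sits in the Options column rather than the Default column; fill in the type and move 60s to Default before this lands. The new zimbraMtaPostscreenUpstreamProxyProtocol row is typed enum but its Options cell is empty and its description reads "Single valued, commas,separated list"; list the permitted values (the cloud example later in this revision uses haproxy) and fix the description.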
Line 217: | Line 238: | ||
Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 or above, take a look to the previous Table where find all the defaults values per each Postscreen attribute. | Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 or above, take a look to the previous Table where find all the defaults values per each Postscreen attribute. | ||
===Quick Example configuring Postscreen | ===Quick Example configuring Postscreen=== | ||
Each scenario can be different, so please tune the next values according to your own Environment, in this case all values are set at GlobalConfig level: | Each scenario can be different, so please tune the next values according to your own Environment, in this case all values are set at GlobalConfig level: | ||
This configuration is '''medium level''', enforcing a few attributes instead of | This configuration is '''medium/high level''', enforcing a few attributes instead of ignore, change them to drop for higher level of security | ||
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks | zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks | ||
zmprov mcf zimbraMtaPostscreenBareNewlineAction | zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore | ||
zmprov mcf zimbraMtaPostscreenBareNewlineEnable | zmprov mcf zimbraMtaPostscreenBareNewlineEnable no | ||
zmprov mcf zimbraMtaPostscreenBareNewlineTTL | zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d | ||
zmprov mcf zimbraMtaPostscreenBlacklistAction | zmprov mcf zimbraMtaPostscreenBlacklistAction ignore | ||
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h | zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h | ||
zmprov mcf zimbraMtaPostscreenCacheRetentionTime | zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d | ||
zmprov mcf zimbraMtaPostscreenCommandCountLimit | zmprov mcf zimbraMtaPostscreenCommandCountLimit 20 | ||
zmprov mcf zimbraMtaPostscreenDnsblAction enforce | zmprov mcf zimbraMtaPostscreenDnsblAction enforce | ||
zmprov mcf zimbraMtaPostscreenDnsblSites | zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2' | ||
zmprov mcf zimbraMtaPostscreenDnsblThreshold | zmprov mcf zimbraMtaPostscreenDnsblTTL 5m | ||
zmprov mcf | zmprov mcf zimbraMtaPostscreenDnsblThreshold 8 | ||
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s | |||
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0 | |||
zmprov mcf zimbraMtaPostscreenGreetAction enforce | zmprov mcf zimbraMtaPostscreenGreetAction enforce | ||
zmprov mcf zimbraMtaPostscreenGreetTTL | zmprov mcf zimbraMtaPostscreenGreetTTL 1d | ||
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction | zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop | ||
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable | zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no | ||
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL | zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d | ||
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce | zmprov mcf zimbraMtaPostscreenPipeliningAction enforce | ||
zmprov mcf zimbraMtaPostscreenPipeliningEnable | zmprov mcf zimbraMtaPostscreenPipeliningEnable no | ||
zmprov mcf zimbraMtaPostscreenPipeliningTTL | zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d | ||
zmprov mcf zimbraMtaPostscreenWatchdogTimeout | zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s | ||
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces " | zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all | ||
==Testing the Zimbra Collaboration Postscreen== | |||
Customers might want to set up the DNSBLs first, for example, but leave it on ignore. Postscreen will log what it would have done, but not do anything. Once you are satisfied it looks correct, then you can set values to enforce or drop in certain cases. | |||
A real-world log example where you can see the error '''550''' from postscreen: | |||
<pre>Mar 1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438 | |||
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25 | |||
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010 | |||
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com> | |||
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438 </pre> | |||
===IP Whitelist and Blacklist using Postscreen=== | |||
You can use now Postfix to whitelist or Blacklist IPs in an easier way by following the next steps: | |||
* Create '''/opt/zimbra/common/conf/postscreen_wblist''' | |||
* Add entries to it. I've only used it as a blacklist. The IP range should be on [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation CIDR] format: | |||
# Rules are evaluated in the order as specified. | |||
# Blacklist 60.70.80.* except 60.70.80.91. | |||
60.70.80.91/32 permit | |||
60.70.80.0/24 reject | |||
70.70.70.0/24 reject | |||
* Set postscreen to use it: | |||
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist" | |||
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce | |||
* Wait for zmconfigd to pick up the change (60 seconds top) | |||
* After the 60 seconds, or a manual restart of the MTA services, you will see something like this on the Log: | |||
Jun 29 05:16:22 edge04e postfix/postscreen[7546]: BLACKLISTED [70.70.70.100]:55699 | |||
==Quick note on for MTA on Cloud Environments== | |||
If you are using Amazon’s Elastic Load Balancer for handling SMTP traffic include simple load-based autoscaling, load distribution that’s aware of distribution across availability zones, you will need to configure the | |||
zmprov mcf zimbraMtaPostscreenUpstreamProxyProtocol haproxy | |||
And then, verify the change it's in progress: | |||
<pre>tail -f /var/log/zimbra.log | |||
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: Fetching All configs | |||
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: All configs fetched in 0.08 seconds | |||
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Watchdog: service antivirus status is OK. | |||
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Var zimbraMtaPostscreenUpstreamProxyProtocol changed from 'None' -> 'haproxy' | |||
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_originating.re with mode 440 (0.01 sec) | |||
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/postfix_header_checks with mode 440 (0.00 sec) | |||
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_foreign.re with mode 440 (0.01 sec) | |||
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/master.cf with mode 440 (0.01 sec) | |||
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/mta_milter_options with mode 440 (0.00 sec) | |||
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: All rewrite threads completed in 2.93 sec | |||
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: controlProcess mta restart (-1) | |||
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: CONTROL mta: bin/zmmtactl reload norewrite | |||
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: mta reload initiated from zmconfigd | |||
Jun 24 17:24:36 zre-ldap004 saslauthd[20153]: server_exit : master exited: 20153 | |||
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: detach_tty : master pid is: 2925 | |||
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: ipc_init : listening on socket: /opt/zimbra/data/sasl2/state/mux | |||
Jun 24 17:24:38 zre-ldap004 /postfix-script[2959]: refreshing the Postfix mail system | |||
Jun 24 17:24:38 zre-ldap004 postfix/master[20304]: reload -- version 3.1.1, configuration /opt/zimbra/common/conf | |||
Jun 24 17:24:38 zre-ldap004 zmconfigd[17944]: All restarts completed in 1.82 sec</pre> | |||
And verify by running this command: | |||
postconf postscreen_upstream_proxy_protocol | |||
postscreen_upstream_proxy_protocol = haproxy | |||
[https://www.agari.com/scaling-postfix-on-aws-with-elastic-load-balancing/ '''More information here'''] | |||
==Additonal Content== | ==Additonal Content== | ||
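Review bot: the new zmprov block sets zimbraMtaPostscreenDnsblWhitelistThreshold 0 right after adding negative-weight list.dnswl.org and wl.mailspike.net entries to zimbraMtaPostscreenDnsblSites; the text should say what the 0 means for those entries, since as written a reader may expect them to whitelist clients. Smaller points in the same hunk: the new "Quick note" section ends its sentence at "you will need to configure the" before the zmprov command, "(60 seconds top)" should read "at most", and the unchanged heading "Additonal Content" is misspelled.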
Line 290: | Line 333: | ||
{{Article Footer|Zimbra Collaboration Suite 8.7|01/03/2016}} | {{Article Footer|Zimbra Collaboration Suite 8.7|01/03/2016}} | ||
{{NeedSME|SME1|SME2|Copyeditor}} | {{NeedSME|SME1|SME2|Copyeditor}} | ||
[[Category:ZCS 8.7]] | |||
[[Category: Postscreen]] |
Revision as of 02:43, 11 July 2019
Zimbra Collaboration Postscreen
Starting with Zimbra Collaboration 8.7, Zimbra introduces Postscreen as an additional anti-spam strategy. Zimbra Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients and delays the onset of server overload conditions.
Zimbra Collaboration Postscreen should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, postscreen handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587 which requires client authentication. Alternatively, a site could set up a dedicated, non-postscreen, "port 25" server that provides submission service and client authentication, but no MX service.
Zimbra Collaboration Postscreen maintains a temporary whitelist for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, postscreen hands off the connection immediately to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.
In a typical production setting, postscreen is configured to reject mail from clients that fail one or more tests. Zimbra Collaboration Postscreen logs rejected mail with the client address, helo, sender and recipient information.
Zimbra Collaboration Postscreen is not an SMTP proxy; this is intentional. The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.
How it works
Scenario without Postscreen
A typical scenario without Postscreen, and without other anti-spam protection, suffers from a common problem: bots and zombies talk to every smtpd listener that Zimbra offers.
In this scenario the good connections (labelled "other" in the diagram) must wait until the bot or zombie finishes its session, which can produce a timeout error in Postfix for the good connections:
Mar 01 19:29:54 zimbrauk postfix/smtpd[24266]: timeout after RCPT from mail.example.com[60.60.60.70]
Scenario with Postscreen
In a typical scenario with Postscreen, bots and zombies talk to Postscreen, which performs all the basic checks and can deny the connection when the client is clearly a bot or zombie. If the connection is not in the temporary whitelist, Postscreen passes the email to the local anti-spam and anti-virus engines, which accept or deny it as usual. The mail flow through Postscreen is shown in the section below.
In this scenario the good connections (labelled "other" in the diagram) pass the Postscreen checks and talk directly to the smtp daemon, which scans the email as usual with the AS/AV engines. All bots and zombies are rejected by default.
Postscreen workflow
See the attached workflow diagram for Zimbra Collaboration Postscreen.
Zimbra attributes for Postscreen
Here you can find all the new attributes for Postscreen, and the link to the original Postfix description help per attribute.
Please note the difference between the ignore, enforce and drop for certain attributes:
- ignore (default) - Ignore this result. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce - Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop - Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
Name | Description | Type | Optional in | Default value | Options |
---|---|---|---|---|---|
zimbraMtaPostscreenAccessList | Value for postconf postscreen_access_list. Single valued, comma-separated list. | string | server,globalConfig | permit_mynetworks | |
zimbraMtaPostscreenBareNewlineAction | Value for postconf postscreen_bare_newline_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenBareNewlineEnable | Value for postconf postscreen_bare_newline_enable. | enum | server,globalConfig | no | yes,no |
zimbraMtaPostscreenBareNewlineTTL | Value for postconf postscreen_bare_newline_ttl. | string | server,globalConfig | 30d | |
zimbraMtaPostscreenBlacklistAction | Value for postconf postscreen_blacklist_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenCacheCleanupInterval | Value for postconf postscreen_cache_cleanup_interval. | string | server,globalConfig | 12h | |
zimbraMtaPostscreenCacheRetentionTime | Value for postconf postscreen_cache_retention_time. | string | server,globalConfig | 7d | |
zimbraMtaPostscreenCommandCountLimit | Value for postconf postscreen_command_count_limit. | integer | server,globalConfig | 20 | |
zimbraMtaPostscreenDnsblAction | Value for postconf postscreen_dnsbl_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenDnsblSites | Value for postconf postscreen_dnsbl_sites. Multi-valued, one DNSBL site/value pair per attribute value. | string | server,globalConfig | | |
zimbraMtaPostscreenDnsblThreshold | Value for postconf postscreen_dnsbl_threshold. | integer | server,globalConfig | 1 | |
zimbraMtaPostscreenDnsblTTL | Value for postconf postscreen_dnsbl_ttl. | string | server,globalConfig | 1h | |
zimbraMtaPostscreenDnsblWhitelistThreshold | Value for postconf postscreen_dnsbl_whitelist_threshold. | integer | server,globalConfig | 0 | |
zimbraMtaPostscreenGreetAction | Value for postconf postscreen_greet_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenGreetTTL | Value for postconf postscreen_greet_ttl. | string | server,globalConfig | 1d | |
zimbraMtaPostscreenNonSmtpCommandAction | Value for postconf postscreen_non_smtp_command_action. | enum | server,globalConfig | drop | ignore,enforce,drop |
zimbraMtaPostscreenNonSmtpCommandEnable | Value for postconf postscreen_non_smtp_command_enable. | enum | server,globalConfig | no | yes,no |
zimbraMtaPostscreenNonSmtpCommandTTL | Value for postconf postscreen_non_smtp_command_ttl. | string | server,globalConfig | 30d | |
zimbraMtaPostscreenPipeliningAction | Value for postconf postscreen_pipelining_action. | enum | server,globalConfig | enforce | ignore,enforce,drop |
zimbraMtaPostscreenPipeliningEnable | Value for postconf postscreen_pipelining_enable. | enum | server,globalConfig | no | yes,no |
zimbraMtaPostscreenPipeliningTTL | Value for postconf postscreen_pipelining_ttl. | string | server,globalConfig | 30d | |
zimbraMtaPostscreenWatchdogTimeout | Value for postconf postscreen_watchdog_timeout. | string | server,globalConfig | 10s | |
zimbraMtaPostscreenWhitelistInterfaces | Value for postconf postscreen_whitelist_interfaces. Single valued, comma-separated list. | string | server,globalConfig | static:all | |
zimbraMtaPostscreenDnsblMinTTL | Value for postconf postscreen_dnsbl_min_ttl. | tbd | server,globalConfig | tbd | 60s |
zimbraMtaPostscreenDnsblMaxTTL | Value for postconf postscreen_dnsbl_max_ttl. | tbd | server,globalConfig | tbd | tbd |
zimbraMtaPostscreenUpstreamProxyProtocol | Value for postconf postscreen_upstream_proxy_protocol. Single valued, comma-separated list. | enum | server,globalConfig | | |
How to enable it
Zimbra Collaboration Postscreen is enabled by default in ZCS 8.7 and above; see the table above for the default value of each Postscreen attribute.
Quick Example configuring Postscreen
Each scenario is different, so tune the following values to your own environment; in this example all values are set at the global config level. This configuration is medium/high level: it sets a few attributes to enforce instead of ignore; change them to drop for a higher level of security.
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' \
    zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' \
    zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' \
    zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 1d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable no
zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
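To predict the DNSBL rank a client would get under the configuration above before moving zimbraMtaPostscreenDnsblAction from ignore to enforce, the following added example (not Zimbra or Postfix code) models postscreen's scoring: each zimbraMtaPostscreenDnsblSites entry is domain=pattern*weight, every matching reply adds its weight, and the sum is compared with zimbraMtaPostscreenDnsblThreshold 8. It also accepts pattern forms the page does not use (mixed [1..3;5] octets and a bare domain with no = pattern); the DNSBL replies are constructed, not real lookups.

```python
"""Model postscreen DNSBL scoring for the zmprov configuration above.
Added example, not Zimbra or Postfix code: postscreen does the real DNS
lookups; this only reproduces the weight arithmetic so an operator can
see why a client gets a given "DNSBL rank" in the log."""
import re

# The zimbraMtaPostscreenDnsblSites values exactly as set above.
DNSBL_SITES = [
    "b.barracudacentral.org=127.0.0.2*7",
    "dnsbl.inps.de=127.0.0.2*7",
    "zen.spamhaus.org=127.0.0.[10;11]*8",
    "zen.spamhaus.org=127.0.0.[4..7]*6",
    "zen.spamhaus.org=127.0.0.3*4",
    "zen.spamhaus.org=127.0.0.2*3",
    "list.dnswl.org=127.0.[0..255].0*-2",
    "list.dnswl.org=127.0.[0..255].1*-3",
    "list.dnswl.org=127.0.[0..255].2*-4",
    "list.dnswl.org=127.0.[0..255].3*-5",
    "bl.mailspike.net=127.0.0.2*5",
    "bl.mailspike.net=127.0.0.[10;11;12]*4",
    "wl.mailspike.net=127.0.0.[18;19;20]*-2",
    "dnsbl.sorbs.net=127.0.0.10*8",
    "dnsbl.sorbs.net=127.0.0.5*6",
    "dnsbl.sorbs.net=127.0.0.7*3",
    "dnsbl.sorbs.net=127.0.0.8*2",
    "dnsbl.sorbs.net=127.0.0.6*2",
    "dnsbl.sorbs.net=127.0.0.9*2",
]
DNSBL_THRESHOLD = 8            # zimbraMtaPostscreenDnsblThreshold 8
DNSBL_WHITELIST_THRESHOLD = 0  # 0 leaves DNSBL whitelisting off; a negative value enables it
# What each zimbraMtaPostscreenDnsblAction value does once the threshold is reached.
POSTSCREEN_ACTIONS = {"ignore": "log only", "enforce": "550 after greeting", "drop": "521 immediately"}

def _octet_set(spec):
    """One octet pattern (d, [a..b], [a;b;c] or a mix such as [1..3;5]) -> allowed values."""
    allowed = set()
    for item in spec.strip("[]").split(";"):
        if ".." in item:
            lo, hi = item.split("..")
            allowed.update(range(int(lo), int(hi) + 1))
        else:
            allowed.add(int(item))
    return allowed

def parse_site(entry):
    """'domain[=pattern][*weight]' -> (domain, [octet sets] or None, weight); weight defaults to 1."""
    spec, _, weight = entry.partition("*")
    domain, _, pattern = spec.partition("=")
    octets = [_octet_set(o) for o in re.findall(r"\[[^\]]+\]|\d+", pattern)] if pattern else None
    return domain, octets, int(weight) if weight else 1

def reply_matches(octets, reply):
    """A bare domain (octets None) matches any A record; otherwise all four octets must match."""
    if octets is None:
        return True
    parts = [int(p) for p in reply.split(".")]
    return len(parts) == len(octets) == 4 and all(p in s for p, s in zip(parts, octets))

def dnsbl_rank(replies, sites=DNSBL_SITES):
    """replies: {dnsbl domain: [A records returned for the client]} -> summed weight."""
    rank = 0
    for entry in sites:
        domain, octets, weight = parse_site(entry)
        for reply in replies.get(domain, ()):
            if reply_matches(octets, reply):
                rank += weight
    return rank

def dnsbl_verdict(replies, action="enforce", sites=DNSBL_SITES):
    """(rank, outcome) for one client under the page's thresholds and the given action."""
    rank = dnsbl_rank(replies, sites)
    if DNSBL_WHITELIST_THRESHOLD < 0 and rank <= DNSBL_WHITELIST_THRESHOLD:
        return rank, "whitelisted"
    if rank >= DNSBL_THRESHOLD:
        return rank, POSTSCREEN_ACTIONS[action]
    return rank, "pass"

if __name__ == "__main__":
    # Constructed replies: listed in zen (two codes) and barracuda -> 3 + 6 + 7 = 16 >= 8.
    print(dnsbl_verdict({"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
                         "b.barracudacentral.org": ["127.0.0.2"]}))
```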
Testing the Zimbra Collaboration Postscreen
Customers might want to set up the DNSBLs first, for example, but leave it on ignore. Postscreen will log what it would have done, but not do anything. Once you are satisfied it looks correct, then you can set values to enforce or drop in certain cases.
A real-world log example where you can see the error 550 from postscreen:
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com>
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438
IP Whitelist and Blacklist using Postscreen
You can now use Postfix to whitelist or blacklist IPs in an easier way by following these steps:
- Create /opt/zimbra/common/conf/postscreen_wblist
- Add entries to it. I've only used it as a blacklist. The IP range should be on CIDR format:
# Rules are evaluated in the order as specified.
# Blacklist 60.70.80.* except 60.70.80.91.
60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject
- Set postscreen to use it:
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
- Wait for zmconfigd to pick up the change (60 seconds at most)
- After the 60 seconds, or after a manual restart of the MTA services, you will see something like this in the log:
Jun 29 05:16:22 edge04e postfix/postscreen[7546]: BLACKLISTED [70.70.70.100]:55699
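The file above is a Postfix CIDR table in which the first matching rule wins, which is why the /32 permit has to come before the /24 reject. The following added example (not Zimbra or Postfix code) evaluates such a table the same way and combines it with permit_mynetworks and the zimbraMtaPostscreenBlacklistAction setting; the client addresses and the mynetworks range are constructed.

```python
"""Evaluate a postscreen_access_list CIDR table as described above.
Added example, not Zimbra or Postfix code: rules are checked top to
bottom and the first match decides, so rule order matters."""
import ipaddress

# Constructed copy of the page's /opt/zimbra/common/conf/postscreen_wblist.
WBLIST = """\
# Rules are evaluated in the order as specified.
# Blacklist 60.70.80.* except 60.70.80.91.
60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject
"""

# What each zimbraMtaPostscreenBlacklistAction value does, per the page's action definitions.
BLACKLIST_ACTIONS = {
    "ignore": "log only, other tests continue",
    "enforce": "550 reply after the greeting, helo/sender/recipient logged",
    "drop": "521 reply, connection dropped immediately",
}

def parse_cidr_table(text):
    """Return [(network, action)] in file order; '#' lines and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or fields[1] not in ("permit", "reject"):
            raise ValueError(f"line {lineno}: expected '<cidr> permit|reject', got {line!r}")
        rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules

def build_access_list(mynetworks, table_text):
    """Emulate 'permit_mynetworks, cidr:<file>': trusted networks are consulted first."""
    trusted = [(ipaddress.ip_network(n, strict=False), "permit") for n in mynetworks]
    return trusted + parse_cidr_table(table_text)

def lookup(rules, client_ip):
    """First matching rule wins; None means no rule matched and the other tests decide."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def access_decision(rules, client_ip, blacklist_action="enforce"):
    """Map the rule hit to the postscreen outcome (same words as the WHITELISTED/BLACKLISTED log lines)."""
    action = lookup(rules, client_ip)
    if action == "permit":
        return "WHITELISTED"
    if action == "reject":
        return "BLACKLISTED: " + BLACKLIST_ACTIONS[blacklist_action]
    return "NOT LISTED: remaining postscreen tests apply"

if __name__ == "__main__":
    # 10.210.0.0/24 is a constructed mynetworks range, not taken from any real deployment.
    acl = build_access_list(["10.210.0.0/24"], WBLIST)
    for ip in ("10.210.0.161", "60.70.80.91", "60.70.80.5", "70.70.70.100", "203.0.113.9"):
        print(ip, "->", access_decision(acl, ip))
```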
Quick note for MTA on Cloud Environments
If you are using Amazon's Elastic Load Balancer to handle SMTP traffic (which gives you simple load-based autoscaling and load distribution that is aware of availability zones), you will need to configure the upstream proxy protocol attribute:
zmprov mcf zimbraMtaPostscreenUpstreamProxyProtocol haproxy
Then verify that the change is being applied:
tail -f /var/log/zimbra.log
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: Fetching All configs
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: All configs fetched in 0.08 seconds
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Watchdog: service antivirus status is OK.
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Var zimbraMtaPostscreenUpstreamProxyProtocol changed from 'None' -> 'haproxy'
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_originating.re with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/postfix_header_checks with mode 440 (0.00 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_foreign.re with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/master.cf with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/mta_milter_options with mode 440 (0.00 sec)
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: All rewrite threads completed in 2.93 sec
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: controlProcess mta restart (-1)
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: CONTROL mta: bin/zmmtactl reload norewrite
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: mta reload initiated from zmconfigd
Jun 24 17:24:36 zre-ldap004 saslauthd[20153]: server_exit : master exited: 20153
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: detach_tty : master pid is: 2925
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: ipc_init : listening on socket: /opt/zimbra/data/sasl2/state/mux
Jun 24 17:24:38 zre-ldap004 /postfix-script[2959]: refreshing the Postfix mail system
Jun 24 17:24:38 zre-ldap004 postfix/master[20304]: reload -- version 3.1.1, configuration /opt/zimbra/common/conf
Jun 24 17:24:38 zre-ldap004 zmconfigd[17944]: All restarts completed in 1.82 sec
And verify by running this command:
postconf postscreen_upstream_proxy_protocol
postscreen_upstream_proxy_protocol = haproxy
Additional Content
- See the Official Postfix Postscreen page
- Rob0's Postscreen Configuration: a non-official but real-world example
Identified Support Issues
- No Support issues reported yet.