Zimbra Collaboration Postscreen
Starting with Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen as an additional Anti-SPAM strategy. Zimbra Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients and delays the onset of server overload conditions.
Zimbra Collaboration Postscreen should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, postscreen handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587 which requires client authentication. Alternatively, a site could set up a dedicated, non-postscreen, "port 25" server that provides submission service and client authentication, but no MX service.
Zimbra Collaboration Postscreen maintains a temporary whitelist for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, postscreen hands off the connection immediately to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.
In a typical production setting, postscreen is configured to reject mail from clients that fail one or more tests. Zimbra Collaboration Postscreen logs rejected mail with the client address, helo, sender and recipient information.
Zimbra Collaboration Postscreen is not an SMTP proxy; this is intentional. The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.
How it works
Scenario without Postscreen
A typical scenario without Postscreen, and without other Anti-SPAM security, suffers from a common problem: bots and zombies talk to all the smtpd listeners that Zimbra offers.
In this scenario, the good connections (labelled "other" in this diagram) must wait until the bot or zombie finishes its communication, which can sometimes cause a timeout error in Postfix for the good connections:
Mar 01 19:29:54 zimbrauk postfix/smtpd[24266]: timeout after RCPT from mail.example.com[60.60.60.70]
Scenario with Postscreen
A typical scenario with Postscreen: bots and zombies talk to Postscreen, which does all the basic checks and can deny the connection if the message is clearly from a bot or zombie. If the connection is not in the temporary whitelist, Postscreen passes the email to the local Anti-SPAM and Anti-Virus engines, which can accept or deny it as usual. The mail flow in Postscreen is shown in the section below.
In this scenario, the good connections (labelled "other" in this diagram) pass the Postscreen security and talk directly to the smtp daemon, which scans the email as usual with the AS/AV. All bots and zombies are rejected by default.
Postscreen workflow
See the attached workflow for Zimbra Collaboration Postscreen.
Zimbra attributes for Postscreen
Here you can find all the new attributes for Postscreen, with a link to the original Postfix description for each attribute.
Name | Description | Type | Optional in | Default value | Options |
---|---|---|---|---|---|
zimbraMtaPostscreenAccessList | Value for postconf postscreen_access_list. Single valued, comma-separated list. | string | server,globalConfig | permit_mynetworks | |
zimbraMtaPostscreenBareNewlineAction | Value for postconf postscreen_bare_newline_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenBareNewlineEnable | Value for postconf postscreen_bare_newline_enable. | enum | server,globalConfig | no | yes,no |
zimbraMtaPostscreenBareNewlineTTL | Value for postconf postscreen_bare_newline_ttl. | string | server,globalConfig | 30d | |
zimbraMtaPostscreenBlacklistAction | Value for postconf postscreen_blacklist_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenCacheCleanupInterval | Value for postconf postscreen_cache_cleanup_interval. | string | server,globalConfig | 12h | |
zimbraMtaPostscreenCacheRetentionTime | Value for postconf postscreen_cache_retention_time. | string | server,globalConfig | 7d | |
zimbraMtaPostscreenCommandCountLimit | Value for postconf postscreen_command_count_limit. | integer | server,globalConfig | 20 | |
zimbraMtaPostscreenDnsblAction | Value for postconf postscreen_dnsbl_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenDnsblSites | Value for postconf postscreen_dnsbl_sites. Multi valued, one DNSBL,value pair per attribute value. | string | server,globalConfig | | |
zimbraMtaPostscreenDnsblThreshold | Value for postconf postscreen_dnsbl_threshold. | integer | server,globalConfig | 1 | |
zimbraMtaPostscreenDnsblTTL | Value for postconf postscreen_dnsbl_ttl. | string | server,globalConfig | 1h | |
zimbraMtaPostscreenDnsblWhitelistThreshold | Value for postconf postscreen_dnsbl_whitelist_threshold. | integer | server,globalConfig | 0 | |
zimbraMtaPostscreenGreetAction | Value for postconf postscreen_greet_action. | enum | server,globalConfig | ignore | ignore,enforce,drop |
zimbraMtaPostscreenGreetTTL | Value for postconf postscreen_greet_ttl. | string | server,globalConfig | 1d | |
zimbraMtaPostscreenNonSmtpCommandAction | Value for postconf postscreen_non_smtp_command_action. | enum | server,globalConfig | drop | ignore,enforce,drop |
zimbraMtaPostscreenNonSmtpCommandEnable | Value for postconf postscreen_non_smtp_command_enable. | enum | server,globalConfig | no | yes,no |
zimbraMtaPostscreenNonSmtpCommandTTL | Value for postconf postscreen_non_smtp_command_ttl. | string | server,globalConfig | 30d | |
zimbraMtaPostscreenPipeliningAction | Value for postconf postscreen_pipelining_action. | enum | server,globalConfig | enforce | ignore,enforce,drop |
zimbraMtaPostscreenPipeliningEnable | Value for postconf postscreen_pipelining_enable. | enum | server,globalConfig | no | yes,no |
zimbraMtaPostscreenPipeliningTTL | Value for postconf postscreen_pipelining_ttl. | string | server,globalConfig | 30d | |
zimbraMtaPostscreenWatchdogTimeout | Value for postconf postscreen_watchdog_timeout. | string | server,globalConfig | 10s | |
zimbraMtaPostscreenWhitelistInterfaces | Value for postconf postscreen_whitelist_interfaces. Single valued, comma-separated list. | string | server,globalConfig | static:all | |
How to enable it
Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 or above; see the table above for the default value of each Postscreen attribute.
Quick Example configuring Postscreen (medium security)
Each scenario can be different, so please tune the following values for your own environment. In this case all values are set at GlobalConfig level. This configuration is medium level, setting a few attributes to enforce instead of drop; change them to drop for a higher level of security.
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction enforce
zmprov mcf zimbraMtaPostscreenBareNewlineEnable yes
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 20d
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 10d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 15
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf zimbraMtaPostscreenDnsblSites "domaintoblock.com*5, domaintoblock.com*5"
zmprov mcf zimbraMtaPostscreenDnsblThreshold 5
zmprov mcf zimbraMtaPostscreenDnsblTTL 2h
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 5d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction enforce
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable yes
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 20d
zmprov mcf zimbraMtaPostscreenPipeliningAction ignore
zmprov mcf zimbraMtaPostscreenPipeliningEnable yes
zmprov mcf zimbraMtaPostscreenPipeliningTTL 20d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 30s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces "1.2.3.4 static:all"
Quick Example configuring Postscreen (high security)
Each scenario can be different, so please tune the following values for your own environment. In this case all values are set at GlobalConfig level. This configuration is high level: the actions that the medium example sets to enforce are set to drop here.
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction drop
zmprov mcf zimbraMtaPostscreenBareNewlineEnable yes
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 20d
zmprov mcf zimbraMtaPostscreenBlacklistAction drop
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 10d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 15
zmprov mcf zimbraMtaPostscreenDnsblAction drop
zmprov mcf zimbraMtaPostscreenDnsblSites "domaintoblock.com*2, domaintoblock.com*2"
zmprov mcf zimbraMtaPostscreenDnsblThreshold 2
zmprov mcf zimbraMtaPostscreenDnsblTTL 2h
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 5
zmprov mcf zimbraMtaPostscreenGreetAction drop
zmprov mcf zimbraMtaPostscreenGreetTTL 5d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable yes
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 20d
zmprov mcf zimbraMtaPostscreenPipeliningAction ignore
zmprov mcf zimbraMtaPostscreenPipeliningEnable yes
zmprov mcf zimbraMtaPostscreenPipeliningTTL 20d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 30s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces "1.2.3.4 static:all"
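One way to check which of these levels a server is actually at (an added example, not part of the original page or of Zimbra's tooling): the function below reads `attribute: value` lines, the format `zmprov gacf` prints, and reports the effective action of each Postscreen test. The function names and the sample input are constructed here; the sample holds the default values from the attribute table above, and server-level overrides are not considered.

```shell
#!/bin/sh
# Added example, not Zimbra code. On a live system: zmprov gacf | postscreen_audit
postscreen_audit() {
    awk '
        /^zimbraMtaPostscreen[A-Za-z]+: / {
            name = $1
            sub(/^zimbraMtaPostscreen/, "", name); sub(/:$/, "", name)
            attr[name] = $2
        }
        END {
            n = split("BareNewline Blacklist Dnsbl Greet NonSmtpCommand Pipelining", t, " ")
            for (i = 1; i <= n; i++) {
                act = t[i] "Action"; en = t[i] "Enable"
                state = (act in attr) ? attr[act] : "unset"
                # These three tests only run when their *Enable attribute is yes.
                if (t[i] ~ /^(BareNewline|NonSmtpCommand|Pipelining)$/ && attr[en] != "yes")
                    state = "off"
                # The DNSBL test has nothing to query until DnsblSites is set.
                if (t[i] == "Dnsbl" && !("DnsblSites" in attr))
                    state = "off"
                printf "%s=%s\n", t[i], state
            }
        }
    '
}

# Constructed sample: the default values listed in the attribute table.
defaults_from_table() {
cat <<'EOF'
zimbraMtaPostscreenAccessList: permit_mynetworks
zimbraMtaPostscreenBareNewlineAction: ignore
zimbraMtaPostscreenBareNewlineEnable: no
zimbraMtaPostscreenBlacklistAction: ignore
zimbraMtaPostscreenDnsblAction: ignore
zimbraMtaPostscreenGreetAction: ignore
zimbraMtaPostscreenNonSmtpCommandAction: drop
zimbraMtaPostscreenNonSmtpCommandEnable: no
zimbraMtaPostscreenPipeliningAction: enforce
zimbraMtaPostscreenPipeliningEnable: no
EOF
}

defaults_from_table | postscreen_audit
```

A test reported as `off` or `ignore` does not block anything, so with the table's defaults no Postscreen test rejects mail until the attributes are changed as in the examples above.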
Testing the Zimbra Collaboration Postscreen
Here is an example of mail coming from GMail to Zimbra with Postscreen set to medium (enforce); note the new postfix/postscreen checks:
Mar 1 17:22:57 zimbra86 postfix/postscreen[12538]: CONNECT from [209.85.213.181]:33183 to [46.101.92.202]:25
Mar 1 17:23:03 zimbra86 postfix/tlsproxy[12682]: CONNECT from [209.85.213.181]:33183
Mar 1 17:23:03 zimbra86 postfix/tlsproxy[12682]: Anonymous TLS connection established from [209.85.213.181]:33183: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 1 17:23:03 zimbra86 postfix/postscreen[12538]: NOQUEUE: reject: RCPT from [209.85.213.181]:33183: 450 4.3.2 Service currently unavailable; from=<testzimbra@gmail.com>, to=<admin@example.com>, proto=ESMTP, helo=<mail-ig0-f181.google.com>
Mar 1 17:23:03 zimbra86 postfix/tlsproxy[12682]: DISCONNECT [209.85.213.181]:33183
Mar 1 17:23:03 zimbra86 postfix/postscreen[12538]: HANGUP after 0.82 from [209.85.213.181]:33183 in tests after SMTP handshake
Mar 1 17:23:03 zimbra86 postfix/postscreen[12538]: PASS NEW [209.85.213.181]:33183
Mar 1 17:23:03 zimbra86 postfix/postscreen[12538]: DISCONNECT [209.85.213.181]:33183
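To read such a log per client rather than per line, the following added example (not from the original page) lists each client with whether postscreen logged a PASS for it and which SMTP reply code it was rejected with. The function names, host name, addresses and sample lines are constructed, following the log format shown above.

```shell
#!/bin/sh
# Added example, not Zimbra code. Reads syslog lines on stdin and prints
# "client pass=<NEW|OLD|-> reject=<SMTP code|->" for each postscreen client.
postscreen_summary() {
    awk '
        $5 ~ /^postfix\/postscreen\[/ && match($0, /\[[0-9A-Fa-f.:]+\]:[0-9]+/) {
            # First "[addr]:port" on a postscreen line is the remote client.
            ip = substr($0, RSTART + 1, RLENGTH)
            sub(/\].*/, "", ip)
            rest = substr($0, RSTART + RLENGTH)
            if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
            if ($6 == "PASS") pass[ip] = $7
            # The reply code is the first 3-digit token after the client address.
            if ($6 == "NOQUEUE:" && $7 == "reject:" && match(rest, /[245][0-9][0-9] /))
                code[ip] = substr(rest, RSTART, 3)
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                p = (ip in pass) ? pass[ip] : "-"
                c = (ip in code) ? code[ip] : "-"
                printf "%s pass=%s reject=%s\n", ip, p, c
            }
        }
    '
}

# Constructed sample lines (documentation addresses, placeholder DNSBL name).
sample_log() {
cat <<'EOF'
Mar  1 17:22:57 mx1 postfix/postscreen[12538]: CONNECT from [192.0.2.10]:33183 to [198.51.100.5]:25
Mar  1 17:23:03 mx1 postfix/postscreen[12538]: NOQUEUE: reject: RCPT from [192.0.2.10]:33183: 450 4.3.2 Service currently unavailable; from=<a@example.org>, to=<admin@example.com>, proto=ESMTP, helo=<out.example.org>
Mar  1 17:23:03 mx1 postfix/postscreen[12538]: PASS NEW [192.0.2.10]:33183
Mar  1 17:24:10 mx1 postfix/postscreen[12538]: CONNECT from [203.0.113.77]:40112 to [198.51.100.5]:25
Mar  1 17:24:16 mx1 postfix/postscreen[12538]: NOQUEUE: reject: RCPT from [203.0.113.77]:40112: 550 5.7.1 Service unavailable; client [203.0.113.77] blocked using dnsbl.example; from=<x@example.net>, to=<admin@example.com>, proto=ESMTP, helo=<bot>
Mar  1 17:24:16 mx1 postfix/postscreen[12538]: DISCONNECT [203.0.113.77]:40112
Mar  1 17:25:00 mx1 postfix/smtpd[999]: connect from unknown[203.0.113.77]
EOF
}

sample_log | postscreen_summary
```

A client shown with `pass=NEW` passed the tests and was added to the temporary whitelist even though that session ended with a 450 reply; a client with a reject code and `pass=-` never passed.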
Domain white/blacklist
Postscreen is really easy to configure; you can whitelist or blacklist domains easily.
First, set DnsblThreshold to the score you want your customers to reach before being rejected. For example, we can set it to two:
zimbra@zimbra86:~$ zmprov mcf zimbraMtaPostscreenDnsblThreshold 2
Now that DnsblThreshold is set to two, we add the domain we want to block, giving it a score of 2, which means Postscreen will reject it even before it talks to our Zimbra MTA SMTP:
zimbra@zimbra86:~$ zmprov mcf zimbraMtaPostscreenDnsblSites "gmail.com*2"
Restart the MTA services
zimbra@zimbra86:~$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system
Then test by sending an email from GMail to our Zimbra with Postscreen:
Mar 1 18:03:26 zimbra86 postfix/postscreen[6364]: CONNECT from [209.85.213.177]:34931 to [46.101.92.202]:25
Mar 1 18:03:33 zimbra86 postfix/tlsproxy[6374]: CONNECT from [209.85.213.177]:34931
Mar 1 18:03:33 zimbra86 postfix/tlsproxy[6374]: Anonymous TLS connection established from [209.85.213.177]:34931: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 1 18:03:33 zimbra86 postfix/postscreen[6364]: NOQUEUE: reject: RCPT from [209.85.213.177]:34931: 450 4.3.2 Service currently unavailable; from=<testzimbra@gmail.com>, to=<admin@example.com>, proto=ESMTP, helo=<mail-ig0-f177.google.com>
Mar 1 18:03:33 zimbra86 postfix/postscreen[6364]: HANGUP after 0.82 from [209.85.213.177]:34931 in tests after SMTP handshake
Mar 1 18:03:33 zimbra86 postfix/postscreen[6364]: PASS NEW [209.85.213.177]:34931
Mar 1 18:03:33 zimbra86 postfix/tlsproxy[6374]: DISCONNECT [209.85.213.177]:34931
Mar 1 18:03:33 zimbra86 postfix/postscreen[6364]: DISCONNECT [209.85.213.177]:34931
To whitelist a domain, just use a negative number. For example, to block gmail.com but allow example.net:
zimbra@zimbra86:~$ zmprov mcf zimbraMtaPostscreenDnsblSites "gmail.com*2, example.net*-1"
Restart the MTA services
zimbra@zimbra86:~$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system
Additional Content
- See the Official Postfix Postscreen page
Identified Support Issues
- No Support issues reported yet.