Zimbra Collaboration Postscreen

Zimbra Collaboration Postscreen

   KB 22511        Last updated on 2016-03-1  




0.00
(0 votes)

Starting with Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen like an additional Anti-SPAM strategy. Zimbra Postscreen provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections, and decides which clients may talk to a Post-fix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.

Zimbra Collaboration Postscreen should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, postscreen handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587 which requires client authentication. Alternatively, a site could set up a dedicated, non-postscreen, "port 25" server that provides submission service and client authentication, but no MX service.

Zimbra Collaboration Postscreen maintains a temporary white-list for clients that have passed a number of tests. When an SMTP client IP address iswhitelisted, postscreen hands off the connection immediately to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.

In a typical production setting, postscreen is configured to reject mail from clients that fail one or more tests. Zimbra Collaboration Postscreen logs rejected mail with the client address, helo, sender and recipient information.

Zimbra Collaboration Postscreen is not an SMTP proxy; this is intentional. The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.

How it works

Scenario without Postscreen

A typical scenario without Postscreen, and without other Anti-SPAM security, will suffer of this common Problem, where bot and zombies talks with all the smtpd listeners that Zimbra is offering.

In this scenario, the good connections, or called other in this diagram, must wait until the bot or zombie finishes the communication, which sometimes can create a Timeout Error on Postfix for the good connections:

Mar 01 19:29:54 zimbrauk postfix/smtpd[24266]: timeout after RCPT from mail.example.com[60.60.60.70]

Postscreen-001.png

Scenario with Postscreen

A typical scenario with Postscreen, where bot and zombies talks with Postscreen, who do all the basic checks, and who can deny the connection if the message is clearly from a bot or zombie, if the connection is not in the temporary whitelist, Postscreen will pass the Email to the local Anti-SPAM and Anti-Virus engines, who can accept it or deny it as usual. You can see how is the Mail Flow in Postscreen on the diagram 003.

In this scenario, the good connections, or called other in this diagram, pass the Postscreen security and talks directly with the smtp daemon, who will scan the Email as usual with the AS/AV. All the bot or zombie are rejected by default.

Postscreen-002.png

Zimbra attributes for Postscreen

Here you can find all the new attributes for Postscreen, and the link to the original Postfix description help per attribute.

Name Description Type Optional in Default value Options
zimbraMtaPostscreenAccessList Value for postconf postscreen_access_list. Single valued, commas,separated list. string server,globalConfig permit_mynetworks
zimbraMtaPostscreenBareNewlineAction Value for postconf postscreen_bare_newline_action. enum server,globalConfig ignore ignore,enforce,drop
zimbraMtaPostscreenBareNewlineEnable Value for postconf postscreen_bare_newline_enable. enum server,globalConfig no yes,no
zimbraMtaPostscreenBareNewlineTTL Value for postconf postscreen_bare_newline_ttl. string server,globalConfig 30d
zimbraMtaPostscreenBlacklistAction Value for postconf postscreen_blacklist_action. enum server,globalConfig ignore ignore,enforce,drop
zimbraMtaPostscreenCacheCleanupInterval Value for postconf postscreen_cache_cleanup_interval. string server,globalConfig 12h
zimbraMtaPostscreenCacheRetentionTime Value for postconf postscreen_cache_retention_time. string server,globalConfig 7d
zimbraMtaPostscreenCommandCountLimit Value for postconf postscreen_command_count_limit. integer server,globalConfig 20
zimbraMtaPostscreenDnsblAction Value for postconf postscreen_dnsbl_action. enum server,globalConfig ignore ignore,enforce,drop
zimbraMtaPostscreenDnsblSites Value for postconf postscreen_dnsbl_sites. Multi valued, one DNSBL,value pair per attribute value. string server,globalConfig
zimbraMtaPostscreenDnsblThreshold Value for postconf postscreen_dnsbl_threshold. integer server,globalConfig 1
zimbraMtaPostscreenDnsblTTL Value for postconf postscreen_dnsbl_ttl. string server,globalConfig 1h
zimbraMtaPostscreenDnsblWhitelistThreshold Value for postconf postscreen_dnsbl_whitelist_threshold. integer server,globalConfig 0
zimbraMtaPostscreenGreetAction Value for postconf postscreen_greet_action. enum server,globalConfig ignore ignore,enforce,drop
zimbraMtaPostscreenGreetTTL Value for postconf postscreen_greet_ttl. string server,globalConfig 1d
zimbraMtaPostscreenNonSmtpCommandAction Value for postconf postscreen_non_smtp_command_action. enum server,globalConfig drop ignore,enforce,drop
zimbraMtaPostscreenNonSmtpCommandEnable Value for postconf postscreen_non_smtp_command_enable. enum server,globalConfig no yes,no
zimbraMtaPostscreenNonSmtpCommandTTL Value for postconf postscreen_non_smtp_command_ttl. string server,globalConfig 30d
zimbraMtaPostscreenPipeliningAction Value for postconf postscreen_pipelining_action. enum server,globalConfig enforce ignore,enforce,drop
zimbraMtaPostscreenPipeliningEnable Value for postconf postscreen_pipelining_enable. enum server,globalConfig no yes,no
zimbraMtaPostscreenPipeliningTTL Value for postconf postscreen_pipelining_ttl. string server,globalConfig 30d
zimbraMtaPostscreenWatchdogTimeout Value for postconf postscreen_watchdog_timeout. string server,globalConfig 10s
zimbraMtaPostscreenWhitelistInterfaces Value for postconf postscreen_whitelist_interfaces. Single valued,,comma separated list. string server,globalConfig static:all

How to enable it

Testing the Zimbra Collaboration Postscreen

Additonal Content

Identified Support Issues

  • No Support issues reported yet.
Verified Against: Zimbra Collaboration Suite 8.7 Date Created: 01/03/2016
Article ID: https://wiki.zimbra.com/index.php?title=Zimbra_Collaboration_Postscreen Date Modified: 2016-03-01



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by SME1 SME2 Copyeditor Last edit by Jorge de la Cruz
Jump to: navigation, search