Anti-spam

Zimbra Anti-SPAM

   KB 24470        Last updated on 2022-08-31  




ZCS 9.0 Article

This article explains how to use RBLs (real-time blackhole lists) to block spam in Zimbra.

Setting up RBLs

Create a free account for the DQS service at Spamhaus via https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/

Then log in to the Spamhaus portal via https://portal.spamhaus.com/dqs/ and get your DQS Query Key. Configure Zimbra by running the following commands as user zimbra (don’t forget to replace your-query-key-here with your actual key):

zmprov mcf zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov mcf +zimbraMtaRestriction "reject_non_fqdn_sender"
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'
zmprov mcf +zimbraMtaRestriction "reject_rbl_client your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
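How the =127.0.0.[2..11] suffix on these restrictions is evaluated, as an added example (not part of the original article or of Zimbra): Postfix looks up the reversed client address under the zone and rejects only when a returned A record falls inside the range, whereas without the suffix any A record counts as a listing. The function names, the client address 192.0.2.25 and the sample replies are constructed, and only the last-octet range form used on this page is handled.

```shell
#!/bin/sh
# Added example: evaluating a "zone=127.0.0.[2..11]" DNSBL restriction.
# Function names and sample values are constructed for illustration.

# DNS name looked up for a client IPv4 address: octets reversed, then the zone.
dnsbl_qname() {
    ip=$1; zone=$2
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# True when an A record falls inside a last-octet range filter such as
# 127.0.0.[2..11]. Only this filter form (the one used on this page) is handled.
reply_matches() {
    reply=$1; filter=$2
    prefix=${filter%%\[*}                     # "127.0.0."
    range=${filter#*\[}; range=${range%\]}    # "2..11"
    lo=${range%%..*}; hi=${range##*..}
    case $reply in
        "$prefix"*) last=${reply#"$prefix"} ;;
        *) return 1 ;;
    esac
    case $last in ''|*[!0-9]*) return 1 ;; esac
    [ "$last" -ge "$lo" ] && [ "$last" -le "$hi" ]
}

# Verdict for one "zone=filter" restriction given the A records returned.
rbl_verdict() {
    want=${1#*=}; shift
    for a in "$@"; do
        if reply_matches "$a" "$want"; then echo reject; return 0; fi
    done
    echo pass
}

# Constructed replies, not live lookups.
r='your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11]'
echo "query:        $(dnsbl_qname 192.0.2.25 "${r%%=*}")"
echo "in range:     $(rbl_verdict "$r" 127.0.0.4)"
echo "out of range: $(rbl_verdict "$r" 127.255.255.254)"
echo "no record:    $(rbl_verdict "$r")"
```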

In some cases you will want to receive email from certain domains or IPs regardless of them being in the RBL. This can be achieved by setting up an RBL override. Create a file /opt/zimbra/conf/postfix_rbl_override with the following content:

zimbra.com OK
example.com OK
1.1.1.1 OK

Then run the following command as user zimbra:

postmap /opt/zimbra/conf/postfix_rbl_override

Next create a file /opt/zimbra/conf/dnsbl-reply-map with the following content (don’t forget to replace your-query-key-here with your actual key):

your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too young
your-query-key-here.zen.dq.spamhaus.net         554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
your-query-key-here.dbl.dq.spamhaus.net         554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
your-query-key-here.zrd.dq.spamhaus.net         554 $rbl_class $rbl_what blocked using ZRD - domain too young

Since reject_rhsbl_helo is not yet supported in Zimbra, you have to add it to /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf. Example result:

%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unlisted_recipient
%%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%exact VAR:zimbraMtaRestriction reject_unverified_recipient%%
reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]
reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]
%%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%%
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
%%contains VAR:zimbraMtaRestriction check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%%
%%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%%
%%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
%%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf%%
%%exact VAR:zimbraMtaRestriction reject%%
permit

Next run as user zimbra:

postmap /opt/zimbra/conf/dnsbl-reply-map

Next, add rbl_reply_maps to the Postfix main.cf. Add the following line (as root) to /opt/zimbra/common/conf/main.cf:

rbl_reply_maps = lmdb:/opt/zimbra/conf/dnsbl-reply-map

Then run:

zmmtactl restart

Each time you make changes to the rbl_reply_maps file (dnsbl-reply-map) or postfix_rbl_override, you need to run the postmap command and then zmmtactl restart. You also need to re-apply the changes to main.cf, smtpd_recipient_restrictions.cf and dnsbl-reply-map after a Zimbra upgrade or patch installation.
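A check for the situation described above, as an added example (not Zimbra tooling): it reports which of this article's manual edits are missing under a Zimbra root, for instance after an upgrade or patch. The function name check_rbl_drift is hypothetical, and the script assumes postmap writes the compiled map next to its source with an .lmdb suffix.

```shell
#!/bin/sh
# Added example: list the manual RBL edits from this article that are missing
# under a Zimbra root (default /opt/zimbra). check_rbl_drift is a hypothetical name.
check_rbl_drift() {
    root=${1:-/opt/zimbra}
    rc=0
    # 1. main.cf must point rbl_reply_maps at the reply map.
    grep -Eq '^rbl_reply_maps[[:space:]]*=[[:space:]]*lmdb:/opt/zimbra/conf/dnsbl-reply-map' \
        "$root/common/conf/main.cf" 2>/dev/null ||
        { echo "main.cf: rbl_reply_maps not set"; rc=1; }
    # 2. The zmconfigd template must still carry the reject_rhsbl_helo lines.
    grep -q '^reject_rhsbl_helo ' \
        "$root/conf/zmconfigd/smtpd_recipient_restrictions.cf" 2>/dev/null ||
        { echo "smtpd_recipient_restrictions.cf: reject_rhsbl_helo missing"; rc=1; }
    # 3. Each map needs a compiled copy that is not older than its source
    #    (assumption: postmap writes <file>.lmdb beside the source).
    for f in dnsbl-reply-map postfix_rbl_override; do
        src=$root/conf/$f
        if [ ! -f "$src" ]; then
            echo "$f: missing"; rc=1
        elif [ ! -f "$src.lmdb" ] || [ "$src" -nt "$src.lmdb" ]; then
            echo "$f: run postmap"; rc=1
        fi
    done
    # 4. The placeholder key from the article must have been replaced.
    if grep -qs 'your-query-key-here' "$root/conf/dnsbl-reply-map" \
        "$root/conf/zmconfigd/smtpd_recipient_restrictions.cf"; then
        echo "placeholder DQS key still present"; rc=1
    fi
    return $rc
}

# Constructed demo tree: an upgrade replaced main.cf and the template, and
# postfix_rbl_override was never compiled. "examplekey" is a made-up value.
demo=$(mktemp -d)
mkdir -p "$demo/common/conf" "$demo/conf/zmconfigd"
echo 'mail_owner = postfix' > "$demo/common/conf/main.cf"
echo 'permit' > "$demo/conf/zmconfigd/smtpd_recipient_restrictions.cf"
echo 'examplekey.zen.dq.spamhaus.net 554 blocked' > "$demo/conf/dnsbl-reply-map"
touch "$demo/conf/dnsbl-reply-map.lmdb"
echo '1.1.1.1 OK' > "$demo/conf/postfix_rbl_override"
check_rbl_drift "$demo" || echo "drift detected"
rm -rf "$demo"
```

On a real server, run check_rbl_drift with no argument as user zimbra after each upgrade or patch.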

Test configuration

In your browser, go to https://blt.spamhaus.com/test, fill out your email address and run the SMTP test.

[Screenshots: spamhaus-test, spamhaus-test-run, spamhaus-result]
