Anti-spam
Zimbra Anti-SPAM
In this article you will find how to use RBL’s for blocking SPAM in Zimbra.
Setting up RBL’s
Create a free account for the DQS service at Spamhaus via https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/
The log-in to the Spamhaus portal via https://portal.spamhaus.com/dqs/ and get your DQS Query Key. Then configure Zimbra by running the following commands as user zimbra
(don’t forget to replace your-query-key-here
with your actual key):
zmprov mcf zimbraMtaRestriction "reject_invalid_helo_hostname" zmprov mcf +zimbraMtaRestriction "reject_non_fqdn_sender" zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override' zmprov mcf +zimbraMtaRestriction "reject_rbl_client your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11]" zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]" zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]" zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]" zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]" zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]" zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]" zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" zmprov mcf +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com" zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
In some cases you will want to receive email from certain domains or IP’s regardless of them being in the RBL. This can be achieved by setting up an RBL overrride. Creating a file /opt/zimbra/conf/postfix_rbl_override
with the following content:
zimbra.com OK example.com OK 1.1.1.1 OK
Then run the following command as user zimbra
:
postmap /opt/zimbra/conf/postfix_rbl_override
Next create a file /opt/zimbra/conf/dnsbl-reply-map
with the following content (don’t forget to replace your-query-key-here
with your actual key):
your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too young your-query-key-here.zen.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details your-query-key-here.dbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details your-query-key-here.zrd.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZRD - domain too young
Since reject_rhsbl_helo
is not supported in Zimbra yet you have to add it to /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
example result:
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%% %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%% reject_non_fqdn_recipient permit_sasl_authenticated permit_mynetworks reject_unlisted_recipient %%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%% %%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%% %%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%% %%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%% %%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%% %%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%% %%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%% %%exact VAR:zimbraMtaRestriction reject_unverified_recipient%% reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24] reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99] %%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%% %%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%% %%contains VAR:zimbraMtaRestriction check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre%% %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%% %%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%% %%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%% %%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%% %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%% %%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf%% %%exact VAR:zimbraMtaRestriction reject%% permit
Next run as user zimbra
:
postmap /opt/zimbra/conf/dnsbl-reply-map
Next we have to add the rbl_reply_maps
to Postfix main.cf
. Add the following line (as root) to /opt/zimbra/common/conf/main.cf
rbl_reply_maps = lmdb:/opt/zimbra/conf/dnsbl-reply-map
Then run
zmmtactl restart
Each time you make changes to rbl_reply_maps or postfix_rbl_override, you need to run the postmap
command then zmmtactl restart
. You also need to re-apply changes to main.cf
, smtpd_recipient_restrictions.cf
and dnsbl-reply-map
after a Zimbra upgrade or patch installation.
Test configuration
In your browser go to https://blt.spamhaus.com/test fill out your email address and run the SMTP test:
File:Https://blog.zimbra.com/wp-content/uploads/2022/08/spamhaus-test.png File:Https://blog.zimbra.com/wp-content/uploads/2022/08/spamhaus-test-run.png File:Https://blog.zimbra.com/wp-content/uploads/2022/08/spamhaus-result.png?p
Further reading
- https://www.spamhaus.com/resource-center/if-you-query-spamhaus-projects-dnsbls-via-cloudflares-dns-move-to-the-free-data-query-service/
- https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html#
- https://blt.spamhaus.com/test
- https://barracudacentral.org/account/register