How to enable DNSBL or RBL on Zimbra to fight against spam

DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to fight spam emails. It is a blacklist of source IP addresses that have a reputation of sending spam emails. Most email systems can be configured to check these lists and block or flag emails that were sent from domains/IPs listed there. The ‘Blackhole List’ is sometimes called ‘blacklist’ by email admins.


In this tutorial, we’ll see how we can configure RBL with Zimbra using both GUI and CLI.

Method 1 - GUI:

Log in to the Zimbra admin console at https://mail.example.com:7071, and then go to Configure.



Then, go to Global Settings.




Next, go to MTA. I’ve enabled some parameters to harden the server, and added the RBLs that Zimbra supports. You could add the RBLs of your choice here.



 
Save your settings.



There is no need to restart any services. zmconfigd should detect the config changes and apply them.

 

Method 2 - CLI:


Log in to the server, and switch to the user zimbra.
# su - zimbra
First, let us check if there are any existing policies in place.

$ zmprov gacf | grep zimbraMtaRestriction
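Great! Now let’s add a couple of RBLs using zmprov. Zimbra uses these RBLs. Note that zmprov mcf with a plain attribute name replaces every existing zimbraMtaRestriction value with the ones given here; to append to the current list instead, prefix the attribute name with + (+zimbraMtaRestriction).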

$ zmprov mcf \
zimbraMtaRestriction reject_invalid_helo_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
zimbraMtaRestriction "reject_rbl_client psbl.surriel.com" \
zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org" \
zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org" \
zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com" \
zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org" \
zimbraMtaRestriction "reject_rhsbl_reverse_client dbl.spamhaus.org" \
zimbraMtaRestriction "reject_rhsbl_sender multi.uribl.com" \
zimbraMtaRestriction "reject_rhsbl_sender multi.surbl.org" \
zimbraMtaRestriction "reject_rhsbl_sender rhsbl.sorbs.net" \
zimbraMtaRestriction "reject_rhsbl_sender dbl.spamhaus.org"

That’s it. There is no need to restart any services; zmconfigd should detect the changes and push the config to Zimbra and Postfix.

Troubleshooting and Verifying


No matter whether you made the change using GUI or CLI, the troubleshooting and verification method is the same.



The log file /var/log/zimbra.log is your friend. It should contain most of the information needed for any Zimbra troubleshooting. In this case, the logs should contain entries like this:

# tail -f /var/log/zimbra.log

May  3 22:36:02 mail zmconfigd[9417]: Fetching All configs
May  3 22:36:02 mail zmconfigd[9417]: All configs fetched in 0.04 seconds
May  3 22:36:05 mail zmconfigd[9417]: Watchdog: service antivirus status is OK.
May  3 22:36:05 mail zmconfigd[9417]: Var zimbraMtaRestriction changed from 'reject_invalid_helo_hostname reject_non_fqdn_sender reject_rbl_client cbl.abuseat.org' -> 'reject_invalid_helo_hostname reject_non_fqdn_sender reject_rhsbl_sender dbl.spamhaus.org'
May  3 22:36:05 mail zmconfigd[9417]: Var zmconfigd/smtpd_recipient_restrictions.cf changed from '#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, permit' -> '#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_...
May  3 22:36:05 mail zmconfigd[9417]: ...recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client b.barracudacentral.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_client multi.uribl.com, reject_rhsbl_client multi.surbl.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sende...
May  3 22:36:05 mail zmconfigd[9417]: ...r multi.uribl.com, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, permit'


The changes are also reflected in the output of the zmprov command.


$ zmprov gacf | grep zimbraMtaRestriction

zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org
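
A configured list only helps if this server's resolver can actually query it. The following is an added example, not part of the original tutorial: it builds the DNSBL query name (IPv4 octets reversed, then the list's zone) and checks the RFC 5782 test entries, which require an IPv4 list to contain 127.0.0.2 and never 127.0.0.1. The function names are hypothetical, and dig is assumed to be installed on the host.

```shell
#!/bin/sh
# Added example: verify that each configured IP-based DNSBL answers from this host.

# dnsbl_qname IP ZONE: reverse the IPv4 octets and append the zone, e.g.
#   192.0.2.10 + zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org
# Returns non-zero for anything that is not a dotted-quad IPv4 address.
dnsbl_qname() {
    ip=$1 zone=$2
    printf '%s\n' "$ip" | awk -F. -v z="$zone" '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, z }'
}

# rbl_zones: read `zmprov gacf` output on stdin and print the zones used by
# reject_rbl_client. The reject_rhsbl_* lists are keyed on domain names, not
# client IPs, so they are skipped here.
rbl_zones() {
    awk '$1 == "zimbraMtaRestriction:" && $2 == "reject_rbl_client" { print $3 }'
}

# check_rbls: read zones on stdin and query the two RFC 5782 test entries.
# A healthy list returns an A record for 127.0.0.2 and nothing for 127.0.0.1.
check_rbls() {
    while read -r zone; do
        listed=$(dig +short A "$(dnsbl_qname 127.0.0.2 "$zone")" | tr '\n' ' ')
        clean=$(dig +short A "$(dnsbl_qname 127.0.0.1 "$zone")" | tr '\n' ' ')
        if [ -n "$listed" ] && [ -z "$clean" ]; then
            echo "OK      $zone (127.0.0.2 -> $listed)"
        else
            echo "SUSPECT $zone (127.0.0.2 -> '$listed', 127.0.0.1 -> '$clean')"
        fi
    done
}

# Usage on the Zimbra host, as the zimbra user:
#   zmprov gacf | rbl_zones | check_rbls
```

A SUSPECT line means the list is unreachable, refuses queries from your resolver, or answers for every address; any of these makes the corresponding reject_rbl_client entry either useless or a source of false rejections.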

Finally, Postfix is the underlying service that does the actual RBL checks. We can verify that the parameters have been injected into Postfix using postconf.


# su - zimbra

$ postconf | grep smtpd_recipient_restrictions

smtpd_recipient_restrictions = #reject_non_fqdn_recipient,
#permit_sasl_authenticated,
#permit_mynetworks,
#reject_unlisted_recipient,
reject_invalid_helo_hostname,
#reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
#reject_unknown_client_hostname,
#reject_unknown_reverse_client_hostname,
#reject_unknown_sender_domain,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client psbl.surriel.com,
reject_rbl_client b.barracudacentral.org,
reject_rhsbl_client dbl.spamhaus.org,
reject_rhsbl_client multi.uribl.com,
reject_rhsbl_client multi.surbl.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender multi.uribl.com,
reject_rhsbl_sender multi.surbl.org,
reject_rhsbl_sender rhsbl.sorbs.net,
reject_rhsbl_sender dbl.spamhaus.org,
permit
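
Once Postfix has the restrictions, each DNSBL rejection is logged to /var/log/zimbra.log as a "NOQUEUE: reject" line naming the list that matched. The following is an added example, not part of the original tutorial, that tallies those rejections per list and shows which client IPs were blocked; the function names are hypothetical and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise DNSBL rejections recorded by Postfix in zimbra.log.

# sample_log: constructed log lines (documentation IPs and example domains).
sample_log() {
    cat <<'EOF'
May  4 09:12:01 mail postfix/smtpd[21044]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using zen.spamhaus.org; from=<a@sender.example> to=<user@example.com> proto=ESMTP helo=<host.sender.example>
May  4 09:12:09 mail postfix/smtpd[21051]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<b@other.example> to=<user@example.com> proto=ESMTP helo=<mx.other.example>
May  4 09:13:40 mail postfix/smtpd[21051]: NOQUEUE: reject: RCPT from mx.bad.example[192.0.2.55]: 554 5.7.1 Service unavailable; Sender address [promo@bad.example] blocked using dbl.spamhaus.org; from=<promo@bad.example> to=<user@example.com> proto=ESMTP helo=<mx.bad.example>
May  4 09:14:02 mail postfix/smtpd[21060]: NOQUEUE: reject: RCPT from unknown[192.0.2.90]: 504 5.5.2 <c@localhost>: Sender address rejected: need fully-qualified address; from=<c@localhost> to=<user@example.com> proto=ESMTP helo=<localhost>
EOF
}

# rbl_hits: read log lines on stdin, print "<count> <list>" for every DNSBL
# that caused a rejection, busiest list first. Non-DNSBL rejects are ignored.
rbl_hits() {
    grep 'NOQUEUE: reject:' |
    sed -n 's/.* blocked using \([A-Za-z0-9.-]*\);.*/\1/p' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# rbl_clients: print "<list> <client-ip>" for rejections by IP-based lists,
# which is what you need when a legitimate sender reports bounced mail.
rbl_clients() {
    sed -n 's/.*NOQUEUE: reject:.*Client host \[\([0-9a-fA-F.:]*\)] blocked using \([A-Za-z0-9.-]*\);.*/\2 \1/p' |
    sort -u
}

# Usage on the Zimbra host, as root:
#   rbl_hits < /var/log/zimbra.log
#   rbl_clients < /var/log/zimbra.log
```

A list that never appears in the rbl_hits output after a few days of traffic is worth checking for reachability, and a list that dominates the output is the first place to look when users report missing mail.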
Hope this helps.



