How to enable DNSBL or RBL on Zimbra to fight against spam
DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to fight spam emails. It is a blacklist of source IP addresses that have a reputation of sending spam emails. Most email systems can be configured to check these lists and block or flag emails that were sent from domains/IPs listed there. The ‘Blackhole List’ is sometimes called ‘blacklist’ by email admins.

In this tutorial, we’ll see how we can configure RBL with Zimbra using both GUI and CLI.
Method 1 - GUI:
Log in to the Zimbra admin console – https://mail.example.com:7071, and then go to Configure.
Then, go to Global Settings.
Next, go to MTA. I’ve enabled some parameters to harden the server, and added the RBLs that Zimbra supports. You could add the RBLs of your choice here.
Save your settings.
There is no need to do any service restarts. Zimbra (zmconfigd) should detect the config changes and apply them.
Method 2 - CLI:
Log in to the server, and switch to the user zimbra.
# su - zimbra
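First, let us check if there are any existing policies in place.
$ zmprov gacf | grep zimbraMtaRestriction
Great! Now let’s add a couple of RBLs using zmprov. Zimbra uses these RBLs. Note that listing zimbraMtaRestriction without a prefix, as below, replaces any values that are already set; use +zimbraMtaRestriction to append to the existing list instead.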
$ zmprov mcf \
zimbraMtaRestriction reject_invalid_helo_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
zimbraMtaRestriction "reject_rbl_client psbl.surriel.com" \
zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org" \
zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org" \
zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com" \
zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org" \
zimbraMtaRestriction "reject_rhsbl_reverse_client dbl.spamhaus.org" \
zimbraMtaRestriction "reject_rhsbl_sender multi.uribl.com" \
zimbraMtaRestriction "reject_rhsbl_sender multi.surbl.org" \
zimbraMtaRestriction "reject_rhsbl_sender rhsbl.sorbs.net" \
zimbraMtaRestriction "reject_rhsbl_sender dbl.spamhaus.org"
That’s it. There is no need for any service restarts; zmconfigd should detect the changes and push the config to Zimbra and postfix.
Troubleshooting and Verifying
No matter whether you made the change using the GUI or the CLI, the troubleshooting and verification method is the same.
The log file /var/log/zimbra.log is your friend. It should contain most of the information needed for any Zimbra troubleshooting. In this case, the logs should contain entries like this:
# tail -f /var/log/zimbra.log
May 3 22:36:02 mail zmconfigd[9417]: Fetching All configs
May 3 22:36:02 mail zmconfigd[9417]: All configs fetched in 0.04 seconds
May 3 22:36:05 mail zmconfigd[9417]: Watchdog: service antivirus status is OK.
May 3 22:36:05 mail zmconfigd[9417]: Var zimbraMtaRestriction changed from 'reject_invalid_helo_hostname reject_non_fqdn_sender reject_rbl_client cbl.abuseat.org' -> 'reject_invalid_helo_hostname reject_non_fqdn_sender reject_rhsbl_sender dbl.spamhaus.org'
May 3 22:36:05 mail zmconfigd[9417]: Var zmconfigd/smtpd_recipient_restrictions.cf changed from '#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, permit' -> '#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_...
May 3 22:36:05 mail zmconfigd[9417]: ...recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client b.barracudacentral.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_client multi.uribl.com, reject_rhsbl_client multi.surbl.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sende...
May 3 22:36:05 mail zmconfigd[9417]: ...r multi.uribl.com, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, permit'
The changes are also reflected in the output of the zmprov command.
$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org
Finally, postfix is the underlying service that does the actual RBL checks. We can verify that the parameters have been injected into postfix using postconf. Entries prefixed with # are disabled; only the unprefixed ones are enforced.
# su - zimbra
$ postconf | grep smtpd_recipient_restrictions
smtpd_recipient_restrictions = #reject_non_fqdn_recipient,
#permit_sasl_authenticated,
#permit_mynetworks,
#reject_unlisted_recipient,
reject_invalid_helo_hostname,
#reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
#reject_unknown_client_hostname,
#reject_unknown_reverse_client_hostname,
#reject_unknown_sender_domain,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client psbl.surriel.com,
reject_rbl_client b.barracudacentral.org,
reject_rhsbl_client dbl.spamhaus.org,
reject_rhsbl_client multi.uribl.com,
reject_rhsbl_client multi.surbl.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender multi.uribl.com,
reject_rhsbl_sender multi.surbl.org,
reject_rhsbl_sender rhsbl.sorbs.net,
reject_rhsbl_sender dbl.spamhaus.org,
permit
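
An added example, not part of the original post: a small POSIX shell audit of the postconf output above. It lists only the active (not #-prefixed) restrictions, reports expected DNSBL zones that are missing, and builds the reversed-octet query name for the 127.0.0.2 test entry that RFC 5782 requires every IPv4 DNSBL to list. The function names and the shortened SAMPLE text are constructed for illustration.

```shell
#!/bin/sh
# Added example: SAMPLE is constructed (shortened) from the postconf output above.
SAMPLE='smtpd_recipient_restrictions = #reject_non_fqdn_recipient,
#permit_sasl_authenticated,
reject_invalid_helo_hostname,
#reject_unknown_sender_domain,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client psbl.surriel.com,
reject_rhsbl_sender dbl.spamhaus.org,
permit'

# stdin: postconf output. Prints active restrictions, one per line;
# entries that zmconfigd left prefixed with "#" are disabled and skipped.
active_restrictions() {
  sed 's/^smtpd_recipient_restrictions *= *//' | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v -e '^#' -e '^$'
}

# stdin: postconf output. $1: restriction type, e.g. reject_rbl_client.
zones_for() {
  active_restrictions | awk -v r="$1" '$1 == r { print $2 }'
}

# stdin: postconf output. $1: restriction type, remaining args: expected zones.
# Prints each expected zone that is not active for that restriction type.
missing_zones() {
  type=$1; shift
  active=$(zones_for "$type")
  for z in "$@"; do
    printf '%s\n' "$active" | grep -qxF "$z" || echo "$z"
  done
}

# DNS name looked up for an IPv4 client: reversed octets followed by the zone.
dnsbl_qname() {
  echo "$1" | awk -F. -v z="$2" 'NF == 4 { print $4 "." $3 "." $2 "." $1 "." z }'
}

# Offline demo on SAMPLE; on the server use:
#   postconf smtpd_recipient_restrictions | missing_zones reject_rbl_client ...
printf '%s\n' "$SAMPLE" | missing_zones reject_rbl_client \
  zen.spamhaus.org psbl.surriel.com b.barracudacentral.org
# A listed test address confirms the resolver can reach a zone, e.g.:
#   host "$(dnsbl_qname 127.0.0.2 zen.spamhaus.org)"
```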
Hope this helps.