We use the built-in RBL feature on our SonicWall PRO 2040 to block connection attempts before they even get to the Zimbra server.
On the Zimbra server we then implement:
reject_non_fqdn_sender
reject_unknown_client
reject_unknown_sender_domain
The latter two checks do block some email from legitimate senders with horribly configured email servers, but once we show the end users and the senders the domain reports from dnsreport.com, they "get it" and the sender's email domain administrator then gets the "motivation" to fix their broken configs.
We also implemented Rules du Jour on our Zimbra server, using mostly just the 0 and 1 rulesets (the 2 sets generate too many false positives for us).
The SonicWall has really reduced the workload on our server as you might imagine, and the remaining checks have most users getting only a few spams per week, with only one documented false positive in the past few years we have been using this technique, even before switching our mail system to Zimbra.
Hope that helps,
Mark
__________________
___________________________________ L. Mark Stone, CIO  "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
|