[SOLVED] Question on RBL

[jet]

i'd like to know if it is still necessary to manually add rbl entries in globalsettings->mta of the admin console if i want zimbra to check incoming mails for blacklisted sender ip? i recall reading a post on this forum, saying that zimbra's spamassassin is already performing lookups on some predefined rbl list. i would appreciate if anyone could confirm this.

[uxbod]

Welcome to the forums

Yes SA will perform RBL lookups by default, if you add RBLs through the Admin then they will be used by Postfix and block at the MTA level without performing any SA checks.

[Jbrabander]

Just out of curiosity, is there any place to see if the RBL blocks are actually blocking anything?

[uxbod]

If you are using them in the MTA then check /var/log/zimbra.log and you should see the rejection message. If you are using them from within SA you will need to increase the logging on amavisd. To do this change the log level too 2 in /opt/zimbra/conf/amavisd.conf.in and then restart ZCS. The additional information will then also appear in /var/log/zimbra.log.

[Jbrabander]

Ah, sounds good. We did add zen.spamhaus.org to the RBL list under DNS Check in the global settings. I'll have to browse the zimbra.log sometime to see if it's catching anything.

If I understand you right, if I add an RBL (like spamhaus) to the list, Zimbra uses that and not the spamassassin checks. Would that maybe be why my server statistics graphs for AV/AS activity show nothing for activity?

[mtorres]

Check out Configuring and Monitoring Postfix DNSBL - Zimbra :: Wiki

I use it and it emails me everyday with the number of blocked emails using spamhaus RBL. But after a while, I kind of stopped paying attention to it . But it is interesting at the beginning to see how much stuff it blocks.

[jet]

hi uxbod, if i block mails at the mta level, i get the benefit of conserving on bandwidth because the actual junk mail does not get transmitted. do i get the same benefit if i do it on the level of SA? if so, then blocking at the mta level is totally unnecessary unless you want to include other rbl's not checked by SA or for some reason you want your zimbra installed without the sa/anti-spam feature but still wants to perform rbl lookups.

[LMStone]

Quote:

Originally Posted by Jbrabander

If I understand you right, if I add an RBL (like spamhaus) to the list, Zimbra uses that and not the spamassassin checks. Would that maybe be why my server statistics graphs for AV/AS activity show nothing for activity?

Not exactly...

If you list an RBL in the Zimbra Postfix and a sending server is on the RBL, Postfix will drop the connection.

Whether you do that or not, SpamAssassin will check a number of RBLs, and a positive response from one or more RBLs will add to the email's spam score. If the score is high enough, the email will be blocked or marked as spam.

Spamassassin has no clue as to whether you are doing RBL lookups in Postfix or not.

And even if you are doing RBL lookups in Postfix, it's still a good idea to keep those same RBL lookups in SpamAssassin IMHO.

Another trick is not to use the Postfix RBL lookups at all, but instead do the RBL lookups on a dedicated Postfix box or firewall in front of your Zimbra box. Since a conservative RBL like Spamhaus's Zen list will catch 85% or more of all spam, doing hard RBL blocking before the entire email stream hits your Zimbra server will reduce the load on your Zimbra server by 85% or more.

You are right that if you do the hard RBL blocking in Postfix your statistics will show a pretty clean email stream overall, because the statistics collect only what Amavis does (SpamAssassin and ClamAV), and not what Postfix blocked outright before passing the email stream off to Amavis.

Hope that helps,
Mark

[jet]

everything is clear to me now. thanks for everyone's help.

[GCamp]

I have added zen.spamhaus.org to the GlobalSettings MTA tab in the Administrator GUI. I have made the necessary checks as outlined in Configuring and Monitoring Postfix DNSBL - Zimbra :: Wiki but I have yet to see any evidence in the Zimbra.log that zen.spamhaus.org is even being used. What could I be doing wrong?