02-24-2009, 11:02 AM
DNSBL with "Whitelist Hosts/IP Addresses In Postfix" howto do this the zimbra way

Hi all!
I have been looking... but have not yet found an obvious "how to" do this the zimbra way i.e. with zmprov or in the admin gui.
I have started using the dnsbl feature and am happy with the results I am getting with it... but as it is in the world of blacklists, I have noticed that from time to time one of the major German free mailers is being blacklisted, and today then one of the IP addresses of my mail service provider.
I have come across a howto on howtoforge.com in which it describes how to do this with Postfix.
But I am a bit reluctant to go and edit the zimbra ~/postfix/conf/main.cf file without asking in the forum.
In short here is what is suggested to do in the howtoforge.com "how-to-whitelist-hosts-ip-addresses-in-postfix":

- Create a postfix/rbl_override file with one entry per line
Code:
1.2.3.4 OK
1.2.3.5 OK
mail.freemailer.tld OK
- Then run:
Code:
postmap /etc/postfix/rbl_override
- Next open postfix/main.cf and search for the smtpd_recipient_restrictions parameter. Add check_client_access hash: ..../postfix/rbl_override to that parameter, after reject_unauth_destination, but before the first blacklist.
Like so:
Code:
[...]
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash: ..../postfix/rbl_override,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org,
permit
[...]
- Then restart Postfix

Old question: So How Do You Do This The Zimbra Way?
Revised question: How do you add whitelists or excludes to supplement DNSBL, so that you can still obtain mail from a site that has been blacklisted on a DNSBL service?
Above it is explained exactly how to do this with a stock Postfix install. Note the bold bits...
Cheers
Heinzg
Last edited by heinzg; 02-25-2009 at 01:33 AM..
02-25-2009, 12:14 AM
Zimbra Consultant & Moderator
If you wish to add RBLs then go to the Admin UI/Global Settings/MTA and add the RBLs on that page.
__________________
Regards
Bill
02-25-2009, 01:52 AM
Quote:
Originally Posted by phoenix
If you wish to add RBLs then go to the Admin UI/Global Settings/MTA and add the RBLs on that page.

Cheers for the reply, but I think I might have asked my question the wrong way, thus I have revised it in my original post.
I know how to start using RBLs with zimbra; in fact this is the way I normally would add the DNSBL services to my zimbra config...
create a list file with the dnsbl services I want to use, and then:
Code:
list=`cat list.file`
for i in $list; do zmprov mcf +zimbraMtaRestriction "reject_rbl_client $i"; done

My Question: I am using RBLs at the moment, I would like to know if there is a normed method of adding "check_client_access hash:" (which is the file containing an exclude or whitelist) statement to zimbra's ~/postfix/conf/main.cf, i.e. with zmprov?
02-25-2009, 02:08 AM
You can try
Code:
su - zimbra
zmprov mcf +zimbraMtaRestriction "check_client_access hash: /opt/zimbra/conf/rbl_override"
zmcontrol stop ; zmcontrol start

Don't forget to put the rbl_override file into the correct directory.
02-25-2009, 03:25 AM
Quote:
Originally Posted by uxbod
You can try
Code:
su - zimbra
zmprov mcf +zimbraMtaRestriction "check_client_access hash: /opt/zimbra/conf/rbl_override"
zmcontrol stop ; zmcontrol start
Don't forget to put the rbl_override file into the correct directory.

Hi, I did that and it is in the config now, but the whitelist is not working as mails are still being blocked which are in the whitelist:
Code:
[zimbra@server ~]$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: check_client_access hash: /opt/zimbra/conf/rbl_override
zimbraMtaRestriction: reject_rbl_client drone.abuse.ch
zimbraMtaRestriction: reject_rbl_client spam.abuse.ch
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: reject_rbl_client httpBL.abuse.ch
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org

I also did the following advance:
Code:
postmap /opt/zimbra/conf/rbl_override

contents of /opt/zimbra/conf/rbl_override:
Code:
cat /opt/zimbra/conf/rbl_override
213.165.64.20 OK
mail.gmx.net OK

Any ideas?
02-25-2009, 03:30 AM
Check /var/log/zimbra.log to see why it is being rejected; and also for any error messages about your configuration.
02-25-2009, 03:50 AM
Quote:
Originally Posted by uxbod
Check /var/log/zimbra.log to see why it is being rejected; and also for any error messages about your configuration.

Code:
Feb 25 11:05:10 server postfix/smtpd[8728]: NOQUEUE: reject: RCPT from mail.gmx.net[213.165.64.20]: 554 5.7.1 Service unavailable; Client host [213.165.64.20] blocked using spam.dnsbl.sorbs.net; Spam Received See: http://www.sorbs.net/lookup.shtml?213.165.64.20; from=<someperson@gmx.net> to=<heinzg@mymailserver.ltd> proto=SMTP helo=<mail.gmx.net>

this is the start log don't see any errors:
Code:
Feb 25 11:43:41 server zimbramon[13626]: 13626:info: Starting services initiated by zmcontrol
02-25-2009, 04:04 AM
Sorry I was wrong in the command I gave you so you will need to do the following
Code:
su - zimbra
zmprov mcf -zimbraMtaRestriction "check_client_access hash: /opt/zimbra/conf/rbl_override"

Then update /opt/zimbra/conf/postfix_recipient_restrictions.cf and add check_client_access hash: /opt/zimbra/conf/rbl_override to that file instead. Then restart ZCS.
02-25-2009, 04:35 AM
Quote:
Originally Posted by uxbod
Sorry I was wrong in the command I gave you so you will need to do the following
Code:
su - zimbra
zmprov mcf -zimbraMtaRestriction "check_client_access hash: /opt/zimbra/conf/rbl_override"
Then update /opt/zimbra/conf/postfix_recipient_restrictions.cf and add check_client_access hash: /opt/zimbra/conf/rbl_override to that file instead. Then restart ZCS.

Maybe we are getting closer but at the moment after the edit I am getting the following:
Code:
==> zimbra.log <==
Feb 25 12:28:50 server postfix/master[29586]: warning: process /opt/zimbra/postfix/libexec/smtpd pid 31578 exit status 1
Feb 25 12:28:50 server postfix/master[29586]: warning: /opt/zimbra/postfix/libexec/smtpd: bad command startup -- throttling

here is the edit of "~/conf/postfix_recipient_restrictions.cf":
Code:
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
check_client_access name: /opt/zimbra/conf/rbl_override
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
permit

NOTE: I changed "check_client_access hash: -> to name:" because of the following error:
Code:
==> maillog <==
Feb 25 12:24:16 server postfix/smtpd[26059]: fatal: open dictionary: expecting "type:name" form instead of "hash:"

Cheers for all the help.
02-25-2009, 04:39 AM
It should be
Code:
check_client_access hash:/opt/zimbra/conf/rbl_override

Basically make sure no space is between hash: and the file name.
Last edited by uxbod; 02-25-2009 at 04:44 AM..
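
An added example (not from the thread or from Zimbra): a small lint for a one-restriction-per-line list such as the postfix_recipient_restrictions.cf posted above. It flags a lookup table split by a space, and an override placed before reject_unauth_destination or after the first reject_rbl_client. The function name, finding codes and sample lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lints a one-restriction-per-line Postfix
# list (files as arguments, or stdin) and prints "LINE CODE [detail]".
lint_restrictions() {
    awk '
    {
        gsub(/%%|,/, " ")   # drop Zimbra %% template markers and main.cf commas
        for (i = 1; i <= NF; i++) {
            if ($i == "reject_unauth_destination") relay_checked = 1
            if ($i == "reject_rbl_client" && !rbl_line) rbl_line = NR
            if ($i != "check_client_access") continue
            table = $(i + 1)
            # type:name must be one word; "hash: /path" leaves only "hash:".
            if (table !~ /^[a-z0-9_]+:[^:]/)
                printf "%d bad-table \"%s\"\n", NR, table
            # An OK result ends this list, so the relay check must come first.
            if (!relay_checked) printf "%d before-relay-check\n", NR
            # A DNSBL reject listed earlier fires before the override is read.
            if (rbl_line) printf "%d after-rbl %d\n", NR, rbl_line
        }
    }' "$@"
}

# Constructed from the file posted in the thread (template lines abridged).
sample_posted() {
    cat <<'EOF'
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
check_client_access name: /opt/zimbra/conf/rbl_override
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
permit
EOF
}

# The same list with the spelling given in the last reply.
sample_fixed() {
    sample_posted | sed 's#name: /#hash:/#'
}

# Constructed main.cf-style list with the override in the wrong position.
sample_misordered() {
    cat <<'EOF'
permit_mynetworks,
reject_rbl_client zen.spamhaus.org,
check_client_access hash:/opt/zimbra/conf/rbl_override,
reject_unauth_destination,
permit
EOF
}

for s in sample_posted sample_fixed sample_misordered; do
    echo "== $s"; "$s" | lint_restrictions
done
```

No output for a list means the override is spelled as one word and sits between the relay check and the first DNSBL lookup.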