Zimbra

r8escjohn · #1 (**permalink**) 03-10-2009, 09:56 AM

I think I may be missing something basic here on getting the RBL I put in to work.
Yesterday put in:

Code:

zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracuracentral.org"

Verified input by doing:

Code:

zimbra:~ # su zimbra
zimbra@zimbra:/root> zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbra@zimbra:/root>

Then did

Code:

postfix reload
zmcontrol stop
zmcontrol start

However after 24 hours when I check to see if anything was blocked by the RBL I get:

Code:

zimbra:~ # /usr/local/sbin/dnsblcount /var/log/zimbra.log
=================================
Total DNSBL rejections:
zimbra:~ #

and in /opt/zimbra/postfix/conf/main.cf nor when I do a 'postconf -n' I do not see my RBL listing:

Code:

zimbra:~ # postconf -n
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = 127.0.0.1
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain
myhostname = zimbra.r8esc.k12.in.us
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

My main.cf file:

Code:

sender_canonical_maps = ldap:/opt/zimbra/conf/ldap-scm.cf
virtual_alias_domains = ldap:/opt/zimbra/conf/ldap-vad.cf
lmtp_connection_cache_time_limit = 4s
recipient_delimiter = 
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_auth_only = yes
myhostname = zimbra.r8esc.k12.in.us
virtual_mailbox_domains = ldap:/opt/zimbra/conf/ldap-vmd.cf
mydestination = localhost
mailbox_size_limit = 0
setgid_group = postdrop
smtpd_client_restrictions = reject_unauth_pipelining
queue_run_delay = 300s
minimal_backoff_time = 300s
virtual_alias_maps = ldap:/opt/zimbra/conf/ldap-vam.cf
transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf
message_size_limit = 51200000
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
broken_sasl_auth_clients = yes
lmtp_connection_cache_destinations = 
alias_maps = hash:/etc/aliases
manpage_directory = /opt/zimbra/postfix/man
smtpd_helo_required = yes
in_flow_delay = 1s
daemon_directory = /opt/zimbra/postfix/libexec
maximal_backoff_time = 4000s
virtual_transport = error
mynetworks = 127.0.0.0/8 192.168.1.0/24 
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, permit
smtpd_tls_loglevel = 1
relayhost = 
disable_dns_lookups = no
mail_owner = postfix
virtual_mailbox_maps = ldap:/opt/zimbra/conf/ldap-vmm.cf
content_filter = smtp-amavis:[127.0.0.1]:10024
version = 2.4.7.5z
mailq_path = /opt/zimbra/postfix/sbin/mailq
header_checks = pcre:/opt/zimbra/conf/postfix_header_checks
smtpd_use_tls = yes
queue_directory = /opt/zimbra/data/postfix/spool
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
smtpd_reject_unlisted_recipient = no
smtpd_data_restrictions = reject_unauth_pipelining
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
command_directory = /opt/zimbra/postfix/sbin
smtpd_sasl_auth_enable = yes

Am I missing some very basic to get this RBL to work or do i just need to wait to see any RBL hits?

uxbod · #2 (**permalink**) 03-10-2009, 02:14 PM

Check /var/log/zimbra.log after you restart for any error messages. Have just checked my server and I get

Code:

[zimbra@office conf]$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org

and for main.cf

Code:

smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit

r8escjohn · #3 (**permalink**) 03-10-2009, 05:53 PM

Hmm....This is intresting...

Quote:

Mar 10 12:01:41 zimbra postfix/postfix-script[26559]: warning: not owned by root: /opt/zimbra/postfix-2.4.7.5z/conf/main.cf
Mar 10 12:01:42 zimbra postfix/postfix-script[26583]: starting the Postfix mail system

Other that that I find this that stands out...

Quote:

Mar 10 12:01:00 zimbra zmmailboxdmgr[25857]: file /opt/zimbra/log/zmmailboxd_manager.pid does not exist

Are these what I need to be looking at more closely, or some other direction?
Thanks!

uxbod · #4 (**permalink**) 03-11-2009, 01:03 AM

Can you check your config again using zmprov and then perform a stop/start of ZCS. As soon as it has started check /var/log/zimbra.log for any error messages. What are the permissions on /opt/zimbra/conf/main.cf* ?

r8escjohn · #5 (**permalink**) 03-11-2009, 12:08 PM

Thought I had a fix by changing my main.cf rights from zimbra/zimbra (which it was/is and I am assuming that is incorrect) to root/postfix. No go as on restart of Zimbra (zmcontrol stop/start) the rights of /opt/zimbra/postfix/main.cf changed back to zimbra/zimbra....:-<

Current zmprov:

Quote:

zimbra@zimbra:/root> zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org

Set ownership of main.cf

Quote:

-rw-r--r-- 1 root postfix 2112 Mar 11 14:34 main.cf

Current ownership of the main.cf-after Zimbra start/stop.....

Quote:

-rw-r--r-- 1 zimbra zimbra 2112 Mar 11 14:41 main.cf

I am thinking this is my issue that main.cf is owned by zimbra and not root as in my zimbra.log I still show this error:

Quote:

Mar 11 14:41:15 zimbra postfix/postfix-script[14665]: warning: not owned by root: /opt/zimbra/postfix-2.4.7.5z/conf/main.cf

And in my main.cf it does not list my RBL in the 'smtpd_recipient_restrictions'

tonster · #6 (**permalink**) 03-11-2009, 12:15 PM

Quote:

Originally Posted by r8escjohn

Thought I had a fix by changing my main.cf rights from zimbra/zimbra (which it was/is and I am assuming that is incorrect) to root/postfix. No go as on restart of Zimbra (zmcontrol stop/start) the rights of /opt/zimbra/postfix/main.cf changed back to zimbra/zimbra....:-<

Current zmprov:

Set ownership of main.cf

Current ownership of the main.cf-after Zimbra start/stop.....

I am thinking this is my issue that main.cf is owned by zimbra and not root as in my zimbra.log I still show this error:

And in my main.cf it does not list my RBL in the 'smtpd_recipient_restrictions'

That "error" is normal and can be ignored. It's certainly not the cause of your problems. What does your /opt/zimbra/conf/postfix_recipient_restrictions.cf look like?

You could also try the following:

Code:

zimbra@mail:~> zmprov mcf zimbraMtaRestrictionRBLs b.barracudacentral.org
zimbra@mail:~> zmmtactl stop
zimbra@mail:~> zmmtactl start

r8escjohn · #7 (**permalink**) 03-11-2009, 01:28 PM

Brillant!
While running the

Quote:

zimbra@mail:~> zmprov mcf zimbraMtaRestrictionRBLs b.barracudacentral.org

gave me an

Quote:

zimbra@zimbra:~/postfix/conf> zmprov mcf zimbraMtaRestrictionRBLs b.barracudacentral.org
ERROR: account.INVALID_ATTR_NAME (invalid attr name: [LDAP: error code 17 - zimbraMtaRestrictionRBLs: attribute type undefined])

I was able to manually edit the /opt/zimbra/conf/postfix_recipient_restrictions.cf file and add 'reject_rbl_client b.barracudacentral.org' listing, do a quick 'zmmtactl stop'/'start' and we are golden! After only about 5 minutes I have:

Quote:

zimbra:/opt/zimbra/postfix/conf # /usr/local/sbin/dnsblcount /var/log/zimbra.log
b.barracudacentral.org 40
=================================
Total DNSBL rejections: 40

Woo Hoo!
Now manualy editing that 'postfix_recipient_restrictions.cf' file was probally a no-no, but at this point it woked for me.
I will continue to monitor but so far so good!

tonster · #8 (**permalink**) 03-11-2009, 01:49 PM

Quote:

Originally Posted by r8escjohn

Brillant!
While running the

gave me an

I was able to manually edit the /opt/zimbra/conf/postfix_recipient_restrictions.cf file and add 'reject_rbl_client b.barracudacentral.org' listing, do a quick 'zmmtactl stop'/'start' and we are golden! After only about 5 minutes I have:

Woo Hoo!
Now manualy editing that 'postfix_recipient_restrictions.cf' file was probally a no-no, but at this point it woked for me.
I will continue to monitor but so far so good!

The addition of zimbraMtaRestrictionRBLs must have been more recent than the 5.0.6 version of ZCS you're using. Seeing as that is now working for you, I wouldn't worry about it being in the postfix_recipient_restrictions.cf file. But if you ever want to remove it, you'll have to remember to remove it from that file since removing it from zimbraMtaRetrictions won't have any affect. In any event, I'm glad this got you going!