Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
Reload this Page Zen RBL disclaimer

Welcome to the Zimbra :: Forums!
Welcome, if you would like to post a comment please register. We also encourage you to explore all things Zimbra with our team and members of the community.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 04-14-2010, 03:21 PM
Special Member
  
Posts: 170
Default Zen RBL disclaimer
I notice that with the zen.spamhaus.org RBL, there's the following disclaimer :

"Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for anything other than checking IP addresses that hand off to your mailservers."

Ok, I'm not a smarthost, and I assume Zimbra doesn't do deep parsing of the received headers.

However, I've got a standard Zimbra 6.0.5 server that is used by out-of-office users that make use of SMTP AUTH (from their homes, hotels, airports, etc.). In Zimbra, does that mean that authenticated SMTP users will get blocked by the zen.spamhaus.org RBL because the IP of the internet connection they're on may be blocked? Or is it smart enough to exempt authenticated users from the RBL lookup?
Reply With Quote
  #2 (permalink)  
Old 04-15-2010, 05:03 AM
Moderator
  
Posts: 1,209
Default
Quote:
Originally Posted by bjquinn View Post
I notice that with the zen.spamhaus.org RBL, there's the following disclaimer :

"Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for anything other than checking IP addresses that hand off to your mailservers."

Ok, I'm not a smarthost, and I assume Zimbra doesn't do deep parsing of the received headers.

However, I've got a standard Zimbra 6.0.5 server that is used by out-of-office users that make use of SMTP AUTH (from their homes, hotels, airports, etc.). In Zimbra, does that mean that authenticated SMTP users will get blocked by the zen.spamhaus.org RBL because the IP of the internet connection they're on may be blocked? Or is it smart enough to exempt authenticated users from the RBL lookup?
The answer is "it depends".

If you are doing RBL filtering on a firewall device in front of Zimbra, you will indeed block those remote users whose IPs are on the list. zen doesn't block dynamic IP addresses as a matter of course like some RBLs do, so this shouldn't impact remote users doing Outlook auth, unless their IP is listed for other reasons.

If you are using RBLs in Zimbra's Postfix (i.e. you added RBLs via the Admin Console), then the order of the smtpd_recipient_restrictions filters matters. If you block via RBLs before allowing authenticated users, then these remote users will be unable to send mail if their IP is listed. But again, zen is not an aggressive list (zen has very, very few false positives), so the majority of your remote Outlook users shouldn't have an issue. You can look at main.cf to check the order to be absolutely sure.

If you aren't using RBLs in Zimbra's Postfix nor in a firewall in front of your Zimbra farm, then a zen listing just adds to the email's spam score via Zimbra's SpamAssassin. The email may or may not get blocked depending upon the results from all of the other SpamAssassin tests.

Worst case is if a remote Outlook user is on a dirty IP, they can just use the Zimbra web interface -- and when they get back to the office you can give their laptop a good scan before you let them plug in to the corporate LAN!

Remember also that zen is commercial, so before you use it I would recommend checking the Spamhaus terms of service to see if you are required to pay to use it.

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
Reply With Quote
  #3 (permalink)  
Old 04-26-2010, 08:21 AM
Special Member
  
Posts: 170
Default
Thanks for the response!

Here's the relevant information from /opt/zimbra/postfix-2.6.5.2z/conf/main.cf

smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client dnsbl.njabl.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.mail-abuse.org, permit

I do not run RBL filtering in front of my Zimbra server, and I see that permit_sasl_authenticated comes before reject_rbl_client *, so I should be safe to add zen, correct?

Also, I checked and I am within safe limits for free Zen usage.
Reply With Quote
Reply

« Previous Thread | Today's Posts or Week's Posts | Next Thread »

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode


Similar Threads

Product Information

Why Join?

Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.

blog.zimbra.com


Home - Blog - Contact Us - Archive - Top


 

SEO by vBSEO ©2011, Crawlability, Inc.