  #1 (permalink)  
Old 06-07-2011, 05:10 PM
Junior Member
 
Posts: 8
Incorrect MtaRestrictions

About a month ago we started receiving lots of spam emails so I followed the instructions here:
Configuring and Monitoring Postfix DNSBL - Zimbra :: Wiki
to have our mail server use DNS Blacklists to reject spam and added all possible RBLs, including dnsbl.sorbs.net.

Dnsblcount (setup as per the instructions listed on the above website) is showing that our server is rejecting around 1000 emails per day, and we are receiving markedly less spam.

The issue is that several customers of ours are receiving bounce emails that indicate that the sorbs.net blacklist is causing our mail server to reject their emails. These false positives seem to be isolated to the sorbs.net RBL, so I re-did our DNSBL configuration to include all possible RBLs except sorbs.net and restarted the mail server.

Here is the current output of "zmprov gacf | grep zimbraMtaRestriction"

Code:
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
This indicates to me that dnsbl.sorbs.net is no longer being used; however, we are still having senders' email rejected as a result of their being blacklisted on sorbs.net, and dnsblcount is still showing sorbs.net as one of the rejectors.

Even though I removed sorbs.net from the MtaRestrictions list as of 06/02/11, today's (06/07/11) dnsblcount report shows:

Quote:
cbl.abuseat.org 904
dnsbl.sorbs.net 376
sbl.spamhaus.org 136
bl.spamcop.net 86
dnsbl.njabl.org 34
=================================
Total DNSBL rejections: 1536
We need our server to stop rejecting email based on the sorbs.net RBL. Any followup on this is greatly appreciated.

As an aside, is it possible to have postfix do other things with these emails rather than reject them (mark as spam, for example)?

Thank you,
Scott
  #2 (permalink)  
Old 06-07-2011, 10:32 PM
Zimbra Consultant & Moderator
 
Posts: 20,314

Despite what the dnsblcount report shows, are there actually any entries in the log files showing a rejection by "dnsbl.sorbs.net"? You will also see these entries in the Zimbra daily mail report; are there any for this RBL? I'd also suggest you use "zen.spamhaus.org" instead of the one you have listed; it's a more comprehensive list. You might want to consider changing the order of the RBLs so the one that catches the most spam is listed first, otherwise you waste DNS lookups checking the RBLs.

When you changed the RBLs did you actually reload postfix after making the changes? Do you also have Zimbra "smtpd_reject_unlisted_recipient" set to yes? What are your spam Kill/Tag percentages set to?
__________________
Regards


Bill
  #3 (permalink)  
Old 06-08-2011, 12:45 PM
Junior Member
 
Posts: 8

Bill,
Thanks for your quick and thoughtful reply. There are indeed entries in the daily mail report showing that the sorbs.net blacklist is being used. The number of entries there closely matches the number in the dnsblcount report.

As per your suggestions I have replaced the old sbl.spamhaus.org RBL with zen.spamhaus.org and attempted to re-order my RBLs from most to least catches (the number of catches varies a bit on a daily basis, so I made a best guess).

I did not reload postfix after changing the RBLs, I assumed that restarting Zimbra would load the changes, however as per your suggestion I have reloaded it now, and will await tomorrow's dnsblcount and mail report to see if that has solved the problem.

"smtpd_reject_unlisted_recipient" was set to no, however after reading about it a bit more I edited the zmmta.cf file to set it to yes and reloaded postfix.

Spam Kill/Tag percentages as per Zimbra admin > global settings:
Kill percent: 75
Tag percent: 33

I'm still not sure how the percentages tie in to the information returned from the RBLs.

Thanks again,
Scott
  #4 (permalink)  
Old 06-09-2011, 03:11 AM
Zimbra Consultant & Moderator
 
Posts: 20,314

Quote:
Originally Posted by scottd View Post
I did not reload postfix after changing the RBLs, I assumed that restarting Zimbra would load the changes, however as per your suggestion I have reloaded it now, and will await tomorrow's dnsblcount and mail report to see if that has solved the problem.
I should have clarified that comment, a restart of Zimbra also reloads postfix - for this type of change you just need to restart postfix to get any new RBLS to be used.

Quote:
Originally Posted by scottd View Post
"smtpd_reject_unlisted_recipient" was set to no, however after reading about it a bit more I edited the zmmta.cf file to set it to yes and reloaded postfix.
You might find that this setting reduces a lot of spam, you'll see details in your daily report.

Quote:
Originally Posted by scottd View Post
Spam Kill/Tag percentages as per Zimbra admin > global settings:
Kill percent: 75
Tag percent: 33
You might want to consider tweaking those settings a bit, I have mine set to kill=66 and tag=25 - if you make any changes to those settings then monitor your Junk folders for any false positives. If there's no increase in false positives then leave the settings at their new percentages.

Quote:
Originally Posted by scottd View Post
I'm still not sure how the percentages tie in to the information returned from the RBLs.
There's a description of what the percentages are for in this post: Spam Tag / Kill Options
__________________
Regards


Bill
  #5 (permalink)  
Old 06-09-2011, 09:34 AM
Junior Member
 
Posts: 8

Bill,
Unfortunately, our server still appears to be using sorbs.net to block email.

For the spam tag/kill:
Is your server using RBLs? And if so, do your tag/kill percentages let some or all of the mail from senders listed on the RBLs through to your users (as spam or otherwise)?

Any other ideas on how I might eliminate sorbs.net from my server? Dnsblcount and the daily mail report do not show any indication of any of the changes I made to the MTA Restrictions yesterday (zen is not present and sorbs is still there). Even though "zmprov gacf | grep zimbraMtaRestriction" now shows:

Code:
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org

Thanks again,
Scott
  #6 (permalink)  
Old 06-13-2011, 03:10 PM
Junior Member
 
Posts: 8

Turns out, I had to go in and edit /opt/zimbra/postfix-version/conf/main.cf by hand. The old RBLS were still in there so I made changes to that file and now it works.
  #7 (permalink)  
Old 01-23-2012, 05:13 PM
Loyal Member
 
Posts: 81
Similar problem here...

I am having the same issue - sorbs was enabled, but has been turned off - 2 weeks ago - but I am still having email blocked because of sorbs.

My settings:
postconf |grep smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_hostname, reject_unknown_sender_domain, reject_rbl_client dnsbl.njabl.org reject_rbl_client zen.spamhaus.org reject_rbl_client b.barracudacentral.org, permit


But last night again:
Jan 23 18:12:48 mail postfix/smtpd[19253]: NOQUEUE: reject: RCPT from mail.keystops.com[68.156.173.226]: 554 5.7.1 Service unavailable; Client host [68.156.173.226] blocked using dnsbl.sorbs.net; Currently Sending Spam See: SORBS Database Lookup from=<nxxxxxx@yahoo.com> to=<ldoxxx@sxxx.com> proto=ESMTP helo=<keymailsvr2.KEYSTOPS.COM>

I have done zmcontrol restart manually (plus zimbra restarts as part of my nightly backup)

Also tried this, but no instance of sorbs in this file either...
Quote:
Originally Posted by scottd View Post
Turns out, I had to go in and edit /opt/zimbra/postfix-version/conf/main.cf by hand. The old RBLS were still in there so I made changes to that file and now it works.
Any ideas/help greatly appreciated!

For now I am trying to avoid this by adding an invalid ip address to dnsbl.sorbs.net in my hosts file (!) probably a bad idea.
Reply With Quote
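A check for the mismatch described in this thread, as an added example that is not part of any post: it lists DNSBL zones that appear in smtpd reject lines but are absent from the restriction list reported by `postconf` or `zmprov gacf`. The function names and the sample config and log lines (using documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find DNSBL zones that reject mail but are not in the config.

# DNSBL zones named after reject_rbl_client in `postconf` or `zmprov gacf`
# text on stdin. Postfix allows commas and/or whitespace between restrictions.
configured_dnsbls() {
  tr ',\t' '  ' | tr -s ' ' '\n' |
    awk 'prev == "reject_rbl_client" { z = tolower($0); sub(/=.*/, "", z); print z }
         { prev = $0 }' | sort -u
}

# Rejections per zone ("zone count") from Postfix smtpd log lines on stdin.
rejecting_dnsbls() {
  sed -n 's|.*postfix/smtpd.* reject: .* blocked using \([^; ]*\);.*|\1|p' |
    tr 'A-Z' 'a-z' | sort | uniq -c | awk '{ print $2, $1 }'
}

# Zones seen rejecting in the log (stdin) that are absent from config text $1.
stale_dnsbls() {
  cfg_zones=$(printf '%s\n' "$1" | configured_dnsbls)
  rejecting_dnsbls | cut -d' ' -f1 | grep -vxF -e "$cfg_zones" || true
}

# Constructed sample input (documentation addresses, not real hosts).
sample_config() { cat <<'EOF'
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, reject_rbl_client dnsbl.njabl.org reject_rbl_client zen.spamhaus.org reject_rbl_client b.barracudacentral.org, permit
EOF
}
sample_log() { cat <<'EOF'
Jan 23 18:12:48 mail postfix/smtpd[19253]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.sorbs.net; Currently Sending Spam from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<mx1.example.com>
Jan 23 18:14:02 mail postfix/smtpd[19260]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<c@example.com> to=<b@example.org> proto=ESMTP helo=<mx2.example.com>
Jan 23 18:15:30 mail postfix/smtpd[19253]: connect from unknown[203.0.113.5]
Jan 23 18:15:31 mail postfix/smtpd[19253]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using dnsbl.sorbs.net; from=<d@example.com> to=<b@example.org> proto=ESMTP helo=<mx3.example.com>
EOF
}

# On a live host: stale_dnsbls "$(postconf smtpd_recipient_restrictions)" < maillog
sample_log | stale_dnsbls "$(sample_config)"   # prints dnsbl.sorbs.net
```

Any zone it prints is being enforced by the running smtpd even though the inspected configuration does not list it, which is the situation both posters describe.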