
Thread: whitelisting IPs with RBLs

  1. #1
    cirrhus9_JJ's Avatar
    cirrhus9_JJ is offline Member
    Join Date
    Jan 2011
    Location
    Youngstown, OH
    Posts
    14
    Rep Power
    4

    whitelisting IPs with RBLs

    We've run into a problem with the T-Mobile devices ('smart'phones).
    The boss's phone frequently gets a new IP (about once a week, I guess) and it usually hits one of the RBLs we have implemented.

    I followed the instructions at Improving Anti-spam system - Zimbra :: Wiki
    and edited /opt/zimbra/conf/allow_rbl

    The wiki article is presenting and using a /opt/zimbra/conf/postfix_rbl_override but a
    Code:
    postconf |grep smtpd_recipient_restrictions
    shows /opt/zimbra/conf/allow_rbl, so that's what I've been editing using the following format:
    206.29.182.195 OK
    208.54.5.134 OK

    Edit: I've noticed that neither /opt/zimbra/conf/postfix_rbl_override nor /opt/zimbra/conf/allow_rbl
    have any reject lines in them as per the wiki article. Could this be an/the issue?

    and then
    Code:
    postmap /opt/zimbra/conf/allow_rbl
    zmmtactl restart
    but he's still being caught with the log message:
    Code:
    blocked using cbl.abuseat.org;
    What I'd prefer to do is whitelist the entirety of *.tmodns.net
    I know it's pretty broad but it's a pain to have to edit this every damned Monday just to email from his smartphone.

    Code:
    postconf |grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net, permit, check_client_access hash:/opt/zimbra/conf/allow_rbl
    Release 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 FOSS edition.

    I appreciate any help on this issue.

    Thank you for your time.

    Edit: Mon Sep 30, 2013 - 12:28:35 PM EDT
    I checked /opt/zimbra/conf/postfix_recipient_restrictions.cf
    and it has the reject lines I'm expecting but is referencing
    /opt/zimbra/conf/postfix_rbl_override
    so I have moved the whitelisted IPs in /opt/zimbra/conf/allow_rbl into it and bounced with zmmtactl restart.
    I'd still like to whitelist the entirety of *.tmodns.net
    so I'm thinking an entry of
    tmodns.net OK
    will be OK?

    Edit: Mon Sep 30, 2013 - 12:41:30 PM EDT
    /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
    check_client_access hash:/opt/zimbra/conf/allow_rbl

    Should I change this to /opt/zimbra/conf/postfix_rbl_override ???

    Sorry for the running dialog, I'm a bit confused on this subject.

    Thanks.
    Last edited by cirrhus9_JJ; 09-30-2013 at 09:44 AM.
    JJ_of_c9

  2. #2
    quanah is offline Zimbra Employee
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,276
    Rep Power
    10

    Whatever file you reference with check_client_access must be what the IPs are in.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3
    LMStone's Avatar
    LMStone is offline Moderator
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,373
    Rep Power
    10

    Separately, I would suggest first that cbl.abuseat.org and SpamCop are both very aggressive RBLs and are known to generate false positives.

    Second, smtpd_recipient_restrictions is processed in the order listed as I understand it, so you'd need to have "check_client_access hash:/opt/zimbra/conf/allow_rbl" appear before the reject_rbl_client statements to have the whitelist work.

    By way of example from a known good working system:

    Code:
    zimbra@viognier:~> postconf -n | grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client b.barracudacentral.org, permit
    zimbra@viognier:~>
    Hope that helps,
    Mark

  4. #4
    cirrhus9_JJ is offline Member

    Quanah:

    They are, now

    Mark:
    Well, that makes sense...
    I just moved the line "up" in cp /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf, so we now have
    ...
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    ...

    I have also changed it to check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    in same, so now we have:
    Code:
    postconf -n | grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, check_client_access hash:/opt/zimbra/conf/postfix_rbl_override, reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net, permit
    Here's to "I hope I did that right"!!!

    Thank you both.

    Edit: Mon Sep 30, 2013 - 4:03:28 PM EDT
    I now see these types of entries in zimbra.log:
    CLIENTWHITELIST [208.54.5.134]

    <fingers_crossed>
    Last edited by cirrhus9_JJ; 09-30-2013 at 01:07 PM.
    JJ_of_c9
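
The ordering point from the replies above, as an added example that is not part of the original thread: Postfix applies smtpd_recipient_restrictions left to right and the first restriction that returns a final result wins, so this lint reports when the first check_client_access lookup sits after a reject_rbl_client or a bare permit. The function name and verdict strings are assumptions of this example; the two sample values are the postconf lines quoted in posts #1 and #4.

```shell
#!/bin/sh
# Added example (not from the thread): lint the order of a Postfix
# smtpd_recipient_restrictions value. An allow-list lookup only helps if it
# is evaluated before the RBL checks and before a bare "permit".

# Sample values copied from the postconf output in posts #1 and #4.
BEFORE='reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net, permit, check_client_access hash:/opt/zimbra/conf/allow_rbl'
AFTER='reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, check_client_access hash:/opt/zimbra/conf/postfix_rbl_override, reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net, permit'

# check_rbl_override_order VALUE   (hypothetical helper name)
# Prints "ok" and returns 0 when the first check_client_access precedes every
# reject_rbl_client and every bare permit; otherwise prints a comma-separated
# list of findings and returns 1.
check_rbl_override_order() {
    printf '%s\n' "$1" | tr ',' ' ' | awk '
    {
        # Record the position of the first occurrence of each keyword.
        for (i = 1; i <= NF; i++) {
            pos++
            if ($i == "check_client_access" && !acl) acl = pos
            if ($i == "reject_rbl_client"   && !rbl) rbl = pos
            if ($i == "permit"              && !per) per = pos
        }
    }
    END {
        if (!acl) {
            msg = "no-allowlist"
        } else {
            if (rbl && rbl < acl) msg = "allowlist-after-rbl"
            if (per && per < acl) msg = msg (msg ? "," : "") "allowlist-after-permit"
        }
        if (msg) { print msg; exit 1 }
        print "ok"
    }'
}

# Stand-alone run over the two sample values.
# On a live server the value could come from:
#   postconf -h smtpd_recipient_restrictions
for value in "$BEFORE" "$AFTER"; do
    check_rbl_override_order "$value" || true
done
```
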

  5. #5
    LMStone is offline Moderator

    Looks very promising! Glad we could help!

    All the best,
    Mark

  6. #6
    cirrhus9_JJ is offline Member

    Thank you.
    JJ_of_c9

  7. #7
    quanah is offline Zimbra Employee

    Just to note, I've filed https://bugzilla.zimbra.com/show_bug.cgi?id=84275 to make this something that can be preserved across upgrades once 8.5 is out, so people don't have to reconfigure it after every upgrade.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  8. #8
    cirrhus9_JJ is offline Member

    Great news!

    Thank you.
    JJ_of_c9

  9. #9
    cirrhus9_JJ is offline Member

    Additionally I've further changed the order of directives in /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf file in the following manner:
    Code:
    ...
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    %%contains VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
    ...
    as many of the t-mobile IPs do not have any rDNS or reverse mapping set, per this document,
    my thinking is that they may be whitelisted for RBLs, but still receive "450" codes (get unknown_hostname_reject_code = 450)

    an on-going process...

    Thanks for "listening"...
    JJ_of_c9
