View Poll Results: Are you interested in RBL whitelisting in ZCS?

Voters: 3
  • Yes, I think it is very interesting, please add this feature! 3 (100.00%)
  • No, I suppose this feature is really useless. 0 (0%)

Thread: ZCS RBL whitelisting from web interface

  1. #1
    lovelord is offline Senior Member

    ZCS RBL whitelisting from web interface

    Hello all,

    I'm a sysadmin of an Italian ISP using ZCS (Release 8.0.5.GA.5839.UBUNTU10.64 UBUNTU10_64 FOSS edition).
    My system is a shared one, so I've tons of domains on it, sharing my resources with multiple customers, so I really can't enable any "system wide" mod on it. My question is the following (and I suppose many members are in my same shoes):

    Is there any RBL whitelisting method available, customer side?

    These are my restrictions:
    zimbra@mail:~$ zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unknown_client
    zimbraMtaRestriction: reject_unknown_hostname
    zimbraMtaRestriction: reject_unknown_sender_domain
    zimbraMtaRestriction: reject_rbl_client dyna.spamrats.com
    zimbraMtaRestriction: reject_rbl_client noptr.spamrats.com
    zimbraMtaRestriction: reject_rbl_client spam.spamrats.com
    zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net


    Obviously I've set a whitelist/blacklist hash file where I can (from console) PERMIT/FORCE REJECT email addresses, so even if an email address is blacklisted I can allow local delivery.

    My interest is to find a way that allows customers to add/remove users in RBL whitelisting/blacklisting to avoid false positives and to not take care of each one by telephone calls or email requests (this is quite frustrating, spamcop is a very good service, but sometimes really too much filtering...)

    In user preferences there is whitelist/blacklist management, but that is only useful for attachments from trusted senders, nothing to do with RBL, but probably, maybe by scripting, something could be created to extract locally added email addresses to build up a hash file to add above (or under) my hash whitelist/blacklist file. Is it a good idea, or not?

    Any advice is very appreciated.

    Thx,
    Andrea

  2. #2
    lovelord is offline Senior Member

    Just a simple add-on question: where is the "zimbraPrefMailTrustedSenderList" per-account information stored? LDAP / MYSQL?

  3. #3
    ccelis5215 is offline Elite Member

    Originally posted by lovelord:
    > Just a simple add-on question: where is the "zimbraPrefMailTrustedSenderList" per-account information stored? LDAP / MYSQL?

    Hello, this attribute is stored in LDAP.

    ccelis

  4. #4
    lovelord is offline Senior Member

    Originally posted by ccelis5215:
    > Hello, this attribute is stored in LDAP.
    >
    > ccelis

    Found, thanks, and working on a simple bash script to read from LDAP the preferences edited by users in the "Trusted Senders" table in preferences, to compile my own personalized hash file to bypass RBLs. After some days of testing I'll post the how-to here if it could be useful to someone (or maybe, to a new future release, who knows... )

  5. #5
    ccelis5215 is offline Elite Member

    Originally posted by lovelord:
    > Found, thanks, and working on a simple bash script to read from LDAP the preferences edited by users in the "Trusted Senders" table in preferences, to compile my own personalized hash file to bypass RBLs. After some days of testing I'll post the how-to here if it could be useful to someone (or maybe, to a new future release, who knows... )

    Good, keep us posted!

    ccelis

  6. #6
    quanah is offline Zimbra Employee

    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  7. #7
    lovelord is offline Senior Member

    MyScript: RBL per-user whitelisting - TESTING

    Yes, that is my follow-up, but I'm a step ahead. I already created something useful (for me at least) that in a very dirty way does what I want (per-user customized RBL whitelisting using the already existing "trusted senders" table in preferences).

    This is the script I've created to reach this goal. It is not so difficult to understand what it does, surely it could be improved, I'm not a developer, just an admin. I release this as an alpha, but I'm testing it, and it works. Let me know what you think about it, and feel free to use it and modify it as you prefer, but keep in mind that I'm not responsible for any damage it could cause, so beware, use it at your own risk.

    If you like it, just thank me... that is quite enough


    NOTE: Updated to beta in date 11/22/2013 !

    Code:
    #!/bin/bash
    
    # Copyright : A.Biancalani - rev. beta - 11/22/2013
    # License: Free to use and modify - (just keep me informed : gda@conmet.it)
    #
    # Thanks to: ccelis5215 - for nice tips on ldap querying.
    #
    # Official Zimbra forum thread: http://www.zimbra.com/forums/administrators/66388-zcs-rbl-whitelisting-web-interface.html
    #
    #
    # DISCLAIMER: I'm not responsible for any malfunction, due to or resulting from inserting or using this script in any way.
    #
    # ---> USE IT AT YOUR OWN RISK!! SCRIPT IS OFFERED "AS IS" WITH NO WARRANTY!! <---
    #
    ##############################################################################################################################
    #
    # What this script is useful for:
    # - It "learns" trusted senders from user preferences in Zimbra Collaboration Suite and uses them for automatic RBL whitelisting.
    #   An RBL MASTER blacklist/whitelist made by yourself can still be configured to override users' choices;
    # - It does a full ldap backup of system preferences (maybe useful or not for you, but helpful for me) and you can keep these for X days (myretention);
    # - It logs all users' "trusted senders" ordered by user into a log file (customizable) that is easy to read and trace;
    # - If scheduled in crontab (once or twice a day) it is completely automatic.
    #
    # What third party stuff is needed: NONE.
    #
    # What to do before starting using this script?
    #
    # modify this file: /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
    #
    # Add where you need these lines (beware what you're doing, it is important to know where to insert these lines into)
    #
    # %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
    # ...
    # ...
    # ...
    # check_sender_access hash:/opt/zimbra/conf/sender_blacklist <-- this name is customizable, just remember how you've named it
    # check_sender_access hash:/opt/zimbra/conf/sender_blacklist_from_users <-- this name is customizable, just remember how you've named it
    # ...
    #
    # Restart MTA by "zmmtactl restart" or just restart all services with "zmcontrol restart"
    #
    # CRONJOB HAS TO BE MANUALLY CREATED:
    #
    # Example:
    # 0 13 * * * /path/to/this/script/<YOUR_SCRIPT_NAME.SH>
    # 0 0 * * * /path/to/this/script/<YOUR_SCRIPT_NAME.SH>
    #
    #
    # Let's customize ...
    
    
    
    # CUSTOMIZATION (ALL PATHS YOU DECLARE HAVE TO EXIST, NOT CHECKED!!)
    #
    # LDAP BACKUP FOLDER
    
    mypath="/backup/ldap"
    
    # LDAP BACKUP FILE NAME
    
    myfile="/backup/ldap/ldap.bak"
    
    # WHITELIST FILE - THIS IS WHERE HASH FILE WILL BE CREATED - PAY ATTENTION
    
    white_file="/opt/zimbra/conf/sender_blacklist_from_users"
    
    # THIS IS THE DATE FORMAT (mine is the Italian one, just customize it as you wish)
    
    mydata=$(date +%d/%m/%y" ore "%H:%M:%S)
    
    # RETENTION PERIOD, AFTER THESE DAYS OLD BACKUPS ARE CLEANED
    
    myretention="3"
    
    # MY LOG FILE
    
    mylogfile="/var/log/whitelist"
    
    # DEBUG MODE (0 = normal run: backup, write map, postmap, MTA restart / 1 = dry run: only print the extracted list)
    
    debug="0"
    
    ##############################################################################################################################
    # DON'T MODIFY ANYTHING AFTER THIS LINE, MAY CORRUPT FUNCTIONALITY.
    ##############################################################################################################################
    
    clear
    
    # USER IDENTIFY
    if [ -z "$(which whoami 2>/dev/null)" ];
    then
    # whoami not found: resolve the user name from the current uid instead
    myuser=$(id -un)
    else
    myuser=$(whoami)
    fi
    
    if [ "$myuser" != "zimbra" ];
    then
    echo "Cannot run with user $myuser! Run it as zimbra user."
    else
    
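    # Empty the map source only on a normal run; a dry run (debug=1) must not touch it.
    if [ $debug == 0 ]; then
    :> "$white_file"
    fi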
    
    # BACKING UP ldap.bak (myfile)
    
    if [ $debug == 0 ]; then
    /opt/zimbra/libexec/zmslapcat $mypath
    fi
    
    
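    # EXTRACTING INFO FROM LDAP SERVER: LOGGING AND CREATING LIST
    # NOTE: -w puts the LDAP bind password on the command line, where other local
    # users can read it from the process list while ldapsearch runs.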
    
    /opt/zimbra/bin/ldapsearch -x -D `zmlocalconfig -m nokey -s zimbra_ldap_userdn` -w `zmlocalconfig -m nokey -s zimbra_ldap_password` -h `hostname -f` '(&(mail=*)(zimbraPrefMailTrustedSenderList=*))' mail zimbraPrefMailTrustedSenderList|grep -v ^"#"|grep -v ^"dn:"|grep -v ^"search"|grep -v ^"result" > $mylogfile
    
    trusted_senders=$(/opt/zimbra/bin/ldapsearch -x -D `zmlocalconfig -m nokey -s zimbra_ldap_userdn` -w `zmlocalconfig -m nokey -s zimbra_ldap_password` -h `hostname -f` '(&(mail=*)(zimbraPrefMailTrustedSenderList=*))' zimbraPrefMailTrustedSenderList|grep -v ^"#"|grep -v ^"dn:"|grep -v ^"search"|grep -v ^"result"|awk NF|sort|uniq|grep "@"|cut -f2 -d" ")
    
    # COMPILING
    
    function is_valid {
    is_not_domain=$(echo $i|grep "@"|cut -f1 -d "@")
    
    if [ "${#is_not_domain}" -gt "1" ]; then
    
    if [ "${#is_not_domain}" -gt "1" -a $debug == 1 ]; then
    echo "$i,PERMIT"|awk '{ printf "%-50s%-10s\n",$1,$2}' FS=\,
    else
    echo "$i,PERMIT"|awk '{ printf "%-50s%-10s\n",$1,$2}' FS=\, >> $white_file
    fi
    
    fi
    
    }
    
    if [ $debug == 1 ]; then
    echo -e "Extracted list: \n\n"
            for i in $(echo $trusted_senders);
            do
            is_valid
            done
    else
    echo -e "\n\n# Last run : $mydata\n\n" > $white_file
            for i in $(echo $trusted_senders);
            do
            is_valid
            done
    fi
    
    
    # HASH FILE CREATING...
    if [ $debug == 0 ]; then
    /opt/zimbra/postfix/sbin/postmap $white_file
    fi
    
    # RETENTIONS CLEANING, FOR BACKUP PURPOSES...
    
    if [ $debug == 0 ]; then
    # Quote the glob so the shell does not expand it; +N means older than N days.
    find "$mypath" -name '*.bak*' -ctime +"$myretention" -exec /bin/rm {} \;
    fi
    
    # MTA RESTARTING TO APPLY CHANGES...
    if [ $debug == 0 ]; then
    echo "Restarting MTA..."
    /opt/zimbra/bin/zmmtactl restart
    fi
    
    fi
    # END
    I'm here to test it with you if you need my help, I hope it can help someone else with the same interests.

    Andrea
    Last edited by lovelord; 11-22-2013 at 08:17 AM.
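
Added example (not part of lovelord's post and not Zimbra code): a stricter version of the extraction step that unfolds wrapped LDIF lines before parsing and validates each trusted-sender value before it becomes a PERMIT entry. The function names and the sample LDIF are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample of ldapsearch LDIF output (made-up users and senders).
sample_ldif() {
cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com
zimbraPrefMailTrustedSenderList: Bob@Partner.example
zimbraPrefMailTrustedSenderList: partner.example
zimbraPrefMailTrustedSenderList: a-very-long-local-part-that-forces-wrap@lon
 g-domain.example
zimbraPrefMailTrustedSenderList:: Ym9iQHBhcnRuZXIuZXhhbXBsZQ==

dn: uid=carol,ou=people,dc=example,dc=com
mail: carol@example.com
zimbraPrefMailTrustedSenderList: bob@partner.example
zimbraPrefMailTrustedSenderList: x@y.example REJECT
EOF
}

# Read LDIF on stdin, write "address PERMIT" lines for a Postfix hash: map.
build_access_map() {
    awk '
        # A line starting with a space continues the previous LDIF line.
        /^ /  { buf = buf substr($0, 2); next }
              { emit(buf); buf = $0 }
        END   { emit(buf) }
        function emit(line,    key, val) {
            key = "zimbraPrefMailTrustedSenderList: "
            # Plain values only; base64 ("attr:: ...") entries are skipped.
            if (index(line, key) != 1) return
            val = tolower(substr(line, length(key) + 1))
            # Full local@domain address, conservative characters, no spaces:
            # drops bare domains and anything carrying an extra map token.
            if (val ~ /^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$/)
                print val
        }
    ' | sort -u | awk '{ printf "%-50s PERMIT\n", $1 }'
}

# Demo on the constructed sample.
sample_ldif | build_access_map
```

Because `check_sender_access` matches the envelope sender for every recipient, an address trusted by one user ends up exempt from the RBL checks for all domains on the server.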

  8. #8
    quanah is offline Zimbra Employee

    I would suggest just querying ldap directly, rather than processing a backup file

  9. #9
    lovelord is offline Senior Member

    Originally posted by quanah:
    > I would suggest just querying ldap directly, rather than processing a backup file

    Indeed faster, but as I wrote, I use this for backup and logging too. Building a simple LDAP query is 10x faster, but I don't know how to concatenate single user prefs with username using just one query.

  10. #10
    ccelis5215 is offline Elite Member

    Originally posted by lovelord:
    > Indeed faster, but as I wrote, I use this for backup and logging too. Building a simple LDAP query is 10x faster, but I don't know how to concatenate single user prefs with username using just one query.

    Hi, something like:
    Code:
    ldapsearch -x -D `zmlocalconfig -m nokey -s zimbra_ldap_userdn` -w `zmlocalconfig -m nokey -s zimbra_ldap_password` -h `hostname -f` '(&(mail=*)(zimbraPrefMailTrustedSenderList=*))' mail zimbraPrefMailTrustedSenderList
    Found in ShanxT-LDAP-CheatSheet - Zimbra :: Wiki

    ccelis
