zen.spamhaus.org RBL

[keffa]

I recently followed the wiki advice located here...

http://wiki.zimbra.com/index.php?tit...On_or_Off_RBLs

Except instead of the listed RBL's, I just listed one, the Spamhaus Zen RBL which combines all their lists into one and is located at zen.spamhaus.org as follows...

Code:

zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-
fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction 
 “reject_rbl_client zen.spamhaus.org”

It did not give me any error messages and I rebooted the server. I expected to be given some indication in the admin interface that this was now active but I can't see anything different. Is there anything else I need to do to activate this RBL or is it now just silently working away?

[phoenix]

There is no indication other than the fact that you've enabled it.

[keffa]

It doesn't appear to be working, I'm still getting connections from IP addresses listed in zen. I've followed the instructions to the letter, am I missing anything?

[scottnelson]

1. This ( WIKI you read ) is only meant to be used until DSPAM/SA got up to speed.
As soon as they do ( week or two ), need to remove them as these RBL's are also being checked within SA.
( /opt/zimbra/conf/spamassassin/20_dnsbl_tests.cf to be exact )

2. But to answer your question, for my server, I have to added/modified the following lines in /etc/syslog.conf ( make a copy first )

mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

Then, /etc/rc.d/init.d/syslog restart

This will give you the "Postfix" messages via the above files, so you can actually see what postfix is doing, since the WIKI referenced above tells Postfix to reject the message(s), not Zimbra MTA or SA or DSPAM.

Some background: I am running FC4, may need to adjust for your flavor of OS.

Hope this helps!

Scotty

[captainmish]

I have also had problems with adding zen.sa - sbl works fine though! Is there a specific set of rbls that zimbra will allow?
Running NE (4.5.6_GA_1044.UBUNTU6) on ubuntu 6.06

I become the zimbra user, then:

zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non_fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org"

(yes, zen and sbl should not both be in the list, but this is to prove a point.)
Now wait a few moments for zimbra to update the postfix config, just check that zimbra knows about it:

zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org

So zimbra has accepted the changes. Lets see what postfix thinks:
postconf | grep smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_rbl_client sbl.spamhaus.org, reject_unauth_destination, permit

Only sbl.spamhaus.org is added! Whats going on here?

Of course previously I added just zen.sa and wondered why nothing seemed to be happening, and postconf would not show any changes at all. It only seems to accept sbl.

Is this by design (only a predefined set of rbls are accepted), or is this some kind of wierd bug? Searching bugzilla for zen.spamhaus.org and spamhaus.org showed zarro bugs.

Any ideas?

[mmorse]

A few things,
-Be aware the sbl is already included in the zen
-You can also enter them one at a time with +/-:

Code:

zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"

-do a postfix reload - any change?

[captainmish]

I also did a postfix reload, and a zmmtactl reload (it gives syntax errors, but seems to reload postfix anyway) - I also restarted with zmmtactl restart, all of these failed to add zen.

Following the exact same steps to add the two, adding zen does not get added to the postconf, but sbl does (add zen, check postconf, no zen; add sbl, check postconf, sbl is there)

Checking the zimbra config with zmprov gacf | grep zimbraMtaRestriction shows that zen has been added, but it is not in the postfix conf, only sbl is. Re-adding zen using the +zimbraMtaRestriction method and then reloading postfix also does not add it.

The only thing I have not tried is a "full" restart, zmcontrol restart - maybe there is something else that needs reloading/restarting to inject the zen conf?

Nice info for adding things one at a time, instead of the whole lot though, thanks

[captainmish]

Looks like I hit this bug - Bug 11316 - postfix_recipient_restrictions.cf is missing some spamhaus entries.
Editing $ZIMBRA_HOME/conf/postfix_recipient_restrictions.cf and adding a line for zen.spamhaus.org solves the problem, and it is added correctly to the postfix conf.

[preem]

Nice find.

I tried it myself, was also affected by the mentioned bug so editing postfix_recipient_restrictions.cf solves this problem.

But another one arises in my example. Lots of false-negatives or what is it called, i am no spam expert, sorry for that. Anyways, lots of messages rejected, even from well known hosts like google's gmail. I can't get it whitelisted using zen.

I tried adding whole domain whitelisted in amavisd.conf.in with:
'gmail.com' => -5.0,

and according to wiki, to salocal.cf.in with lines:
whitelist_from *.google.com
whitelist_from *@gmail.com

and other variants with wildcards, none of them work.

Am i missing something or have i chosen the wrong path? How its done?

Thanks

[captainmish]

Are you sure its blocking the actual hosts, or just forged "from"? Ive had no problems with it since it went on, amazed at the amount its blocking.

You will not be able to whitelist using amavis, because mail blocked with rbls wont get that far - its blocked on the initial smtp conversation. My guess is you are getting "false false positives" (not really false positives) because of forged "from"s

Test it yourself by sending a message from your gmail, im pretty confident it will arrive. Spam sent from gmail will probably be blocked further down the process by sa.

If you are actually getting false positives, try just using sbl.spamhaus.org - it is a lot smaller, so you will get more spam, but false positives should drop to zero.

**EDIT**

try using this (as the zabbix user) to list all the HOSTS (as opposed to from addresses) you are blocking (this is for ubuntu 6.06 - you may have to change your log location):

grep spamhaus /var/log/mail.log | awk '{ print $10 }'
or use it with tail to give you a constantly updating list on your console