Zen RBL disclaimer
I notice that with the zen.spamhaus.org RBL, there's the following disclaimer :
"Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for anything other than checking IP addresses that hand off to your mailservers."
Ok, I'm not a smarthost, and I assume Zimbra doesn't do deep parsing of the received headers.
However, I've got a standard Zimbra 6.0.5 server that is used by out-of-office users that make use of SMTP AUTH (from their homes, hotels, airports, etc.). In Zimbra, does that mean that authenticated SMTP users will get blocked by the zen.spamhaus.org RBL because the IP of the internet connection they're on may be blocked? Or is it smart enough to exempt authenticated users from the RBL lookup?
The answer is "it depends". :)
Originally Posted by bjquinn
If you are doing RBL filtering on a firewall device in front of Zimbra, you will indeed block those remote users whose IPs are on the list. zen doesn't block dynamic IP addresses as a matter of course like some RBLs do, so this shouldn't impact remote users doing Outlook auth, unless their IP is listed for other reasons.
If you are using RBLs in Zimbra's Postfix (i.e. you added RBLs via the Admin Console), then the order of the smtpd_recipient_restrictions filters matters. If you block via RBLs before allowing authenticated users, then these remote users will be unable to send mail if their IP is listed. But again, zen is not an aggressive list (zen has very, very few false positives), so the majority of your remote Outlook users shouldn't have an issue. You can look at main.cf to check the order to be absolutely sure.
If you aren't using RBLs in Zimbra's Postfix nor in a firewall in front of your Zimbra farm, then a zen listing just adds to the email's spam score via Zimbra's SpamAssassin. The email may or may not get blocked depending upon the results from all of the other SpamAssassin tests.
Worst case is if a remote Outlook user is on a dirty IP, they can just use the Zimbra web interface -- and when they get back to the office you can give their laptop a good scan before you let them plug in to the corporate LAN!
Remember also that zen is commercial, so before you use it I would recommend checking the Spamhaus terms of service to see if you are required to pay to use it.
Hope that helps,
Thanks for the response!
Here's the relevant information from /opt/zimbra/postfix-184.108.40.206z/conf/main.cf
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client dnsbl.njabl.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.mail-abuse.org, permit
I do not run RBL filtering in front of my Zimbra server, and I see that permit_sasl_authenticated comes before reject_rbl_client *, so I should be safe to add zen, correct?
Also, I checked and I am within safe limits for free Zen usage.