Results 1 to 10 of 10

Thread: Solution: Whitelist for Postfix if using RBLs

Hybrid View

  1. #1
    Join Date
    Nov 2006
    Location
    Manchester, UK
    Posts
    59
    Rep Power
    9

    Default Solution: Whitelist for Postfix if using RBLs

    If you are using RBLs (such as zen.spamhaus.org) to block spam, the whitelist method in the Wiki does not work. This is because the wiki method is for spamassasin not postfix.

    Postfix will check incoming messages against the RBL first, and allow/reject accordingly. So if you have a sender listed on a RBL, you need to whitelist them in Postfix.

    Using this post: How To Whitelist Hosts/IP Addresses In Postfix | HowtoForge - Linux Howtos and Tutorials

    I came up with a method to do this in Zimbra. {commands in italics}

    Login and change to zimbra user

    vi /opt/zimbra/conf/postfix_rbl_override
    list all IP addresses or host names (one per line!) that you want to whitelist:
    Code:
    1.2.3.4 OK
    1.2.3.5 OK
    mail.freemailer.tld OK
    postmap /opt/zimbra/conf/postfix_rbl_override

    vi /opt/zimbra/conf/postfix_recipient_restrictions.cf

    under:
    reject_unauth_destination
    add:
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override

    e.g.:
    Code:
    reject_unauth_destination
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    reject_unlisted_recipient
    zmmtactl restart

    Each time you add a new one, you need to do the postmap command then zmmtactl restart

    Bertie

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Thanks for posting this, would you mind adding it to the wiki as that's a more appropriate place for this kind of article.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    Thanks from me, too. This will come in handy. Also, I've inserted a cross-reference to this thread in Bug 43956 - RFE: MTA-level whitelisting.

  4. #4
    Join Date
    Nov 2006
    Location
    Manchester, UK
    Posts
    59
    Rep Power
    9

    Default Wiki Updated

    Updated to Wiki here: Improving Anti-spam system - Zimbra :: Wiki

    Bertie

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by bertie_uk View Post
    Thanks for doing that.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  6. #6
    Join Date
    Jun 2007
    Location
    BC, Canada
    Posts
    281
    Rep Power
    8

    Default

    Quote Originally Posted by bertie_uk View Post
    under:
    reject_unauth_destination
    add:
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override

    e.g.:
    Code:
    reject_unauth_destination
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    reject_unlisted_recipient
    You should put the override right above the item you are overriding, and not just anywhere above.

    Each time you add a new one, you need to do the postmap command then zmmtactl restart
    Why the "zmmtactl restart"? Postfix doesn't need to be restarted to pick up changes in a hashed db. Running postmap on the file is enough to alert postfix that there are changes and to reload the db.
    Freddie

  7. #7
    Join Date
    May 2011
    Posts
    17
    Rep Power
    4

    Default

    Hello all....

    I use this method to solve some RBL spam problem. I have some trust domains that send mail to our MTA, but the message does not sent to recipent.
    So I do like this thread. And solved to some domains

    see /opt/zimbra/conf/postfix/rbl_override
    gov.br OK
    opet.com.br OK
    luzsp.com.br OK
    terra.com.br OK

    As you can see, this have worked fine to some domains, but I have a great great problem with this last domain (terra.com.br), when I send a test mail, the log shows:

    Jan 21 15:05:54 lukeskywalker postfix/smtpd[4212]: connect from if04-mail-sr10-mia.mta.terra.com[208.84.243.57]
    Jan 21 15:05:55 lukeskywalker postfix/smtpd[4212]: EDF844638007: client=if04-mail-sr10-mia.mta.terra.com[208.84.243.57]
    Jan 21 15:05:56 lukeskywalker postfix/cleanup[4213]: EDF844638007: message-id=<53824.1358787953@terra.com.br>
    Jan 21 15:05:56 lukeskywalker postfix/qmgr[3570]: EDF844638007: from=<cpdprefsfs@terra.com.br>, size=3519, nrcpt=1 (queue active)
    Jan 21 15:05:56 lukeskywalker postfix/smtpd[4212]: disconnect from if04-mail-sr10-mia.mta.terra.com[208.84.243.57]
    Jan 21 15:05:59 lukeskywalker postfix/smtpd[3986]: connect from if04-mail-sr10-mia.mta.terra.com[208.84.243.57]
    Jan 21 15:05:59 lukeskywalker postfix/smtpd[3986]: 709C1463800B: client=if04-mail-sr10-mia.mta.terra.com[208.84.243.57]
    Jan 21 15:05:59 lukeskywalker postfix/cleanup[4213]: 709C1463800B: message-id=<051f01cdf7f9$97f3d830$c7db8890$@terra.com.br>
    Jan 21 15:06:01 lukeskywalker postfix/qmgr[3570]: 709C1463800B: from=<gestao.paulista05@terra.com.br>, size=95035, nrcpt=1 (queue active)
    Jan 21 15:06:01 lukeskywalker postfix/smtpd[3986]: disconnect from if04-mail-sr10-mia.mta.terra.com[208.84.243.57]



    but unfortunately the test message (and any other) does not show in users mailboxes.

  8. #8
    Join Date
    Sep 2009
    Location
    Canberra, Australia
    Posts
    25
    Rep Power
    6

    Default

    How would someone do this in Zimbra 8?

    Is this method still recommended? Is there any changes that need to be made? Or does Zimbra 8 allow us to do this in other ways.

    An answer or pointing me in the right direction would be great.

  9. #9
    Join Date
    Nov 2006
    Location
    Manchester, UK
    Posts
    59
    Rep Power
    9

    Default

    In Zimbra 8 the file to add the check to is now /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf

  10. #10
    Join Date
    Nov 2013
    Posts
    2
    Rep Power
    1

    Default

    Hi

    You know if this procedure is valid for domain names?

    examples:
    test.com OK
    nova.mx.com OK
    bluehorse.net OK

    According to Postfix MAN page, is possible for: daomain, subdomain, address and IP: Postfix manual - access(5)

    But, I try this method and not working. I have Zimbra 7.2.0.

    Edit...

    I have debugged Zimbra and I see that Postfix only is verifying the mail server hostname. Only work if hostname is finished with a domain name whitelisted.

    I want exclude messages this way:

    "name@example.com" sent from "*.outlook.com"
    "othername@company.com" sent from "*.google.com"
    "peter@farawaytown.net" sent from "*.someprovider.net"

    Mi RBL provider is blocking Google and Microsoft IP address because this companies are hosting several spamers of my country. Other RBLs not work for me because almost all spam messages is sent from national servers.
    Last edited by evilside; 01-08-2014 at 09:48 AM. Reason: New info

Similar Threads

  1. whitelist & blacklist
    By Nox in forum Administrators
    Replies: 0
    Last Post: 08-07-2008, 12:07 PM
  2. Known "proxy" issue and solution?
    By fnollet in forum Administrators
    Replies: 0
    Last Post: 07-04-2008, 01:10 AM
  3. Spam handling with RBL's
    By Priyantha Bleeker in forum Administrators
    Replies: 2
    Last Post: 04-18-2008, 09:52 AM
  4. TRying to make sense of a Palm sync solution
    By fhouston in forum Administrators
    Replies: 8
    Last Post: 03-20-2008, 08:40 AM
  5. Replies: 2
    Last Post: 02-20-2007, 07:53 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •