Results 1 to 9 of 9

Thread: whitelisting IPs with RBLs

Hybrid View

  1. #1
    Join Date
    Jan 2011
    Location
    Youngstown, OH
    Posts
    14
    Rep Power
    4

    Default whitelisting IPs with RBLs

    We've run into a problem with the t-mobile devices ('smart'phones)
    The bosses phone frequently gets a new IP (about once a week, I guess) and it usually hits one of the RBLs we have implemented.

    I followed the instructions at Improving Anti-spam system - Zimbra :: Wiki
    and edited /opt/zimbra/conf/allow_rbl

    The wiki article is presenting and using a /opt/zimbra/conf/postfix_rbl_override but a
    Code:
    postconf |grep smtpd_recipient_restrictions
    shows /opt/zimbra/conf/allow_rbl, so that's what I've been editing using the following format:
    206.29.182.195 OK
    208.54.5.134 OK

    Edit: I've noticed that neither /opt/zimbra/conf/postfix_rbl_override nor /opt/zimbra/conf/allow_rbl
    have any reject lines in them as per the wiki article. Could this be an/the issue?

    and then
    Code:
     postmap /opt/zimbra/conf/allow_rbl
    
    zmmtactl restart
    but he's still being caught with the log message:
    Code:
    blocked using cbl.abuseat.org;
    What I'd prefer to do is whitelist the entirety of *.tmodns.net
    I know it's pretty broad but it's a pain to have to edit this every damned Monday just to email from his smartphone.

    Code:
    postconf |grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net, permit, check_client_access hash:/opt/zimbra/conf/allow_rbl
    Release 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 FOSS edition.

    I appreciate any help on this issue.

    Thank you for your time.

    Edit: Mon Sep 30, 2013 - 12:28:35 PM EDT
    I checked /opt/zimbra/conf/postfix_recipient_restrictions.cf
    and it has the reject lines I'm expecting but is referencing
    /opt/zimbra/conf/postfix_rbl_override
    so I have moved the whitelisted IPs in /opt/zimbra/conf/allow_rbl into it and bounced with zmmtactl restart.
    I'd still like to whitelist the entirety of *.tmodns.net
    so I'm thinking an entry of
    tmodns.net OK
    will be OK?

    Edit: Mon Sep 30, 2013 - 12:41:30 PM EDT
    /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
    check_client_access hash:/opt/zimbra/conf/allow_rbl

    Should I change this to /opt/zimbra/conf/postfix_rbl_override ???

    Sorry for the running dialog, I'm a bit confused on this subject.

    Thanks.
    Last edited by cirrhus9_JJ; 09-30-2013 at 10:44 AM.
    JJ_of_c9

  2. #2
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,285
    Rep Power
    10

    Default

    Whatever file you reference with check_client_access must be what the IPs are in.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    Separately, I would suggest first that cbl.abuseat.org and spam cop are both very aggressive RBLs and are known to generate false positives.

    Second, smtpd_recipient_restrictions is processed in the order listed as I understand it, so you'd need to have "check_client_access hash:/opt/zimbra/conf/allow_rbl" appear before the reject_rbl_client statements to have the whitelist work.

    By way of example from a known good working system:

    Code:
    zimbra@viognier:~> postconf -n | grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client b.barracudacentral.org, permit
    zimbra@viognier:~>
    Hope that helps,
    Mark

  4. #4
    Join Date
    Jan 2011
    Location
    Youngstown, OH
    Posts
    14
    Rep Power
    4

    Default

    Quanah:

    They are, now

    Mark:
    Well, that makes sense...
    I just moved the line "up" in cp /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf, so we now have
    ...
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    ...

    I have also changed it to check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    in same, so now we have:
    Code:
    postconf -n | grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, check_client_access hash:/opt/zimbra/conf/postfix_rbl_override, reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net, permit
    Here's to "I hope I did that right"!!!

    Thank you both.

    Edit: Mon Sep 30, 2013 - 4:03:28 PM EDT
    I now see these types of entries in zimbra.log:
    CLIENTWHITELIST [208.54.5.134]

    <fingers_crossed>
    Last edited by cirrhus9_JJ; 09-30-2013 at 02:07 PM.
    JJ_of_c9

  5. #5
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    Looks very promising! Glad we could help!

    All the best,
    Mark

  6. #6
    Join Date
    Jan 2011
    Location
    Youngstown, OH
    Posts
    14
    Rep Power
    4

    Default

    Thank you.
    JJ_of_c9

  7. #7
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,285
    Rep Power
    10

    Default

    Just to note, I've filed https://bugzilla.zimbra.com/show_bug.cgi?id=84275 to make this something that can be preserved across upgrades once 8.5 is out, so people don't have to reconfigure it after every upgrade.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

Similar Threads

  1. [SOLVED] Whitelisting in V6
    By kej263 in forum Administrators
    Replies: 6
    Last Post: 01-20-2010, 12:32 PM
  2. IP Address Whitelisting
    By georgelazar in forum Administrators
    Replies: 11
    Last Post: 10-07-2009, 09:00 AM
  3. Whitelisting domain
    By GCamp in forum Administrators
    Replies: 8
    Last Post: 07-05-2009, 12:49 PM
  4. UI for whitelisting?
    By jameztcc in forum Installation
    Replies: 1
    Last Post: 05-09-2007, 10:06 PM
  5. Whitelisting
    By techdude550 in forum Administrators
    Replies: 9
    Last Post: 06-14-2006, 02:42 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •