Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
mshanley
Advanced member
Advanced member
Posts: 80
Joined: Sat Sep 13, 2014 12:40 am

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby mshanley » Fri Oct 09, 2009 12:58 pm

commnad line work around for RBL's


sudo bash

su zimbra
verify RBL's and block settings in use

zmprov gacf | grep zimbraMtaRestriction
to verify in postfix use

su - zimbra -c 'postconf | grep smtpd_recipient_restrictions'


I Used this command to add Mine: just change rbl server name

zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
here is my list...
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl-1.uceprotect.net"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client ix.dnsbl.manitu.net"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client dyna.spamrats.com"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client noptr.spamrats.com"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client all.rbl.jp"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client safe.dnsbl.sorbs.net"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client psb.surriel.com"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.ahbl.org"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client bhnc.njabl.org"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.dronebl.org"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client rabl.nuclearelephant.com"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client multi.uribl.com"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client 0spam.fusionzero.com"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client 0spam-killlist.fusionzero.com"


then do
Restart services

zmmtactl restart


bbarrons
Advanced member
Advanced member
Posts: 174
Joined: Fri Sep 12, 2014 11:18 pm

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby bbarrons » Sat Oct 10, 2009 8:28 am

which ones in the list do you find reject the most? I have 7 in my list and it seems that 80% of them are rejected by cbl.abuseat.org

Bill
phoenix
Ambassador
Ambassador
Posts: 26414
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby phoenix » Sat Oct 10, 2009 8:48 am

zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org

zimbraMtaRestriction: reject_rbl_client psbl.surriel.com

zimbraMtaRestriction: reject_rbl_client dnsbl.dronebl.org
Spamhuas rejects 100% of my spam. Don't forget, it doesn't make sense to have too many RBLs in the list and you should have the best performing ones as the first in the list.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
bbarrons
Advanced member
Advanced member
Posts: 174
Joined: Fri Sep 12, 2014 11:18 pm

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby bbarrons » Sat Oct 10, 2009 8:56 am

so, it does matter what position they are in the list?

here is the list I have.
zimbraMtaRestriction: reject_invalid_hostname

zimbraMtaRestriction: reject_non_fqdn_hostname

zimbraMtaRestriction: reject_non_fqdn_sender

zimbraMtaRestriction: reject_unknown_client

zimbraMtaRestriction: reject_unknown_hostname

zimbraMtaRestriction: reject_unknown_sender_domain

zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org

zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org

zimbraMtaRestriction: reject_rbl_client bl.spamcop.net

zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net

zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org

zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
any suggestions as to positive changes I should make?

thanks

Bill
uxbod
Ambassador
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby uxbod » Sat Oct 10, 2009 9:37 am

Another RBL to add into the mix ;)
Spam Eating Monkey Realtime Blacklist
phoenix
Ambassador
Ambassador
Posts: 26414
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby phoenix » Sat Oct 10, 2009 9:41 am

[quote user="bbarrons"]so, it does matter what position they are in the list?[/QUOTE]I believe so but I've never confirmed that 100%.
[quote user="bbarrons"]zimbraMtaRestriction: reject_invalid_hostname[/QUOTE]I only have that restriction set, I've found that in general you'll get far less problems receiving mail as there's a lot of legitimate servers that are mis-configured and will be rejected by the other restrictions. Of course, YMMV with any of those settings and it really depends on how much/what type of spam you receive.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
bbarrons
Advanced member
Advanced member
Posts: 174
Joined: Fri Sep 12, 2014 11:18 pm

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby bbarrons » Sat Oct 10, 2009 10:01 am

since cbl.abuseat.org was second on my list and did reject most of the spam I moved zen.spamhaus to first to see if it started to reject first. interesting to see if it works that way.

UXbod, I went to spam eating monkey and looked thru the site. It looks like they have several rbls and changes that can be made to spam assassin and postfix. Should those changes be made to both spam assassin and post fix or is it an either or situation?

Bill
mshanley
Advanced member
Advanced member
Posts: 80
Joined: Sat Sep 13, 2014 12:40 am

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby mshanley » Sat Oct 10, 2009 10:55 am

I would look at these sites... every environment is different..

I don't have spamhaus in my list here because my untangle F/W box runs it as an DNSRBL...
Black list compared... this should be helpful for you :)
Blacklist Monitor » Statistics of accuracy and failure rates
Blacklists Compared, 22-Aug-09
DNSBL Resource: Statistics Center
DNSBL Information - Spam Database Lookup
drbcheck: dr. Jrgen Mash's DNS database list checker
[quote user="bbarrons"]since cbl.abuseat.org was second on my list and did reject most of the spam I moved zen.spamhaus to first to see if it started to reject first. interesting to see if it works that way.

UXbod, I went to spam eating monkey and looked thru the site. It looks like they have several rbls and changes that can be made to spam assassin and postfix. Should those changes be made to both spam assassin and post fix or is it an either or situation?

Bill[/QUOTE]
mshanley
Advanced member
Advanced member
Posts: 80
Joined: Sat Sep 13, 2014 12:40 am

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby mshanley » Sat Oct 10, 2009 10:59 am

POSTFIX MTA Spam Settings
1st Section

Hostname in greeting violates RFC - Reject Invalid or Missing Hostnames – on by default

This setting allows you to reject email from senders that provide invalid information about the hostname from which they are being sent.

When a sending server connects our mail servers, the first thing we require it to do is identify itself. The sending server announces its hostname with a "HELO" or "EHLO" command. Most legitimate email servers include in this command their complete domain name. This domain name is in a very specific format. Spammers often use buggy or hastily written software that does not bother to send a proper EHLO. Often, they send a single name (e.g. "server1") or a random number. This setting allows you to block email sent from servers that do not announce their hostname properly when they identify themselves.

Impact

Enabling this option is very effective at catching spam generated by computer viruses. It is not particularly effective at blocking spam overall, and can block a fair amount of legitimate email.

reject_invalid_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname syntax is invalid.


Client must greet with fully qualified hostname - Reject Non-FQDN Hostnames – In Use

This setting allows you to block email that does not appear to be coming from a specific server at a particular hostname.

When a sending server announces its hostname, it is supposed to send the entire address of the email server, not just the domain name (e.g. mail.example.com rather than just example.com). RFC compliant email servers will send this information in a specific format. This is called a "Fully Qualified Domain Name" (FQDN). Many spammers do not provide complete or correct information; they just use the top level domain name. This setting allows you to block email from a sender that does not provide an FQDN.

Impact

This option can block a fair amount of legitimate email, but it also blocks a fair amount of spam that would otherwise get through.

reject_non_fqdn_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.

The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).
Sender Address must be fully qualified – Reject non fqdn sender – on by default
reject_non_fqdn_sender

Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.


2nd Section
ClientÂ’s Ip address - Reject Unknown Clients

This setting allows you to reject email from senders that do not have a proper name tied to the IP address of their outgoing email server.

Every computer on the Internet has a unique address known as its IP address. Any server that is sending legitimate email should have its IP address tied to a domain name. This is done via a service called DNS, or Domain Name Service. Many spammers do not have any DNS information attached to their IP address, or the information is misleading.

When a server sends mail to you, we perform a reverse lookup of its IP address to see if it has valid DNS information. You can use this setting to block email sent from servers that either do not have DNS information available or have misleading DNS entries.

More information on reverse DNS checks can be found at Wikipedia.

Impact

We estimate that enabling this option may block around 1% of legitimate email but could also be effective in blocking more spam from reaching your email INBOX. This can add up to a lot of legitimate email, especially from mail servers using unreliable DNS servers or that refuse to put their reverse DNS in place correctly.

reject_unknown_client_hostname (with Postfix
Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address.

This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above.

The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.
Hostname in greeting - Reject Unknown Hostnames – Don’t Use

This setting allows you to reject email from servers that use hostnames that don't exist.

When a sending server announces its hostname, our server checks to see if that hostname has DNS information. Many spammers know that servers will block mail from people that do not use a proper EHLO (discussed above). They try to trick those servers by sending a hostname that's formatted correctly, but doesn't actually exist (e.g. "thisisafakehostname.com"). You can use this setting to block email from servers that use fake or incorrect hostnames when they identify themselves.

Impact

This option can block a lot of legitimate email, and is not particularly effective at blocking spam. It's not recommended.

reject_unknown_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

The unknown_hostname_reject_code parameter specifies the numerical response code for rejected requests (default: 450).

The unknown_helo_hostname_tempfail_action parameter specifies the action after a temporary DNS error (default: defer_if_permit).


Senders Domain - Reject Unknown Sender Domains – In USE

This setting allows you to reject email from email addresses that aren't properly set up to receive email.

Anyone can send email from a legitimate server using any email address as their FROM address. Spam can come from a legitimate email server and from a valid user of that server, but it can have a deceptive or fake FROM address. This spam would bypass any of the above checks although it would be traceable back to a specific user at an Internet Service Provider (ISP). We check the domain name after the @ sign given in the FROM email address to see if that domain has proper DNS information.

First, our email server checks the DNS "root name servers" to see if the domain in question exists.

If the Domain does, then our server asks that domain's DNS server for its information.

If the root name servers return an error that the domain does not exist, the email will be rejected as the domain is not known.

If the root name servers state that the domain exists, and there is a problem with the server that handles DNS for that domain, our mail server will ask the sending server to resend the message at a later date. The email will not be rejected, it will only be delayed until that DNS server starts working. This is to keep legitimate mail from being stopped due to a malfunctioning DNS server.

You can enable this option to reject email from domains that do not actually exist.

Impact

This can cause a small number of false positives because someone may send an email out using a new email address before their domain has been set up properly in DNS. It is, however, very effective at blocking spam. Because we are an ISP, and are constantly adding new domains, we do not turn it on by default.
reject_unknown_sender_domain

Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM address has no DNS A or MX record, or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).


Installed yes via command line

reject_unverified_sender

Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
bbarrons
Advanced member
Advanced member
Posts: 174
Joined: Fri Sep 12, 2014 11:18 pm

Ubuntu 804lts - Admin GUI Error for RBL's - Workaround

Postby bbarrons » Sat Oct 10, 2009 1:48 pm

mshanley, thanks for the links. One of the first things I noticed was this comment when I looked up cbl.abuseat.org

"The Composite Blocking List (CBL) is a free list meant to block "IPs exhibiting characteristics which are specific to open proxies of various sorts." It should block very little non-spam.
It is incorporated into Spamhaus ZEN. If you are already using Spamhaus ZEN, you do not need to utilize the CBL separately. (Spamhaus ZEN is highly recommended.) "
so, by me having both listed it is a waste of time and space.

I moved zen to the top of my list and now it has the highest reject count so far today. Prior to that it was listed about 5 I think in my list and had no rejections. I guess that means that the first on the list works first and the nwhat is leftover moves down the list.

Bill

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 8 guests