<SOLVED> Unable to block an entire domain with Zimbra 8.7

davidkillingsworth
Advanced member
Posts: 156
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: Release 8.8.6.GA.1906.UBUNTU14.64

Postby davidkillingsworth » Wed Aug 09, 2017 3:19 pm

I'm trying to block an entire domain in Zimbra 8.7 Community Edition. This is a pretty fresh install, so I should have any defaults that come with a Zimbra installation.

We are getting attacked by a Chinese domain called qq.com. The addresses are random for each connection, for example 324125@qq.com, 351341@qq.com.

I tried editing

Code: Select all

/opt/zimbra/conf/postfix_blacklist
then
postmap /opt/zimbra/conf/postfix_blacklist

to block the addresses, but I think that only works for hosts, not senders.
I tried using qq.com, @qq.com, *@qq.com, but the messages still keep coming through.
I tried blocking the IP addresses of the servers that are connecting, but those are randomized also. Every 2 or 3 connections, the IP addresses are totally random, so blocking the IP address is pointless.

I found this https://wiki.zimbra.com/wiki/Domain_lev ... _and_later

The instructions are wrong because there is no /opt/zimbra/postfix/conf folder. It is /opt/zimbra/conf

I created and edited

Code: Select all

/opt/zimbra/conf/postfix_reject_sender
added the following lines
qq.com REJECT
@qq.com REJECT
*@qq.com REJECT
then
postmap /opt/zimbra/conf/postfix_reject_sender


I double checked that this file:

Code: Select all

/opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

had these lines:

Code: Select all

%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%


I restarted zimbra and I'm still getting loads of messages from 2341623@qq.com.

I then did

Code: Select all

postconf | grep smtpd_sender_restrictions


This is what I have:

Code: Select all

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re


I don't see the following line as part of smtpd_sender_restrictions =

Code: Select all

check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender


I tried to manually edit the following:
/opt/zimbra/common/conf/main.cf
/opt/zimbra/postfix-2.11.1.2z/conf/main.cf

After I edited it, I either issued postfix reload or restarted Zimbra, but neither worked because the settings then go back to this:

Code: Select all

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re


which doesn't include the line that I added to the two main.cf files.


What am I doing wrong here?
1) Please somebody fix the Wiki so that it is correct.

2) How can I get the following line to stay in my postfix configuration?

Code: Select all

check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender


3) What is the correct format for REJECT? qq.com, @qq.com, or *@qq.com?

4) If this is not the correct method to block an entire domain, what is?
Last edited by davidkillingsworth on Mon Aug 14, 2017 8:29 am, edited 1 time in total.



Re: Unable to block an entire domain with Zimbra 8.7

Postby davidkillingsworth » Fri Aug 11, 2017 6:03 am

So nobody is using /opt/zimbra/conf/postfix_reject_sender ??

Re: Unable to block an entire domain with Zimbra 8.7

Postby davidkillingsworth » Mon Aug 14, 2017 8:26 am

I was able to solve this.

I had to add zimbraMtaSmtpdSenderRestrictions

Code: Select all

zmprov ms 'yourzimbraservername' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender"


This will automatically update the postconf and that will not disappear after reboots or postfix reloads.
After the above command, I now have:

Code: Select all

smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re


After creating /opt/zimbra/conf/postfix_reject_sender

Code: Select all

$ nano /opt/zimbra/conf/postfix_reject_sender


and adding domains or addresses to REJECT to that file

Code: Select all

@qq.com REJECT
baduser@baddomain.com REJECT


Postmap the file

Code: Select all

$ postmap  /opt/zimbra/conf/postfix_reject_sender


You should see the following types of entries in your Zimbra log.

Code: Select all

Aug 14 16:22:52 zimbra postfix/smtpd[31454]: NOQUEUE: reject: RCPT from unknown[183.158.102.146]: 554 5.7.1 <1330450528@qq.com>: Sender address rejected: Access denied; from=<1330450528@qq.com> to=<gooduser@ourdomain.com> proto=SMTP helo=<czshiji.com>
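
A check for the two things the steps above depend on (the map being listed in smtpd_sender_restrictions, and postmap having been re-run after the last edit), as an added example that is not part of the original posts. The function names and sample values are constructed for illustration, and the `.lmdb` suffix of the compiled map is an assumption about how postmap names an lmdb table.

```sh
#!/bin/sh
# Added example (not from the thread): verify the sender-reject map is wired in.
WANT='lmdb:/opt/zimbra/conf/postfix_reject_sender'   # map named in the thread

# classify_restriction VALUE MAP -> prints ok | mismatch:<map found> | missing
# VALUE is the comma-separated smtpd_sender_restrictions value.
classify_restriction() {
    printf '%s\n' "$1" | awk -v want="$2" '
    BEGIN { RS = ","; n = split(want, p, "/"); base = p[n]; verdict = "missing" }
    {
        gsub(/^[ \t\n]+|[ \t\n]+$/, "")             # trim each restriction
        if ($1 != "check_sender_access") next
        if ($2 == want) { verdict = "ok"; exit }    # exact type:path match
        m = split($2, q, "/")                       # same file name, but a
        if (q[m] == base) verdict = "mismatch:" $2  # different type or directory
    }
    END { print verdict }'
}

# map_state SRC -> fresh | stale (SRC edited after last postmap) | uncompiled
map_state() {
    if [ ! -f "$1.lmdb" ]; then echo uncompiled
    elif [ "$1" -nt "$1.lmdb" ]; then echo stale
    else echo fresh
    fi
}

# Constructed sample values, modelled on the postconf output quoted above.
ACTIVE="check_sender_access $WANT, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks"
UNCHANGED='check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated'
MISTYPED='check_sender_access lmbd:/opt/zimbra/common/conf/postfix_reject_sender, permit_mynetworks'

for v in "$ACTIVE" "$UNCHANGED" "$MISTYPED"; do
    classify_restriction "$v" "$WANT"
done
# On a live server, as the zimbra user:
#   classify_restriction "$(postconf -h smtpd_sender_restrictions)" "$WANT"
#   map_state /opt/zimbra/conf/postfix_reject_sender
```

A `mismatch:` result means a map with the same file name is configured under a different table type or directory than the one expected.
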
madapaka
Posts: 13
Joined: Sat Sep 13, 2014 12:32 am

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Postby madapaka » Mon Sep 04, 2017 9:09 am

Hi,

I've the same issue, followed yours but still can't see "check_sender_access lmdb:/opt/zimbra/conf/postfix/postfix_reject_senderr" in smtpd_sender_restrictions.

I did the following as suggested.

$ zmprov ms mail.example.com +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender"

Created the /opt/zimbra/conf/postfix_reject_sender file and ran 'postmap /opt/zimbra/conf/postfix_reject_sender' afterwards.

But when I executed 'postconf | grep smtpd_sender_restrictions', I still have the below.

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

Hope someone could help out.

Thanks!

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Postby madapaka » Mon Sep 04, 2017 9:14 am

Something weird just happened, suddenly it started to work as expected.

mail postfix/smtpd[1882]: NOQUEUE: reject: RCPT from unknown[192.168.1.2]: 554 5.7.1 <abc8126@163.com>: Sender address rejected: Access denied; from=<abc8126@163.com> to=<me@example.com> proto=ESMTP helo=<mail>
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Postby jorgedlcruz » Mon Sep 04, 2017 4:26 pm

I've updated the wiki with the instructions, thank you guys!
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Postby davidkillingsworth » Mon Sep 11, 2017 8:15 am

jorgedlcruz wrote: I've updated the wiki with the instructions, thank you guys!


Thank you, Jorge.

May I suggest another Wiki update?
Please see this thread - viewtopic.php?f=15&t=59562
mishomvp
Posts: 3
Joined: Fri Nov 24, 2017 12:25 am

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Postby mishomvp » Fri Nov 24, 2017 12:34 am

Hello,

I have the same problem on a few Zimbra servers. I use the official Zimbra instructions for blocking a domain, but nothing.
There is nothing in main.cf. In smtpd_sender_restrictions.cf there is %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%

Thanks in advance.
locean
Posts: 1
Joined: Mon Dec 04, 2017 10:44 am

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Postby locean » Mon Dec 04, 2017 10:51 am

Could anyone help?

We have followed the official instructions several times: https://wiki.zimbra.com/wiki/Domain_lev ... g_of_users
but it does not work.

In postconf :

Code: Select all

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re


Still no traces of

Code: Select all

lmdb:/opt/zimbra/common/conf/postfix_reject_sender
even if we did

Code: Select all

zmprov ms our_proxy_server +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/postfix_reject_sender"


and then restarting zmmtactl.

And the mails from rejected domains are still passing.
przef
Posts: 2
Joined: Wed May 16, 2018 7:08 am

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Postby przef » Wed May 16, 2018 7:27 am

Hello guys, have you managed this?
I have the same problem. I have done all the configuration from this: https://wiki.zimbra.com/wiki/Domain_level_blocking_of_users
and get this:

Code: Select all

postconf | grep smtpd_sender_restrictions
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_sender_login_mismatch, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

The settings do not change; email from blocked domains still comes.

My Zimbra version: Release 8.8.6.GA.1906.UBUNTU16.64 UBUNTU16_64 FOSS edition.

After all that, I made some other configuration changes, and after this I get:

Code: Select all

zmprov gcf zimbraMtaSmtpdSenderRestrictions
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmbd:/opt/zimbra/common/conf/postfix_reject_sender
Maybe it's wrong.
Someone help, please.
