Enable DNSBL or RBL on Zimbra Rumi, January 26, 2019 DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to fight spam emails. It is a blacklist of source IP addresses that have a reputation of sending spam emails. Most email systems can be configured to check these lists and block or flag emails that were sent from domains/IPs listed there. The ‘Blackhole List’ is sometimes called ‘blacklist’ by email admins. In this tutorial, we’ll see how we can configure RBL with Zimbra using both GUI and CLI. Method 1 – GUI: Login to the Zimbra admin console – https://mail.example.com:7071, and then go to Configure. Then, go to Global Settings. Next, go to MTA. I’ve enabled some parameters to harden the server, and added the RBLs that Zimbra supports. You could add the RBLs of your choice here. Save your settings. There no need to do any service restarts. Zimbra should detect (zmconfigd) the config changes and apply them. Method 2 – CLI: Login to the server, and switch to the user zimbra. # su – zimbra First, let us check if there are any existing policies in place. $ zmprov gacf | grep zimbraMtaRestriction Great! Now let’s add a couple of RBLs using zmprov. Zimbra uses the these RBLs. $ zmprov mcf \ zimbraMtaRestriction reject_invalid_helo_hostname \ zimbraMtaRestriction reject_non_fqdn_sender \ zimbraMtaRestriction “reject_rbl_client zen.spamhaus.org” \ zimbraMtaRestriction “reject_rbl_client psbl.surriel.com” \ zimbraMtaRestriction “reject_rbl_client b.barracudacentral.org” \ zimbraMtaRestriction “reject_rhsbl_client dbl.spamhaus.org” \ zimbraMtaRestriction “reject_rhsbl_client multi.uribl.com” \ zimbraMtaRestriction “reject_rhsbl_client multi.surbl.org” \ zimbraMtaRestriction “reject_rhsbl_reverse_client dbl.spamhaus.org” \ zimbraMtaRestriction “reject_rhsbl_sender multi.uribl.com” \ zimbraMtaRestriction “reject_rhsbl_sender multi.surbl.org” \ zimbraMtaRestriction “reject_rhsbl_sender rhsbl.sorbs.net” \ zimbraMtaRestriction “reject_rhsbl_sender dbl.spamhaus.org” That’s it. There is no need for any service restarts, zmconfigd should detect the changes and push the config to Zimbra and postfix. Troubleshooting and Verifying No matter whether you made the change using GUI or CLI, the troubleshooting and verification method is the same. The log file /var/log/zimbra.log is your friend. It should contain most of the information needed for any Zimbra troubleshooting. In this case, the logs should contain entries like this- # tail -f /var/log/zimbra.log May 3 22:36:02 mail zmconfigd[9417]: Fetching All configs May 3 22:36:02 mail zmconfigd[9417]: All configs fetched in 0.04 seconds May 3 22:36:05 mail zmconfigd[9417]: Watchdog: service antivirus status is OK. May 3 22:36:05 mail zmconfigd[9417]: Var zimbraMtaRestriction changed from ‘reject_invalid_helo_hostname reject_non_fqdn_sender reject_rbl_client cbl.abuseat.org’ -> ‘reject_invalid_helo_hostname reject_non_fqdn_sender reject_rhsbl_sender dbl.spamhaus.org’ May 3 22:36:05 mail zmconfigd[9417]: Var zmconfigd/smtpd_recipient_restrictions.cf changed from ‘#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, permit’ -> ‘#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_… May 3 22:36:05 mail zmconfigd[9417]: …recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client b.barracudacentral.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_client multi.uribl.com, reject_rhsbl_client multi.surbl.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sende… May 3 22:36:05 mail zmconfigd[9417]: …r multi.uribl.com, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, permit’ The changes also reflect in the output of zmprov command. $ zmprov gacf | grep zimbraMtaRestriction zimbraMtaRestriction: reject_invalid_helo_hostname zimbraMtaRestriction: reject_non_fqdn_sender zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org zimbraMtaRestriction: reject_rbl_client psbl.surriel.com zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org zimbraMtaRestriction: reject_rhsbl_client multi.uribl.com zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org zimbraMtaRestriction: reject_rhsbl_sender multi.uribl.com zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org Finally, postfix is the underlying service that would do the actual RBL checks. We can verify if the parameters have been injected to postfix using postconf. # su – zimbra $ postconf | grep smtpd_recipient_restrictions smtpd_recipient_restrictions = #reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_recipient, reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client b.barracudacentral.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_client multi.uribl.com, reject_rhsbl_client multi.surbl.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender multi.uribl.com, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, permit Hope this helps. Src: http://amar-linux.blogspot.com/2017/05/how-to-enable-dnsbl-or-rbl-on-zimbra-to.html https://wiki.zimbra.com/wiki/Anti-spam_Strategies Administrations Configurations (Linux) DNSBLRBLzimbra