Enable DNSBL or RBL on Zimbra

Rumi, January 26, 2019

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to fight spam emails. It is a blacklist of source IP addresses that have a reputation for sending spam emails. Most email systems can be configured to check these lists and block or flag emails that were sent from domains/IPs listed there. The 'Blackhole List' is sometimes called a 'blacklist' by email admins.

In this tutorial, we'll see how we can configure RBL with Zimbra using both the GUI and the CLI.

Method 1 – GUI:

Log in to the Zimbra admin console – https://mail.example.com:7071, and then go to Configure. Then, go to Global Settings. Next, go to MTA.

I've enabled some parameters to harden the server, and added the RBLs that Zimbra supports. You could add the RBLs of your choice here.

Save your settings. There is no need to do any service restarts. Zimbra (zmconfigd) should detect the config changes and apply them.

Method 2 – CLI:

Log in to the server, and switch to the user zimbra.

    # su - zimbra

First, let us check if there are any existing policies in place.

    $ zmprov gacf | grep zimbraMtaRestriction

Great! Now let's add a couple of RBLs using zmprov. Zimbra uses these RBLs.
    $ zmprov mcf \
        zimbraMtaRestriction reject_invalid_helo_hostname \
        zimbraMtaRestriction reject_non_fqdn_sender \
        zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
        zimbraMtaRestriction "reject_rbl_client psbl.surriel.com" \
        zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org" \
        zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org" \
        zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com" \
        zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org" \
        zimbraMtaRestriction "reject_rhsbl_reverse_client dbl.spamhaus.org" \
        zimbraMtaRestriction "reject_rhsbl_sender multi.uribl.com" \
        zimbraMtaRestriction "reject_rhsbl_sender multi.surbl.org" \
        zimbraMtaRestriction "reject_rhsbl_sender rhsbl.sorbs.net" \
        zimbraMtaRestriction "reject_rhsbl_sender dbl.spamhaus.org"

That's it. There is no need for any service restarts; zmconfigd should detect the changes and push the config to Zimbra and postfix.

Troubleshooting and Verifying

No matter whether you made the change using the GUI or the CLI, the troubleshooting and verification method is the same. The log file /var/log/zimbra.log is your friend. It should contain most of the information needed for any Zimbra troubleshooting. In this case, the logs should contain entries like this:

    # tail -f /var/log/zimbra.log
    May 3 22:36:02 mail zmconfigd[9417]: Fetching All configs
    May 3 22:36:02 mail zmconfigd[9417]: All configs fetched in 0.04 seconds
    May 3 22:36:05 mail zmconfigd[9417]: Watchdog: service antivirus status is OK.
    May 3 22:36:05 mail zmconfigd[9417]: Var zimbraMtaRestriction changed from ‘reject_invalid_helo_hostname reject_non_fqdn_sender reject_rbl_client cbl.abuseat.org’ -> ‘reject_invalid_helo_hostname reject_non_fqdn_sender reject_rhsbl_sender dbl.spamhaus.org’
    May 3 22:36:05 mail zmconfigd[9417]: Var zmconfigd/smtpd_recipient_restrictions.cf changed from ‘#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, permit’ -> ‘#reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_…
    May 3 22:36:05 mail zmconfigd[9417]: …recipient, #reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, #reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, #reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, #reject_rbl_client b.barracudacentral.org, #reject_rhsbl_client dbl.spamhaus.org, #reject_rhsbl_client multi.uribl.com, #reject_rhsbl_client multi.surbl.org, #reject_rhsbl_reverse_client dbl.spamhaus.org, #reject_rhsbl_sender multi.uribl.com, #reject_rhsbl_sender multi.surbl.org, #reject_rhsbl_sender rhsbl.sorbs.net, #reject_rhsbl_sender dbl.spamhaus.org, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client b.barracudacentral.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_client multi.uribl.com, reject_rhsbl_client multi.surbl.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sende…
    May 3 22:36:05 mail zmconfigd[9417]: …r multi.uribl.com, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, permit’

The changes are also reflected in the output of the zmprov command.

    $ zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_helo_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
    zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
    zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
    zimbraMtaRestriction: reject_rhsbl_client multi.uribl.com
    zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
    zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
    zimbraMtaRestriction: reject_rhsbl_sender multi.uribl.com
    zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
    zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net
    zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org

Finally, postfix is the underlying service that does the actual RBL checks. We can verify that the parameters have been injected into postfix using postconf.
    # su - zimbra
    $ postconf | grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = #reject_non_fqdn_recipient, #permit_sasl_authenticated, #permit_mynetworks, #reject_unlisted_recipient, reject_invalid_helo_hostname, #reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, #reject_unknown_client_hostname, #reject_unknown_reverse_client_hostname, #reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client b.barracudacentral.org, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_client multi.uribl.com, reject_rhsbl_client multi.surbl.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender multi.uribl.com, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, permit

Hope this helps.

Src:
http://amar-linux.blogspot.com/2017/05/how-to-enable-dnsbl-or-rbl-on-zimbra-to.html
https://wiki.zimbra.com/wiki/Anti-spam_Strategies
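
An added example (not part of the original post): a shell check that automates the verification above by comparing the zimbraMtaRestriction values reported by zmprov with the entries postfix actually enforces, ignoring the '#'-prefixed entries that appear disabled in the postconf output. The function names and the shortened sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that every zimbraMtaRestriction value stored by
# Zimbra is an active (not '#'-prefixed) entry in postfix's
# smtpd_recipient_restrictions.

# stdin: `postconf smtpd_recipient_restrictions` output.
# stdout: one active restriction per line ('#' entries and the final
# "permit" are dropped).
active_restrictions() {
    sed -e 's/^[^=]*=//' | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        awk 'NF && $0 !~ /^#/ && $0 != "permit"'
}

# stdin: `zmprov gacf zimbraMtaRestriction` output.
# stdout: the bare restriction values.
expected_restrictions() {
    sed -n 's/^zimbraMtaRestriction:[[:space:]]*//p'
}

# missing_restrictions EXPECTED ACTIVE
# Prints every expected restriction that is not an exact active entry.
missing_restrictions() {
    printf '%s\n' "$1" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample data, shortened from the outputs shown above. The psbl
# entry is deliberately left commented out to show a mismatch. On a live
# server, pipe in the real command output as the zimbra user instead.
SAMPLE_POSTCONF='smtpd_recipient_restrictions = #reject_non_fqdn_recipient, #permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, #reject_rbl_client psbl.surriel.com, permit'
SAMPLE_ZMPROV='zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com'

active=$(printf '%s\n' "$SAMPLE_POSTCONF" | active_restrictions)
expected=$(printf '%s\n' "$SAMPLE_ZMPROV" | expected_restrictions)
missing=$(missing_restrictions "$expected" "$active")

if [ -n "$missing" ]; then
    printf 'Configured in Zimbra but not enforced by postfix:\n%s\n' "$missing"
else
    echo "All zimbraMtaRestriction values are active in postfix"
fi
```

An empty result from missing_restrictions means zmconfigd has pushed every configured restriction into postfix.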