E-Mail whitelisting

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
volandkey
Posts: 10
Joined: Sat Sep 13, 2014 2:42 am

E-Mail whitelisting

Post by volandkey »

Hi! I'm using Zimbra OSE 8.6.0_GA1153, and have a problem with DNS blacklisting.
I read the https://wiki.zimbra.com/wiki/Improving_Anti-spam_system manual, and I'm using several servers to block spam via postfix.
The problem is that there is a mailbox of our chief's at google.com, which must never be blocked via DNS BL.
First, I'm trying to create access recipients in postfix:
=======
zimbra@mail:~/conf$ cat postfix_rbl_override
* 193.109.254.* OK
nwcgroup.ru OK
92.53.117.* OK
mega.chief@gmail.com OK
my_own_email@gmail.com REJECT
=======

After this I use postmap to create the db:
=======
zimbra@mail:~/conf$ postmap postfix_rbl_override
=======

And I add the generated lmdb file to /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
=======
zimbra@mail:~/conf$ cat /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override
reject_unlisted_recipient
%%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%exact VAR:zimbraMtaRestriction reject_unverified_recipient%%
%%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%%
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%%
%%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%%
%%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
%%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf%%
%%exact VAR:zimbraMtaRestriction reject%%
permit
========

because in Zimbra 8.6.0 check_client_access with hash is not working, but lmdb gives no errors.

Also I tried the command from a nearby topic: zmprov mcf +zimbraMtaRestriction "check_recipient_access lmdb:/opt/zimbra/conf/postfix_rbl_override"
and the result:
========
zimbra@mail:~/conf$ zmprov mcf +zimbraMtaRestriction "check_recipient_access lmdb:/opt/zimbra/conf/postfix_rbl_override"
zimbra@mail:~/conf$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: check_recipient_access lmdb:/opt/zimbra/conf/postfix_rbl_override
========
Following the manuals I have done all the actions to whitelist the content of the "postfix_rbl_override" file, but can I directly use emails in it, such as "mega.chief@gmail.com OK"? Or only IP/DNS names?
And why, if I try to block my_own_email@gmail.com in "postfix_rbl_override" like this:
======
my_own_email@gmail.com REJECT
or
my_own_email@gmail.com 550 User Unknown
my_own_email@gmail.com 530 Go Away
=====
can I still send e-mail to my server from my_own_email@gmail.com?
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: E-Mail whitelisting

Post by quanah »

volandkey wrote:
> Hi! I'm using Zimbra OSE 8.6.0_GA1153, and have a problem with DNS blacklisting.
> And I add the generated lmdb file to /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf

Don't modify that file.

> %%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
> Also I tried the command from a nearby topic: zmprov mcf +zimbraMtaRestriction "check_recipient_access lmdb:/opt/zimbra/conf/postfix_rbl_override"

Obviously, the command you ran was incorrect. You put check_recipient_access when it is check_client_access.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: E-Mail whitelisting

Post by quanah »

You are also clearly using a wiki page whose very first message at the top says not to use it, and which directs you instead to the correct one: https://wiki.zimbra.com/wiki/Anti-spam_Strategies
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
volandkey
Posts: 10
Joined: Sat Sep 13, 2014 2:42 am

Re: E-Mail whitelisting

Post by volandkey »

Thanks for the help, but still no luck :(.
I removed the custom string (check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override) from smtpd_recipient_restrictions.cf.
I executed zmprov mcf -zimbraMtaRestriction "check_recipient_access lmdb:/opt/zimbra/conf/postfix_rbl_override", and afterwards the result was:
=====
zimbra@mail:~/conf$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
=====

And I executed the correct command:
=====
zimbra@mail:~/conf$ zmprov mcf +zimbraMtaRestriction "check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override"
zimbra@mail:~/conf$ postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client dnsbl.sorbs.net, permit
zimbra@mail:~/conf$ zmmtactl restart
=====
Still no result. If I send e-mail from the blacklisted my_own_email@gmail.com with the REJECT flag in postfix_rbl_override, the email is not rejected by the server. So I can't check whether the "OK" flag will work for whitelisted emails.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: E-Mail whitelisting

Post by quanah »

If you are attempting to send the email from your own server that is in "my networks", it'll get passed through, because of the permit mynetworks coming before the RBL check.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: E-Mail whitelisting

Post by quanah »

If you're trying to blacklist a sender, you're modifying the wrong file and doing the wrong thing. Full support for this is not until ZCS 8.7, but you can configure it now in a manner that will be preserved on upgrade to 8.7.

See https://wiki.zimbra.com/wiki/Domain_lev ... .5_and_8.6

The RBL override option is purely for overriding RBLs.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
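Added example, not part of the thread and not Postfix or Zimbra code: a simplified Python model of the two points made in the replies above. Restrictions are evaluated in order (so permit_mynetworks decides before the override map is consulted), and check_client_access looks up only the connecting client's hostname, parent domains, IP address and truncated IPv4 prefixes, never a sender address or a `*` wildcard. The MYNETWORKS value, client hostnames and addresses are constructed for illustration, and the CORRECTED table is an assumed rewrite of the posted entries.

```python
import ipaddress

# Added illustration: a simplified model of access(5) client lookups, not Postfix code.
# Restriction order taken from the thread's postconf output (RBL list shortened).
RESTRICTIONS = ("reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, "
                "reject_unlisted_recipient, reject_non_fqdn_sender, "
                "check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override, "
                "reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, "
                "permit").split(", ")
MYNETWORKS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed value

# Keys exactly as posted in postfix_rbl_override (first token on each line is the key).
POSTED = {"*": "193.109.254.* OK", "nwcgroup.ru": "OK", "92.53.117.*": "OK",
          "mega.chief@gmail.com": "OK", "my_own_email@gmail.com": "REJECT"}
# Assumed rewrite using keys a client map can match: domains and truncated IPv4 prefixes.
CORRECTED = {"193.109.254": "OK", "nwcgroup.ru": "OK", "92.53.117": "OK"}

def client_keys(hostname, ip):
    """Keys tried for a client: hostname, parent domains, IP, then shorter IPv4 prefixes."""
    labels, octets = hostname.split("."), ip.split(".")
    return ([".".join(labels[i:]) for i in range(len(labels))] +
            [".".join(octets[:n]) for n in range(4, 0, -1)])

def evaluate(table, hostname, ip, sender, rbl_listed=False, sasl=False):
    """Walk the restrictions in order; the first one that decides wins.
    `sender` is accepted but unused: nothing in this list looks up the sender address."""
    addr = ipaddress.ip_address(ip)
    for r in RESTRICTIONS:
        if r == "permit_sasl_authenticated" and sasl:
            return "permit", r
        if r == "permit_mynetworks" and any(addr in net for net in MYNETWORKS):
            return "permit", r
        if r.startswith("check_client_access"):
            for key in client_keys(hostname, ip):
                action = table.get(key)
                if action == "OK":
                    return "permit", r
                if action == "REJECT":
                    return "reject", r
        if r.startswith("reject_rbl_client") and rbl_listed:
            return "reject", r
        if r == "permit":
            return "permit", r
    return "dunno", None

if __name__ == "__main__":
    # Constructed client: a relay at a TEST-NET address delivering mail from the "blocked" sender.
    print(evaluate(POSTED, "mx.example.com", "192.0.2.10", "my_own_email@gmail.com"))
```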
volandkey
Posts: 10
Joined: Sat Sep 13, 2014 2:42 am

Re: E-Mail whitelisting

Post by volandkey »

quanah wrote:
> If you're trying to blacklist a sender, you're modifying the wrong file and doing the wrong thing. Full support for this is not until ZCS 8.7, but you can configure it now in a manner that will be preserved on upgrade to 8.7.
>
> See https://wiki.zimbra.com/wiki/Domain_lev ... .5_and_8.6
>
> The RBL override option is purely for overriding RBLs.

Thanks for help :)
stillnick
Posts: 6
Joined: Sat Sep 13, 2014 3:25 am

Re: RE: Re: E-Mail whitelisting

Post by stillnick »

volandkey wrote:
> quanah wrote:
>> If you're trying to blacklist a sender, you're modifying the wrong file and doing the wrong thing. Full support for this is not until ZCS 8.7, but you can configure it now in a manner that will be preserved on upgrade to 8.7.
>>
>> See https://wiki.zimbra.com/wiki/Domain_lev ... .5_and_8.6
>>
>> The RBL override option is purely for overriding RBLs.
>
> Thanks for help :)

Hi,

How did you whitelist your chief e-mail address? The how-to is for blacklisting.

Thanks.

Sent from my D6643 using Tapatalk
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: RE: Re: E-Mail whitelisting

Post by quanah »

stillnick wrote:
> volandkey wrote:
>> quanah wrote:
>>> If you're trying to blacklist a sender, you're modifying the wrong file and doing the wrong thing. Full support for this is not until ZCS 8.7, but you can configure it now in a manner that will be preserved on upgrade to 8.7.
>>>
>>> See https://wiki.zimbra.com/wiki/Domain_lev ... .5_and_8.6
>>>
>>> The RBL override option is purely for overriding RBLs.
>>
>> Thanks for help :)
>
> Hi,
>
> How did you whitelist your chief e-mail address? The how-to is for blacklisting.
>
> Thanks.
>
> Sent from my D6643 using Tapatalk

Whitelist at what level? Postfix? Amavis/SpamAssassin?
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
stillnick
Posts: 6
Joined: Sat Sep 13, 2014 3:25 am

Re: E-Mail whitelisting

Post by stillnick »

The first level, so my client's domain always passes through any spam filter.

Sent from my D6643 using Tapatalk