How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
davidkillingsworth
Advanced member
Advanced member
Posts: 196
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3829.UBUNTU14.64 -Patch 1

How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby davidkillingsworth » Mon May 23, 2016 11:53 am

I would like to suggest an edit to this WIKI page.
https://wiki.zimbra.com/wiki/Specific_W ... ist_per_IP

The use case is: You have reject_unknown_helo_hostname or reject_invalid_helo_hostname or reject_non_fqdn_helo_hostname enabled, but you need to white list some domains because your customer or someone your company does business with does not have a proper DNS entry for the server or the HELO server name on their server is set incorrectly or to a host name that is not Internet DNS resolvable.

This is listed at the top of /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf, so no need to change anything. Changing files in /opt/zimbra/conf/zmconfigd doesn't seem to be supported anyways, as those changes will be lost on upgrade.

Code: Select all

%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%


/opt/zimbra/conf/postfix_blacklist does not exist by default. You have to create it yourself and add entries to it. It can be used for blocking or accepting domains.

Code: Select all

$ nano /opt/zimbra/conf/postfix_blacklist
$ Add domains like so:
agooddomain.com OK
abadspammingdomain.com REJECT
yourclientsdomainthatisgettingblockedbecausetheirHELOisnotresolvable.com OK


save the file

Then postmap the file, add the restriction to zimbra with zmprov, and restart postfix

Code: Select all

$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_blacklist
$ zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
$ zmmtactl stop && zmmtactl start


It should be noted in https://wiki.zimbra.com/wiki/Specific_W ... ist_per_IP that this can be done with a domain, email address, or IP, not just IP.

==
THE OLD METHOD LISTED IN THE WIKI DOES NOT WORK FOR 8.7

Also to note. I have found that this method does not work for whitelisting:
https://wiki.zimbra.com/wiki/Domain_lev ... g_of_users

Even if you put domain.com OK in /opt/zimbra/postfix/conf/postfix_reject_sender because /opt/zimbra/postfix/conf/postfix_reject_sender is not by default listed in /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf. Even when you add it manually, which is no longer supported in 8.6, it doesn't work anyway.
Last edited by davidkillingsworth on Tue Jun 27, 2017 2:31 am, edited 1 time in total.


supportterabox
Posts: 4
Joined: Tue Apr 18, 2017 9:52 am

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby supportterabox » Tue Jun 27, 2017 2:16 am

Hi,
i ran into same problem.
have you solved this problem yet ?
davidkillingsworth
Advanced member
Advanced member
Posts: 196
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3829.UBUNTU14.64 -Patch 1

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby davidkillingsworth » Tue Jun 27, 2017 2:42 am

I have updated my original post so that it is clear. The WIKI is wrong.

You can follow the instructions in the upper part of the post get whitelisting working. Verified that it works with 8.7.
sangamc
Advanced member
Advanced member
Posts: 148
Joined: Sat Sep 13, 2014 12:39 am

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby sangamc » Tue Jul 31, 2018 11:31 pm

For years I have struggled with this and never knew why it did not work.

Finally after nearly a decade:

Jul 31 23:26:53 smjmail amavis[15726]: (15726-01) Passed CLEAN {RelayedInbound}

:D :D :D

THANKS!!!
davidkillingsworth
Advanced member
Advanced member
Posts: 196
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3829.UBUNTU14.64 -Patch 1

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby davidkillingsworth » Thu Aug 02, 2018 7:08 am

sangamc wrote:For years I have struggled with this and never knew why it did not work.

Finally after nearly a decade:

Jul 31 23:26:53 smjmail amavis[15726]: (15726-01) Passed CLEAN {RelayedInbound}

:D :D :D

THANKS!!!


Awesome. Glad to help.
phoenix
Ambassador
Ambassador
Posts: 26243
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby phoenix » Thu Aug 02, 2018 8:35 am

davidkillingsworth wrote:I have updated my original post so that it is clear. The WIKI is wrong.
David

If your of a mind to do it you could always create a wiki account and add your article there and a reference to the other (non-working) wiki article.

It's an ongoing struggle at the moment to get any response from Zimbra on any Community additions/updates on the wiki, bug reports etc., etc. - but you know this already. :)
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
davidkillingsworth
Advanced member
Advanced member
Posts: 196
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3829.UBUNTU14.64 -Patch 1

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby davidkillingsworth » Thu Aug 02, 2018 8:51 am

Yes, I'm very happy to do this. I didn't know it was possible.

Is it possible to edit the original WIKI posts and update the information for Zimbra 8.7 and 8.8?

Thanks,
David
teds-it
Posts: 4
Joined: Fri Dec 16, 2016 7:24 am

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Postby teds-it » Sat Nov 10, 2018 12:03 pm

Thank you for this! Works like a charm!

Regards,

Ted
davidkillingsworth wrote:
/opt/zimbra/conf/postfix_blacklist does not exist by default. You have to create it yourself and add entries to it. It can be used for blocking or accepting domains.

Code: Select all

$ nano /opt/zimbra/conf/postfix_blacklist
$ Add domains like so:
agooddomain.com OK
abadspammingdomain.com REJECT
yourclientsdomainthatisgettingblockedbecausetheirHELOisnotresolvable.com OK


save the file

Then postmap the file, add the restriction to zimbra with zmprov, and restart postfix

Code: Select all

$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_blacklist
$ zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
$ zmmtactl stop && zmmtactl start


Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 19 guests