How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by davidkillingsworth »

I would like to suggest an edit to this WIKI page.
https://wiki.zimbra.com/wiki/Specific_W ... ist_per_IP

The use case is: You have reject_unknown_helo_hostname or reject_invalid_helo_hostname or reject_non_fqdn_helo_hostname enabled, but you need to white list some domains because your customer or someone your company does business with does not have a proper DNS entry for the server or the HELO server name on their server is set incorrectly or to a host name that is not Internet DNS resolvable.

This is listed at the top of /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf, so no need to change anything. Changing files in /opt/zimbra/conf/zmconfigd doesn't seem to be supported anyways, as those changes will be lost on upgrade.

Code: Select all

%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
/opt/zimbra/conf/postfix_blacklist does not exist by default. You have to create it yourself and add entries to it. It can be used for blocking or accepting domains.

Code: Select all

$ nano /opt/zimbra/conf/postfix_blacklist
$ Add domains like so:
agooddomain.com OK
abadspammingdomain.com REJECT
yourclientsdomainthatisgettingblockedbecausetheirHELOisnotresolvable.com OK
save the file

Then postmap the file, add the restriction to zimbra with zmprov, and restart postfix

Code: Select all

$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_blacklist
$ zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
$ zmmtactl stop && zmmtactl start
It should be noted in https://wiki.zimbra.com/wiki/Specific_W ... ist_per_IP that this can be done with a domain, email address, or IP, not just IP.

==
THE OLD METHOD LISTED IN THE WIKI DOES NOT WORK FOR 8.7

Also to note. I have found that this method does not work for whitelisting:
https://wiki.zimbra.com/wiki/Domain_lev ... g_of_users

Even if you put domain.com OK in /opt/zimbra/postfix/conf/postfix_reject_sender because /opt/zimbra/postfix/conf/postfix_reject_sender is not by default listed in /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf. Even when you add it manually, which is no longer supported in 8.6, it doesn't work anyway.
Last edited by davidkillingsworth on Tue Jun 27, 2017 2:31 am, edited 1 time in total.
supportterabox
Posts: 4
Joined: Tue Apr 18, 2017 9:52 am

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by supportterabox »

Hi,
i ran into same problem.
have you solved this problem yet ?
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by davidkillingsworth »

I have updated my original post so that it is clear. The WIKI is wrong.

You can follow the instructions in the upper part of the post get whitelisting working. Verified that it works with 8.7.
sangamc
Advanced member
Advanced member
Posts: 150
Joined: Sat Sep 13, 2014 12:39 am

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by sangamc »

For years I have struggled with this and never knew why it did not work.

Finally after nearly a decade:

Jul 31 23:26:53 smjmail amavis[15726]: (15726-01) Passed CLEAN {RelayedInbound}

:D :D :D

THANKS!!!
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by davidkillingsworth »

sangamc wrote:For years I have struggled with this and never knew why it did not work.

Finally after nearly a decade:

Jul 31 23:26:53 smjmail amavis[15726]: (15726-01) Passed CLEAN {RelayedInbound}

:D :D :D

THANKS!!!
Awesome. Glad to help.
phoenix
Ambassador
Ambassador
Posts: 27262
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by phoenix »

davidkillingsworth wrote:I have updated my original post so that it is clear. The WIKI is wrong.
David

If your of a mind to do it you could always create a wiki account and add your article there and a reference to the other (non-working) wiki article.

It's an ongoing struggle at the moment to get any response from Zimbra on any Community additions/updates on the wiki, bug reports etc., etc. - but you know this already. :)
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by davidkillingsworth »

Yes, I'm very happy to do this. I didn't know it was possible.

Is it possible to edit the original WIKI posts and update the information for Zimbra 8.7 and 8.8?

Thanks,
David
teds-it
Posts: 6
Joined: Fri Dec 16, 2016 7:24 am

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by teds-it »

Thank you for this! Works like a charm!

Regards,

Ted
davidkillingsworth wrote:
/opt/zimbra/conf/postfix_blacklist does not exist by default. You have to create it yourself and add entries to it. It can be used for blocking or accepting domains.

Code: Select all

$ nano /opt/zimbra/conf/postfix_blacklist
$ Add domains like so:
agooddomain.com OK
abadspammingdomain.com REJECT
yourclientsdomainthatisgettingblockedbecausetheirHELOisnotresolvable.com OK
save the file

Then postmap the file, add the restriction to zimbra with zmprov, and restart postfix

Code: Select all

$ /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_blacklist
$ zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
$ zmmtactl stop && zmmtactl start
gui
Posts: 1
Joined: Tue Oct 08, 2019 4:48 am

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by gui »

Need help!
Is there anyone working these instructions on 8.7.11?
Here is my version. Whitelisting does not work.
zmcontrol -v
Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition, Patch 8.7.11_P11.
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: How to white list domains when reject_unknown_helo_hostname or reject_invalid_helo_hostname is enabled

Post by davidkillingsworth »

gui wrote:Need help!
Is there anyone working these instructions on 8.7.11?
Here is my version. Whitelisting does not work.
zmcontrol -v
Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition, Patch 8.7.11_P11.
Please read my instructions above. This works with 8.7.
Post Reply