<SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by davidkillingsworth »

I'm trying to block an entire domain in Zimbra 8.7 Community Edition. This is a pretty fresh install, so I should have any defaults that come with a Zimbra installation.

We are getting attacked by a Chinese domain called qq.com. The addresses are random on each connection, for example 324125@qq.com, 351341@qq.com.

I tried editing

Code: Select all

/opt/zimbra/conf/postfix_blacklist
then
postmap /opt/zimbra/conf/postfix_blacklist

to block the addresses, but I think that only works for hosts, not senders.
I tried using qq.com, @qq.com, *@qq.com, but the messages still keep coming through.
I tried blocking the IP address of the servers that are connecting, but those are randomized also. Each 2 or 3 connections, the IP addresses are totally random, so blocking the IP address is pointless.

I found this https://wiki.zimbra.com/wiki/Domain_lev ... _and_later

The instructions are wrong because there is no /opt/zimbra/postfix/conf folder. It is /opt/zimbra/conf

I created and edited

Code: Select all

/opt/zimbra/conf/postfix_reject_sender
added the following lines
qq.com REJECT
@qq.com REJECT
*@qq.com REJECT
then
postmap /opt/zimbra/conf/postfix_reject_sender

I double checked that this file:

Code: Select all

/opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

had these lines:

Code: Select all

%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%

I restarted Zimbra and I'm still getting loads of messages from 2341623@qq.com.

I then did

Code: Select all

postconf | grep smtpd_sender_restrictions

This is what I have:

Code: Select all

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

I don't see the following line as part of smtpd_sender_restrictions =

Code: Select all

check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender

I tried to manually edit the following:
/opt/zimbra/common/conf/main.cf
/opt/zimbra/postfix-2.11.1.2z/conf/main.cf

After I edited it, I either issued postfix reload or restarted Zimbra, but neither worked because the settings then go back to this:

Code: Select all

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

which doesn't include the line that I added to the two main.cf files.


What am I doing wrong here?
1) Please somebody fix the Wiki so that it is correct.

2) How can I get the following line to stay in my postfix configuration?

Code: Select all

check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender

3) What is the correct format for REJECT? qq.com, @qq.com, or *@qq.com?

4) If this is not the correct method to block an entire domain, what is?
Last edited by davidkillingsworth on Mon Aug 14, 2017 8:29 am, edited 1 time in total.

Re: Unable to block an entire domain with Zimbra 8.7

Post by davidkillingsworth »

So nobody is using /opt/zimbra/conf/postfix_reject_sender ??

Re: Unable to block an entire domain with Zimbra 8.7

Post by davidkillingsworth »

I was able to solve this.

I had to add zimbraMtaSmtpdSenderRestrictions

Code: Select all

zmprov ms 'yourzimbraservername' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender"

This will automatically update the postconf, and that will not disappear after reboots or postfix reloads.
After the above command, I now have:

Code: Select all

smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

After creating /opt/zimbra/conf/postfix_reject_sender

Code: Select all

$ nano /opt/zimbra/conf/postfix_reject_sender

and adding domains or addresses to REJECT to that file

Code: Select all

@qq.com REJECT
baduser@baddomain.com REJECT

Postmap the file

Code: Select all

$ postmap /opt/zimbra/conf/postfix_reject_sender

You should see the following types of entries in your Zimbra log.

Code: Select all

Aug 14 16:22:52 zimbra postfix/smtpd[31454]: NOQUEUE: reject: RCPT from unknown[183.158.102.146]: 554 5.7.1 <1330450528@qq.com>: Sender address rejected: Access denied; from=<1330450528@qq.com> to=<gooduser@ourdomain.com> proto=SMTP helo=<czshiji.com>
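To confirm that the zmprov change actually reached the running Postfix configuration, the restriction list can be audited mechanically. This is an added example, not code from the thread or from Zimbra; the function name `audit_sender_restrictions` and its verdict strings are hypothetical, and the inputs are what `postconf -h smtpd_sender_restrictions` and `postconf -m` print.

```shell
#!/bin/sh
# Added example: check whether the sender access map is active in Postfix.
# audit_sender_restrictions and its verdict strings are hypothetical names.
#
# audit_sender_restrictions VALUE MAP TYPES
#   VALUE  right-hand side of smtpd_sender_restrictions
#   MAP    map path exactly as written after the "type:" prefix
#   TYPES  table types this Postfix build supports (`postconf -m`)
# Prints one verdict: ok | missing | bad-type:<type> | after-permit
audit_sender_restrictions() {
    value=$1 map=$2
    types=$(echo $3)                  # newlines -> single spaces
    pos=0 permit_pos=0 verdict=missing
    old_ifs=$IFS
    set -f; IFS=,                     # split the rule list on commas only
    for rule in $value; do
        IFS=$old_ifs
        rule=$(echo $rule)            # trim and collapse whitespace
        pos=$((pos + 1))
        case $rule in
            permit_*)
                [ "$permit_pos" -ne 0 ] || permit_pos=$pos ;;
            "check_sender_access "*":$map")
                kind=${rule#check_sender_access }
                kind=${kind%%:*}
                case " $types " in
                    *" $kind "*)
                        # Rules run in order: an earlier permit_* that matches
                        # a client ends evaluation before the map is consulted.
                        if [ "$permit_pos" -ne 0 ]; then verdict=after-permit
                        else verdict=ok; fi ;;
                    *)  verdict="bad-type:$kind" ;;
                esac
                break ;;
        esac
    done
    IFS=$old_ifs; set +f
    echo "$verdict"
}

# On a live MTA, audit the running configuration (skipped if postconf is absent).
if command -v postconf >/dev/null 2>&1; then
    audit_sender_restrictions "$(postconf -h smtpd_sender_restrictions)" \
        /opt/zimbra/conf/postfix_reject_sender "$(postconf -m)"
fi
```

A `missing` verdict means the map is not in the running list under that exact path; `bad-type:<type>` means the table type before the colon is not one this Postfix build supports.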

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by madapaka »

Hi,

I've the same issue, followed yours but still can't see "check_sender_access lmdb:/opt/zimbra/conf/postfix/postfix_reject_senderr" in smtpd_sender_restrictions.

I did the following as suggested.

$ zmprov ms mail.example.com +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender"

Created the /opt/zimbra/conf/postfix_reject_sender file and ran 'postmap /opt/zimbra/conf/postfix_reject_sender' afterwards.

But when I executed 'postconf | grep smtpd_sender_restrictions', I still have the below.

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

Hope someone could help out.

Thanks!

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by madapaka »

Something weird just happened, suddenly it started to work as expected.

mail postfix/smtpd[1882]: NOQUEUE: reject: RCPT from unknown[192.168.1.2]: 554 5.7.1 <abc8126@163.com>: Sender address rejected: Access denied; from=<abc8126@163.com> to=<me@example.com> proto=ESMTP helo=<mail>

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by jorgedlcruz »

I've updated the wiki with the instructions, thank you guys!
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by davidkillingsworth »

jorgedlcruz wrote: I've updated the wiki with the instructions, thank you guys!

Thank You Jorge.

May I suggest another Wiki update?
Please see this thread - viewtopic.php?f=15&t=59562

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by mishomvp »

Hello,

I have the same problem on a few Zimbra servers. I used the official Zimbra instructions for blocking a domain, but nothing.
There is nothing in main.cf. smtpd_sender_restrictions.cf contains %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%

Thanks in advance.

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by locean »

Could anyone help?

We have followed the official instructions several times: https://wiki.zimbra.com/wiki/Domain_lev ... g_of_users
but it does not work.

In postconf :

Code: Select all

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

Still no traces of

Code: Select all

lmdb:/opt/zimbra/common/conf/postfix_reject_sender

even if we did

Code: Select all

zmprov ms our_proxy_server +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/postfix_reject_sender"

and then restarting zmmtactl.

And the mails from rejected domains are still passing.

Re: <SOLVED> Unable to block an entire domain with Zimbra 8.7

Post by przef »

Hello guys, have you managed this?
I have the same problem. I did all the configuration from this: https://wiki.zimbra.com/wiki/Domain_lev ... g_of_users,
and get this:

Code: Select all

postconf | grep smtpd_sender_restrictions
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_sender_login_mismatch, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

The settings do not change; email from blocked domains still comes.

My Zimbra version: Release 8.8.6.GA.1906.UBUNTU16.64 UBUNTU16_64 FOSS edition.

After all that, I made some other config changes, and after this I get:

Code: Select all

zmprov gcf zimbraMtaSmtpdSenderRestrictions
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmbd:/opt/zimbra/common/conf/postfix_reject_sender

Maybe it's wrong.
Someone help, please.