how to whitelist a domain no matter what?

davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

how to whitelist a domain no matter what?

Post by davidkillingsworth »

I am having this problem with 2 or 3 different servers. Each is a Zimbra 8.6 server.

I need to whitelist a domain no matter what above all other checks.

I have these MTA restrictions:

Code:

zimbra@mail:~/conf$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_client_hostname
zimbraMtaRestriction: reject_unknown_reverse_client_hostname
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_unknown_helo_hostname
zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist

I place domains in /opt/zimbra/conf/postfix_blacklist

somegooddomain.com OK

Unfortunately, emailuser@somegooddomain.com gets blocked by reject_unknown_client_hostname sometimes.

Any way to fix this?
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: how to whitelist a domain no matter what?

Post by phoenix »

I don't use any of those restrictions (except for the ones listed below) and I've never used them for the very reason that you're experiencing - they give too many false positives. Your RBLs and postscreen should cope with most spam problems, they do on my server but it's obviously not a commercial installation. :)

My settings are below, in addition to postscreen as I mentioned above:

Code:

[zimbra@mail01 ~]$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rbl_client bl.spameatingmonkey.net
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client dnsbl.dronebl.org
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: how to whitelist a domain no matter what?

Post by davidkillingsworth »

I was actually able to resolve the particular issue I was having.

I first turned off: reject_unknown_client_hostname

I then added not only the domain name, but the IP address of the server that was trying to send to us in /opt/zimbra/conf/postfix_blacklist
We had previously added the domain name, but emails from that domain were still getting rejected.

Code:

domaingood.com OK
xxx.xxx.xxx.xxx OK (the IP address of the server that was trying to send to us but getting blocked by reject_unknown_client_hostname)

One question, I don't see that you have the following in your config?

Code:

zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist

How do you whitelist domains so that they don't get accidentally blocked by an RBL?
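
The behaviour described in the posts above, as an added example that is not part of the original thread: a simplified Python model of Postfix's first-match restriction handling, showing why the domain entry alone did not help and the IP entry did. check_client_access looks up the connecting client's hostname and IP (not the sender address), and a client that fails reject_unknown_client_hostname has the name "unknown". The client IP, the table contents and the assumption that Postfix evaluates the restrictions in the order listed in the first post are constructed for illustration.

```python
# Added example: simplified model of Postfix first-match restriction handling.
# CLIENT and the access tables are constructed sample data.

def access_keys(name, ip):
    """Lookup keys in the order access(5) tries them for a client."""
    keys = []
    if name != "unknown":
        labels = name.lower().split(".")
        # full hostname first, then parent domains
        keys += [".".join(labels[i:]) for i in range(len(labels) - 1)]
    octets = ip.split(".")
    # full address, then networks obtained by stripping trailing octets
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys

def check_client_access(table):
    def restriction(name, ip):
        for key in access_keys(name, ip):
            if key in table:
                return table[key]          # "OK" or "REJECT"
        return "DUNNO"                     # no match: fall through
    restriction.__name__ = "check_client_access"
    return restriction

def reject_unknown_client_hostname(name, ip):
    # Postfix reports the client as "unknown" when the PTR record is missing
    # or its forward lookup does not point back to the client IP.
    return "REJECT" if name == "unknown" else "DUNNO"

def evaluate(restrictions, name, ip):
    """The first restriction that returns OK or REJECT decides."""
    for r in restrictions:
        verdict = r(name, ip)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "OK", "end of list"

CLIENT = ("unknown", "203.0.113.25")       # partner MTA with broken rDNS
DOMAIN_ONLY = {"somegooddomain.com": "OK"}
WITH_IP = {"somegooddomain.com": "OK", "203.0.113.25": "OK"}

def scenarios():
    unknown, table = reject_unknown_client_hostname, check_client_access
    return {
        "listed order, domain entry": evaluate([unknown, table(DOMAIN_ONLY)], *CLIENT),
        "map first, domain entry": evaluate([table(DOMAIN_ONLY), unknown], *CLIENT),
        "map first, IP entry": evaluate([table(WITH_IP), unknown], *CLIENT),
        "check removed, IP entry": evaluate([table(WITH_IP)], *CLIENT),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:28} -> {result}")
```

Only the two scenarios with the IP entry accept the client; with the domain entry alone the lookup never sees a hostname to match, regardless of where the map sits in the list.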
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: how to whitelist a domain no matter what?

Post by davidkillingsworth »

I am having this problem where /opt/zimbra/conf/postfix_blacklist doesn't seem to be working.

I have verified that the domain that we want to whitelist is in the file.
somegooddomain.com OK

It's definitely getting moved to the junk folder for the end users. This domain is a major partner and it doesn't make sense to go to each user's zimbra preferences and set it as allowed in the preferences \ mail tab.

Server version: Ubuntu 14.04.5 LTS \n \l
Zimbra version: Release 8.8.11.GA.3737.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.8.11_P1.

Any suggestions on how to whitelist a specific domain no matter what?

Thanks,
David
JDunphy
Outstanding Member
Posts: 896
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: how to whitelist a domain no matter what?

Post by JDunphy »

Use either amavis (amavisd.conf.in) or SA... I tend to do most of our stuff with SA. Either should prevent your domain from being classified as junk for your users.
https://wiki.apache.org/spamassassin/ManualWhitelist
Simple addition to: /opt/zimbra/data/spamassassin/localrules/sauser.cf and zmamavisdctl restart norewrite to pick up changes.

Hint: you can test this via the spamassassin -D option and an existing message which is why I like SA vs testing it in production with amavisd. It might be possible to do that with amavisd but I haven't looked very deep into it.

There are 3 places (postfix/amavis/SA) where to blacklist and whitelist but you need to think of where it is in the pipeline to understand their nuances. Makes more sense from the understanding perspective via the Blacklist perspective sometimes. Your use case also shows the differences with whitelisting. :-)
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: how to whitelist a domain no matter what?

Post by davidkillingsworth »

Thanks for replying.

I literally just got through creating a /opt/zimbra/data/spamassassin/localrules/sauser.cf file with the following:

Code:

whitelist_auth *@agooddomain.com

and then

Code:

zmamavisdctl restart && zmmtactl restart

I suspect what is happening is that the /opt/zimbra/conf/postfix_blacklist file is working and it is allowing the delivery of mail from that domain, but Spamassassin is filing the messages from that domain in the junk folder of each user due to the x-spam score.

Here is what I see in the headers for messages from that domain.

Code:

X-Virus-Scanned: amavisd-new at myzimbraserveremaildomain.com
X-Spam-Flag: YES
X-Spam-Score: 7.222
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.222 required=6.6 tests=[BAYES_00=-1.9,
	DKIM_SIGNED=0.1, DMARC_FAIL_REJECT=9, HTML_MESSAGE=0.001,
	T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01,
	T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001]
	autolearn=no autolearn_force=no
JDunphy
Outstanding Member
Posts: 896
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: how to whitelist a domain no matter what?

Post by JDunphy »

Amavis is responsible for managing SA, clamav, its own rules and also managing the DMARC checks. I view it as the judge/coordinator; that is how I conceptually think of it.

For example... this header you can not match with SA. Drove me crazy debugging this in production because during testing of my rules with spamassassin -D it would match because the header was present in my test message from my cut/paste of an actual email for my new rule.

Code:

 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=L2VQAW+PBcSzvlv860JhDGv83Eg3dkOQwgH2TC4rx+I=;
        b=TqyU3UVmkiboHJT5IRCpz8bTi7gA4gdtoyUOsmXE/VbUnd3mPx30ftawBQgW/dEBc1
         B+jnLetSqgL0tynXQ1V4sGr+fNbtrP0Kesz/M4RRLg4fj/lIf75LSg7HGTqQKbhoxX5z
         98NI4GJHFlmpSOEn2UJsbI9pAiKpWWn2scTxCkhBanODm5Kuy1+kCUkntX803jOBaCuH
         3lsjPDTeVT4eO3Ry4lMY5oYJBMIG5dEk5ubojqPWeBa9sOZkw/xo37d5F25v5ISXFT65
         K3/20PsG9dLE2TzqShSS1dzZFodLeo08uMebIlf78dYO1192CAkCNyMW3VKrAC1RohmZ
         31Yw==
          
You have some choices... DMARC_FAIL_REJECT=9

1) You could match the domain in your own rule based on the from header or Return-Path (from envelope) with a big negative score compensating for +9... ie) -99
2) You could whitelist it in amavis.conf which is the judge at the end
3) Change the score of DMARC_FAIL_REJECT in your salocal.cf... I have ours at 1.5 because I think users should be able to forward email to their zimbra account from AOL for example. The irony is the majority of spam to our servers is perfectly signed these days but business email isn't necessarily perfect. :-)

HTH,

Jim
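
Options 1 and 3 above, worked through on the X-Spam-Status header quoted earlier in the thread, as an added example that is not part of the original posts: the Python below parses the header, finds which single test pushes the message over the threshold, and recomputes the total under each option. The rule name LOCAL_PARTNER_FROM is hypothetical; the scores 1.5 and -99 are the ones mentioned in the post.

```python
import re

# Header copied from the thread (continuation lines start with a tab).
HEADER = """X-Spam-Status: Yes, score=7.222 required=6.6 tests=[BAYES_00=-1.9,
\tDKIM_SIGNED=0.1, DMARC_FAIL_REJECT=9, HTML_MESSAGE=0.001,
\tT_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01,
\tT_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001]
\tautolearn=no autolearn_force=no"""

def parse_spam_status(header):
    """Return (score, required, {test: score}) from an X-Spam-Status header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)      # undo header folding
    score = float(re.search(r"score=(-?[\d.]+)", unfolded).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", unfolded).group(1))
    body = re.search(r"tests=\[(.*?)\]", unfolded).group(1)
    tests = {n: float(v) for n, v in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", body)}
    return score, required, tests

def deciding_tests(tests, required):
    """Tests whose removal alone would bring the total under the threshold."""
    total = sum(tests.values())
    return sorted(n for n, v in tests.items() if total >= required > total - v)

def what_if(tests, required, overrides):
    """Recompute the total with some scores changed or extra rules added."""
    total = round(sum({**tests, **overrides}.values()), 3)
    return total, total >= required                     # (score, still spam?)

def report(header=HEADER):
    score, required, tests = parse_spam_status(header)
    return {
        "sum matches header": abs(sum(tests.values()) - score) < 0.0005,
        "deciding": deciding_tests(tests, required),
        # option 3: lower the DMARC_FAIL_REJECT score
        "rescore to 1.5": what_if(tests, required, {"DMARC_FAIL_REJECT": 1.5}),
        # option 1: hypothetical local rule matching the partner's From domain
        "local rule -99": what_if(tests, required, {"LOCAL_PARTNER_FROM": -99}),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:20} {value}")
```

The same header shows T_DKIM_INVALID and SPF temporary errors, and no whitelist test appears in tests=[...]; SpamAssassin applies whitelist_auth only after the sender has been verified through SPF or DKIM, so that entry cannot offset the score for a message like this one.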