8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
liverpoolfcfan
Outstanding Member
Outstanding Member
Posts: 956
Joined: Sat Sep 13, 2014 12:47 am

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby liverpoolfcfan » Fri Jan 04, 2013 10:39 am

You forgot the -e for edit after the zmlocalconfig command. See quanah's last post.


User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby quanah » Fri Jan 04, 2013 11:01 am

zmconfigd will automatically restart amavis for you when it detects the value was changed (about 2 minutes or less)
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
17126thunder04
Advanced member
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby 17126thunder04 » Fri Jan 04, 2013 11:32 am

Hmm. Well, even after a full "zmcontrol restart", sending a test email to myself via the Zimbra web interface is still passed through spam and antivirus checks.
However:


zimbra@cottontail:~/conf$ zmlocalconfig | grep amavis

amavis_originating_bypass_sa = true


Headers of my test message:


Return-Path: ahoppe@mpcsd.org

Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)

by cottontail.mpcsd.org with LMTP; Fri, 4 Jan 2013 09:20:35 -0800 (PST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by cottontail.mpcsd.org (Postfix) with ESMTP id CEB091300396

for ; Fri, 4 Jan 2013 09:20:32 -0800 (PST)

X-Virus-Scanned: amavisd-new at mpcsd.org

X-Spam-Flag: NO

X-Spam-Score: -2.49

X-Spam-Level:

X-Spam-Status: No, score=-2.49 tagged_above=-10 required=4

tests=[ALL_TRUSTED=-1, BAYES_05=-0.5, RP_MATCHES_RCVD=-1,

T_NOT_A_PERSON=-0.01, T_THREAD_INDEX_BAD=0.01, T_UNKNOWN_ORIGIN=0.01]

autolearn=ham

Received: from cottontail.mpcsd.org ([127.0.0.1])

by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id v0WF6r05xdRj for ;

Fri, 4 Jan 2013 09:20:25 -0800 (PST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by cottontail.mpcsd.org (Postfix) with ESMTP id 5A25713003EE

for ; Fri, 4 Jan 2013 09:20:24 -0800 (PST)

X-Virus-Scanned: amavisd-new at mpcsd.org

Received: from cottontail.mpcsd.org ([127.0.0.1])

by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10026)

with ESMTP id 295WO9QibYTS for ;

Fri, 4 Jan 2013 09:20:24 -0800 (PST)

Received: from cottontail.mpcsd.org (cottontail.mpcsd.org [10.1.1.37])

by cottontail.mpcsd.org (Postfix) with ESMTP id 69D6F13003D0

for ; Fri, 4 Jan 2013 09:20:23 -0800 (PST)

Date: Fri, 4 Jan 2013 09:20:23 -0800 (PST)

From: Anthony Hoppe

To: Anthony Hoppe

Message-ID:

Subject: Test

MIME-Version: 1.0

Content-Type: text/plain; charset=utf-8

Content-Transfer-Encoding: 7bit

X-Originating-IP: [10.10.45.9]

X-Mailer: Zimbra 8.0.2_GA_5569 (ZimbraWebClient - GC23 (Mac)/8.0.2_GA_5569)

Thread-Topic: Test

Thread-Index: hPkaTryx2vTYtLT8aaHEOfsWv3iOug==


I'm not sure why it's not working.
Labsy
Outstanding Member
Outstanding Member
Posts: 383
Joined: Sat Sep 13, 2014 12:52 am

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby Labsy » Sun Jan 06, 2013 12:58 pm

I've been coping this issue last days way too much, spent hours into resolving, but cannot find resolution.

In short:

- postfix main.cf has "permit_sasl_authenticated" parameter there, so postfix should only do RBL check on general mail, but not for authenticated senders

- amavis_originating_bypass_sa = true

- All users are required to use SSL or TLS SMTP port 465 or 587 and authenticate before sending
But most users on ADSL links still get refused.

This issue came along with upgrade to 8.0.2
WORKAROUND

What resolved my problem is quote from Spamhaus:

Caution: Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for anything other than checking IP addresses that hand off to your mailservers.
So I removed RBL "zen.spamhaus.org" and instead added "sbl.spamhaus.org" and "xbl.spamhaus.org".
17126thunder04
Advanced member
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby 17126thunder04 » Mon Jan 07, 2013 1:20 pm

In an attempt to try a variation of your workaround, I added all of the individual Spamhaus blacklists and decided to weed down until I was left with the lists that were not blocking our users from sending mail. I got down to sbl, xbl, and dbl, and it seems that dbl is a very BAD one to add (it's blocking what seems like everything).
You'd think it's as simple as removing it from the list, right? Wrong. I CANNOT get it to remove. Removing it through the admin web interface doesn't work, and doing


zmprov mcf -reject_rbl_client dbl.spamhaus.org


As user zimbra returns no error but does not work.
I am stuck with:


zimbra@cottontail:~/conf$ zmprov gacf | grep MtaRestriction

zimbraMtaRestriction: reject_non_fqdn_sender

zimbraMtaRestriction: reject_unknown_sender_domain

zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org

zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client xbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client dbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org

zimbraMtaRestriction: reject_rbl_client psbl.surriel.com


Any suggestions?! I'm going to pull my hair out!
17126thunder04
Advanced member
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby 17126thunder04 » Mon Jan 07, 2013 1:27 pm

I was being a n00b again and not typing the command correctly.


zmprov mcf -zimbraMtaRestriction "reject_rbl_client dbl.spamhaus.org"


Seems to have done the trick.
17126thunder04
Advanced member
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby 17126thunder04 » Mon Jan 07, 2013 1:39 pm

This seems to be a decent temporary fix, but I am still interested in configuring Zimbra so that


permit_sasl_authenticated


and


amavis_originating_bypass_sa = true


Do what they are supposed to do!
Labsy
Outstanding Member
Outstanding Member
Posts: 383
Joined: Sat Sep 13, 2014 12:52 am

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby Labsy » Mon Jan 07, 2013 4:45 pm

@thunder04: My vote for that!
rouven
Posts: 5
Joined: Fri Sep 12, 2014 11:24 pm

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby rouven » Tue Jan 08, 2013 5:07 am

Hi,

same for me here. But i cannot even use the other spamhaus lists, most of my vodafone users beeing blocked. I had to turn off rbl checks for everyone, resulting in a mass wave of spam... Any solution? even temporarly without turning all rbls off?
17126thunder04
Advanced member
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

Postby 17126thunder04 » Tue Jan 08, 2013 12:38 pm

Ok, I haven't a CLUE what changed, but suddenly


amavis_originating_bypass_sa = true


Seems to be working!
Test message via the Zimbra web interface:


Return-Path: test@mpcsd.org

Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)

by cottontail.mpcsd.org with LMTP; Tue, 8 Jan 2013 10:27:16 -0800 (PST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by cottontail.mpcsd.org (Postfix) with ESMTP id BAAFF13002F8

for ; Tue, 8 Jan 2013 10:27:16 -0800 (PST)

X-Virus-Scanned: amavisd-new at mpcsd.org

Received: from cottontail.mpcsd.org ([127.0.0.1])

by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id DNxkfSXSUx0T for ;

Tue, 8 Jan 2013 10:27:16 -0800 (PST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by cottontail.mpcsd.org (Postfix) with ESMTP id 2B0A21300303

for ; Tue, 8 Jan 2013 10:27:16 -0800 (PST)

X-Virus-Scanned: amavisd-new at mpcsd.org

Received: from cottontail.mpcsd.org ([127.0.0.1])

by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10026)

with ESMTP id SIaSa0NTFCEo for ;

Tue, 8 Jan 2013 10:27:15 -0800 (PST)

Received: from [10.12.72.233] (unknown [149.20.84.128])

(Authenticated sender: test)

by cottontail.mpcsd.org (Postfix) with ESMTPSA id CD89713002F8

for ; Tue, 8 Jan 2013 10:27:15 -0800 (PST)

Subject: Test Email

From: Test

Content-Type: text/plain;

charset=us-ascii

X-Mailer: iPhone Mail (10A525)

Message-Id:

Date: Tue, 8 Jan 2013 10:27:15 -0800

To: Anthony Hoppe

Content-Transfer-Encoding: 7bit

Mime-Version: 1.0 (1.0)


Test message from my iPhone using the Mail app:


Return-Path: ahoppe@mpcsd.org

Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)

by cottontail.mpcsd.org with LMTP; Tue, 8 Jan 2013 10:35:58 -0800 (PST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by cottontail.mpcsd.org (Postfix) with ESMTP id 217D31300363

for ; Tue, 8 Jan 2013 10:35:58 -0800 (PST)

X-Virus-Scanned: amavisd-new at mpcsd.org

Received: from cottontail.mpcsd.org ([127.0.0.1])

by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id K7gCIE_-g0PT for ;

Tue, 8 Jan 2013 10:35:57 -0800 (PST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by cottontail.mpcsd.org (Postfix) with ESMTP id D5E3E130035D

for ; Tue, 8 Jan 2013 10:35:56 -0800 (PST)

X-Virus-Scanned: amavisd-new at mpcsd.org

Received: from cottontail.mpcsd.org ([127.0.0.1])

by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10026)

with ESMTP id X5IyI3diYJb0 for ;

Tue, 8 Jan 2013 10:35:56 -0800 (PST)

Received: from [10.79.106.43] (mobile-166-137-185-144.mycingular.net [166.137.185.144])

(Authenticated sender: ahoppe)

by cottontail.mpcsd.org (Postfix) with ESMTPSA id 7581613002F8

for ; Tue, 8 Jan 2013 10:35:50 -0800 (PST)

Subject: Test from iPhone /w Wi-Fi off.

From: Anthony Hoppe

Content-Type: text/plain;

charset=us-ascii

X-Mailer: iPhone Mail (10A523)

Message-Id:

Date: Tue, 8 Jan 2013 10:35:35 -0800

To: ahoppe

Content-Transfer-Encoding: 7bit

Mime-Version: 1.0 (1.0)


Test message from my GMail account to my Zimbra account:


Return-Path: anthony.hoppe@gmail.com

Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)

by cottontail.mpcsd.org with LMTP; Tue, 8 Jan 2013 10:07:36 -0800 (PST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by cottontail.mpcsd.org (Postfix) with ESMTP id 4C82E130000E

for ; Tue, 8 Jan 2013 10:07:36 -0800 (PST)

X-Virus-Scanned: amavisd-new at mpcsd.org

X-Spam-Flag: NO

X-Spam-Score: -2.009

X-Spam-Level:

X-Spam-Status: No, score=-2.009 tagged_above=-10 required=4

tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,

DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,

RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,

T_FSL_HELO_NON_FQDN_2=0.01, T_LONG_HEADER_LINE_80=0.01,

T_RCD_RDNS_SERVER=-0.01, T_RCD_RDNS_SERVER_MESSY=-0.01,

T_SMF_FROM_GMAIL=0.01] autolearn=ham

Authentication-Results: cottontail.mpcsd.org (amavisd-new);

dkim=pass (2048-bit key) header.d=gmail.com

Received: from cottontail.mpcsd.org ([127.0.0.1])

by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id fN8DkOEwR_6m for ;

Tue, 8 Jan 2013 10:07:35 -0800 (PST)

Received: from mail-lb0-f179.google.com (mail-lb0-f179.google.com [209.85.217.179])

by cottontail.mpcsd.org (Postfix) with ESMTPS id D5B8413001A4

for ; Tue, 8 Jan 2013 10:07:34 -0800 (PST)

Received: by mail-lb0-f179.google.com with SMTP id gm13so605431lbb.10

for ; Tue, 08 Jan 2013 10:07:33 -0800 (PST)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20120113;

h=mime-version:date:message-id:subject:from:to:content-type;

bh=jSBByqofAWw2BofkfKgTWfEtQqdE1zHTfFexXlrrWdM=;

b=HdN680NVAElBP/MagoE7sYRXCsbydpfE30cnMyDFndfr6/u94yUPra7F9pn/qRfHRy

U/MUpgtrxt6NzmsSWLzMuhCU6n2cVfUa/D9OdthE9TZQBP7xFSNTfedSAkt27wdrc5J7

26AW+zTE43wM35oYIBWoo8cmJu4ppDE1ktSpFlSWBiAboglp2ZTfoT3Q7pAhExnIvXyM

lZkUqqsoV+0B9FmMYSqWn4IWSb+yn3OPZ01pv1mQR0UPf6Eyz08qeY7DRxN+QP2Wa9uY

UcfOssLwPtkBTI3l12YCqHkW9yHsc1+ihCOnibiYyxshLwZCxbn48ntrLjzL3Uhpkwj2

gEUQ==

MIME-Version: 1.0

Received: by 10.152.125.136 with SMTP id mq8mr62763440lab.41.1357668453051;

Tue, 08 Jan 2013 10:07:33 -0800 (PST)

Received: by 10.112.127.230 with HTTP; Tue, 8 Jan 2013 10:07:32 -0800 (PST)

Date: Tue, 8 Jan 2013 10:07:32 -0800

Message-ID:

Subject: Hi!

From: Anthony Hoppe

To: Me

Content-Type: multipart/alternative; boundary=f46d042f9756ddec8f04d2cad1fa


I didn't change anything configuration wise since my last post! I added more RAM to our Zimbra server this morning...could a power cycle simply been the trick?!
If the Amavis configuration setting is working, does that mean this RBL problem is gone?!

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 21 guests