commnad line work around for RBL's
sudo bash
su zimbra
verify RBL's and block settings in use
zmprov gacf | grep zimbraMtaRestriction
to verify in postfix use
su - zimbra -c 'postconf | grep smtpd_recipient_restrictions'
I Used this command to add Mine: just change rbl server name
zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
here is my list...
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl-1.uceprotect.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client ix.dnsbl.manitu.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dyna.spamrats.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client noptr.spamrats.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client all.rbl.jp"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client safe.dnsbl.sorbs.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client psb.surriel.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.ahbl.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bhnc.njabl.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.dronebl.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client rabl.nuclearelephant.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client multi.uribl.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client 0spam.fusionzero.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client 0spam-killlist.fusionzero.com"
then do
Restart services
zmmtactl restart
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
which ones in the list do you find reject the most? I have 7 in my list and it seems that 80% of them are rejected by cbl.abuseat.org
Bill
Bill
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client dnsbl.dronebl.orgSpamhuas rejects 100% of my spam. Don't forget, it doesn't make sense to have too many RBLs in the list and you should have the best performing ones as the first in the list.
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client dnsbl.dronebl.orgSpamhuas rejects 100% of my spam. Don't forget, it doesn't make sense to have too many RBLs in the list and you should have the best performing ones as the first in the list.
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
so, it does matter what position they are in the list?
here is the list I have.
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_client
zimbraMtaRestriction: reject_unknown_hostname
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
any suggestions as to positive changes I should make?
thanks
Bill
here is the list I have.
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_client
zimbraMtaRestriction: reject_unknown_hostname
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
any suggestions as to positive changes I should make?
thanks
Bill
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
Another RBL to add into the mix 
Spam Eating Monkey Realtime Blacklist
Spam Eating Monkey Realtime Blacklist
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
[quote user="bbarrons"]so, it does matter what position they are in the list?[/QUOTE]I believe so but I've never confirmed that 100%.
[quote user="bbarrons"]zimbraMtaRestriction: reject_invalid_hostname[/QUOTE]I only have that restriction set, I've found that in general you'll get far less problems receiving mail as there's a lot of legitimate servers that are mis-configured and will be rejected by the other restrictions. Of course, YMMV with any of those settings and it really depends on how much/what type of spam you receive.
[quote user="bbarrons"]zimbraMtaRestriction: reject_invalid_hostname[/QUOTE]I only have that restriction set, I've found that in general you'll get far less problems receiving mail as there's a lot of legitimate servers that are mis-configured and will be rejected by the other restrictions. Of course, YMMV with any of those settings and it really depends on how much/what type of spam you receive.
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
since cbl.abuseat.org was second on my list and did reject most of the spam I moved zen.spamhaus to first to see if it started to reject first. interesting to see if it works that way.
UXbod, I went to spam eating monkey and looked thru the site. It looks like they have several rbls and changes that can be made to spam assassin and postfix. Should those changes be made to both spam assassin and post fix or is it an either or situation?
Bill
UXbod, I went to spam eating monkey and looked thru the site. It looks like they have several rbls and changes that can be made to spam assassin and postfix. Should those changes be made to both spam assassin and post fix or is it an either or situation?
Bill
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
I would look at these sites... every environment is different..
I don't have spamhaus in my list here because my untangle F/W box runs it as an DNSRBL...
Black list compared... this should be helpful for you
Blacklist Monitor » Statistics of accuracy and failure rates
Blacklists Compared, 22-Aug-09
DNSBL Resource: Statistics Center
DNSBL Information - Spam Database Lookup
drbcheck: dr. Jrgen Mash's DNS database list checker
[quote user="bbarrons"]since cbl.abuseat.org was second on my list and did reject most of the spam I moved zen.spamhaus to first to see if it started to reject first. interesting to see if it works that way.
UXbod, I went to spam eating monkey and looked thru the site. It looks like they have several rbls and changes that can be made to spam assassin and postfix. Should those changes be made to both spam assassin and post fix or is it an either or situation?
Bill[/QUOTE]
I don't have spamhaus in my list here because my untangle F/W box runs it as an DNSRBL...
Black list compared... this should be helpful for you
Blacklist Monitor » Statistics of accuracy and failure rates
Blacklists Compared, 22-Aug-09
DNSBL Resource: Statistics Center
DNSBL Information - Spam Database Lookup
drbcheck: dr. Jrgen Mash's DNS database list checker
[quote user="bbarrons"]since cbl.abuseat.org was second on my list and did reject most of the spam I moved zen.spamhaus to first to see if it started to reject first. interesting to see if it works that way.
UXbod, I went to spam eating monkey and looked thru the site. It looks like they have several rbls and changes that can be made to spam assassin and postfix. Should those changes be made to both spam assassin and post fix or is it an either or situation?
Bill[/QUOTE]
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
POSTFIX MTA Spam Settings
1st Section
Hostname in greeting violates RFC - Reject Invalid or Missing Hostnames – on by default
This setting allows you to reject email from senders that provide invalid information about the hostname from which they are being sent.
When a sending server connects our mail servers, the first thing we require it to do is identify itself. The sending server announces its hostname with a "HELO" or "EHLO" command. Most legitimate email servers include in this command their complete domain name. This domain name is in a very specific format. Spammers often use buggy or hastily written software that does not bother to send a proper EHLO. Often, they send a single name (e.g. "server1") or a random number. This setting allows you to block email sent from servers that do not announce their hostname properly when they identify themselves.
Impact
Enabling this option is very effective at catching spam generated by computer viruses. It is not particularly effective at blocking spam overall, and can block a fair amount of legitimate email.
reject_invalid_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname syntax is invalid.
Client must greet with fully qualified hostname - Reject Non-FQDN Hostnames – In Use
This setting allows you to block email that does not appear to be coming from a specific server at a particular hostname.
When a sending server announces its hostname, it is supposed to send the entire address of the email server, not just the domain name (e.g. mail.example.com rather than just example.com). RFC compliant email servers will send this information in a specific format. This is called a "Fully Qualified Domain Name" (FQDN). Many spammers do not provide complete or correct information; they just use the top level domain name. This setting allows you to block email from a sender that does not provide an FQDN.
Impact
This option can block a fair amount of legitimate email, but it also blocks a fair amount of spam that would otherwise get through.
reject_non_fqdn_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.
The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).
Sender Address must be fully qualified – Reject non fqdn sender – on by default
reject_non_fqdn_sender
Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.
2nd Section
ClientÂ’s Ip address - Reject Unknown Clients
This setting allows you to reject email from senders that do not have a proper name tied to the IP address of their outgoing email server.
Every computer on the Internet has a unique address known as its IP address. Any server that is sending legitimate email should have its IP address tied to a domain name. This is done via a service called DNS, or Domain Name Service. Many spammers do not have any DNS information attached to their IP address, or the information is misleading.
When a server sends mail to you, we perform a reverse lookup of its IP address to see if it has valid DNS information. You can use this setting to block email sent from servers that either do not have DNS information available or have misleading DNS entries.
More information on reverse DNS checks can be found at Wikipedia.
Impact
We estimate that enabling this option may block around 1% of legitimate email but could also be effective in blocking more spam from reaching your email INBOX. This can add up to a lot of legitimate email, especially from mail servers using unreliable DNS servers or that refuse to put their reverse DNS in place correctly.
reject_unknown_client_hostname (with Postfix
Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address.
This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above.
The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.
Hostname in greeting - Reject Unknown Hostnames – Don’t Use
This setting allows you to reject email from servers that use hostnames that don't exist.
When a sending server announces its hostname, our server checks to see if that hostname has DNS information. Many spammers know that servers will block mail from people that do not use a proper EHLO (discussed above). They try to trick those servers by sending a hostname that's formatted correctly, but doesn't actually exist (e.g. "thisisafakehostname.com"). You can use this setting to block email from servers that use fake or incorrect hostnames when they identify themselves.
Impact
This option can block a lot of legitimate email, and is not particularly effective at blocking spam. It's not recommended.
reject_unknown_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname has no DNS A or MX record.
The unknown_hostname_reject_code parameter specifies the numerical response code for rejected requests (default: 450).
The unknown_helo_hostname_tempfail_action parameter specifies the action after a temporary DNS error (default: defer_if_permit).
Senders Domain - Reject Unknown Sender Domains – In USE
This setting allows you to reject email from email addresses that aren't properly set up to receive email.
Anyone can send email from a legitimate server using any email address as their FROM address. Spam can come from a legitimate email server and from a valid user of that server, but it can have a deceptive or fake FROM address. This spam would bypass any of the above checks although it would be traceable back to a specific user at an Internet Service Provider (ISP). We check the domain name after the @ sign given in the FROM email address to see if that domain has proper DNS information.
First, our email server checks the DNS "root name servers" to see if the domain in question exists.
If the Domain does, then our server asks that domain's DNS server for its information.
If the root name servers return an error that the domain does not exist, the email will be rejected as the domain is not known.
If the root name servers state that the domain exists, and there is a problem with the server that handles DNS for that domain, our mail server will ask the sending server to resend the message at a later date. The email will not be rejected, it will only be delayed until that DNS server starts working. This is to keep legitimate mail from being stopped due to a malfunctioning DNS server.
You can enable this option to reject email from domains that do not actually exist.
Impact
This can cause a small number of false positives because someone may send an email out using a new email address before their domain has been set up properly in DNS. It is, however, very effective at blocking spam. Because we are an ISP, and are constantly adding new domains, we do not turn it on by default.
reject_unknown_sender_domain
Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM address has no DNS A or MX record, or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
Installed yes via command line
reject_unverified_sender
Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
1st Section
Hostname in greeting violates RFC - Reject Invalid or Missing Hostnames – on by default
This setting allows you to reject email from senders that provide invalid information about the hostname from which they are being sent.
When a sending server connects our mail servers, the first thing we require it to do is identify itself. The sending server announces its hostname with a "HELO" or "EHLO" command. Most legitimate email servers include in this command their complete domain name. This domain name is in a very specific format. Spammers often use buggy or hastily written software that does not bother to send a proper EHLO. Often, they send a single name (e.g. "server1") or a random number. This setting allows you to block email sent from servers that do not announce their hostname properly when they identify themselves.
Impact
Enabling this option is very effective at catching spam generated by computer viruses. It is not particularly effective at blocking spam overall, and can block a fair amount of legitimate email.
reject_invalid_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname syntax is invalid.
Client must greet with fully qualified hostname - Reject Non-FQDN Hostnames – In Use
This setting allows you to block email that does not appear to be coming from a specific server at a particular hostname.
When a sending server announces its hostname, it is supposed to send the entire address of the email server, not just the domain name (e.g. mail.example.com rather than just example.com). RFC compliant email servers will send this information in a specific format. This is called a "Fully Qualified Domain Name" (FQDN). Many spammers do not provide complete or correct information; they just use the top level domain name. This setting allows you to block email from a sender that does not provide an FQDN.
Impact
This option can block a fair amount of legitimate email, but it also blocks a fair amount of spam that would otherwise get through.
reject_non_fqdn_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.
The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).
Sender Address must be fully qualified – Reject non fqdn sender – on by default
reject_non_fqdn_sender
Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.
2nd Section
ClientÂ’s Ip address - Reject Unknown Clients
This setting allows you to reject email from senders that do not have a proper name tied to the IP address of their outgoing email server.
Every computer on the Internet has a unique address known as its IP address. Any server that is sending legitimate email should have its IP address tied to a domain name. This is done via a service called DNS, or Domain Name Service. Many spammers do not have any DNS information attached to their IP address, or the information is misleading.
When a server sends mail to you, we perform a reverse lookup of its IP address to see if it has valid DNS information. You can use this setting to block email sent from servers that either do not have DNS information available or have misleading DNS entries.
More information on reverse DNS checks can be found at Wikipedia.
Impact
We estimate that enabling this option may block around 1% of legitimate email but could also be effective in blocking more spam from reaching your email INBOX. This can add up to a lot of legitimate email, especially from mail servers using unreliable DNS servers or that refuse to put their reverse DNS in place correctly.
reject_unknown_client_hostname (with Postfix
Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address.
This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above.
The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.
Hostname in greeting - Reject Unknown Hostnames – Don’t Use
This setting allows you to reject email from servers that use hostnames that don't exist.
When a sending server announces its hostname, our server checks to see if that hostname has DNS information. Many spammers know that servers will block mail from people that do not use a proper EHLO (discussed above). They try to trick those servers by sending a hostname that's formatted correctly, but doesn't actually exist (e.g. "thisisafakehostname.com"). You can use this setting to block email from servers that use fake or incorrect hostnames when they identify themselves.
Impact
This option can block a lot of legitimate email, and is not particularly effective at blocking spam. It's not recommended.
reject_unknown_helo_hostname (with Postfix
Reject the request when the HELO or EHLO hostname has no DNS A or MX record.
The unknown_hostname_reject_code parameter specifies the numerical response code for rejected requests (default: 450).
The unknown_helo_hostname_tempfail_action parameter specifies the action after a temporary DNS error (default: defer_if_permit).
Senders Domain - Reject Unknown Sender Domains – In USE
This setting allows you to reject email from email addresses that aren't properly set up to receive email.
Anyone can send email from a legitimate server using any email address as their FROM address. Spam can come from a legitimate email server and from a valid user of that server, but it can have a deceptive or fake FROM address. This spam would bypass any of the above checks although it would be traceable back to a specific user at an Internet Service Provider (ISP). We check the domain name after the @ sign given in the FROM email address to see if that domain has proper DNS information.
First, our email server checks the DNS "root name servers" to see if the domain in question exists.
If the Domain does, then our server asks that domain's DNS server for its information.
If the root name servers return an error that the domain does not exist, the email will be rejected as the domain is not known.
If the root name servers state that the domain exists, and there is a problem with the server that handles DNS for that domain, our mail server will ask the sending server to resend the message at a later date. The email will not be rejected, it will only be delayed until that DNS server starts working. This is to keep legitimate mail from being stopped due to a malfunctioning DNS server.
You can enable this option to reject email from domains that do not actually exist.
Impact
This can cause a small number of false positives because someone may send an email out using a new email address before their domain has been set up properly in DNS. It is, however, very effective at blocking spam. Because we are an ISP, and are constantly adding new domains, we do not turn it on by default.
reject_unknown_sender_domain
Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM address has no DNS A or MX record, or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
Installed yes via command line
reject_unverified_sender
Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
Ubuntu 804lts - Admin GUI Error for RBL's - Workaround
mshanley, thanks for the links. One of the first things I noticed was this comment when I looked up cbl.abuseat.org
"The Composite Blocking List (CBL) is a free list meant to block "IPs exhibiting characteristics which are specific to open proxies of various sorts." It should block very little non-spam.
It is incorporated into Spamhaus ZEN. If you are already using Spamhaus ZEN, you do not need to utilize the CBL separately. (Spamhaus ZEN is highly recommended.) "
so, by me having both listed it is a waste of time and space.
I moved zen to the top of my list and now it has the highest reject count so far today. Prior to that it was listed about 5 I think in my list and had no rejections. I guess that means that the first on the list works first and the nwhat is leftover moves down the list.
Bill
"The Composite Blocking List (CBL) is a free list meant to block "IPs exhibiting characteristics which are specific to open proxies of various sorts." It should block very little non-spam.
It is incorporated into Spamhaus ZEN. If you are already using Spamhaus ZEN, you do not need to utilize the CBL separately. (Spamhaus ZEN is highly recommended.) "
so, by me having both listed it is a waste of time and space.
I moved zen to the top of my list and now it has the highest reject count so far today. Prior to that it was listed about 5 I think in my list and had no rejections. I guess that means that the first on the list works first and the nwhat is leftover moves down the list.
Bill