8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

[16439dvirt]

[quote user="17126thunder04"]This seems to be a decent temporary fix, but I am still interested in configuring Zimbra so that


permit_sasl_authenticated


and


amavis_originating_bypass_sa = true


Do what they are supposed to do![/QUOTE]
+1
I found this thread after posting my bug:

which">https://bugzilla.zimbra.com/show_bug.cgi?id=79415
which, unfortunately, got reclassified as an "enhancement". I disagree, but have no ability to change it back.
If you're interested, lend your voice(s) there as well. THanks!

[quanah]

[quote user="17126thunder04"]



zimbra@cottontail:~/conf$ zmprov gacf | grep MtaRestriction

zimbraMtaRestriction: reject_non_fqdn_sender

zimbraMtaRestriction: reject_unknown_sender_domain

zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org

zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client xbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client dbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org

zimbraMtaRestriction: reject_rbl_client psbl.surriel.com



[/QUOTE]
I wanted to note, this is not the correct way to set RBL's in ZCS.
RBLs have their own attribute, zimbraMtaRestrictionRBLs
You simply set that to the RBL you want to use, like
zmprov ms +zimbraMtaRestrictionRBLs dbl.spamhaus.org
They should *not* be in zimbraMtaRestriction.
--Quanah

[16439dvirt]

[quote user="quanah"]I wanted to note, this is not the correct way to set RBL's in ZCS.
RBLs have their own attribute, zimbraMtaRestrictionRBLs
You simply set that to the RBL you want to use, like
zmprov ms +zimbraMtaRestrictionRBLs dbl.spamhaus.org
They should *not* be in zimbraMtaRestriction.
--Quanah[/QUOTE]
I'd guess people are just following the instructions at:
"Configuring and Monitoring Postfix DNSBL"


which">https://wiki.zimbra.com/wiki/Configurin ... tfix_DNSBL
which specifically states to use:



zmprov mcf zimbraMtaRestriction [RBL type]



and makes no mention of:



zimbraMtaRestrictionRBLs



fyi:


zimbra@test:~$ zmcontrol -v

Release 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 FOSS edition.

zimbra@test:~$ zmprov gacf | grep -i zimbraMtaRestrictionRBL

zimbra@test:~$ zmprov gs `zmhostname` | grep -i zimbraMtaRestrictionRBL

zimbra@test:~$ zmlocalconfig | grep -i zimbraMtaRestrictionRBL

zimbra@test:~$

[magneticinduction]

When I add RBLs I just use the web interface. This auth bug exists in that manner as well.

[16439dvirt]

[quote user="magneticinduction"]When I add RBLs I just use the web interface. This auth bug exists in that manner as well.[/QUOTE]
given that you've not 'polluted' your setup using other-than-UI, can you check/verify what _your_ setup returns for:


zmprov gacf | grep -i zimbraMtaRestriction

zmprov gs `zmhostname` | grep -i zimbraMtaRestriction

zmlocalconfig | grep -i zimbraMtaRestriction


?
update:
for anyone interested, the bug @
"SASL Authenticated mail submitted to port 587 from remote (mobile phone) networks is incorrectly checked/rejected by Zimbra Server's DNSBL checks"


has">https://bugzilla.zimbra.com/show_bug.cgi?id=79415
has been re-classified as a P2/Critical bug. I'd guess solutions will flow from there.

[magneticinduction]

[quote user="16439dvirt"]given that you've not 'polluted' your setup using other-than-UI, can you check/verify what _your_ setup returns for:


zmprov gacf | grep -i zimbraMtaRestriction

zmprov gs `zmhostname` | grep -i zimbraMtaRestriction

zmlocalconfig | grep -i zimbraMtaRestriction


?
update:
for anyone interested, the bug @
"SASL Authenticated mail submitted to port 587 from remote (mobile phone) networks is incorrectly checked/rejected by Zimbra Server's DNSBL checks"


has">https://bugzilla.zimbra.com/show_bug.cgi?id=79415
has been re-classified as a P2/Critical bug. I'd guess solutions will flow from there.[/QUOTE]


$ zmprov gacf | grep -i zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender

zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client xbl.spamhaus.org

zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
$ zmprov gs `me.domain.com` | grep -i zimbraMtaRestriction

me.domain.com: command not found
I dont think I made a typo up there.
$ zmlocalconfig | grep -i zimbraMtaRestriction


I got a blank output.

[16439dvirt]

[quote user="magneticinduction"]
$ zmprov gs `me.domain.com` | grep -i zimbraMtaRestriction

me.domain.com: command not found
I dont think I made a typo up there.
[/QUOTE]
it's either


zmprov gs `hostname` | grep -i zimbraMtaRestriction


or


zmprov gs me.domain.com | grep -i zimbraMtaRestriction


the backticks cause the cmd within to be exec'd

[17126thunder04]

I was going to report that even though authenticated user mail was not being spam checked any more, it was still being checked against RBLs. However, after reviewing the bug linked above, the fix from Quanah Gibson-Mount seems to have fixed it for me!
[quote]

For 8.0.2, I *believe* the following will fix the issue, but I have no way to

test:
cd /opt/zimbra/conf/zmconfigd/

vi smtpd_recipient_restrictions.cf
Add the following 2 lines to the start of the file:

permit_sasl_authenticated

permit_mynetworks
zmcontrol stop;zmcontrol start

[/quote]
In terms of the zimbraMtaRestriction vs zimbraMtaRestrictionRBL, here's what my server returns:


zimbra@cottontail:~$ zmprov gacf | grep -i zimbraMtaRestriction

zimbraMtaRestriction: reject_non_fqdn_sender

zimbraMtaRestriction: reject_unknown_sender_domain

zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org

zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org

zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org




zimbra@cottontail:~$ zmprov gs `zmhostname` | grep -i zimbraMtaRestriction

zimbra@cottontail:~$




zimbra@cottontail:~$ zmlocalconfig | grep -i zimbraMtaRestriction

zimbra@cottontail:~$


We upgraded from 6.0.14 to 8.0.2, which I'm sure makes a difference. We only add/remove RBLs through the admin GUI and rarely (if ever) make config changes via any of the CLI tools. Also, when I make RBL changes post 8.0.2 upgrade, they still seem to apply as "zimbraMtaRestriction: reject_rbl_client xxx". This is just an FYI more than anything else.

[16439dvirt]

[quote user="17126thunder04"]In terms of the zimbraMtaRestriction vs zimbraMtaRestrictionRBL, here's what my server returns:

...

We upgraded from 6.0.14 to 8.0.2, which I'm sure makes a difference. We only add/remove RBLs through the admin GUI and rarely (if ever) make config changes via any of the CLI tools. Also, when I make RBL changes post 8.0.2 upgrade, they still seem to apply as "zimbraMtaRestriction: reject_rbl_client xxx". This is just an FYI more than anything else.

[/QUOTE]
I clean-installed 8.0.0, and upgraded to 8.0.2.
So neither you, nor I, nor magneticinduction see and trace of zimbraMtaRestrictionRBL, rather only zimbraMtaRestriction, regardless of how we add the DNSBL -- cmd line or shell.
Which seems to contradict:
[quote user="quanah"]I wanted to note, this is not the correct way to set RBL's in ZCS.
RBLs have their own attribute, zimbraMtaRestrictionRBLs
You simply set that to the RBL you want to use, like
zmprov ms +zimbraMtaRestrictionRBLs dbl.spamhaus.org
They should *not* be in zimbraMtaRestriction.

[/QUOTE]
I'm hoping we can get some clarification & consistent documentation on this.

[quanah]

[quote user="16439dvirt"]I clean-installed 8.0.0, and upgraded to 8.0.2.
So neither you, nor I, nor magneticinduction see and trace of zimbraMtaRestrictionRBL, rather only zimbraMtaRestriction, regardless of how we add the DNSBL -- cmd line or shell.

I'm hoping we can get some clarification & consistent documentation on this.[/QUOTE]
cd /opt/zimbra/conf/zmconfigd

grep zimbraMtaRestrictionRBLs smtpd_recipient_restrictions.cf
The code does not lie. The documentation is clearly wrong, and the Admin console is clearly broken.
--Quanah