Are you using zen.spamhaus.org or dbl.spamhaus.org for fighting spam? Pay attention!

Spamhaus is making some changes in their policy enforcement, from their website:

Are you currently using the Spamhaus Project’s DNS Blocklists (DNSBLs)? Do you access them via the Public Mirrors, for example, query “sbl.spamhaus.org” or “zen.spamhaus.org”? Do you use Cloudflare’s DNS? If you’ve answered “yes” to all three of those questions, you need to make some changes to your email infrastructure. These changes are quick and easy to make, but if you fail to make them, you could find that at some point in 2022, all or none of your email is blocked!

So if you use Cloudflare DNS and have configured Zimbra to use the public Spamhaus mirrors, you need to make some changes. Please note that even if you do not use Cloudflare there are other cases where you also cannot use “sbl.spamhaus.org” or “zen.spamhaus.org” anymore.

To find out if you are affected, check for an increase in rejected email: in the log file /var/log/zimbra.log, look for 554 5.7.1 Service unavailable. Example false positive:

Aug 20 15:31:19 mail2 postfix/smtpd[999335]: NOQUEUE: reject: RCPT from mail132-6.atl131.mandrillapp.com[198.2.132.6]: 554 5.7.1 Service unavailable; Client host [198.2.132.6] blocked using zen.spamhaus.org; from=<bounce-md_31064510.6300e225.v1-88ad894bd9cd45bfb6bc5ea42d8571d1@mandrillapp.com> to=<info@*********.***> proto=ESMTP helo=
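To spot an increase like this quickly, the following added example (not part of the original post) tallies DNSBL rejections per day and per blocklist, with the number of distinct client IPs behind them. The function name rbl_reject_summary and the sample lines are constructed for illustration; on a real server you would feed it /var/log/zimbra.log.

```bash
#!/usr/bin/env bash
# Added example: per-day, per-blocklist tally of Postfix DNSBL rejections.
# Reads syslog-format lines (such as /var/log/zimbra.log) on stdin.
rbl_reject_summary() {
  awk '
    /NOQUEUE: reject:/ && / 554 5\.7\.1 / && /blocked using / {
      day = $1 " " $2
      ip = "?"; zone = "?"
      # Connecting client IP: the "[ip]" directly before ": 554"
      if (match($0, /\[[0-9a-fA-F.:]+\]: 554/))
        ip = substr($0, RSTART + 1, RLENGTH - 7)
      # Blocklist name: the token after "blocked using "
      if (match($0, /blocked using [^; ]+/))
        zone = substr($0, RSTART + 14, RLENGTH - 14)
      key = day "\t" zone
      rejects[key]++
      # Count each client IP once per day and blocklist
      if (!((key SUBSEP ip) in seen)) { seen[key SUBSEP ip] = 1; clients[key]++ }
    }
    END {
      for (k in rejects)
        printf "%s\trejects=%d\tclients=%d\n", k, rejects[k], clients[k]
    }
  ' | LC_ALL=C sort
}

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
  cat <<'EOF'
Aug 20 15:31:19 mail2 postfix/smtpd[1001]: NOQUEUE: reject: RCPT from a.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<info@example.org> proto=ESMTP helo=<a.example.net>
Aug 20 15:32:02 mail2 postfix/smtpd[1002]: NOQUEUE: reject: RCPT from a.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<sales@example.org> proto=ESMTP helo=<a.example.net>
Aug 20 15:40:11 mail2 postfix/smtpd[1003]: NOQUEUE: reject: RCPT from b.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<b@example.net> to=<info@example.org> proto=ESMTP helo=<b.example.net>
Aug 20 15:41:00 mail2 postfix/smtpd[1004]: NOQUEUE: reject: RCPT from c.example.net[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using bl.spamcop.net; from=<c@example.net> to=<info@example.org> proto=ESMTP helo=<c.example.net>
Aug 21 09:00:00 mail2 postfix/smtpd[1005]: connect from d.example.net[192.0.2.99]
EOF
}

sample_log | rbl_reject_summary
```

A sudden jump in rejects spread over many distinct clients for a single Spamhaus zone is the pattern to look for.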

To find out how you configured Postfix on Zimbra, run as user zimbra:

zmprov gcf zimbraMtaRestriction

Setting up RBLs

Before making changes to your production environment, test on a test environment first. This article is a work in progress, use it at your own discretion. Create a free account for the DQS service at Spamhaus via https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/

Next, log in to the Spamhaus portal via https://portal.spamhaus.com/dqs/ and get your DQS Query Key. Then configure Zimbra by running the following commands as user zimbra (don’t forget to replace your-query-key-here with your actual key):

zmprov mcf zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov mcf +zimbraMtaRestriction "reject_non_fqdn_sender"
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'
zmprov mcf +zimbraMtaRestriction "reject_rbl_client your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
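After applying the commands, the result can be audited. The added example below (not part of the original post) reads the output of zmprov gcf zimbraMtaRestriction and flags entries that still query the public Spamhaus mirrors, as well as DQS entries without a return-code filter such as =127.0.0.[2..11]; without that filter Postfix treats any A record answer as a listing. The function name audit_mta_restrictions, the "attribute: value" line format and the key examplekey123 are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: audit `zmprov gcf zimbraMtaRestriction` output read from stdin.
audit_mta_restrictions() {
  awk '
    $1 != "zimbraMtaRestriction:" { next }   # other attributes
    $2 !~ /^reject_(rbl|rhsbl)_/  { next }   # not a DNSBL restriction
    {
      split($3, parts, "=")                  # zone[=return-code filter]
      zone = parts[1]; filter = parts[2]
      if (zone ~ /\.spamhaus\.org$/) {
        # Public mirror zone: should be replaced by the DQS zone
        print "PUBLIC-MIRROR", $2, zone
      } else if (zone ~ /\.dq\.spamhaus\.net$/) {
        sub(/^[^.]+\./, "<key>.", zone)      # never echo the query key
        if (filter == "") print "NO-RETURN-FILTER", $2, zone
      }
    }
  '
}

# Constructed sample output; examplekey123 is a placeholder, not a real key.
sample_gcf_output() {
  cat <<'EOF'
zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
zimbraMtaRestriction: reject_rbl_client examplekey123.zen.dq.spamhaus.net
zimbraMtaRestriction: reject_rhsbl_sender examplekey123.dbl.dq.spamhaus.net=127.0.1.[2..99]
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
EOF
}

sample_gcf_output | audit_mta_restrictions
```

On a server, run it as user zimbra with: zmprov gcf zimbraMtaRestriction | audit_mta_restrictions. No output means no finding.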

In some cases you will want to receive email from certain domains or IPs regardless of them being in the RBL. This can be achieved by setting up an RBL override. Create a file /opt/zimbra/conf/postfix_rbl_override with the following content:

zimbra.com OK
example.com OK
1.1.1.1 OK

Then run the following command as user zimbra:

postmap /opt/zimbra/conf/postfix_rbl_override

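Next create a file /opt/zimbra/conf/dnsbl-reply-map with the following content (don’t forget to replace your-query-key-here with your actual key). This map replaces the default rejection text, which names the queried DNSBL zone and would therefore show your query key to the rejected sender: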

your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too young
your-query-key-here.zen.dq.spamhaus.net         554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
your-query-key-here.dbl.dq.spamhaus.net         554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
your-query-key-here.zrd.dq.spamhaus.net         554 $rbl_class $rbl_what blocked using ZRD - domain too young

Since reject_rhsbl_helo is not supported in Zimbra yet, you have to add it to /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf. Example result:

%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unlisted_recipient
%%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%exact VAR:zimbraMtaRestriction reject_unverified_recipient%%
reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]
reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]
%%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%%
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
%%contains VAR:zimbraMtaRestriction check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%%
%%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%%
%%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
%%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf%%
%%exact VAR:zimbraMtaRestriction reject%%
permit

Next run as user zimbra:

postmap /opt/zimbra/conf/dnsbl-reply-map

Next we have to add the rbl_reply_maps setting to the Postfix main.cf. Add the following line (as root) to /opt/zimbra/common/conf/main.cf:

rbl_reply_maps = lmdb:/opt/zimbra/conf/dnsbl-reply-map

Then run

zmmtactl restart

Each time you make changes to the rbl_reply_maps file (dnsbl-reply-map) or postfix_rbl_override, you need to run the postmap command and then zmmtactl restart. You also need to re-apply changes to main.cf, smtpd_recipient_restrictions.cf and dnsbl-reply-map after a Zimbra upgrade or patch installation.

Test configuration

In your browser, go to https://blt.spamhaus.com/test, fill out your email address and run the SMTP test.


2 Responses to Are you using zen.spamhaus.org or dbl.spamhaus.org for fighting spam? Pay attention!

  1. Honza September 12, 2022 at 11:40 PM #

    Thank you for the great tip.
    How do I set postscreen?

    zmprov mcf +zimbraMtaPostscreenDnsblSites: “your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..255]”

    postscreen_dnsbl_reply_map = texthash:/opt/zimbra/conf/dnsbl_reply – /opt/zimbra/common/conf/main.cf … this Main.cf settings will not accept me.

    /opt/zimbra/conf/dnsbl_reply>
    your-query-key-here.sbl.dq.spamhaus.net sbl.spamhaus.org
    your-query-key-here.xbl.dq.spamhaus.net xbl.spamhaus.org
    your-query-key-here.pbl.dq.spamhaus.net pbl.spamhaus.org
    your-query-key-here.zen.dq.spamhaus.net zen.spamhaus.org
    your-query-key-here.dbl.dq.spamhaus.net dbl.spamhaus.org
    your-query-key-here.zrd.dq.spamhaus.net zrd.spamhaus.org

    • Barry de Graaff September 23, 2022 at 11:25 PM #

      Hello Honza,

      Instead of using texthash, use lmdb. Create dnsbl-reply-map as documented in above blog post and https://wiki.zimbra.com/wiki/Anti-spam. Don’t forget to run postmap command.

      Next we have to add the postscreen_dnsbl_reply_map to Postfix main.cf. Add the following line (as root) to /opt/zimbra/common/conf/main.cf
      postscreen_dnsbl_reply_map = lmdb:/opt/zimbra/conf/dnsbl-reply-map
      zmmtactl restart

      And that should apply the changes correctly; can you confirm if this works for you? The complete steps for Postscreen will then be as below.

      Thanks! Barry

Copyright © 2022 Zimbra, Inc. All rights reserved.
