In Zimbra you can optionally enable Postscreen as an additional Anti-SPAM strategy. Postscreen will offer additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections and decides which clients may talk to a Post-fix SMTP server process.
By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients and delays the onset of server overload conditions.
Configuring
To configure Postscreen you first need to create an account at Spamhaus and obtain a DQS query key. Then you can configure Postscreen as follows, replace your-dqs-key-here with your actual Spamhaus DQS key:
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore zmprov mcf zimbraMtaPostscreenBareNewlineEnable no zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d zmprov mcf zimbraMtaPostscreenBlacklistAction ignore zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d zmprov mcf zimbraMtaPostscreenCommandCountLimit 20 zmprov mcf zimbraMtaPostscreenDnsblAction enforce zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2' zmprov mcf zimbraMtaPostscreenDnsblTTL 5m zmprov mcf zimbraMtaPostscreenDnsblThreshold 8 zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0 zmprov mcf zimbraMtaPostscreenGreetAction enforce zmprov mcf zimbraMtaPostscreenGreetTTL 1d zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d zmprov mcf zimbraMtaPostscreenPipeliningAction enforce zmprov mcf zimbraMtaPostscreenPipeliningEnable no zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all zmprov mcf zimbraMtaPostscreenDnsblReplyMap lmdb:/opt/zimbra/conf/dnsbl-reply
Next you have to create a file /opt/zimbra/conf/dnsbl-reply with the following content:
'your-key-here'.sbl.dq.spamhaus.net sbl.spamhaus.org 'your-key-here'.xbl.dq.spamhaus.net xbl.spamhaus.org 'your-key-here'.pbl.dq.spamhaus.net pbl.spamhaus.org 'your-key-here'.zen.dq.spamhaus.net zen.spamhaus.org 'your-key-here'.dbl.dq.spamhaus.net dbl.spamhaus.org 'your-key-here'.zrd.dq.spamhaus.net zrd.spamhaus.org
Don’t forget to run postmap /opt/zimbra/conf/dnsbl-reply command. Please note that the syntax for /opt/zimbra/conf/dnsbl-reply is not the same as/opt/zimbra/conf/dnsbl-reply-map used in https://wiki.zimbra.com/wiki/Anti-spam.
Restart the MTA to load the changes, as user Zimbra:
zmmtactl restart
For the latest configuration on Spamhaus go to your Spamhaus Portal click Products -> DQS in the top menu, then click the Manual tab and refer to section 3.1.2 Configuring Postfix.
Further reading
- https://www.zimbra.com/business-email-collaboration/secure-email-features/email-security-postscreen/
- https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen
- https://blog.zimbra.com/2017/09/reduce-incoming-spam-overall-mta-overload-using-postscreen/
- https://www.postfix.org/POSTSCREEN_README.html#enable
Comments are closed.