Spamhaus is making some changes to its policy enforcement. From their website:
Are you currently using the Spamhaus Project’s DNS Blocklists (DNSBLs)? Do you access them via the Public Mirrors, for example, query “sbl.spamhaus.org” or “zen.spamhaus.org”? Do you use Cloudflare’s DNS? If you’ve answered “yes” to all three of those questions, you need to make some changes to your email infrastructure. These changes are quick and easy to make, but if you fail to make them, you could find that at some point in 2022, all or none of your email is blocked!
So if you use Cloudflare DNS and have configured Zimbra to use the public Spamhaus mirrors, you need to make some changes. Please note that even if you do not use Cloudflare there are other cases where you also cannot use “sbl.spamhaus.org” or “zen.spamhaus.org” anymore.
To find out if you are affected, check for an increase in rejected email: in the log file /var/log/zimbra.log look for 554 5.7.1 Service unavailable. Example of a false positive:
Aug 20 15:31:19 mail2 postfix/smtpd[999335]: NOQUEUE: reject: RCPT from mail132-6.atl131.mandrillapp.com[198.2.132.6]: 554 5.7.1 Service unavailable; Client host [198.2.132.6] blocked using zen.spamhaus.org; from=<bounce-md_31064510.6300e225.v1-88ad894bd9cd45bfb6bc5ea42d8571d1@mandrillapp.com> to=<info@*********.***> proto=ESMTP helo=
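To spot the pattern in the log line above at scale, here is an added Python script (not from the original post) that scans zimbra.log text for RBL rejects and counts them per zone and client IP, separating rejects attributed to the public Spamhaus mirrors from those attributed to the keyed DQS zones. The log lines it carries are constructed in the shape of the entry above and are not real traffic.

```python
import re
from collections import Counter

# Constructed sample in the shape of the page's zimbra.log entry; addresses are
# documentation ranges and the DQS key is the post's placeholder.
SAMPLE_LOG = """\
Aug 20 15:31:19 mail2 postfix/smtpd[999335]: NOQUEUE: reject: RCPT from mail132-6.atl131.mandrillapp.com[198.2.132.6]: 554 5.7.1 Service unavailable; Client host [198.2.132.6] blocked using zen.spamhaus.org; from=<bounce@mandrillapp.com> to=<info@example.com> proto=ESMTP helo=<mail132-6.atl131.mandrillapp.com>
Aug 20 15:32:02 mail2 postfix/smtpd[999340]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using your-query-key-here.zen.dq.spamhaus.net; from=<x@example.net> to=<info@example.com> proto=ESMTP helo=<x>
Aug 20 15:33:10 mail2 postfix/smtpd[999341]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Sender address [x@example.net] blocked using your-query-key-here.dbl.dq.spamhaus.net; from=<x@example.net> to=<info@example.com> proto=ESMTP helo=<x>
Aug 20 15:34:00 mail2 postfix/smtpd[999342]: 1A2B3C: client=mail.example.org[198.51.100.9]
"""

# Postfix reject lines from reject_rbl_client and the reject_rhsbl_* restrictions
# share the "<class> [<what>] blocked using <zone>" shape used above.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"554 5\.7\.1 Service unavailable; (?P<cls>[^\[]+?) \[(?P<what>[^\]]+)\] "
    r"blocked using (?P<zone>\S+?);.*?from=<(?P<sender>[^>]*)>"
)


def zone_kind(zone):
    """Classify the DNSBL zone a reject was attributed to."""
    if zone.endswith(".dq.spamhaus.net"):
        return "dqs"            # keyed DQS zone, the setup this post configures
    if zone.endswith(".spamhaus.org"):
        return "public-mirror"  # legacy public mirror that Cloudflare users must leave
    return "other"              # spamcop, sorbs, barracuda, ...


def summarize_rbl_rejects(log_text):
    """Count RBL rejects per zone kind, per zone and per client IP."""
    by_kind, by_zone, by_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail or a reject that is not RBL related
        by_kind[zone_kind(m["zone"])] += 1
        by_zone[m["zone"]] += 1
        by_client[m["ip"]] += 1
    return {"by_kind": dict(by_kind), "by_zone": dict(by_zone), "by_client": dict(by_client)}


if __name__ == "__main__":
    for section, counts in summarize_rbl_rejects(SAMPLE_LOG).items():
        print(section, counts)
```

Any count under "public-mirror" after the migration means a host is still querying the old zones; a sudden jump in any bucket is the signal the post tells you to look for.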
To find out how you configured Postfix on Zimbra, run as user zimbra:
zmprov gcf zimbraMtaRestriction
Setting up RBLs
Before making changes to your production environment, test on a test environment first. This article is a work in progress, use it at your own discretion. Create a free account for the DQS service at Spamhaus via https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/
Then log in to the Spamhaus portal via https://portal.spamhaus.com/dqs/ and get your DQS Query Key. Then configure Zimbra by running the following commands as user zimbra (don’t forget to replace your-query-key-here with your actual key):
zmprov mcf zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov mcf +zimbraMtaRestriction "reject_non_fqdn_sender"
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'
zmprov mcf +zimbraMtaRestriction "reject_rbl_client your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
In some cases you will want to receive email from certain domains or IPs regardless of whether they are listed in an RBL. This can be achieved by setting up an RBL override. Create the file /opt/zimbra/conf/postfix_rbl_override with the following content:
zimbra.com OK
example.com OK
1.1.1.1 OK
Then run the following command as user zimbra:
postmap /opt/zimbra/conf/postfix_rbl_override
Next create the file /opt/zimbra/conf/dnsbl-reply-map with the following content (don’t forget to replace your-query-key-here with your actual key):
your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too young
your-query-key-here.zen.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
your-query-key-here.dbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
your-query-key-here.zrd.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZRD - domain too young
Since reject_rhsbl_helo is not supported in Zimbra yet, you have to add it by hand to /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf. Example result:
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unlisted_recipient
%%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%exact VAR:zimbraMtaRestriction reject_unverified_recipient%%
reject_rhsbl_helo your-query-key-here.zrd.dq.spamhaus.net=127.0.2.[2..24]
reject_rhsbl_helo your-query-key-here.dbl.dq.spamhaus.net=127.0.1.[2..99]
%%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%%
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
%%contains VAR:zimbraMtaRestriction check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%%
%%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%%
%%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
%%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf%%
%%exact VAR:zimbraMtaRestriction reject%%
permit
Next run as user zimbra:
postmap /opt/zimbra/conf/dnsbl-reply-map
Next we have to add rbl_reply_maps to Postfix main.cf. Add the following line (as root) to /opt/zimbra/common/conf/main.cf:
rbl_reply_maps = lmdb:/opt/zimbra/conf/dnsbl-reply-map
Then run:
zmmtactl restart
Each time you make changes to dnsbl-reply-map or postfix_rbl_override, you need to run the postmap command and then zmmtactl restart. You also need to re-apply the changes to main.cf, smtpd_recipient_restrictions.cf and dnsbl-reply-map after a Zimbra upgrade or patch installation.
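As an added helper that is not part of the original post, this Python check verifies that the pieces listed above are still in place after an upgrade: the rbl_reply_maps line in main.cf, the reject_rhsbl_helo lines in smtpd_recipient_restrictions.cf, no leftover your-query-key-here placeholder, and a postmap’d .lmdb that is not older than its source file. The sample tree it builds, its paths and the key abc123 are hypothetical; on a real server pass the Zimbra paths from the post instead.

```python
import os
import re
import tempfile


def check_rbl_config(main_cf, restrictions_cf, map_sources):
    """Return a list of problems; an empty list means the DQS setup survived.

    map_sources are postmap input files (postfix_rbl_override, dnsbl-reply-map);
    each must have a <name>.lmdb sibling that is no older than the source."""
    problems = []
    for path, needle, msg in (
        (main_cf, r"^\s*rbl_reply_maps\s*=\s*lmdb:", "rbl_reply_maps missing from main.cf"),
        (restrictions_cf, r"^\s*reject_rhsbl_helo\s+\S+\.dq\.spamhaus\.net",
         "reject_rhsbl_helo lines missing from smtpd_recipient_restrictions.cf"),
    ):
        try:
            text = open(path).read()
        except OSError as exc:
            problems.append(f"cannot read {path}: {exc}")
            continue
        if not re.search(needle, text, re.M):
            problems.append(msg)
        if "your-query-key-here" in text:
            problems.append(f"placeholder DQS key still present in {path}")
    for src in map_sources:
        db = src + ".lmdb"  # what postmap lmdb:<src> writes
        if not os.path.exists(db):
            problems.append(f"{db} missing: run postmap {src}")
        elif os.path.getmtime(db) < os.path.getmtime(src):
            problems.append(f"{db} older than {src}: run postmap {src} and zmmtactl restart")
    return problems


def sample_tree(stale_map=False, lost_main_cf_line=False):
    """Constructed stand-in for the Zimbra config tree (hypothetical key abc123)."""
    root = tempfile.mkdtemp()
    main_cf, restr = os.path.join(root, "main.cf"), os.path.join(root, "smtpd_recipient_restrictions.cf")
    override = os.path.join(root, "postfix_rbl_override")
    with open(main_cf, "w") as f:
        f.write("myhostname = mail2.example.com\n")
        if not lost_main_cf_line:  # an upgrade that rewrote main.cf drops this line
            f.write("rbl_reply_maps = lmdb:/opt/zimbra/conf/dnsbl-reply-map\n")
    with open(restr, "w") as f:
        f.write("reject_rhsbl_helo abc123.dbl.dq.spamhaus.net=127.0.1.[2..99]\n")
    with open(override, "w") as f:
        f.write("example.com OK\n")
    with open(override + ".lmdb", "w") as f:
        f.write("fake db\n")  # stands in for the real postmap output
    t = os.path.getmtime(override)
    os.utime(override + ".lmdb", (t - 60, t - 60) if stale_map else (t + 60, t + 60))
    return main_cf, restr, [override]
```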
Test configuration
In your browser go to https://blt.spamhaus.com/test, fill out your email address and run the SMTP test.
Further reading
- https://www.spamhaus.com/resource-center/if-you-query-spamhaus-projects-dnsbls-via-cloudflares-dns-move-to-the-free-data-query-service/
- https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html#
- https://blt.spamhaus.com/test
- https://barracudacentral.org/account/register
Thank you for the great tip.
How do I set postscreen?
zmprov mcf +zimbraMtaPostscreenDnsblSites "your-query-key-here.zen.dq.spamhaus.net=127.0.0.[2..255]"
postscreen_dnsbl_reply_map = texthash:/opt/zimbra/conf/dnsbl_reply (in /opt/zimbra/common/conf/main.cf) … this main.cf setting will not accept me.
/opt/zimbra/conf/dnsbl_reply>
your-query-key-here.sbl.dq.spamhaus.net sbl.spamhaus.org
your-query-key-here.xbl.dq.spamhaus.net xbl.spamhaus.org
your-query-key-here.pbl.dq.spamhaus.net pbl.spamhaus.org
your-query-key-here.zen.dq.spamhaus.net zen.spamhaus.org
your-query-key-here.dbl.dq.spamhaus.net dbl.spamhaus.org
your-query-key-here.zrd.dq.spamhaus.net zrd.spamhaus.org
Hello Honza,
Instead of using texthash, use lmdb. Create dnsbl-reply-map as documented in above blog post and https://wiki.zimbra.com/wiki/Anti-spam. Don’t forget to run postmap command.
Next we have to add the postscreen_dnsbl_reply_map to Postfix main.cf. Add the following line (as root) to /opt/zimbra/common/conf/main.cf
postscreen_dnsbl_reply_map = lmdb:/opt/zimbra/conf/dnsbl-reply-map
zmmtactl restart
And that should apply the changes correctly. Can you confirm whether this works for you? The complete steps for Postscreen will then be as below.
Thanks! Barry