habibzain: Just a husband, father and enthusiastic man about System Administration. Love to write short articles about it. Perhaps they can help and be useful for others.

Zimbra Collaboration Postscreen Implementation

Starting with Zimbra Collaboration 8.7, Zimbra introduces Postscreen as an additional anti-spam strategy. Zimbra Postscreen provides additional protection against mail server overload.

Zimbra Collaboration Postscreen is not an SMTP proxy; this is intentional. The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.

How it works

Scenario without Postscreen

A typical scenario without Postscreen, and without other anti-spam protection, suffers from a common problem: bots and zombies talk to all the smtpd listeners that Zimbra offers.

In this scenario the good connections (labelled "other" in the diagram) must wait until the bot or zombie finishes its session, which can produce a timeout error on Postfix for the good connections:

Mar 01 19:29:54 zimbrauk postfix/smtpd[24266]: timeout after RCPT from mail.example.com[60.60.60.70]

Scenario with Postscreen

In a typical scenario with Postscreen, bots and zombies talk to Postscreen, which performs all the basic checks and can deny the connection if it is clearly from a bot or zombie. If the connection is not in the temporary whitelist, Postscreen passes the email on to the local anti-spam and anti-virus engines, which accept or deny it as usual. The mail flow through Postscreen is shown in the section below.

In this scenario the good connections (labelled "other" in the diagram) pass the Postscreen checks and talk directly to the smtp daemon, which scans the email as usual with the AS/AV. All bots and zombies are rejected by default.

[Figure: Postscreen-002.png]

Postscreen workflow

The workflow for Zimbra Collaboration Postscreen is shown in the figure below.

[Figure: Postscreen-003.png]

Zimbra attributes for Postscreen

Here you can find all the new attributes for Postscreen, together with the link to the original Postfix description for each attribute.

Please note the difference between ignore, enforce and drop for the attributes that accept them:

  • ignore (default) – Ignore this result. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
  • enforce – Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
  • drop – Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

How to enable it

Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 and above; refer to the table above for the default value of each Postscreen attribute.

Quick Example configuring Postscreen

Each scenario is different, so tune the following values according to your own environment. In this example all values are set at GlobalConfig level. This is a medium/high security configuration, enforcing a few attributes instead of ignoring them; change them to drop for a higher level of security.

zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' \
    zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' \
    zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' \
    zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' \
    zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' \
    zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' \
    zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 1d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable no
zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
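To see how the DNSBL weights above combine into the "DNSBL rank" that postscreen logs and compares against zimbraMtaPostscreenDnsblThreshold, here is an added Python example (not code from the Zimbra wiki or from Postfix). It re-implements Postfix's site=pattern*weight matching for a constructed subset of the sites configured above; the DNS replies are constructed data rather than live lookups.

```python
import re

# Constructed subset of the zimbraMtaPostscreenDnsblSites values shown above.
DNSBL_SITES = [
    "b.barracudacentral.org=127.0.0.2*7",
    "zen.spamhaus.org=127.0.0.[10;11]*8",
    "zen.spamhaus.org=127.0.0.[4..7]*6",
    "zen.spamhaus.org=127.0.0.3*4",
    "zen.spamhaus.org=127.0.0.2*3",
    "list.dnswl.org=127.0.[0..255].0*-2",
]
DNSBL_THRESHOLD = 8  # zimbraMtaPostscreenDnsblThreshold from the config above
# zimbraMtaPostscreenDnsblWhitelistThreshold is 0 above, which in Postfix means
# "disabled": negative weights only offset listings, they never skip tests.


def parse_site(spec):
    """Split 'domain=pattern*weight' into (domain, octet patterns, weight)."""
    domain, _, rest = spec.partition("=")
    pattern, star, weight = rest.rpartition("*")
    if not star:  # Postfix treats a missing weight as 1
        pattern, weight = rest, "1"
    # An octet pattern is a plain number, a [a;b] list or an [a..b] range.
    return domain, re.findall(r"\[[^\]]*\]|\d+", pattern), int(weight)


def octet_matches(pattern, octet):
    """Match one octet of a DNSBL A record against a Postfix octet pattern."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, sep, hi = part.partition("..")
        if sep and int(lo) <= octet <= int(hi):
            return True
        if not sep and int(lo) == octet:
            return True
    return False


def dnsbl_rank(replies, sites=DNSBL_SITES):
    """Sum the weight of every site line hit by the client's DNS replies.
    replies maps a DNSBL domain to the A records returned for the client."""
    rank = 0
    for spec in sites:
        domain, octets, weight = parse_site(spec)
        for reply in replies.get(domain, []):
            got = [int(o) for o in reply.split(".")]
            if len(got) == len(octets) == 4 and all(map(octet_matches, octets, got)):
                rank += weight  # each site/pattern line counts at most once
                break
    return rank


def dnsbl_verdict(replies):
    """With DnsblAction enforce, rank >= threshold produces the 550 reject."""
    rank = dnsbl_rank(replies)
    return rank, "reject" if rank >= DNSBL_THRESHOLD else "continue"
```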

Testing the Zimbra Collaboration Postscreen

For example, customers might want to set up the DNSBLs first but leave the action on ignore. Postscreen then logs what it would have done without acting on it. Once you are satisfied that the results look correct, you can switch the relevant attributes to enforce or drop.

A real-world log excerpt showing the 550 reject issued by postscreen:

Mar  1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438 
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25 
Mar  1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010 
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<[email protected]>, to=<[email protected]>, proto=ESMTP, helo=<gmail.com>
Mar  1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438 

IP Whitelist and Blacklist using Postscreen

Postscreen also gives Postfix an easier way to whitelist or blacklist IPs; follow these steps:

  • Create /opt/zimbra/common/conf/postscreen_wblist
  • Add entries to it. I’ve only used it as a blacklist. IP ranges must be in CIDR format:
# Rules are evaluated in the order as specified.
# Blacklist 60.70.80.* except  60.70.80.91.
60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject
  • Set postscreen to use it:
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
  • Wait for zmconfigd to pick up the change (60 seconds at most)
  • After those 60 seconds, or after a manual restart of the MTA services, you will see something like this in the log:
Jun 29 05:16:22 edge04e postfix/postscreen[7546]: BLACKLISTED [70.70.70.100]:55699
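As an added example (not part of the original article), the following Python evaluates the postscreen_wblist above the way Postfix's first-match cidr: table does, combined with the permit_mynetworks entry that precedes it in zimbraMtaPostscreenAccessList. The client addresses and the mynetworks ranges are constructed.

```python
import ipaddress

# Constructed copy of the postscreen_wblist file shown above.
POSTSCREEN_WBLIST = """\
# Rules are evaluated in the order as specified.
# Blacklist 60.70.80.* except  60.70.80.91.
60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject
"""

# Assumed (constructed) contents of $mynetworks used by permit_mynetworks.
MYNETWORKS = ["127.0.0.0/8", "10.210.0.0/24"]


def parse_cidr_table(text):
    """Parse a Postfix cidr: table: blank lines and lines starting with '#'
    are ignored, every other line is '<network>/<prefix> <action>'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(net, strict=False), action.lower()))
    return rules


def cidr_lookup(rules, client_ip):
    """First matching rule wins; None means the table has no entry."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if ip in net:
            return action
    return None


def postscreen_access(client_ip, wblist=POSTSCREEN_WBLIST, mynetworks=MYNETWORKS):
    """Evaluate 'permit_mynetworks, cidr:postscreen_wblist' left to right.
    'permit' -> logged WHITELISTED, all further tests skipped
    'reject' -> logged BLACKLISTED, handled per zimbraMtaPostscreenBlacklistAction
    None     -> no access-list match, postscreen runs its other tests"""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in mynetworks):
        return "permit"
    return cidr_lookup(parse_cidr_table(wblist), client_ip)
```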

Quick note for the MTA in Cloud Environments

If you are using Amazon’s Elastic Load Balancer to handle SMTP traffic (including simple load-based autoscaling and load distribution across availability zones), you will need to configure the upstream proxy protocol:

zmprov mcf zimbraMtaPostscreenUpstreamProxyProtocol haproxy

Then verify that the change is being applied:

tail -f /var/log/zimbra.log
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: Fetching All configs
Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: All configs fetched in 0.08 seconds
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Watchdog: service antivirus status is OK.
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Var zimbraMtaPostscreenUpstreamProxyProtocol changed from 'None' -> 'haproxy'
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_originating.re with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/postfix_header_checks with mode 440 (0.00 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_foreign.re with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/master.cf with mode 440 (0.01 sec)
Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/mta_milter_options with mode 440 (0.00 sec)
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: All rewrite threads completed in 2.93 sec
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: controlProcess mta restart (-1)
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: CONTROL mta: bin/zmmtactl reload norewrite
Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: mta reload initiated from zmconfigd
Jun 24 17:24:36 zre-ldap004 saslauthd[20153]: server_exit     : master exited: 20153
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: detach_tty      : master pid is: 2925
Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: ipc_init        : listening on socket: /opt/zimbra/data/sasl2/state/mux
Jun 24 17:24:38 zre-ldap004 /postfix-script[2959]: refreshing the Postfix mail system
Jun 24 17:24:38 zre-ldap004 postfix/master[20304]: reload -- version 3.1.1, configuration /opt/zimbra/common/conf
Jun 24 17:24:38 zre-ldap004 zmconfigd[17944]: All restarts completed in 1.82 sec

And verify by running this command:

postconf postscreen_upstream_proxy_protocol
postscreen_upstream_proxy_protocol = haproxy

Source Article : https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen
