Starting with Zimbra Collaboration 8.7 and above, Zimbra introduces Postscreen like an additional Anti-SPAM strategy. Zimbra Postscreen provides additional protection against mail server overload.
Zimbra Collaboration Postscreen is not an SMTP proxy; this is intentional. The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.
How it works
Scenario without Postscreen
A typical scenario without Postscreen, and without other Anti-SPAM security, will suffer of this common Problem, where bot and zombies talks with all the smtpd listeners that Zimbra is offering.
In this scenario, the good connections, or called other in this diagram, must wait until the bot or zombie finishes the communication, which sometimes can create a Timeout Error on Postfix for the good connections:
Mar 01 19:29:54 zimbrauk postfix/smtpd[24266]: timeout after RCPT from mail.example.com[60.60.60.70]

Scenario with Postscreen
A typical scenario with Postscreen, where bot and zombies talks with Postscreen, who do all the basic checks, and who can deny the connection if the message is clearly from a bot or zombie, if the connection is not in the temporary whitelist, Postscreen will pass the Email to the local Anti-SPAM and Anti-Virus engines, who can accept it or deny it as usual. You can see how is the Mail Flow in Postscreen on the section below.
In this scenario, the good connections, or called other in this diagram, pass the Postscreen security and talks directly with the smtp daemon, who will scan the Email as usual with the AS/AV. All the bot or zombie are rejected by default.

Postscreen workflow
See attached the workflow for Zimbra Collaboration Postscreen

Zimbra attributes for Postscreen
Here you can find all the new attributes for Postscreen, and the link to the original Postfix description help per attribute.
Please note the difference between the ignore, enforce and drop for certain attributes:
- ignore (default) – Ignore this result. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce – Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop – Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
How to enable it
Zimbra Collaboration Postscreen comes enabled by default in ZCS 8.7 or above, take a look to the previous Table where find all the defaults values per each Postscreen attribute.
Quick Example configuring Postscreen
Each scenario can be different, so please tune the next values according to your own Environment, in this case all values are set at GlobalConfig level: This configuration is medium/high level, enforcing a few attributes instead of ignore, change them to drop for higher level of security
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore zmprov mcf zimbraMtaPostscreenBareNewlineEnable no zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d zmprov mcf zimbraMtaPostscreenBlacklistAction ignore zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d zmprov mcf zimbraMtaPostscreenCommandCountLimit 20 zmprov mcf zimbraMtaPostscreenDnsblAction enforce zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2' zmprov mcf zimbraMtaPostscreenDnsblTTL 5m zmprov mcf zimbraMtaPostscreenDnsblThreshold 8 zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0 zmprov mcf zimbraMtaPostscreenGreetAction enforce zmprov mcf zimbraMtaPostscreenGreetTTL 1d zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d zmprov mcf zimbraMtaPostscreenPipeliningAction enforce zmprov mcf zimbraMtaPostscreenPipeliningEnable no zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
Testing the Zimbra Collaboration Postscreen
Customers might want to set up the DNSBLs first, for example, but leave it on ignore. Postscreen will log what it would have done, but not do anything. Once you are satisfied it looks correct, then you can set values to enforce or drop in certain cases.
A real-world log example where you can see the error 550 from postscreen:
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438 Mar 1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25 Mar 1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010 Mar 1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=, to= , proto=ESMTP, helo= Mar 1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438
IP Whitelist and Blacklist using Postscreen
You can use now Postfix to whitelist or Blacklist IPs in an easier way by following the next steps:
- Create /opt/zimbra/common/conf/postscreen_wblist
- Add entries to it. I’ve only used it as a blacklist. The IP range should be on CIDR format:
# Rules are evaluated in the order as specified. # Blacklist 60.70.80.* except 60.70.80.91. 60.70.80.91/32 permit 60.70.80.0/24 reject 70.70.70.0/24 reject
- Set postscreen to use it:
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist" zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
- Wait for zmconfigd to pick up the change (60 seconds top)
- After the 60 seconds, or a manual restart of the MTA services, you will see something like this on the Log:
Jun 29 05:16:22 edge04e postfix/postscreen[7546]: BLACKLISTED [70.70.70.100]:55699
Quick note on for MTA on Cloud Environments
If you are using Amazon’s Elastic Load Balancer for handling SMTP traffic include simple load-based autoscaling, load distribution that’s aware of distribution across availability zones, you will need to configure the
zmprov mcf zimbraMtaPostscreenUpstreamProxyProtocol haproxy
And then, verify the change it’s in progress:
tail -f /var/log/zimbra.log Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: Fetching All configs Jun 24 17:24:29 zre-ldap004 zmconfigd[17944]: All configs fetched in 0.08 seconds Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Watchdog: service antivirus status is OK. Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Var zimbraMtaPostscreenUpstreamProxyProtocol changed from 'None' -> 'haproxy' Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_originating.re with mode 440 (0.01 sec) Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/postfix_header_checks with mode 440 (0.00 sec) Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/tag_as_foreign.re with mode 440 (0.01 sec) Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/common/conf/master.cf with mode 440 (0.01 sec) Jun 24 17:24:33 zre-ldap004 zmconfigd[17944]: Rewrote: /opt/zimbra/conf/mta_milter_options with mode 440 (0.00 sec) Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: All rewrite threads completed in 2.93 sec Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: controlProcess mta restart (-1) Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: CONTROL mta: bin/zmmtactl reload norewrite Jun 24 17:24:36 zre-ldap004 zmconfigd[17944]: mta reload initiated from zmconfigd Jun 24 17:24:36 zre-ldap004 saslauthd[20153]: server_exit : master exited: 20153 Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: detach_tty : master pid is: 2925 Jun 24 17:24:37 zre-ldap004 saslauthd[2925]: ipc_init : listening on socket: /opt/zimbra/data/sasl2/state/mux Jun 24 17:24:38 zre-ldap004 /postfix-script[2959]: refreshing the Postfix mail system Jun 24 17:24:38 zre-ldap004 postfix/master[20304]: reload -- version 3.1.1, configuration /opt/zimbra/common/conf Jun 24 17:24:38 zre-ldap004 zmconfigd[17944]: All restarts completed in 1.82 sec
And verify by running this command:
postconf postscreen_upstream_proxy_protocol postscreen_upstream_proxy_protocol = haproxy
Source Article : https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen