Tuesday, March 18, 2014

zimbra whitelist

Add zimbra whitelist

Reference: wiki.zimbra.com


PLEASE NOTE:
WHITELISTING A SPECIFIC IP ADDRESS OR HOSTNAME CAN INCREASE SPAM EMAILS IF THE CLIENT MACHINE (IP) THAT YOU WHITELIST IS INFECTED BY A VIRUS. ALSO, IF THE WHITELISTED IP/HOSTNAME IS ALREADY BLACKLISTED, THE BLACKLIST RULES WILL BE CONSIDERED FIRST.

Workaround1: whitelist specific user/complete domain
Edit the SpamAssassin config file "/opt/zimbra/conf/salocal.cf.in" and add the lines below to the end of the file to whitelist a complete domain or a specific user.
whitelist_from *@domain.com 
whitelist_from user@domain.com 
After the above changes, restart the zmmtactl and zmamavisdctl services and test the issue.
zmmtactl restart && zmamavisdctl restart
Workaround2: Whitelist IP Addresses/Hostnames while using RBL restrictions
Example:
[zimbra@zcs ~]$ vi /opt/zimbra/conf/postfix_rbl_override
[zimbra@zcs ~]$ cat /opt/zimbra/conf/postfix_rbl_override --> add the IPs/hostnames you want to whitelist to this file
10.137.27.80 OK
10.137.27.88 OK
zcs711.us.zimbralab.com OK
zcs714.us.zimbralab.com OK
[zimbra@zcs ~]$ postmap /opt/zimbra/conf/postfix_rbl_override
[zimbra@zcs ~]$ vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
[zimbra@zcs ~]$ cat /opt/zimbra/conf/postfix_recipient_restrictions.cf
%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:127.0.0.1:10031%%
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
reject_unlisted_recipient
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
permit
[zimbra@zcs ~]$ zmmtactl restart
Rewriting configuration files...done.
postfix/postfix-script: refreshing the Postfix mail system
Stopping saslauthd...done.
Starting saslauthd...done.
[zimbra@zcs ~]$
Workaround3: Whitelist Hostname/IP addresses without restarting any services
[root@v01 ~]# mkdir /etc/zimbra_custom --> create a directory inside /etc
[root@v01 ~]# chown zimbra:zimbra /etc/zimbra_custom --> change user and group ownership to zimbra
[root@v01 ~]# ls -ld /etc/zimbra_custom/
drwxr-xr-x 2 zimbra zimbra 4096 Jan 26 18:23 /etc/zimbra_custom/
[root@v01 ~]# su - zimbra --> switch to zimbra 
[zimbra@v01 ~]$ touch /etc/zimbra_custom/test_whitelist --> create a file
[zimbra@v01 ~]$ nano /etc/zimbra_custom/test_whitelist --> add the list of domains or specific users that you want to whitelist
[zimbra@v01 ~]$ cat /etc/zimbra_custom/test_whitelist
v01.vinay.com OK
10.112.233.180 OK
[zimbra@v01 ~]$ /opt/zimbra/postfix/sbin/postmap /etc/zimbra_custom/test_whitelist --> create a hash file using zimbra postmap
[zimbra@v01 ~]$ ls -l /etc/zimbra_custom/
total 12
-rw-r----- 1 zimbra zimbra 18 Jan 26 18:24 test_whitelist
-rw-r----- 1 zimbra zimbra 12288 Jan 26 18:24 test_whitelist.db --> .db file will be created
[zimbra@v01 ~]$
[zimbra@v01 ~]$ postconf |grep smtpd_recipient_restrictions --> check the current recipient restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
[zimbra@v01 ~]$ postconf -e smtpd_recipient_restrictions="reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, check_sender_access hash:/etc/zimbra_custom/test_whitelist, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit" --> add the hash file to the current recipient restrictions
[zimbra@v01 ~]$ postconf |grep smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, check_sender_access hash:/etc/zimbra_custom/test_whitelist, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
[zimbra@v01 ~]$
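
Where the access map sits in the restriction list decides what Workarounds 2 and 3 actually do. The script below is an added example, not part of the original post or the Zimbra wiki: it checks that the map comes after reject_unauth_destination and before any reject_rbl_client, and reports when the list uses check_sender_access, which matches the envelope sender rather than the connecting client. It assumes relay control lives in this list, as in the postconf output above; the function names, the finding labels and rbl.example.invalid are made up for the example.

```shell
#!/bin/sh
# Order lint for a Postfix smtpd_recipient_restrictions list (added example).
# Accepts comma- or newline-separated input, Zimbra %% template lines included.

# Print the 1-based index of the first restriction containing word $2, else 0.
first_pos() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v '^[[:space:]]*$' |
        awk -v want="$2" '
            { for (i = 1; i <= NF; i++) if ($i == want) { print NR; hit = 1; exit } }
            END { if (!hit) print 0 }'
}

# Print space-separated findings, or "OK" when the ordering is sound.
lint_restrictions() {
    relay=$(first_pos "$1" reject_unauth_destination)
    client=$(first_pos "$1" check_client_access)
    sender=$(first_pos "$1" check_sender_access)
    rbl=$(first_pos "$1" reject_rbl_client)
    out=""
    for pos in "$client" "$sender"; do
        # An OK from a map ahead of reject_unauth_destination skips the relay check.
        if [ "$pos" -gt 0 ] && { [ "$relay" -eq 0 ] || [ "$pos" -lt "$relay" ]; }; then
            out="RELAY_RISK"; break
        fi
    done
    # The override map only helps if it is consulted before the RBL lookups.
    if [ "$client" -gt 0 ] && [ "$rbl" -gt 0 ] && [ "$client" -gt "$rbl" ]; then
        out="${out:+$out }RBL_BEFORE_WHITELIST"
    fi
    # check_sender_access keys on MAIL FROM, which the remote side chooses.
    if [ "$sender" -gt 0 ]; then out="${out:+$out }SENDER_KEYED"; fi
    echo "${out:-OK}"
}

# Workaround 2 ordering from the post (abridged to the relevant lines).
W2='permit_mynetworks
reject_unauth_destination
check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
permit'
# Workaround 3 ordering from the post (abridged).
W3='permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, check_sender_access hash:/etc/zimbra_custom/test_whitelist, permit'
# Constructed bad ordering; rbl.example.invalid is a placeholder zone.
BAD='reject_rbl_client rbl.example.invalid, check_client_access hash:/opt/zimbra/conf/postfix_rbl_override, reject_unauth_destination, permit'

printf 'W2:  %s\n' "$(lint_restrictions "$W2")"
printf 'W3:  %s\n' "$(lint_restrictions "$W3")"
printf 'BAD: %s\n' "$(lint_restrictions "$BAD")"
```

A SENDER_KEYED finding means the IP entries in the map are never compared with the client address, and hostname entries match any message whose envelope sender claims that domain.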


Note: None of the 3 workarounds will survive upgrades; take a backup of the above changes and redo the same changes after the upgrade.
