Postscreen for Zimbra
Postscreen Workflow
Zimbra Attributes for Postscreen
For a complete list of the new attributes for postscreen, please refer to the Zimbra Collaboration Postscreen wiki. From there you can also follow a link to the original Postfix description of each attribute.
Please note the difference between the ignore, enforce and drop values for certain attributes:
• ignore (default) - Ignore this result. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
• enforce - Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
• drop - Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
Enabling Postscreen
Zimbra postscreen is enabled by default in ZCS 8.7 or above.
For a complete list of Zimbra attributes for postscreen, refer to the Zimbra Collaboration Postscreen wiki.
Configuring Postscreen: Example
Each scenario is different, so please tune the values in this example for your own environment. In this example, all values are set at the GlobalConfig level. The resulting protection level is medium/high: a few attributes are set to enforce instead of ignore, for a higher level of security.
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' \
  zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' \
  zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' \
  zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 1d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable no
zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
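To see how the weighted zimbraMtaPostscreenDnsblSites entries combine against zimbraMtaPostscreenDnsblThreshold 8, the following added example (not part of the whitepaper or of Zimbra/Postfix code) parses the domain=filter*weight entries above and scores a client from its DNSBL replies. The function names are hypothetical and the replies passed in are constructed test data; the scoring follows the Postfix rule that each entry's weight is applied at most once.

```python
import re

# postscreen_dnsbl_sites entries copied from the zmprov command in the example above.
SITES = """
b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4 list.dnswl.org=127.0.[0..255].3*-5
bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4
wl.mailspike.net=127.0.0.[18;19;20]*-2 dnsbl.sorbs.net=127.0.0.10*8
dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
""".split()
THRESHOLD = 8  # zimbraMtaPostscreenDnsblThreshold from the example above


def parse_entry(entry):
    """Split 'domain=filter*weight' into (domain, filter or None, weight)."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
    if not m:
        raise ValueError(f"malformed entry: {entry!r}")
    return m.group(1), m.group(2), int(m.group(3) or 1)  # default weight is 1


def octet_matches(pattern, value):
    """Match one reply octet against 'n' or a '[n;a..b;...]' pattern."""
    ranges = (p.partition("..") for p in pattern.strip("[]").split(";"))
    return any(int(lo) <= value <= int(hi or lo) for lo, _, hi in ranges)


def reply_matches(filt, reply):
    if filt is None:  # no filter: any non-error reply counts
        return True
    # Tokenise per octet; '..' inside [] is a range, not an octet separator.
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)
    octs = [int(o) for o in reply.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octs))


def dnsbl_score(replies):
    """replies: {dnsbl_domain: [A-record replies]} -> combined score."""
    return sum(w for d, f, w in map(parse_entry, SITES)
               if any(reply_matches(f, r) for r in replies.get(d, [])))


def fails_dnsbl_test(replies):
    """True when the score reaches the (inclusive) blocking threshold."""
    return dnsbl_score(replies) >= THRESHOLD
```

With zimbraMtaPostscreenDnsblAction enforce, a client for which fails_dnsbl_test returns True is the one that receives the 550 reply described earlier.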