Enterprise Security black, white and gray lists

Zimbra includes a spam filter that reliably protects your company’s mail from infected messages and from messages unrelated to business correspondence. We have seen how to manage it on the user side in the article “Zimbra User Guide: Managing SPAM”, as well as how to set up more comprehensive protection as a system administrator. But what should you do when your company is the target of a deliberate attack: socially engineered emails, messages sent from compromised trusted mailboxes, or even a DoS attack on the mail server? In these cases, creating white, black and even gray lists can be the solution.

Blacklist

A blacklist reliably protects against the kind of attack in which attackers take control of the mailbox of a trusted counterparty of your organization and start sending infected Excel files or archives from it, supposedly containing new account details, invoices, and so on. If you add the counterparty’s address to the blacklist in time, the attackers’ efforts come to nothing. You can learn more in the article “Zimbra Black List and White List”.

How it works

Black and white lists in Zimbra can be maintained at two levels. For example, a ban on receiving mail from a sender can be set in Amavis, the content filter built into the Zimbra Collaboration Suite that is responsible for filtering mail. Besides separating business emails from spam on various indirect signals, Amavis also passes emails to the SpamAssassin spam filter and the ClamAV antivirus for analysis.

Amavis

In Amavis, you can add not only individual mailboxes and entire domains to the white and black lists, but also individual IP addresses and even entire subnets. To block or allow a mailbox or domain, first create the whitelist and/or blacklist files in the /opt/zimbra/conf/ folder, then add the mail addresses or domains you want to allow or block to them, one per line:

cat /opt/zimbra/conf/whitelist
ceo@partnerdomain.com
partnerdomain.org

cat /opt/zimbra/conf/blacklist
spamuser@spamdomain.com
spamdomain.org

After that, add two lines to the /opt/zimbra/conf/amavisd.conf.in file that tell Amavis to read the files we created:

read_hash(\%whitelist_sender, '/opt/zimbra/conf/whitelist');
read_hash(\%blacklist_sender, '/opt/zimbra/conf/blacklist');

After saving all the changes, you need to restart Amavis:

su - zimbra -c "zmamavisdctl restart"
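As an added example (not code from the article or from Zimbra), a POSIX shell helper that sanity-checks the two list files above and appends the read_hash rules to amavisd.conf.in only once, so it is safe to re-run. The file paths are the article’s; the address pattern is a pragmatic syntax check I chose, not a full RFC 5322 validator.

```shell
#!/bin/sh
# Added example, not code from the article or from Zimbra.
# Sanity-checks the Amavis whitelist/blacklist files and appends the two
# read_hash rules to amavisd.conf.in only if they are not already there.
# Paths are the ones the article uses; pass others to test on copies.

# Accept a bare domain (partnerdomain.org) or a full address
# (ceo@partnerdomain.com). This is a pragmatic syntax check, not RFC 5322.
valid_list_entry() {
    case "$1" in
        *@*) printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$' ;;
        *)   printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$' ;;
    esac
}

# Report every invalid non-empty, non-comment line of list file $1 on stderr.
# Returns 1 if any line is invalid, so a typo is caught before Amavis
# quietly loads an entry that will never match a real sender.
check_list_file() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in ''|'#'*) continue ;; esac
        if ! valid_list_entry "$_line"; then
            echo "invalid entry in $1: $_line" >&2
            _bad=1
        fi
    done < "$1"
    return $_bad
}

# Append read_hash(\%<hash>, '<file>'); to config $1 unless already present.
# $2 = whitelist_sender or blacklist_sender, $3 = list file path
ensure_read_hash() {
    _rule="read_hash(\\%$2, '$3');"
    grep -qF -- "$_rule" "$1" || printf '%s\n' "$_rule" >> "$1"
}

# Typical use, as the article describes (run with write access to the files):
install_lists() {
    check_list_file /opt/zimbra/conf/whitelist || return 1
    check_list_file /opt/zimbra/conf/blacklist || return 1
    ensure_read_hash /opt/zimbra/conf/amavisd.conf.in whitelist_sender /opt/zimbra/conf/whitelist
    ensure_read_hash /opt/zimbra/conf/amavisd.conf.in blacklist_sender /opt/zimbra/conf/blacklist
}
```

After install_lists succeeds, restart Amavis as the article shows so the new hashes are loaded.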

If you have trusted networks, for example the enterprise’s local area network or the subnet of a remote branch, for which you would like to disable anti-virus and anti-spam checks, Amavis can help you with that too. First, enable the bypass of checks for selected IP addresses and subnets, which is disabled by default, with the following command, and then restart Amavis and the related services:

zmprov mcf zimbraAmavisOriginatingBypassSA TRUE
zmantispamctl restart
zmantivirusctl restart
zmamavisdctl restart


Adding to the list of trusted subnets is done using the following command:

zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 10.0.0.0/8 192.168.1.0/22'


You can check the current list of trusted networks using the following commands:

postconf mynetworks
zmprov gs `zmhostname` zimbraMtaMyNetworks


You can also block IP addresses in Zimbra at the Postfix level. This method is well suited to protecting the server from DoS attacks. For detailed instructions on how it works, read the article “Zimbra Black List and White List”.

Gray List

A separate topic is the so-called “gray list”. It is usually used to protect against automated spam, but it can also help against malicious emails sent from a trusted counterparty’s mailbox that has been hijacked by cybercriminals. Its principle of operation is that a message from a sender is not accepted the first time: the sending server receives a temporary-unavailability response instead. The logic is that a legitimate sender that deliberately sends a message to the server will retry, whereas automated mailing software will not attempt to send it again.
Greylisting in Zimbra is possible thanks to the Postgrey daemon from the Postfix authors. It is available in the official distribution repositories and can be installed with the standard package tools.

A Greylisting Example

In Ubuntu, for example, the daemon is started by the command

/etc/init.d/postgrey start 

After that it listens on port 60000, and all that remains is to configure Postfix to use it. To do this, open the following file in your editor:

/opt/zimbra/conf/postfix_recipient_restrictions.cf 

Then add the line

check_policy_service inet:127.0.0.1:60000

before each line starting with ‘%%’.

After that, all that remains is to reload Postfix with the postfix reload command.
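As an added example (not code from the article or from Zimbra), a POSIX shell function that performs the edit described above with awk: it inserts the check_policy_service line before every line starting with ‘%%’ in postfix_recipient_restrictions.cf, skips lines that already have it so re-running is safe, and a second function reports how many ‘%%’ lines still lack it. The path and port are the article’s; the sample lines in demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from Zimbra.
# Inserts the Postgrey policy check before every line that starts with '%%'
# in postfix_recipient_restrictions.cf, exactly once, so it is safe to re-run.
# Path and port are the ones the article uses.

CF=/opt/zimbra/conf/postfix_recipient_restrictions.cf
POLICY='check_policy_service inet:127.0.0.1:60000'

# Count the '%%' lines in $1 that are not yet preceded by the policy line.
missing_checks() {
    awk -v policy="$POLICY" '
        /^%%/ && prev != policy { n++ }
        { prev = $0 }
        END { print n + 0 }
    ' "$1"
}

# Rewrite $1 in place, adding the policy line wherever missing_checks()
# would count a gap. Writing through cat keeps the file's owner and mode.
add_postgrey_check() {
    _tmp=$(mktemp) || return 1
    awk -v policy="$POLICY" '
        /^%%/ && prev != policy { print policy }
        { print; prev = $0 }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Stand-alone demo on a constructed file; the real $CF is left untouched.
demo() {
    _f=$(mktemp)
    printf '%s\n' 'permit_mynetworks' \
        '%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%' \
        'reject_unauth_destination' \
        '%%contains VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%' > "$_f"
    echo "missing before: $(missing_checks "$_f")"   # 2
    add_postgrey_check "$_f"
    add_postgrey_check "$_f"                          # second run changes nothing
    echo "missing after:  $(missing_checks "$_f")"   # 0
    cat "$_f"
    rm -f "$_f"
}
```

Call demo to see the effect on the constructed sample, or add_postgrey_check "$CF" with write access to the real file, then run postfix reload as the article says.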

Technical writer at Zextras. Linux and technology enthusiast. He describes himself as an atypical and polyhedric IT expert, thanks to a creative and open minded attitude, and to the experience gained over time as an IT technician, system engineer and developer.
