How To Use Zimbra Postscreen? | Zimbra

Alert! This article is written for Zimbra OSE users. As of December 2023, Synacor will no longer be providing support for Zimbra OSE. You might want to consider trying out Carbonio Community Edition – Zextras’s free and open-source email and collaboration platform.

For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.

In this article, you will learn about using and configuring Zimbra Postscreen.

Zimbra Postscreen

Zimbra Postscreen is an anti-bot/DoS feature introduced in Zimbra 8.7. It tackles mail server overload by keeping spambots away, which makes more SMTP processes available for legitimate clients. The Postscreen process handles multiple inbound SMTP connections and decides which clients can talk to a Postfix SMTP server process.

Zimbra Postscreen is enabled by default on Zimbra 8.7 and above. The only thing you need to do is change the default values of its attributes to suit your environment.

Zimbra Postscreen Configuration

To configure Zimbra Postscreen, you need to know its attributes and their default values, which are shown below.

| Name | Default value | Options |
|---|---|---|
| zimbraMtaPostscreenAccessList | permit_mynetworks | |
| zimbraMtaPostscreenBareNewlineAction | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenBareNewlineEnable | no | yes,no |
| zimbraMtaPostscreenBareNewlineTTL | 30d | |
| zimbraMtaPostscreenBlacklistAction | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenCacheCleanupInterval | 12h | |
| zimbraMtaPostscreenCacheRetentionTime | 7d | |
| zimbraMtaPostscreenCommandCountLimit | 20 | |
| zimbraMtaPostscreenDnsblAction | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenDnsblSites | | |
| zimbraMtaPostscreenDnsblThreshold | 1 | |
| zimbraMtaPostscreenDnsblTTL | 1h | |
| zimbraMtaPostscreenDnsblWhitelistThreshold | 0 | |
| zimbraMtaPostscreenGreetAction | ignore | ignore,enforce,drop |
| zimbraMtaPostscreenGreetTTL | 1d | |
| zimbraMtaPostscreenNonSmtpCommandAction | drop | ignore,enforce,drop |
| zimbraMtaPostscreenNonSmtpCommandEnable | no | yes,no |
| zimbraMtaPostscreenNonSmtpCommandTTL | 30d | |
| zimbraMtaPostscreenPipeliningAction | enforce | ignore,enforce,drop |
| zimbraMtaPostscreenPipeliningEnable | no | yes,no |
| zimbraMtaPostscreenPipeliningTTL | 30d | |
| zimbraMtaPostscreenWatchdogTimeout | 10s | |
| zimbraMtaPostscreenWhitelistInterfaces | static:all | |
| zimbraMtaPostscreenDnsblMinTTL | tbd | 60s |
| zimbraMtaPostscreenDnsblMaxTTL | tbd | tbd |
| zimbraMtaPostscreenUpstreamProxyProtocol | | |

To understand each Postscreen attribute and its usage see Postscreen Attributes Explained.

Value Explanation

Use Zimbra CLI attributes to set parameters for Postscreen operations. For any attribute that accepts the ignore, enforce, or drop instruction, use this guideline:

  • ignore – Other tests are allowed to complete, and this test is repeated the next time the client connects. This is useful when you want to test and collect statistics without blocking email.
  • enforce – Other tests are allowed to complete, then any attempt to deliver email is rejected with a 550 SMTP reply and the helo/sender/recipient information is logged. This test is repeated the next time the client connects.
  • drop – The connection is dropped with a 521 SMTP reply, and this test is repeated the next time the client connects.

For example,

zmprov mcf zimbraMtaPostscreenBlacklistAction drop

sets the zimbraMtaPostscreenBlacklistAction attribute to drop.

You can think of Zimbra Postscreen as an inbound email firewall. For more details, see the Zimbra wiki Postscreen page, which also provides an example Postscreen configuration, although it might not be the best configuration. In our example we configure these five attributes, each of which is explained below: zimbraMtaPostscreenDnsblAction, zimbraMtaPostscreenDnsblSites, zimbraMtaPostscreenDnsblThreshold, zimbraMtaPostscreenDnsblTTL, and zimbraMtaPostscreenGreetAction.

Example Attribute Explanation

These are the descriptions of our example attributes. To learn about the other attributes, see our article Postscreen Attributes Explained or read the Postfix PostScreen Reference page.

zimbraMtaPostscreenDnsblSites

An optional list of DNS white/blacklist domains, filters, and weight factors. When the list is non-empty, the dnsblog daemon will query these domains with the IP addresses of remote SMTP clients, and postscreen will update an SMTP client’s DNSBL score with each non-error reply. When a client’s score is equal to or greater than the threshold specified with postscreen_dnsbl_threshold, postscreen can drop the connection with the remote SMTP client. Specify a list of domain=filter*weight entries, separated by comma or whitespace.

When no =filter is specified, postscreen will use any non-error DNSBL reply. Otherwise, postscreen uses only DNSBL replies that match the filter. The filter has the form d.d.d.d, where each d is a number or a pattern inside [] that contains one or more “;”-separated numbers or number..number ranges.

When no *weight is specified, postscreen increments the remote SMTP client’s DNSBL score by 1. Otherwise, the weight must be an integral number, and postscreen adds the specified weight to the remote SMTP client’s DNSBL score. Specify a negative number for whitelisting.

When one postscreen_dnsbl_sites entry produces multiple DNSBL responses, postscreen applies the weight at most once.

For example, to use example.com as a high-confidence blocklist, and to block mail with example.net and example.org only when both agree:

postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com*2, example.net, example.org

To filter only DNSBL replies containing 127.0.0.4:

postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com=127.0.0.4

zimbraMtaPostscreenDnsblSites can be configured as simply as shown below, using only the free list provided by Barracuda Central, by running this as a Zimbra user

zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7'

or alternatively, it can be configured as aggressively as the Zimbra wiki Postscreen page suggests, by opening an interactive shell as a Zimbra user

zmprov

and entering these configurations

modifyConfig zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5'
modifyConfig +zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5'
modifyConfig +zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4'
modifyConfig +zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'

zimbraMtaPostscreenDnsblAction

The action that postscreen is to take when a remote SMTP client’s combined DNSBL score is equal to or greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters), as either ignore (default), enforce, or drop.

We set it to enforce by running this as a Zimbra user

zmprov mcf zimbraMtaPostscreenDnsblAction enforce

zimbraMtaPostscreenDnsblThreshold

The inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. The default value is 1; we set it to 8 by running this as a Zimbra user

zmprov mcf zimbraMtaPostscreenDnsblThreshold 8

zimbraMtaPostscreenDnsblTTL

The amount of time that postscreen may use the result of a successful DNS-based reputation test before a client IP address is required to pass that test again. Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default value is 1h; we set it to 5m by running this as a Zimbra user

zmprov mcf zimbraMtaPostscreenDnsblTTL 5m

zimbraMtaPostscreenGreetAction

The action that postscreen is to take when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter, as either ignore (default), enforce, or drop. We set it to enforce by running this as a Zimbra user

zmprov mcf zimbraMtaPostscreenGreetAction enforce

Testing Postscreen

To test Postscreen, you can view its results without taking any action. To do so, set the relevant Postscreen attributes to ignore, which instructs Postscreen to log email connections without acting on them. Check the results until you are happy with them, then set the Postscreen values to enforce or drop, as required.

This is an example of the results of a test session showing a 550 blocked error from Postscreen

Mar 1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com>
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438
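
One way to review such a test session before switching from ignore to enforce or drop: the Python below summarises postscreen log lines per client and lists which clients would meet a candidate threshold. It is an added example, not part of the article; the function names are hypothetical, the first five sample lines are the session shown above and the last two are constructed, and it assumes the log holds a "DNSBL rank" line for each client under review.

```python
import re
from collections import defaultdict

# First five lines are the test session shown above; the last two are constructed.
LOG = """\
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com>
Mar 1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438
Mar 1 02:04:10 edge01 postfix/postscreen[23154]: DNSBL rank 3 for [192.0.2.15]:40112
Mar 1 02:04:55 edge01 postfix/postscreen[23154]: DNSBL rank 7 for [198.51.100.9]:51544
"""

RANK = re.compile(r"postscreen\[\d+\]: DNSBL rank (-?\d+) for \[([^\]]+)\]:\d+")
REJECT = re.compile(r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[([^\]]+)\]:\d+: "
                    r"(\d{3}) .*?blocked using ([^;\s]+);")
PASSED = re.compile(r"postscreen\[\d+\]: WHITELISTED \[([^\]]+)\]:\d+")

def summarize(log_text):
    """Per-client view of a log: highest DNSBL rank, reject reply and list, whitelist hit."""
    clients = defaultdict(
        lambda: {"rank": 0, "reply": None, "list": None, "whitelisted": False})
    for line in log_text.splitlines():
        if m := RANK.search(line):
            client = clients[m.group(2)]
            client["rank"] = max(client["rank"], int(m.group(1)))
        elif m := REJECT.search(line):
            clients[m.group(1)].update(reply=int(m.group(2)), list=m.group(3))
        elif m := PASSED.search(line):
            clients[m.group(1)]["whitelisted"] = True
    return dict(clients)

def over_threshold(summary, threshold):
    """Clients whose logged rank meets a candidate zimbraMtaPostscreenDnsblThreshold."""
    return sorted(ip for ip, c in summary.items()
                  if c["rank"] >= threshold and not c["whitelisted"])
```

Running `over_threshold(summarize(LOG), 8)` against the sample leaves only 112.90.37.251, while a threshold of 1 would also catch the two constructed low-rank clients.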

How To White-list and Black-list IPs

To add IP addresses to a white-list or a black-list, first create a file in /opt/zimbra/common/conf/ by running

touch /opt/zimbra/common/conf/postscreen_wblist

then add the IP addresses and the value indicating what to do with that IP. For example,

60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject

As you can see, each IP address should be in CIDR format (a compact representation of an IP address and its associated network mask). For example, 192.168.100.14/24 represents the IPv4 address 192.168.100.14 and its associated network prefix 192.168.100.0, or equivalently, its subnet mask 255.255.255.0.

After saving the file, tell postscreen to use it by running

zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce

Then restart the MTA services.
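
A pre-flight check for the postscreen_wblist file, written in Python as an added example that is not part of the article. The function names are hypothetical. It assumes first-match-wins lookup in file order, as in Postfix CIDR tables, and flags any pattern whose host bits are set (192.168.100.14/24 should be written 192.168.100.0/24 in the file); the fourth sample line is constructed to show that.

```python
import ipaddress

# First three rules are the article's example file; the fourth is a constructed mistake.
WBLIST = """\
60.70.80.91/32 permit
60.70.80.0/24 reject
70.70.70.0/24 reject
192.168.100.14/24 reject
"""
ACTIONS = {"permit", "reject", "dunno"}   # results postscreen accepts in its access list

def load_rules(text):
    """Return (rules, problems); rules keep file order because the first match wins."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            pattern, action = line.split()
            # strict=True rejects patterns with host bits set, e.g. 192.168.100.14/24
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            problems.append((lineno, line, str(exc)))
            continue
        if action not in ACTIONS:
            problems.append((lineno, line, f"unknown action {action!r}"))
            continue
        rules.append((net, action))
    return rules, problems

def lookup(rules, client_ip):
    """Action of the first rule containing client_ip, or None when nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr in net:
            return action
    return None
```

Order matters here: with the /32 permit listed before the /24 reject, 60.70.80.91 is permitted while the rest of 60.70.80.0/24 is rejected; reversing the two lines would reject it as well.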
