In this article, you will learn about using and configuring Zimbra Postscreen.
Zimbra Postscreen is an anti-bot/DoS feature introduced in Zimbra 8.7. It tackles mail server overload by keeping spambots away, which leaves more SMTP processes available for legitimate clients. The Zimbra Postscreen process handles multiple inbound SMTP connections and decides which clients can talk to a Postfix SMTP server process.
Zimbra Postscreen is enabled by default on Zimbra 8.7 and above. The only thing you need to do is change the default values of its attributes to suit your environment.
Zimbra Postscreen Configuration
In order to configure your Zimbra Postscreen, you need to know its attributes and their default values which are shown below.
To understand each Postscreen attribute and its usage see Postscreen Attributes Explained.
Use Zimbra CLI attributes to set parameters for Postscreen operations. For any attribute that accepts the ignore, enforce, or drop instruction, use this guideline:
- ignore – Useful when you want to test and collect statistics without blocking any email. Other tests are allowed to complete, and this test is repeated when the client connects again.
- enforce – Other tests are allowed to complete, then any attempt to deliver email is rejected with a 550 SMTP reply and the helo/sender/recipient information is logged. This test is repeated when the client connects again.
- drop – The connection is dropped with a 521 SMTP reply, and this test is repeated when the client connects again.
For example, to set the zimbraMtaPostscreenBlacklistAction attribute to drop:
zmprov mcf zimbraMtaPostscreenBlacklistAction drop
You can think of Zimbra Postscreen as an inbound email firewall. For more details, see the Postscreen page on the Zimbra wiki; it also provides an example Postscreen configuration, although it might not be the best configuration. In our example we configure these five attributes, each of which is explained below: zimbraMtaPostscreenDnsblSites, zimbraMtaPostscreenDnsblAction, zimbraMtaPostscreenDnsblThreshold, zimbraMtaPostscreenDnsblTTL and zimbraMtaPostscreenGreetAction.
Example Attribute Explanation
An optional list of DNS white/blacklist domains, filters, and weight factors. When the list is non-empty, the dnsblog daemon queries these domains with the IP addresses of remote SMTP clients, and postscreen updates an SMTP client’s DNSBL score with each non-error reply. When a client’s score is equal to or greater than the threshold specified with postscreen_dnsbl_threshold, postscreen can drop the connection with the remote SMTP client. Specify a list of domain=filter*weight entries, separated by comma or whitespace.
When no =filter is specified, postscreen uses any non-error DNSBL reply. Otherwise, postscreen uses only DNSBL replies that match the filter. The filter has the form d.d.d.d, where each d is a number or a pattern inside [] that contains one or more “;”-separated numbers or number..number ranges.
When no *weight is specified, postscreen increments the remote SMTP client’s DNSBL score by 1. Otherwise, the weight must be an integral number, and postscreen adds the specified weight to the remote SMTP client’s DNSBL score. Specify a negative number for whitelisting.
When one postscreen_dnsbl_sites entry produces multiple DNSBL responses, postscreen applies the weight at most once.
For example, to use example.com as a high-confidence blocklist, and to block mail with example.net and example.org only when both agree:
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com*2, example.net, example.org
To filter only DNSBL replies containing 127.0.0.4:
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com=127.0.0.4
zimbraMtaPostscreenDnsblSites can be configured as simply as below, using only the free list provided by Barracuda Central, by running this as a Zimbra user
zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7'
Alternatively, it can be configured as aggressively as the Zimbra wiki Postscreen page suggests, by opening an interactive zmprov shell as a Zimbra user and entering these commands
modifyConfig zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4'
modifyConfig +zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4'
modifyConfig +zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5'
modifyConfig +zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5'
modifyConfig +zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4'
modifyConfig +zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2'
modifyConfig +zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
The action that postscreen is to take when a remote SMTP client’s combined DNSBL score is equal to or greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters), as either ignore (default), enforce, or drop.
We set it to enforce by running this as a Zimbra user
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
The inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. The default value is 1; we set it to 8 by running this as a Zimbra user
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
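How domain=filter*weight entries and the threshold of 8 combine into a block decision, as an added example (not code from Zimbra or Postfix). The entries and threshold are taken from this article; the DNSBL replies and function names are constructed for illustration.

```python
import re

def parse_entry(entry):
    """Split 'domain=filter*weight' into (domain, filter or None, weight)."""
    weight = 1                                  # no *weight: score goes up by 1
    if "*" in entry:
        entry, w = entry.rsplit("*", 1)
        weight = int(w)                         # negative weight = whitelisting
    domain, _, flt = entry.partition("=")
    return domain, (flt or None), weight

def octet_matches(pattern, value):
    """One d of d.d.d.d: a number, or [..] with ;-separated numbers/ranges."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for alt in pattern[1:-1].split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(flt, reply):
    if flt is None:                             # no =filter: any non-error reply
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", flt)   # keeps [4..7] in one piece
    octets = [int(o) for o in reply.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octets))

def dnsbl_score(sites, replies):
    """replies maps a DNSBL domain to the A records it returned for the client."""
    score = 0
    for entry in sites:
        domain, flt, weight = parse_entry(entry)
        # any(): an entry's weight is applied at most once
        if any(reply_matches(flt, r) for r in replies.get(domain, [])):
            score += weight
    return score

SITES = ["b.barracudacentral.org=127.0.0.2*7", "zen.spamhaus.org=127.0.0.[10;11]*8",
         "zen.spamhaus.org=127.0.0.[4..7]*6", "zen.spamhaus.org=127.0.0.3*4",
         "zen.spamhaus.org=127.0.0.2*3", "list.dnswl.org=127.0.[0..255].1*-3"]
THRESHOLD = 8

if __name__ == "__main__":
    for replies in ({"b.barracudacentral.org": ["127.0.0.2"]},           # constructed
                    {"zen.spamhaus.org": ["127.0.0.4", "127.0.0.2"]}):   # constructed
        s = dnsbl_score(SITES, replies)
        print(s, "blocked" if s >= THRESHOLD else "passed", replies)
```

A single Barracuda listing scores 7 and stays under the threshold, while two Spamhaus zen return codes add up to 9 and cross it.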
The amount of time that postscreen may use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default value is 1h; we set it to 5m by running this as a Zimbra user
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
The action that postscreen is to take when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter, as either ignore (default), enforce, or drop. We set it to enforce by running this as a Zimbra user
zmprov mcf zimbraMtaPostscreenGreetAction enforce
To test Postscreen, you can view the results without taking any action. To do so, instruct Postscreen to log email connections without acting on them by using the Postscreen value ignore. Check the results until you are happy with them, then set the Postscreen values to enforce or drop, as required.
This is an example of the results of a test session showing a 550 blocked error from Postscreen
Mar 1 02:03:26 edge01 postfix/postscreen: DNSBL rank 28 for [126.96.36.199]:20438
Mar 1 02:03:26 edge01 postfix/postscreen: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25
Mar 1 02:03:26 edge01 postfix/postscreen: WHITELISTED [10.210.0.161]:58010
Mar 1 02:03:27 edge01 postfix/postscreen: NOQUEUE: reject: RCPT from [188.8.131.52]:20438: 550 5.7.1 Service unavailable; client [184.108.40.206] blocked using zen.spamhaus.org; from=<firstname.lastname@example.org>, to=<email@example.com>, proto=ESMTP, helo=<gmail.com>
Mar 1 02:03:27 edge01 postfix/postscreen: DISCONNECT [220.127.116.11]:20438
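One way to review an ignore-mode test run before switching to enforce or drop, as an added example that is not part of the original article: it tallies postscreen log lines in the format shown above and lists the clients a candidate threshold would hit. The log lines are constructed (documentation address ranges), and the function names are hypothetical.

```python
import re
from collections import Counter

# Optional [pid] after the daemon name, as syslog usually records it.
P = r"postfix/postscreen(?:\[\d+\])?: "
RANK = re.compile(P + r"DNSBL rank (-?\d+) for \[([^\]]+)\]:\d+")
PREGREET = re.compile(P + r"PREGREET \d+ after [\d.]+ from \[([^\]]+)\]:\d+")
REJECT = re.compile(P + r"NOQUEUE: reject: RCPT from \[[^\]]+\]:\d+: "
                        r"550 .*?blocked using ([^;\s]+)")

def summarize(lines):
    """Return (highest DNSBL rank per client, pregreet clients, rejects per list)."""
    ranks, pregreet, lists = {}, set(), Counter()
    for line in lines:
        if m := RANK.search(line):
            rank, ip = int(m.group(1)), m.group(2)
            ranks[ip] = max(rank, ranks.get(ip, rank))
        elif m := PREGREET.search(line):
            pregreet.add(m.group(1))
        elif m := REJECT.search(line):
            lists[m.group(1)] += 1
    return ranks, pregreet, lists

def over_threshold(ranks, threshold):
    """Clients a DNSBL action of enforce or drop would hit at this threshold."""
    return sorted(ip for ip, rank in ranks.items() if rank >= threshold)

# Constructed sample. postscreen logs a rank only for clients at or above the
# configured threshold, so collect statistics with a low threshold.
LOG = [
    "Mar 1 02:03:26 edge01 postfix/postscreen[2101]: CONNECT from [192.0.2.45]:20438 to [198.51.100.10]:25",
    "Mar 1 02:03:26 edge01 postfix/postscreen[2101]: DNSBL rank 28 for [192.0.2.45]:20438",
    "Mar 1 02:03:27 edge01 postfix/postscreen[2101]: NOQUEUE: reject: RCPT from [192.0.2.45]:20438: 550 5.7.1 "
    "Service unavailable; client [192.0.2.45] blocked using zen.spamhaus.org; proto=ESMTP",
    "Mar 1 02:03:31 edge01 postfix/postscreen[2101]: PREGREET 14 after 0.11 from [203.0.113.7]:40112: EHLO example",
    "Mar 1 02:03:40 edge01 postfix/postscreen[2101]: DNSBL rank 3 for [203.0.113.99]:51514",
]

if __name__ == "__main__":
    ranks, pregreet, lists = summarize(LOG)
    for t in (1, 8):
        print(f"threshold {t}: {over_threshold(ranks, t)}")
    print("spoke before greeting:", sorted(pregreet))
    print("rejects per list:", dict(lists))
```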
How To White-list and Black-list IPs
To add IP addresses to a white-list or a black-list, first create a file (the command below expects it at /opt/zimbra/common/conf/postscreen_wblist), then add the IP addresses, each followed by the value indicating what to do with that IP. For example,
18.104.22.168/32 permit
22.214.171.124/24 reject
126.96.36.199/24 reject
As you can see, each IP address should be in CIDR format (a compact representation of an IP address and its associated network mask). For example, 192.168.100.14/24 represents the IPv4 address 192.168.100.14 and its associated network prefix 192.168.100.0, or equivalently, its subnet mask 255.255.255.0.
After saving the file, tell postscreen to use it by running
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
Then restart the MTA services.
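A pre-deployment check for the white/black-list file, as an added example that is not part of the original article. Postfix searches a CIDR table top to bottom and stops at the first match, and it logs a warning and skips a pattern whose host bits are non-zero (for example 192.168.100.14/24 instead of 192.168.100.0/24), so both mistakes silently change which clients are permitted or rejected. The sample file content and the function name are constructed.

```python
import ipaddress

ACTIONS = {"permit", "reject", "dunno"}   # results postscreen accepts from the table

def lint_wblist(text):
    """Return a list of (line_number, problem) for a postscreen CIDR table."""
    findings, rules = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1].lower() not in ACTIONS:
            findings.append((n, "expected '<network> permit|reject|dunno'"))
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=True)
        except ValueError:
            try:
                fixed = ipaddress.ip_network(parts[0], strict=False)
                findings.append((n, f"host bits set, use {fixed}"))
            except ValueError:
                findings.append((n, "not a valid network"))
            continue
        # First match wins: a rule inside an earlier network is never consulted.
        for m, earlier, action in rules:
            if net.version == earlier.version and net.subnet_of(earlier):
                findings.append(
                    (n, f"never reached: line {m} ({earlier} {action}) matches first"))
                break
        rules.append((n, net, parts[1].lower()))
    return findings

# Constructed sample using documentation address ranges.
SAMPLE = """\
# postscreen_wblist
192.0.2.10/32 permit
198.51.100.0/24 reject
198.51.100.77/32 permit
203.0.113.14/24 reject
"""

if __name__ == "__main__":
    for line_no, problem in lint_wblist(SAMPLE):
        print(f"line {line_no}: {problem}")
```

In the sample, the permit on line 4 has to move above the /24 reject to take effect, and line 5 has to be written as 203.0.113.0/24.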