Zimbra 設定擋信政策

可以手動設定擋信基本政策

運行環境


Zimbra 8.8.15

設定方式


  • 設定反垃圾郵件
## antispam enable
### check status
zmlocalconfig antispam_enable_rule_updates
zmlocalconfig antispam_enable_restarts
### set enable
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmprov mcf zimbraSpamKillPercent 75
zmprov mcf zimbraSpamTagPercent 20
zmprov mcf zimbraSpamSubjectTag "** CAUTION! SUSPICIOUS EMAIL **"

### restart
zmamavisdctl restart
  • 設定附件
## set MTA restriction
zmprov mcf +zimbraMtaBlockedExtension asd
zmprov mcf +zimbraMtaBlockedExtension bat
zmprov mcf +zimbraMtaBlockedExtension cab
zmprov mcf +zimbraMtaBlockedExtension chm
zmprov mcf +zimbraMtaBlockedExtension cmd
zmprov mcf +zimbraMtaBlockedExtension com
zmprov mcf +zimbraMtaBlockedExtension dll
zmprov mcf +zimbraMtaBlockedExtension do
zmprov mcf +zimbraMtaBlockedExtension exe
zmprov mcf +zimbraMtaBlockedExtension hlp
zmprov mcf +zimbraMtaBlockedExtension hta
zmprov mcf +zimbraMtaBlockedExtension js
zmprov mcf +zimbraMtaBlockedExtension jse
zmprov mcf +zimbraMtaBlockedExtension lnk
zmprov mcf +zimbraMtaBlockedExtension ocx
zmprov mcf +zimbraMtaBlockedExtension pif
zmprov mcf +zimbraMtaBlockedExtension reg
zmprov mcf +zimbraMtaBlockedExtension scr
zmprov mcf +zimbraMtaBlockedExtension shb
zmprov mcf +zimbraMtaBlockedExtension shm
zmprov mcf +zimbraMtaBlockedExtension shs
zmprov mcf +zimbraMtaBlockedExtension vbe
zmprov mcf +zimbraMtaBlockedExtension vbs
zmprov mcf +zimbraMtaBlockedExtension vbx
zmprov mcf +zimbraMtaBlockedExtension vxd
zmprov mcf +zimbraMtaBlockedExtension wsf
zmprov mcf +zimbraMtaBlockedExtension wsh
zmprov mcf +zimbraMtaBlockedExtension xl
zmprov mcf +zimbraMtaBlockedExtensionWarnAdmin TRUE
zmprov mcf +zimbraMtaBlockedExtensionWarnRecipient TRUE
zmprov mcf zimbraVirusBlockEncryptedArchive FALSE
zmprov gcf zimbraMTARestriction
  • 背景設定
## set Postscreen , 8.7 and above
### https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen
### medium/high level
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 1d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable no
zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
  • 設定黑白名單 IP
### Create /opt/zimbra/common/conf/postscreen_wblist
vim /opt/zimbra/common/conf/postscreen_wblist
### Rules are evaluated in the order as specified.
### Blacklist 60.70.80.* except  60.70.80.91.
60.70.80.91/32 permit
60.70.80.0/24 reject
### enable white/black list
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
  • 發信及接收檢查
### sender/recipient mismatch
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf 
zmprov mcf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
  • 重啟剛剛設定的服務
zmmtactl restart
zmconfigdctl restart
  • 本機的 MTA 將 example.com 修改成該服務的網域
zmprov -l ms example.com zimbraMtaLmtpHostLookup native
zmprov -l mcf zimbraMtaLmtpHostLookup native
zmmtactl restart
zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1 
zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled TRUE
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled TRUE
zmprov ms `zmhostname` zimbraMtaTlsAuthOnly FALSE
zmmemcachedctl restart
  • CLI 設定 DNSBL or RBL
zmprov mcf \
zimbraMtaRestriction reject_invalid_helo_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
zimbraMtaRestriction "reject_rbl_client psbl.surriel.com" \
zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org" \
zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org" \
zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com" \
zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org" \
zimbraMtaRestriction "reject_rhsbl_reverse_client dbl.spamhaus.org" \
zimbraMtaRestriction "reject_rhsbl_sender multi.uribl.com" \
zimbraMtaRestriction "reject_rhsbl_sender multi.surbl.org" \
zimbraMtaRestriction "reject_rhsbl_sender rhsbl.sorbs.net" \
zimbraMtaRestriction "reject_rhsbl_sender dbl.spamhaus.org"

如果發現到寄件者被退信的狀況,請到後台裡面有一個全域設定的 MTA 選項裡面把有 「 multi.uribl.com 」 刪除掉這樣子就可以正常被信了

  • 重啟服務
zmcontrol restart



參考相關網頁