Improving Anti Spam : Reject Unlisted Domain On Zimbra 8.5


Rejecting unlisted domains is one of many methods to improve anti-spam on an email server, especially a Zimbra mail server. On Zimbra, we can list any IP address as a trusted network. An IP address listed as a trusted network can send email without authentication and without being prompted for it. In other words, an IP address on the trusted network can send email with any sender domain, even one that is not listed on Zimbra.

If you have an email server for the domain example.com, it should send email to the outside only with the example.com domain; anything else should be rejected. This article describes step by step how to reject unlisted domains on Zimbra with Policyd. It assumes you have installed and enabled Policyd. If not, you can follow this article to enable it: https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Access the Policyd WebUI via browser at http://zimbraserver:7780/webui/index.php. Make sure the Zimbra apache service is running.

Select Policies | Groups. From the action menu, add a group and name it list_domain. The comment field can be left empty or filled in. Select the group you just created. On action, select members and fill in your domain. See the following example. Make sure the disabled status is no for both the group and its members.

policyd-groups


Select Policies | Main. Add a new policy and give it a name and information like the following picture. Then submit the query.

policyd-reject-unlisted-domain

Select the new policy you just created and select members on action. Add a member and fill in source and destination with the group created earlier. See the following picture.

policyd-reject-member

The above configuration matches mail whose source and destination are both not members of the group. Select Access Control | Configure. Add a new ACL with a name and information like this:

Name : Reject Unlisted Domain
Link to policy : Reject Unlisted Domain (the policy created earlier)
Verdict : Reject
Data : Sorry, you are not authorized to sending email

See the following picture. Then submit the query.

policyd-acl

Make sure the disabled status is no for every item you have configured. Enable Policyd access control and restart the Policyd service.

su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart

Try sending an email with telnet from the Zimbra mail server itself. The following is an example result of the above configuration:

mail:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.xxxxxxx.xxx ESMTP Postfix
ehlo mail
250-mail.xxxxxxx.xxx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ahmad@gmail.com
250 2.1.0 Ok
rcpt to:ahmad@yahoo.com
554 5.7.1 <ahmad@gmail.com>: Sender address rejected: Sorry, you are not authorized to sending email
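
An added example (not from the original article, and not Policyd's own code): a simplified Python model of the member line source !list_domain, destination !list_domain, showing which envelope combinations the ACL rejects, including two cases raised in the comments (the "!" left off, and empty-sender read receipts that pass once the server IP is added to the group). The domain example.com, the address 192.0.2.12 and all function names are constructed for illustration, and only domain and IP/CIDR group members are modeled.

```python
import ipaddress

# Constructed stand-in for the members of the list_domain group.
LIST_DOMAIN = ["@example.com"]

def in_group(members, address, client_ip=None):
    """True if the envelope address (or, for a source, the client IP)
    matches a group member. Members are '@domain' or an IP/CIDR."""
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    for member in members:
        if member.startswith("@"):
            if domain and domain == member[1:].lower():
                return True
        elif client_ip is not None:
            net = ipaddress.ip_network(member, strict=False)
            if ipaddress.ip_address(client_ip) in net:
                return True
    return False

def verdict(sender, recipient, client_ip, members, negate=True):
    """Model of the ACL: REJECT when the policy member line matches.
    negate=True  -> source !list_domain, destination !list_domain
    negate=False -> the '!' was left off both fields."""
    src = in_group(members, sender, client_ip)
    dst = in_group(members, recipient)
    hit = (not src and not dst) if negate else (src and dst)
    return "REJECT" if hit else "PASS"

def run_cases():
    ip = "192.0.2.12"  # constructed server address (documentation range)
    with_ip = LIST_DOMAIN + [ip + "/32"]
    ext, own = "ahmad@gmail.com", "user1@example.com"
    return {
        "unlisted -> outside": verdict(ext, "ahmad@yahoo.com", ip, LIST_DOMAIN),
        "listed -> outside": verdict(own, "ahmad@yahoo.com", ip, LIST_DOMAIN),
        "outside -> listed": verdict(ext, own, ip, LIST_DOMAIN),
        "listed -> listed": verdict(own, "user2@example.com", ip, LIST_DOMAIN),
        "listed -> listed, '!' omitted": verdict(own, "user2@example.com", ip, LIST_DOMAIN, negate=False),
        "empty sender -> outside": verdict("", "other@otherdomain.com", ip, LIST_DOMAIN),
        "empty sender, server IP in group": verdict("", "other@otherdomain.com", ip, with_ip),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{result:6}  {name}")
```

Only mail where neither the sender nor the recipient belongs to the group is rejected, which is why every listed domain must be in the group before the ACL is enabled.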

Good luck and hopefully useful 😀


82 comments

    1. I have followed your article about “Reject Unlisted Domain On Zimbra” but my zimbra server restricted all the mails going out saying “‘xxx@yahoo.com’ on 25/07/2015 16:51
      Server error: ‘554 5.7.1 : Sender address rejected: Sorry, you are not authorized to sending email’, what is this error?

      1. Hi Gayaliranga,

        Have you made sure the policy you created is from !list_domain to !list_domain?

        list_domain=fill with your domain

  1. With reject unlisted domain we have a way to block other domains, but for the local domain I am getting spam from random usernames with the local domain. How to allow only listed email accounts to send mail… how to block unlisted email accounts…

  2. Thank you for your article. One question:
    after I tried it, it turned out that on rejection the sender does not receive the error
    “Sender address rejected: Sorry, you are not authorized to sending email”

    how can the sender may receive the error?

    Thank You

  3. Hi,
    I get an error by executing the following command.
    zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE

    Error : ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name – unable to modify attributes: zimbraCBPolicydAccessControlEnabled: attribute type undefined)

  4. Hello, I have successfully blocked the other domains, but after several days all blocked domains regained their access. None of the settings changed in cbpolicyd; how is this possible?

  5. Can I ask how to block an IP from trying to send spam using our server? This certain IP is trying to access our server through SSH and trying to log on to random accounts

    1. Hi Christian Kim,

      Please change the default SSH port from 22 to another port, for example 2254.

      Changing the default SSH port will reduce (or stop) access to your server

  6. Hello, is it possible to automatically import all domains I configure in Zimbra as members of the “list_domain” policy group?

  7. Using the article I had implemented the policy but it has stopped sending mails among the users of the server within the server domain.
    Please help.

      1. Had implemented rate limit policy prior to this. Had defined my domain there in list_domain. Hence used the same variable here.

        The log reads like this:

        [2016/04/28-12:50:33 – 61888] [CORE] INFO: module=AccessControl, action=reject, host=, helo=, from=, to=, reason=verdict

      2. Here is the correct version:

        [2016/04/28-12:50:33 – 61888] [CORE] INFO: module=AccessControl, action=reject, host=ip_address, helo=server_name, from=user1@domain, to=user2@domain, reason=verdict

        1. Hi,

          Please make sure to put ! in front of the group when configuring Policies. If you do not put the ! symbol, the policies will drop all email from internal to internal, but not from internal to external and external to internal

  8. I had placed ! in front of group while configuring policies.

    However, I had got it through by enabling “default inbound” and “default internal” policies using groups “internal_ips” and “internal_domains” which I had disabled earlier. Is it OK to do this?

    Thanks for your time

  9. As Salam Iman,

    I have followed your article and it works. But when I received an email from someone who requested to be notified, it rejected that email. The error message was as below when I clicked to be notified:

    msg : system failure : error while sending read receipt

    Thank you.

  10. Dear Iman,

    Many thanks for your articles you made on your blog. They helped me a lot to improve the security of my Zimbra servers.

    But I need help to fix my problem with the policyd settings in this article. The setting works as expected but the out-of-office messages stopped. If I disable this then it works.

    Error message in mailbox.log:
    (Zimbra user: user1@zimbradomain.com,
    Other user: other@otherdomain.com)

    [name=user1@zimbradomain.com;mid=260;ip=11.22.33.44;] smtp – Failed to send message
    com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient other@otherdomain.com: 554 5.7.1 : Sender address rejected: Sorry, you are not authorized to sending email.

    I don’t understand why Zimbra wants to identify the sender as Other user and not Zimbra user.

    Any help will be appreciated. Thanks.

      1. Hi Iman,
        That was what I expected to happen, but it is not happening. I use the latest Zimbra 8.7 OSE. Do you need more info from the log file?
        Thanks.

      2. Sorry Iman,

        Maybe I misunderstood your answer. So is there any way to make exceptions for out-of-office messages in policyd settings?

        1. Hi Andras,

          You can make an exception by sender/recipient. If you make an exception, it is not easy because the sender is random. I think you should disable the rule for a certain period (when you enable Out of Office)

          1. Yes, I disabled it. I really like this restriction but I won’t be using it as I am hosting ~30 domains and a few hundred accounts on this server.

  11. Salaam Iman.

    Great how-to to secure zimbra servers !

    One question. Can we use wildcards in the domain name too? Such as @*.example.com (I want to relay mails with @abc.example.com, @xyz.example.com etc)

    Thank you.

  12. I have a question about read receipts. After implementing these rules, when a user gets an email asking for read confirmation, they click on send and get an error in the browser. After digging I found this in the cbpolicyd log. It appears the confirmation is sent from email address

    [CORE] INFO: module=AccessControl, action=reject, host=X.X.X.12, helo=mail.company.net, from=, to=sanga.c@companyB.care, reason=verdict

    How can I correct for this issue?

      1. Thanks for the update! I guess we have to make some decisions on whether to block the spam or allow the features the users requested.

        1. After some tests I found a solution, in the Policy Group add a new entry in the list_domain group and add the ip of your server in the example X.X.X.12/32. With this new entry you will be able to confirm the read receipt request.

  13. Greetings, I have the following query, is it possible to use a tool such as cbpolicyd to reject Zimbra SPAM attacks?

  14. Hi Iman, when I select “filter” as the “Verdict”, what type of filter can I do? Where can I find a manual for the filter syntax?

    1. Hi Gianmario,
      When you are using filter, you can trigger another process such as scanning with an external antispam, forwarding to another relay server, etc. I use filter to relay to another server

  15. Hello,

    In the “list_domain” members, should I add all the domains I want to release? Is there not a way for it to automatically know which domains are listed in Zimbra, and block everything that is not listed?

    Thanks

  16. Please, Is it possible to block email where return-path in header does not match from address?

    We get a lot of email with return-path = spam account but From = internal email address and it confuses some of our users and they end up opening spam viruses. If possible to block by policyd, please explain how.

    Thanks you are Genius

      1. Thanks, I already have that configured. But my issue is the spammer is not relaying or authenticating via my server. It's spam from an account outside my server, e.g. spam@gmail.com, but the from address is configured as user@myserver.com; when it gets to the mailbox, unless you view the original email, the spam address is not visible.

  17. Hi imanudin,

    Mail from my Zimbra server is going to the spam folder on Yahoo and Gmail. When I check, my SPF, DKIM and DMARC PASS in Gmail and Yahoo, but it is still going to spam. Can you give a solution for this, and do you need other information?

    GTS

  18. Hi Imanudin,

    I tried, and my domain has the Google TXT record google-site-verification code, but it is still going to spam. Please can you suggest what I need to follow next?

    GTS

  19. Hi imanudin,

    I couldn’t understand SMTP relay like sendgrid and smtp2go, because I am totally new
    Can you send any document or link, Please help me on this.

    GTS

  20. Hi imanudin,

    In send-grid, are only TXT records and MX records added for my domain, or can a CNAME also be added? Please advise on this, and thanks for your quick response.

    GTS

  21. Hi Imanudin,

    When I send to Gmail it goes to the spam folder, but when I check the source it shows all pass

    SPF: PASS with IP Adress Learn more
    DKIM: ‘PASS’ with domain domain.com Learn more
    DMARC: ‘PASS’ Learn more

    But it is still going to the spam folder. Can you suggest something?

    gts

  22. hello,
    Microsoft mail server is rejecting mail sent from my Zimbra mail server, so I need your suggestion. I have included the undelivered message detail.
    “I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below.
    For further assistance, please send mail to postmaster.
    If you do so, please include this problem report. You can delete your own text from the attached returned message.

    The mail system

    : host
    outlook-com.olc.protection.outlook.com[104.47.5.33] said: 550 5.7.1
    Unfortunately, messages from [ x.x.x.x] weren’t sent. Please contact
    your Internet service provider since part of their network is on our block
    list (S3150). You can also refer your provider to
    http://mail.live.com/mail/troubleshooting.aspx#errors.
    [HE1EUR02FT047.eop-EUR02.prod.protection.outlook.com] (in reply to MAIL
    FROM command)

  23. Hi ,
    I have installed and configured policyd on zimbra-8.5 with mentioned steps in below link.
    https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/
    https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/

    However after completing it i am unable to access Zimbra web UI and after restarting zimbra services as well getting below status.
    [zimbra@mail ~]$ zmcontrol status
    Host mail.test.net
    amavis Running
    antispam Running
    antivirus Running
    cbpolicyd Stopped
    policyd is not running.
    ldap Running
    logger Running
    mailbox Stopped
    mysql.server is not running.
    memcached Running
    mta Running
    opendkim Running
    proxy Running
    service webapp Stopped
    mysql.server is not running.
    snmp Running
    spell Running
    stats Stopped
    zimbra webapp Stopped
    mysql.server is not running.
    zimbraAdmin webapp Stopped
    mysql.server is not running.
    zimlet webapp Stopped
    mysql.server is not running.
    zmconfigd Running
    [zimbra@mail ~]$

    Could you please help on this to check ?

  24. Dear Mr. Imam,

    The article is very good, and very useful when the email server is on an office network or behind a NAT firewall. Usually when a PC is infected by a virus, it attacks Outlook, then duplicates emails and sends them to the email addresses in the Outlook contacts
    Thank you very much

  25. Mas Ahmad,

    I have a question. I have followed it step by step, but why do the emails still slip out anyway? Everything has been followed, nothing was missed. Why is that? I am using FOSS 8.8.15

    1. Hi Mas Dede,
      Make sure port 10031 is listening when checked with the following commands:

      netstat -atpn | grep -i 10031
      su - zimbra
      postconf | grep -i 10031

      Also make sure the CBPolicyd service is enabled

  26. Hi, how can I block any mail with a fake from address domain from a customer who is in mynetworks and allowed to send mail to local and external domains?

  27. Thank you very much for the tutorial you have made, Mas. It helps a lot of people.

    I have followed the Policyd installation procedure correctly and it can be accessed.
    However, when adding a Group or any other setting, the result is not saved. Where do you think the problem is, Mas?

      1. Hi Mas,
        This database reconfiguration does not affect the main Zimbra settings, right?
        I am still a bit hesitant to recreate the policyd database because the email server is already in use.
        But if it really does not interfere, I will do it right away.

        Thank you.

        1. Hi Mas,
          It should not. It only affects the PolicyD database. If in doubt, you can try testing on a development server first
