
Improving Anti-Spam: Reject Unlisted Domains On Zimbra 8.5

Rejecting unlisted sender domains is one of many ways to improve anti-spam on a mail server, and on Zimbra in particular. On Zimbra, any IP address can be listed as a trusted network, and hosts in the trusted network may send email without authentication or any prompt. In other words, a host listed in the trusted network can send mail with any sender domain, even one that is not hosted on the Zimbra server.

If your mail server hosts the domain example.com, mail leaving it should carry an example.com sender address; anything else should be rejected. This article describes step by step how to reject unlisted domains on Zimbra with Policyd. It assumes you have already installed and enabled Policyd. If not, follow this article to enable it: https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Open the Policyd WebUI in a browser at http://zimbraserver:7780/webui/index.php. Make sure the Zimbra apache service is running.

Select Policies | Groups. From the action menu add a group and name it list_domain; the comment can be left empty or filled in. Select the group you just made, choose Members from the action menu, and add your domain as a member (in Policyd's member syntax a whole domain is written as @example.com). See the following example. Make sure the Disabled status is No for both the group and its members.

policyd-groups


Select Policies | Main. Add a new policy and give it a name and description like the following picture, then submit the query.

policyd-reject-unlisted-domain

Select the policy just created and choose Members from the action menu. Add a member and fill both Source and Destination with the group made earlier, negated with a leading exclamation mark (!%list_domain in Policyd's syntax, meaning "not a member of list_domain"). See the following picture.

policyd-reject-member

The configuration above means the policy matches mail whose source and destination are both not members of the group: a sender outside your domains writing to a recipient outside your domains. Mail from your own domain, to your own domain, or between your own users is left alone. One caveat, raised several times in the comments below: mail Zimbra submits with an empty envelope sender (read receipts, out-of-office replies) also matches this rule and is rejected; the workaround one reader found is to add the server's own IP address to list_domain. Next, select Access Control | Configure. Add a new ACL and fill it in like this:

Name : Reject Unlisted Domain
Link to policy : Reject Unlisted Domain (New policy has previously been made)
Verdict : Reject
Data : Sorry, you are not authorized to sending email

See the following picture, then submit the query.

policyd-acl

Make sure the Disabled status is No on everything you have configured. Then enable Policyd access control and restart the Policyd service:

su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart

Now try sending email with telnet on the Zimbra server itself. The following is an example result with the configuration above; note that the session is unauthenticated and comes from localhost, which is in the trusted network, so without the policy Postfix would have accepted it:

mail:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.xxxxxxx.xxx ESMTP Postfix
ehlo mail
250-mail.xxxxxxx.xxx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ahmad@gmail.com
250 2.1.0 Ok
rcpt to:ahmad@yahoo.com
554 5.7.1 <ahmad@gmail.com>: Sender address rejected: Sorry, you are not authorized to sending email
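To make the matching rule concrete, here is an added Python model of how a Policyd policy member row decides whether the linked Reject ACL fires. It is example code written for this article, not part of Policyd or Zimbra, and it simplifies cbpolicyd's real matching. Assumed, and labelled in the code: the hosted domain example.com, a placeholder server address 192.0.2.10, and Policyd's member syntax in which a group is referenced as %list_domain, negated with a leading !, and group members are written as @domain, user@domain or an IP/CIDR. It runs the telnet case above, the "forgot the !" mistake reported in the comments, and the null-sender case (read receipts, out-of-office replies) together with the workaround of listing the server's own IP.

```python
"""Model of a Policyd (cbpolicyd) policy member row such as
source=!%list_domain, destination=!%list_domain.
Simplified from cbpolicyd's matching rules; constructed for this article."""
import ipaddress
from dataclasses import dataclass

ARTICLE_GROUPS = {"list_domain": ["@example.com"]}  # constructed: the hosted domain
SERVER_IP = "192.0.2.10"                             # constructed placeholder for the Zimbra host


@dataclass
class Envelope:
    client_ip: str   # connecting host, as logged in host=
    sender: str      # envelope MAIL FROM; "" is the null sender <> (bounces, read receipts)
    recipient: str   # envelope RCPT TO


def _is_ip_member(member: str) -> bool:
    try:
        ipaddress.ip_network(member, strict=False)
        return True
    except ValueError:
        return False


def _member_matches(member: str, address: str, client_ip: str) -> bool:
    """One group member against one side of the transaction.
    Assumed member syntax (cbpolicyd convention): '@domain', 'user@domain', IP or CIDR."""
    if _is_ip_member(member):
        return bool(client_ip) and ipaddress.ip_address(client_ip) in ipaddress.ip_network(member, strict=False)
    if not address:
        return False  # the null sender carries no domain, so it never matches an address member
    if member.startswith("@"):
        return address.lower().rsplit("@", 1)[-1] == member[1:].lower()
    return address.lower() == member.lower()


def _spec_matches(spec: str, address: str, client_ip: str, groups: dict) -> bool:
    """Resolve a comma-separated spec: 'any', '%group', '@domain', 'user@domain' or CIDR,
    each optionally negated with a leading '!'. Items are OR-ed (assumed, as in cbpolicyd)."""
    for item in spec.split(","):
        item = item.strip()
        negate = item.startswith("!")
        if negate:
            item = item[1:]
        if item == "any":
            hit = True
        elif item.startswith("%"):
            hit = any(_member_matches(m, address, client_ip) for m in groups[item[1:]])
        else:
            hit = _member_matches(item, address, client_ip)
        if hit != negate:
            return True
    return False


def policy_applies(source_spec: str, destination_spec: str, env: Envelope, groups: dict) -> bool:
    """True when the member row matches the transaction, i.e. the ACL linked to the policy fires.
    Source is matched on sender address and client IP; destination only on recipient address."""
    return (_spec_matches(source_spec, env.sender, env.client_ip, groups)
            and _spec_matches(destination_spec, env.recipient, "", groups))


def verdict(env: Envelope, groups: dict,
            source: str = "!%list_domain", destination: str = "!%list_domain") -> str:
    """'reject' (the article's ACL verdict) when the policy applies, otherwise 'accept'."""
    return "reject" if policy_applies(source, destination, env, groups) else "accept"


def scenarios() -> dict:
    g = ARTICLE_GROUPS
    internal = Envelope(SERVER_IP, "alice@example.com", "carol@example.com")
    return {
        # the telnet test from the article: foreign sender to foreign recipient, from localhost
        "gmail->yahoo": verdict(Envelope("127.0.0.1", "ahmad@gmail.com", "ahmad@yahoo.com"), g),
        "internal->external": verdict(Envelope(SERVER_IP, "alice@example.com", "bob@yahoo.com"), g),
        "external->internal": verdict(Envelope("203.0.113.5", "bob@yahoo.com", "alice@example.com"), g),
        "internal->internal": verdict(internal, g),
        # read receipt / out-of-office: submitted by Zimbra itself with the null sender
        "null-sender->external": verdict(Envelope(SERVER_IP, "", "bob@yahoo.com"), g),
        # the same rule without '!' (the mistake in the comments): internal mail dies, spam passes
        "no-bang internal->internal": verdict(internal, g, "%list_domain", "%list_domain"),
        "no-bang gmail->yahoo": verdict(Envelope("127.0.0.1", "ahmad@gmail.com", "ahmad@yahoo.com"),
                                        g, "%list_domain", "%list_domain"),
        # workaround from the comments: the server's own IP as a list_domain member
        "null-sender, server IP listed": verdict(Envelope(SERVER_IP, "", "bob@yahoo.com"),
                                                 {"list_domain": ["@example.com", SERVER_IP + "/32"]}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {result}")
```

The two things worth taking from the run: the negated rule rejects only traffic that touches none of your domains, which is exactly the open-relay abuse the trusted network would otherwise allow, and the null sender is the one legitimate case it catches, because an empty MAIL FROM can never be a member of a domain list. Listing the server's own IP makes the source side match by client address instead, so the rule no longer applies to mail Zimbra generates itself.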

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

55 comments

    1. I have followed your article about “Reject Unlisted Domain On Zimbra” but my Zimbra server restricted all the mails going out, saying “‘xxx@yahoo.com’ on 25/07/2015 16:51
      Server error: ‘554 5.7.1 : Sender address rejected: Sorry, you are not authorized to sending email’”. What is this error?

      1. Hi Gayaliranga,

        Have you made sure the policy you created is from !list_domain to !list_domain?

        list_domain = fill with your domain

  1. With reject unlisted domain we have a way to block other domains, but for the local domain I am getting spam from random usernames with the local domain. How to allow only listed email accounts to send mail… how to block unlisted email accounts…

  2. Thank you for your article, one question:
    after I tried it, it turned out the rejected sender does not receive the error
    “Sender address rejected: Sorry, you are not authorized to sending email”

    How can the sender receive the error?

    Thank You

  3. Hi,
    I get an error by executing the following command.
    zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE

    Error : ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name – unable to modify attributes: zimbraCBPolicydAccessControlEnabled: attribute type undefined)

  4. Hello, I have successfully blocked the other domains, but after several days all blocked domains regained their access. None of the settings has changed in cbpolicyd; how is this possible?

  5. Can I ask how to block an IP from trying to send spam using our server? This certain IP is trying to access our server through SSH and trying to log on to random accounts

    1. Hi Christian Kim,

      Please change the default SSH port from 22 to another port, for example 2254.

      Changing the default SSH port will reduce (or stop) access to your server

  6. Hello, is it possible to automatically import all domains I configure in Zimbra as members of the “list_domain” policy group?

  7. Using the article I implemented the policy, but it has stopped sending mails among the users of the server within the server domain.
    Please help.

      1. I had implemented the rate limit policy prior to this, and had defined my domain there in list_domain. Hence I used the same variable here.

        The log reads like this:

        [2016/04/28-12:50:33 – 61888] [CORE] INFO: module=AccessControl, action=reject, host=, helo=, from=, to=, reason=verdict

      2. Here is the correct version:

        [2016/04/28-12:50:33 – 61888] [CORE] INFO: module=AccessControl, action=reject, host=ip_address, helo=server_name, from=user1@domain, to=user2@domain, reason=verdict

        1. Hi,

          Please make sure to put ! in front of the group when configuring Policies. If you do not add the ! symbol, the policy will drop all email from internal to internal, but not from internal to external or from external to internal.

  8. I had placed ! in front of the group while configuring policies.

    However, I got it through by enabling the “default inbound” and “default internal” policies using the groups “internal_ips” and “internal_domains”, which I had disabled earlier. Is it OK doing this?

    Thanks for your time

  9. As Salam Iman,

    I have followed your article and it works. But when I received an email from someone who requested to be notified, it rejected that email. The error message below appeared when I clicked to be notified:

    msg : system failure : error while sending read receipt

    Thank you.

  10. Dear Iman,

    Many thanks for your articles you made on your blog. They helped me a lot to improve the security of my Zimbra servers.

    But I need help to fix my problem with the policyd settings in this article. The setting works as expected, but the out-of-office messages stopped. If I disable it then they work.

    Error message in mailbox.log:
    (Zimbra user: user1@zimbradomain.com,
    Other user: other@otherdomain.com)

    [name=user1@zimbradomain.com;mid=260;ip=11.22.33.44;] smtp – Failed to send message
    com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient other@otherdomain.com: 554 5.7.1 : Sender address rejected: Sorry, you are not authorized to sending email.

    I don’t understand why Zimbra wants to identify the sender as the Other user and not the Zimbra user.

    Any help will be appreciated. Thanks.

      1. Hi Iman,
        That was what I expected to happen, but it is not happening. I use the latest Zimbra 8.7 OSE. Do you need more info from the log file?
        Thanks.

      2. Sorry Iman,

        Maybe I misunderstood your answer. So is there any way to make exceptions for out-of-office messages in policyd settings?

        1. Hi Andras,

          You can make an exception by sender/recipient. But making an exception is not easy, because the sender is random. I think you should disable the rule for a certain period (when you enable Out of Office)

          1. Yes, I disabled it. I really like this restriction, but I won’t be using it as I host ~30 domains and a few hundred accounts on this server.

  11. Salaam Iman.

    Great how-to for securing Zimbra servers!

    One question. Can we use wildcards in the domain name too? Such as @*.example.com (I want to relay mails with @abc.example.com, @xyz.example.com etc.)

    Thank you.

  12. I have a question about read receipts after implementing these rules. When a user gets an email asking for read confirmation, they click on send and get an error in the browser. After digging I found this in the cbpolicyd log. It appears the confirmation is sent from email address

    [CORE] INFO: module=AccessControl, action=reject, host=X.X.X.12, helo=mail.company.net, from=, to=sanga.c@companyB.care, reason=verdict

    How can I correct for this issue?

      1. Thanks for the update! I guess we have to make some decisions on whether block the spam or allow the features the users requested.

        1. After some tests I found a solution: in the Policy Group, add a new entry in the list_domain group with the IP of your server, in the example X.X.X.12/32. With this new entry you will be able to confirm the read receipt request.

  13. Greetings, I have the following query: is it possible to use a tool such as cbpolicyd to reject Zimbra SPAM attacks?

  14. Hi Iman, when I select “Filter” as the Verdict, what type of filter can I do? Where can I find a manual for the filter syntax?

    1. Hi Gianmario,
      When you use filter, you can trigger another process like scanning with an external antispam, forwarding to another relay server, etc. I use filter to relay to another server

  15. Hello,

    In the “list_domain” member should I add all the domains I want to release? Isn’t there a way for it to automatically know which domains are listed in Zimbra, and block everything that is not listed?

    Thanks

  16. Please, is it possible to block email where the Return-Path in the header does not match the From address?

    We get a lot of email with Return-Path = spam account but From = internal email address, and it confuses some of our users and they end up opening spam viruses. If it is possible to block by policyd, please explain how.

    Thank you, you are a genius

      1. Thanks, I already have that configured. But my issue is that the spammer is not relaying or authenticating via my server. It is spam from an account outside my server, e.g. spam@gmail.com, but the From address is configured as user@myserver.com; when it gets to the mailbox, unless you view the original email, the spam address is not visible.
