E-mail has been firmly established as a standard for business communication. Because e-mail is inexpensive and supports quoting earlier messages and carrying attachments, it is well suited to the role of a universal medium for exchanging documents and polite business correspondence. These same features are the reason spammers fell in love with e-mail. As a result, e-mail today is a vast, raging ocean of spam in whose waters a business letter only occasionally surfaces. That is why protecting against spam is one of the priorities of any mail server administrator. Let's look at what can be done about this in the Zimbra Collaboration Suite Open-Source Edition.

Although it is a free solution, Zimbra OSE gives the system administrator a number of highly effective tools against unwanted mail. We have already written about utilities such as Amavis, SpamAssassin, ClamAV and cbpolicyd, which reliably filter incoming mail and weed out spam as well as infected and phishing messages. Their key disadvantage, however, is that they all work on messages that have already been received, and so they spend system resources filtering useless messages, resources that could always be put to better use. But what if your company is targeted by a large botnet that constantly bombards your mail server with so many junk messages that filtering them alone takes the lion's share of the MTA server's capacity?
In theory you can protect yourself from this by connecting a cloud service that filters incoming mail, but in practice this kind of protection will not suit every enterprise, because it means entrusting a third party with processing not only spam but also business correspondence, which is not always safe and often directly contradicts the company's security policy. There are also risks associated with the reliability of the cloud spam filter itself. The alternative is to organize the server's protection in-house. For exactly this purpose, Zimbra includes the Postscreen utility, which is designed to protect the mail server from mail sent by botnets without loading the mail server.
The essence of Postscreen is that it screens every request to connect to the mail server and refuses connections from clients that look suspicious. Since, according to statistics, about 90% of the world's spam is sent by botnets, Postscreen is often used as the first line of defence for the mail server against unwanted mailings. Thanks to this, the mail server can run stably without being overloaded even under heavy spam attacks from large botnets.
Postscreen's operation is quite simple: it runs a series of simple checks on incoming connections before handing them over to the mail server or to other services that examine incoming messages more deeply. Each check can either be passed or failed. Based on the result of each check, Postscreen takes one of three actions, chosen by the Zimbra administrator: Drop, Ignore or Enforce. The Drop action forcibly breaks the connection with the client if the check fails; the Ignore action disregards the check's result when making the final decision while still collecting information and statistics about the check; and the Enforce action takes the check's result into account in the final decision while still running all the remaining checks the system administrator has scheduled.
A simple principle does not mean ease of use and configuration. An incorrectly configured Postscreen can be the reason that some messages important to the enterprise never reach the addressee. That is why setting up such a powerful tool as Postscreen must be approached with great care, and its behaviour in particular situations must be tested continually.
Postscreen is enabled in Zimbra out of the box, but many administrators will not be satisfied with the initial configuration. We will now look at the Postscreen settings that are best in terms of security and risk. Their essence is that after any check fails, Postscreen will not silently break the connection with the client; it will run all checks to the end and, if they fail, will return an error message. This lets a live sender learn that the letter was not delivered when Postscreen considers it spam. It is achieved by setting the enforce value on the check parameters. That value lets the checks that were started run to completion, without breaking the connection with the client at the first failure, while still blocking the spam message after they finish, without delivering it to the server.
In order to enable the necessary checks, enter the following commands:
zmprov mcf zimbraMtaPostscreenDnsblSites 'b. ..7]*6' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3'
This command adds a DNS check of incoming connections against the two most popular public spam databases and scores each connection depending on which of the databases the sender's address is found in. The more penalty "stars" a client collects, the more likely it is a spammer.
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
This command determines the action taken on the basis of the DNS check. In this case the result of the check is remembered, and the message itself continues to pass through the remaining checks.
zmprov mcf zimbraMtaPostscreenGreetAction enforce
Since in the SMTP protocol the server speaks first after a connection is made, Postscreen can send the client a greeting. Many spam clients start sending commands without waiting for the end of the greeting, which makes them easy to recognise. This command takes the result of this test into account while continuing to run the further tests.
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
As part of this check, Postscreen filters out connections that do not originate from email clients. Since they never send any messages, you can disconnect them from the server without any fear.
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
This check is based on the fact that by default in the SMTP protocol the client may send only one command at a time and must then wait for the server's response. Many spam bots behave differently, sending many commands without waiting for a response. This allows spam bots to be identified almost unmistakably.
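To make the "penalty stars" concrete, here is an added example (not code from the article or from Zimbra/Postfix) that parses zimbraMtaPostscreenDnsblSites entries in the dnsbl_domain[=answer]*weight form shown above, handles both a single answer filter and the [lo..hi] range form, and adds up the weights of the entries whose filter matches the DNSBL answer for a client. The DNSBL answers are constructed in a dictionary so the script runs offline; the SITES list and the threshold are constructed example values, with the threshold standing in for Postfix's postscreen_dnsbl_threshold (default 1), which the article does not mention.

```python
import re

# Answer filter of the form d.d.d.[lo..hi]; a plain d.d.d.d filter has no brackets.
_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)\.\.(\d+)\]$")


def parse_dnsbl_site(spec):
    """Parse one zimbraMtaPostscreenDnsblSites value such as
    'zen.spamhaus.org=127.0.0.3*4' into (domain, accepted_answers, weight).
    accepted_answers is None when there is no '=' filter: any listing counts."""
    site, _, weight_text = spec.strip().partition("*")
    weight = int(weight_text) if weight_text else 1
    domain, _, answer_filter = site.partition("=")
    if not answer_filter:
        return domain, None, weight
    m = _RANGE.match(answer_filter)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        return domain, {f"{prefix}.{i}" for i in range(lo, hi + 1)}, weight
    return domain, {answer_filter}, weight


def dnsbl_query_name(client_ip, domain):
    """DNSBL lookups reverse the client's octets: 192.0.2.44 -> 44.2.0.192.<domain>."""
    return ".".join(reversed(client_ip.split("."))) + "." + domain


def dnsbl_score(client_ip, sites, resolve):
    """Sum the weight of every entry whose filter matches the DNSBL answer.
    resolve(qname) returns the set of A records, empty when the client is unlisted.
    (A real implementation queries each domain once and reuses the answer.)"""
    score = 0
    for spec in sites:
        domain, accepted, weight = parse_dnsbl_site(spec)
        answers = resolve(dnsbl_query_name(client_ip, domain))
        if answers and (accepted is None or answers & accepted):
            score += weight
    return score


# Constructed example site list (the range entry illustrates the [lo..hi] syntax).
SITES = [
    "zen.spamhaus.org=127.0.0.[4..7]*6",
    "zen.spamhaus.org=127.0.0.3*4",
    "zen.spamhaus.org=127.0.0.2*3",
]

# Constructed DNSBL answers keyed by query name (TEST-NET client addresses).
CONSTRUCTED_DNSBL = {
    "44.2.0.192.zen.spamhaus.org": {"127.0.0.2", "127.0.0.3"},  # listed twice
    "77.2.0.192.zen.spamhaus.org": {"127.0.0.4"},               # listed in the range
}


def offline_resolve(qname):
    """Stand-in for a DNS resolver; returns the constructed answers above."""
    return CONSTRUCTED_DNSBL.get(qname, set())


def is_over_threshold(client_ip, threshold=1):
    """True when the accumulated stars reach the threshold that triggers the DNSBL action."""
    return dnsbl_score(client_ip, SITES, offline_resolve) >= threshold


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.77", "192.0.2.1"):
        score = dnsbl_score(ip, SITES, offline_resolve)
        verdict = "over threshold" if is_over_threshold(ip) else "passes"
        print(f"{ip}: {score} star(s) -> {verdict}")
```

Note that a client listed with more than one return code collects the stars of every matching entry (192.0.2.44 scores 4 + 3 = 7 here), which is why the per-entry weights decide how strict the DNS check really is once the action is set to enforce.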
In principle, these checks will be more than enough for Postscreen to cut off the bulk of spam bots from the server and significantly reduce the load on your mail server. At the same time, real people will receive a message that their letter was not delivered, which greatly reduces the risk of losing important mail because of the Postscreen settings. Should this happen, you can add the trusted sender to the Postscreen whitelist. To create Postscreen whitelists and blacklists, you must first create the file /opt/zimbra/conf/postfix/postscreen_wblist.
In it we add the list of permitted and prohibited IP addresses and subnets in Postfix CIDR table format. For example, we block the subnet 121.144.169.* but allow a connection from a single IP address in that subnet:
# Rules are evaluated in order.
# Blacklist 121.144.169.* except 121.144.169.196.
121.144.169.196/32 permit
121.144.169.0/24 reject
Note the importance of the order of the records. Postscreen scans the white and black list file only until the first match, so if the blocked subnet came before the permitted IP address, the check would simply never reach the record that whitelists that IP address and the connection to the server would not happen.
After the white and black list file has been edited and saved, you can enable the corresponding check with the following commands:
zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/conf/postfix/postscreen_wblist"
zmprov mcf zimbraMtaPostscreenBlacklistAction enforce
Now, in addition to the checks we have already configured, Postscreen will also consult the white and black list file, which lets the administrator easily resolve cases where trusted senders are unable to connect to the server.
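The following added example (not code from the article or from Zimbra/Postfix) models the access list "permit_mynetworks, cidr:/opt/zimbra/conf/postfix/postscreen_wblist" from above: trusted networks are permitted first, then the CIDR table is scanned until the first match, and a client matching nothing falls through to the remaining Postscreen checks. It embeds the article's two-line table as written and the same two rules with the order swapped, so the shadowing that the text warns about can be observed directly. The MYNETWORKS list is a constructed example value.

```python
import ipaddress


def parse_cidr_table(text):
    """Parse a Postfix cidr: table ('network action' per line, '#' comments,
    blank lines ignored) into an ordered list of (network, action)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip().lower()))
    return rules


def first_match(rules, client_ip):
    """Return the action of the first rule whose network contains client_ip, else None.
    Later rules for the same address are never consulted."""
    ip = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if ip.version == network.version and ip in network:
            return action
    return None


def postscreen_access_decision(mynetworks, table_text, client_ip):
    """Model 'permit_mynetworks, cidr:<file>': trusted networks win outright,
    then the table decides, and 'dunno' means continue with the other checks."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks):
        return "permit"
    return first_match(parse_cidr_table(table_text), client_ip) or "dunno"


# The article's table, as written: the /32 permit comes before the /24 reject.
CORRECT_ORDER = """\
# Rules are evaluated in order.
# Blacklist 121.144.169.* except 121.144.169.196.
121.144.169.196/32 permit
121.144.169.0/24 reject
"""

# The same two rules with the order swapped: the /24 reject now shadows the /32 permit.
SWAPPED_ORDER = """\
121.144.169.0/24 reject
121.144.169.196/32 permit
"""

# Constructed trusted networks standing in for Postfix's mynetworks.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]


if __name__ == "__main__":
    for label, table in (("correct order", CORRECT_ORDER), ("swapped order", SWAPPED_ORDER)):
        for ip in ("121.144.169.196", "121.144.169.50", "192.0.2.10", "203.0.113.9"):
            print(f"{label}: {ip} -> {postscreen_access_decision(MYNETWORKS, table, ip)}")
```

With the rules in the article's order, 121.144.169.196 is permitted and the rest of the /24 is rejected; with the order swapped, the same address is rejected because the /24 rule matches first and the whitelist entry is never reached.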