Sunday, December 13, 2015

SPF check with Zimbra

 !!! This was a step-by-step guide for Zimbra 8.x.x on Ubuntu 12.04 and is definitely outdated. !!!

Spoofing is one of the real headaches for email server administrators, especially when scam/spam artists send email from your own domain. The best way to stop this is to implement an SPF check on your server and add a TXT record for the domain on the name servers. Most of the email servers I work with use Zimbra Collaboration Suite, which uses a modified version of Postfix as the MTA. Even though Zimbra has a way to implement SPF using cbpolicyd, I could not find decent documentation or forum entries with enough details. I had to go through 5-6 different documents before I got SPF to work successfully on Zimbra.

Here you can find a step-by-step guide on how to implement the SPF check on Zimbra servers. Tested on Zimbra 8.0.7 on Ubuntu 12.04.

Activate SPF-CHECK on Zimbra to minimize Spoofing

1) zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

2) zmlocalconfig -e postfix_enable_smtpd_policyd=yes

3) zmprov mcf +zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"

4) zmlocalconfig -e cbpolicyd_log_level=4

5) zmlocalconfig -e cbpolicyd_module_checkspf=1

6) In /opt/zimbra/backup create the file group.sql with the following content:

BEGIN TRANSACTION;
INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');
-- PolicyID 6 must be the ID that the policy row inserted above received.
INSERT INTO "policy_members" (PolicyID,Source,Destination) VALUES(6, 'any', 'any');
COMMIT;

7) sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /opt/zimbra/backup/group.sql

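8) In /opt/zimbra/backup/ create the file spf.sql with the following content:

BEGIN TRANSACTION;
-- Attach the SPF check to policy 6: evaluate SPF, reject failures, add an SPF header.
INSERT INTO "checkspf" (PolicyID,Name,UseSPF,RejectFailedSPF,AddSPFHeader,Comment,Disabled) VALUES (6,'SPF Policy',1,1,1,'Zimbra CheckSPF Policy',0);
COMMIT;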

9) sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /opt/zimbra/backup/spf.sql

10) Add the following lines at the top of the /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf file if antivirus is disabled:

permit_sasl_authenticated
permit_mynetworks

If antivirus/antispam is enabled, cut the topmost line from /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and paste it as the last line of the file. The line should look like this:

%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%

11) Cut the topmost line of /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and paste it as the third line from the bottom. The line is:

%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%


12) zmcontrol restart
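The SQL in steps 6 to 9 hard-codes PolicyID 6, which only links the SPF check to the new policy if that policy row actually received ID 6. The following check is an added example, not part of the original post: it looks the policy up by name and confirms that the policy_members and checkspf rows point at it. The in-memory database, its simplified schema, the auto-increment ID column and the function names are assumptions made for the example.

```python
import sqlite3

POLICY_NAME = "Zimbra CBPolicyd Policies"  # policy name from group.sql on this page

def build_sample_db(preexisting):
    """Constructed in-memory stand-in for cbpolicyd.sqlitedb; schema is assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE policies (ID INTEGER PRIMARY KEY AUTOINCREMENT,
            Name TEXT, Priority INTEGER, Description TEXT);
        CREATE TABLE policy_members (PolicyID INTEGER, Source TEXT, Destination TEXT);
        CREATE TABLE checkspf (PolicyID INTEGER, Name TEXT, UseSPF INTEGER,
            RejectFailedSPF INTEGER, AddSPFHeader INTEGER, Comment TEXT, Disabled INTEGER);
    """)
    for i in range(preexisting):  # policies that existed before step 6
        db.execute("INSERT INTO policies (Name,Priority,Description) "
                   "VALUES (?,0,'constructed')", (f"sample-{i}",))
    # Statements from group.sql and spf.sql, PolicyID 6 hard-coded as on the page.
    db.executescript("""
        INSERT INTO policies (Name,Priority,Description)
            VALUES ('Zimbra CBPolicyd Policies',0,'Zimbra CBPolicyd Policies');
        INSERT INTO policy_members (PolicyID,Source,Destination) VALUES (6,'any','any');
        INSERT INTO checkspf (PolicyID,Name,UseSPF,RejectFailedSPF,AddSPFHeader,
            Comment,Disabled) VALUES (6,'SPF Policy',1,1,1,'Zimbra CheckSPF Policy',0);
    """)
    return db

def check_spf_policy(db):
    """Return a list of problems; an empty list means the rows line up."""
    row = db.execute("SELECT ID FROM policies WHERE Name = ?",
                     (POLICY_NAME,)).fetchone()
    if row is None:
        return ["policy row missing"]
    pid, problems = row[0], []
    members = db.execute("SELECT Source, Destination FROM policy_members "
                         "WHERE PolicyID = ?", (pid,)).fetchall()
    if ("any", "any") not in members:
        problems.append(f"policy {pid}: no any/any member row")
    spf = db.execute("SELECT UseSPF, RejectFailedSPF, Disabled FROM checkspf "
                     "WHERE PolicyID = ?", (pid,)).fetchone()
    if spf is None:
        problems.append(f"policy {pid}: no checkspf row")
    elif spf != (1, 1, 0):
        problems.append(f"policy {pid}: SPF not enforced {spf}")
    return problems

if __name__ == "__main__":
    for n in (5, 3):
        print(n, "earlier policies ->", check_spf_policy(build_sample_db(n)) or "OK")
```

To run the same check on a server, pass a connection to /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb to check_spf_policy; that the real policies table exposes an ID column is an assumption here.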