!!! This was a step by step for Zimbra 8.x.x on Ubuntu 12.04 and is definitely outdated. !!!
Spoofing is one of the real headaches for email server administrators, especially when scam/spam artists send email from your own domain. The best way to stop this is to implement an SPF check on your server and add a TXT record for the domain in the name servers. Most of the email servers I work with use Zimbra Collaboration Suite, which uses a modified version of Postfix as the MTA. Even though Zimbra has a way to implement SPF using cbpolicyd, I could not find decent documentation or forum entries with enough details. I had to go through 5-6 different documents before I got SPF to work successfully on Zimbra.
Here you can find a step-by-step guide on how to implement an SPF check on Zimbra servers. Tested on Zimbra 8.0.7 on Ubuntu 12.04.
Activate SPF-CHECK on Zimbra to minimize Spoofing
1)
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
2)
zmlocalconfig -e postfix_enable_smtpd_policyd=yes
3)
zmprov mcf +zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"
4)
zmlocalconfig -e cbpolicyd_log_level=4
5)
zmlocalconfig -e cbpolicyd_module_checkspf=1
6)
In /opt/zimbra/backup create the file group.sql with the following content:
BEGIN TRANSACTION;
INSERT INTO "policies" (Name,Priority,Description)
VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');
INSERT INTO "policy_members" (PolicyID,Source,Destination)
VALUES(6, 'any', 'any');
COMMIT;
7)
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /opt/zimbra/backup/group.sql
8)
In /opt/zimbra/backup/ create the file spf.sql with the following content:
BEGIN TRANSACTION;
-- PolicyID 6 must be the ID of the policy inserted by group.sql
INSERT INTO "checkspf"
(PolicyID,Name,UseSPF,RejectFailedSPF,AddSPFHeader,Comment,Disabled)
VALUES (6,'SPF Policy',1,1,1,'Zimbra CheckSPF Policy',0);
COMMIT;
9)
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /opt/zimbra/backup/spf.sql
10)
Add the following lines at the top of the /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf file if antivirus is disabled:
permit_sasl_authenticated
permit_mynetworks
If antivirus/antispam is enabled, cut the topmost line from /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and paste it as the last line of the file. The line should look like this:
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
11)
Cut the topmost line of /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and paste it as the third line from the bottom.
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
12)
zmcontrol restart
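The SQL in steps 6 and 8 hard-codes PolicyID 6, so SPF rejection only takes effect if the policy inserted by group.sql really received ID 6. The following check is an added example, not part of the original post or of Zimbra: it replays the page's SQL against a constructed in-memory database and reports when the membership or checkspf rows do not point at the new policy. The table layout (in particular the auto-increment ID column) and the helper names build_db and audit_spf_policy are assumptions.

```python
import sqlite3

# Assumed minimal schema: column names are taken from the INSERTs in steps 6
# and 8; the auto-increment "ID" key on each table is an assumption.
SCHEMA = """
CREATE TABLE policies (ID INTEGER PRIMARY KEY AUTOINCREMENT,
    Name TEXT, Priority INTEGER, Description TEXT);
CREATE TABLE policy_members (ID INTEGER PRIMARY KEY AUTOINCREMENT,
    PolicyID INTEGER, Source TEXT, Destination TEXT);
CREATE TABLE checkspf (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID INTEGER, Name TEXT,
    UseSPF INTEGER, RejectFailedSPF INTEGER, AddSPFHeader INTEGER, Comment TEXT, Disabled INTEGER);
"""
# group.sql and spf.sql from steps 6 and 8, with the hard-coded PolicyID 6.
PAGE_SQL = """
BEGIN TRANSACTION;
INSERT INTO policies (Name,Priority,Description)
  VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');
INSERT INTO policy_members (PolicyID,Source,Destination) VALUES(6, 'any', 'any');
INSERT INTO checkspf (PolicyID,Name,UseSPF,RejectFailedSPF,AddSPFHeader,Comment,Disabled)
  VALUES (6,'SPF Policy',1,1,1,'Zimbra CheckSPF Policy',0);
COMMIT;
"""

def build_db(existing_policies):
    """Constructed in-memory database with N policies already present."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO policies (Name, Priority) VALUES (?, 0)",
                     [(f"preexisting-{i}",) for i in range(existing_policies)])
    conn.commit()
    conn.executescript(PAGE_SQL)
    return conn

def audit_spf_policy(conn, policy_name="Zimbra CBPolicyd Policies"):
    """Return a list of problems; an empty list means SPF rejection is wired up."""
    ids = [r[0] for r in conn.execute(
        "SELECT ID FROM policies WHERE Name = ?", (policy_name,))]
    problems = [] if ids else [f"no policy named {policy_name!r}"]
    for pid in ids:
        members = conn.execute("SELECT COUNT(*) FROM policy_members "
                               "WHERE PolicyID = ?", (pid,)).fetchone()[0]
        spf = conn.execute("SELECT UseSPF, RejectFailedSPF, Disabled FROM checkspf "
                           "WHERE PolicyID = ?", (pid,)).fetchall()
        if members == 0:
            problems.append(f"policy {pid}: no policy_members row")
        if (1, 1, 0) not in spf:  # needs UseSPF=1, RejectFailedSPF=1, Disabled=0
            problems.append(f"policy {pid}: no enabled checkspf row rejecting SPF failures")
    return problems
```

To audit a real server after step 9, pass sqlite3.connect("/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb") to audit_spf_policy instead of a database from build_db.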