
Showing posts from April, 2020

Zimbra DKIM (DomainKeys Identified Mail) in Zimbra

Zimbra DKIM (DomainKeys Identified Mail) involves:
1. The private key, used by the sending mail server to insert the signature header into email.
2. The public key, published in public DNS.

Step 1: Configure Zimbra DKIM

To add DKIM data to a domain that has no existing DKIM:

    /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

The output is as below:

    DKIM Data added to LDAP for domain example.com with selector 0E9F133A-9577-11E1-AD0E-2A2FBBAC6BCB
    Public key to enter into DNS:
    0E9F133A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCXXXSSFWwfdfdfEEAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ /4GSWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F133A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com

After the key is created, update DNS with a TXT record containing the public key above.

How to update Zimbra DKIM data for a domain:

    /opt/zimbra/libexec/zmdkimkeyutil -u -d example.com

How to retrie...

Zimbra duplicate emails issue

# To find the current value
zmprov gcf zimbraMessageIdDedupeCacheSize

# The output looks like the following
zimbraMessageIdDedupeCacheSize: 3000

# Modify the value and restart the Zimbra mailbox service
zmprov mcf zimbraMessageIdDedupeCacheSize 0
zmmailboxdctl restart

Smokeping Installation in UBUNTU 16.04.4 LTS

Installation Environment

Virtual Machine (VM Virtualbox / VMWARE)
HDD - 20 GB
RAM - 4 GB
Network Mode - Bridge
UBUNTU - 16.04.4 LTS
IP address - Static / Dynamic
Hostname - www.example.com

Smokeping Installation Steps:

Install a fresh Ubuntu OS (16.04.4) in the VM.
Set hostname as per convenience. (I used www.example.com)
Update and upgrade existing packages.
Install packages and dependencies for smokeping as shown below:

    root@www:/home/bolcorp# apt install smokeping -y

We need to modify some configuration as shown below:

    root@www:/home/bolcorp# vim /etc/smokeping/config.d/pathnames

    #sendmail = /usr/sbin/sendmail
    imgcache = /var/cache/smokeping/images
    imgurl   = ../smokeping/images
    datadir  = /var/lib/smokeping
    piddir  = /var/run/smokeping
    smokemail = /etc/smokeping/smokemail
    tmail = /etc/smokeping/tmail

    root@www:/home/bolcorp# vim /etc/smokeping/config.d/General

    *** General ***
    owner = Sharif
    contact...

Postfix only allow whitelisted Recipient Domain

Step 1: Add the line below to the main.cf file

    smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_domains, reject

Note: Warning: with "/etc/postfix/recipient_domains, reject", email is accepted only for the domains listed in recipient_domains, and every domain not in the whitelist is REJECTED.

Step 2: Create the recipient domain whitelist file

    mycompany.com OK
    mail.huuphan.com OK

Note: only the two domains mycompany.com and mail.huuphan.com receive mail.

Step 3: Generate the hash file

    $ sudo postmap /etc/postfix/recipient_domains

Step 4: Restart the postfix service

    $ sudo /etc/init.d/postfix restart

Now try sending an email to another domain that is not in the whitelist. You will find an error like the one below:

    NOQUEUE: reject: RCPT from …: 554 5.7.1 <HuuPV@gmail.com>: Recipient address rejected: Access denied

Zimbra Client host rejected Access denied

Zimbra client host rejected Access denied error log:

    Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: NOQUEUE: reject: CONNECT from unknown[192.168.1.113]: 554 5.7.1 <unknown[192.168.1.113]>: Client host rejected: Access denied; proto=SMTP
    Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: lost connection after CONNECT from unknown[192.168.1.113]
    Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: disconnect from unknown[192.168.1.113]

Allow the client host network "192.168.1.0/24" in the zimbraMtaMyNetworks attribute:

    [zimbra@mail ~]$ zmprov ms `zmhostname` zimbraMtaMyNetworks "127.0.0.0/8 192.168.1.0/24 [::1]/128 [fe80::]/64"

Change "smtpd_client_restrictions" and "smtpd_relay_restrictions" with the content below:

    [zimbra@mail ~]$ /opt/zimbra/postfix/conf/master.cf.in

Edit the master.cf.in file with the content below:

    %%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
    -o smtpd_etrn_restricti...

Zimbra Enable PTR/Reverse DNS lookup Incoming Email

A reverse DNS lookup or reverse DNS resolution (rDNS) is the querying of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name.

Step 1: Enable zimbraMtaRestriction with the command below

    su - zimbra
    zmprov mcf +zimbraMtaRestriction "reject_unknown_client_hostname"

Step 2: Reload Zimbra postfix

    postfix reload

List top sender address emails in zimbra

How to list the top sender email addresses in Zimbra from the command line. On the Zimbra MTA I will run a command to list the top 6 sender email addresses. The command is as below:

    $ cat /var/log/zimbra.log | awk -F 'from=<' '{print $2}' | awk -F'>' '{print $1}' | sed '/^$/d' | sort | uniq -c | sort -nk1 -r | sed -n '1,6p'

Note:
sed '/^$/d' : deletes only blank lines.
sed -n '1,6p' : prints lines 1 to 6.
awk -F 'from=<' '{print $2}' | awk -F'>' '{print $1}' : prints the sender email address.
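
A more selective variant of the pipeline above, as an added example that is not part of the original post: it counts only Postfix qmgr lines, so smtpd reject lines that also carry from=< are not counted, folds address case, and keeps the null sender <> instead of dropping it. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage on a real server: top_senders /var/log/zimbra.log 6

# make_sample_log: write constructed sample log lines to a temp file
# and print the path of that file.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Apr 10 09:00:01 mail postfix/qmgr[2101]: 1A2B3C: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
Apr 10 09:00:02 mail postfix/qmgr[2101]: 1A2B3D: from=<Alice@example.com>, size=900, nrcpt=1 (queue active)
Apr 10 09:00:03 mail postfix/smtpd[2200]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <x@example.net>: Recipient address rejected: Access denied; from=<alice@example.com> to=<x@example.net> proto=ESMTP
Apr 10 09:00:04 mail postfix/qmgr[2101]: 1A2B3E: from=<bob@example.com>, size=800, nrcpt=2 (queue active)
Apr 10 09:00:05 mail postfix/qmgr[2101]: 1A2B3F: from=<alice@example.com>, size=700, nrcpt=1 (queue active)
Apr 10 09:00:06 mail postfix/qmgr[2101]: 1A2B40: from=<>, size=3000, nrcpt=1 (queue active)
Apr 10 09:00:07 mail postfix/qmgr[2101]: 1A2B3C: removed
EOF
    printf '%s\n' "$f"
}

# top_senders FILE [N]: print "count sender" for the N busiest envelope
# senders (default 6), highest count first.
top_senders() {
    log=$1
    n=${2:-6}
    awk '
        # Only qmgr lines: one "from=<...>, size=..., nrcpt=..." per queued message.
        /postfix\/qmgr\[/ && match($0, /from=<[^>]*>/) {
            # Strip the leading "from=<" (6 chars) and the trailing ">".
            addr = substr($0, RSTART + 6, RLENGTH - 7)
            if (addr == "") addr = "<>"      # null sender, used by bounces
            count[tolower(addr)]++
        }
        END { for (a in count) print count[a], a }
    ' "$log" | LC_ALL=C sort -k1,1nr -k2,2 | head -n "$n"
}
```

On the constructed sample this reports alice@example.com with 3 messages; the original pipeline would report 4, because it also counts the rejected attempt logged by smtpd.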

Blacklist Email Based on Body Email (Zimbra)

# Open file salocal.cf.in

    vi /opt/zimbra/conf/salocal.cf.in

Add the following lines at the bottom:

    body     LOCAL_RULE1     /Your email has/i
    score    LOCAL_RULE1     40.0
    body     LOCAL_RULE2     /System Administrator/i
    score    LOCAL_RULE2     40.0

Note : LOCAL_RULE1/2 are rules/ACLs that match “your email has” and “system administrator”, and “score 40.0” is the value given if the email body meets the rule in the ACL. If you want to blacklist other words in the email body, you must create another ACL name.

# Save and restart the Amavis service

    zmamavisdctl restart

Please try sending an email whose body contains “your email has” or “system administrator” and check your zimbra.log:

    Feb 12 12:40:44 mail amavis[26679]: (26679-01) Blocked SPAM {DiscardedInbound}, [209.85.216.50]:52623 [209.85.216.50] <imanudin.linux@gmail.com> -> <admin@iman...

Blacklist Email Based on Subject (Zimbra)

# Create file blacklist.cf in the spamassassin folder as root

    vi /opt/zimbra/data/spamassassin/rules/blacklist.cf

Fill it with the following example:

    header     SPAM_BANNED     Subject =~ /me new photo/i
    describe   SPAM_BANNED     Subject contains me new photo
    score      SPAM_BANNED     40.0

Note : SPAM_BANNED is the name of the ACL that is created. "me new photo" is the subject to be blacklisted and score 40.0 is the score given if the subject matches the ACL. If you want to blacklist another word/subject, don’t use the same ACL name; create another ACL name.

# Save and give ownership to the Zimbra user and group

    chown zimbra.zimbra /opt/zimbra/data/spamassassin/rules/blacklist.cf
    su - zimbra -c "zmamavisdctl restart"

Please try to send an email with the subject “me new photo” and check the log:

    Feb 12 07:35:18 mail amavis[26021]: (26021-01) Blocked SPAM {DiscardedInternal}, ORIGINATING_POST/MYNETS LOC...

How To Configure Rate Limit Sending Message on PolicyD

Why must we configure a rate limit on sending messages? If a user has a compromised password, a spammer will send email to outside recipients with random email addresses, and a very large number of emails will be sent. Usually the public IP address then gets blacklisted on an RBL and cannot send email to outside. To prevent this, we can use Policyd and configure a rate limit on sending messages with the quotas module of Policyd. The quotas module can limit how many emails a user@domain, or another configured scope, can send per minute or per hour. For example, each user can send a maximum of 200 emails per hour.

How to configure it? This is the step-by-step procedure, assuming you have already installed/enabled Policyd.

Access the Policyd WebUI via browser at http://zimbraserver:7780/webui/index.php. Ensure your Zimbra apache service is running.
Select Policies | Groups. Select action and add a group. Give it the name list_domain. The comment can be left empty or filled in.
Select a group that has been made....

How To Enforce SPF Checking For Incoming Email

Before following this guide, please make sure you’ve configured SPF checking. Once that is done, by default email is rejected only on SPF fail (-). If the result is SPF none or SPF soft fail, the email passes and is given some score. If you want to block senders that have no SPF or get a soft fail, you can replace the CheckSPF module on PolicyD with this one.

# On Zimbra 8.5/8.6

    cd /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules
    mv CheckSPF.pm CheckSPF.pm-backup
    wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm

# On Zimbra 8.7.x

    cd /opt/zimbra/common/lib/policyd-2.1/cbp/modules
    mv CheckSPF.pm CheckSPF.pm-backup
    wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm

The following is an example of receiving email from a domain that has no SPF or gets an SPF soft fail:

    Mar 23 16:15:22 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.xx.xxx.xxx]: 554 5.7.1 <admin@example.com>: ...

How To Enable SPF Checking for Incoming Connection

The following is the step-by-step procedure to enable SPF checking for incoming connections. You need to enable cbpolicyd. After enabling policyd, please open the policyd webui (http://IPZIMBRA:7780/webui/index.php) and create some groups, a policy and SPF.

# Create Groups

Select Policies | Groups. Select action and add a group. Give it the name list_domain. The comment can be left empty or filled in. Select a group that has been made. On action, select members and fill in your domain. See the following example. Make sure the disabled status is no on groups and on group members.

# Create Policy

Select Policies | Main. Add a new policy and give it a name or information like the following picture. Then submit the query, select the new policy that has been made and select members on action. Add a member and fill in source/destination with the group that has been made. See the following example. The above configuration only checks SPF if the email connection comes from an external domain (Gmail, Yahoo and...

How To Install PolicyD on Zimbra 8.5

What is Policyd? Policyd is an anti-spam plugin. Policyd has modules such as quotas, access control, SPF check, greylisting and others. Zimbra Collaboration Suite is an email server that uses Postfix as the engine for its MTA. By default, policyd has been bundled with Zimbra since Zimbra version 7.

Why must we use Policyd? Policyd has a quotas module. This module can be used to limit sending/receiving email, for example to allow sending/receiving only 200 emails/hour/user. If your email server is attacked by spam, or some users' passwords are compromised and used by a spammer, at most 200 emails per hour can be sent. This policy will keep your public IP safe from being blacklisted on an RBL. Besides, you can check which user is sending a large number of emails.

How To Install Policyd on Zimbra 8.5? This guide is the step-by-step procedure to install policyd on Zimbra 8.5 and later.

# Activate Policyd

    su - zimbra
    zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd ...

Relay Tips Based on User/Domain Sender on Zimbra 8.5-8.6

You can have many domains in one Zimbra server. I have a condition where either domain cannot send to some domains. For example, I have 2 domains in the Zimbra server, domain1.com and domain2.com. domain1.com can send email to domain3.com but domain2.com cannot send email to domain3.com, whereas domain1.com and domain2.com are in one Zimbra server. It is rather strange indeed. To be able to send to domain3.com from domain2.com, I decided to relay every email sent from domain2.com. To do that, I follow this guide.

# Add the following configuration in /opt/zimbra/postfix/conf/main.cf

    sender_dependent_relayhost_maps = lmdb:/opt/zimbra/postfix/conf/bysender

# Create the file above and add the users/domains that should be relayed

    vi /opt/zimbra/postfix/conf/bysender

Fill it as in the following example:

    @domain2.com           [relay.example.com]
    user1@domain1.com      [relay.example.com]

configuration a...

Relay Tips Based on User/Domain Receiver on Zimbra 8.5-

I have a condition where my customers cannot send email to some domains directly. I advised them to use a relay for all external delivery, but they do not want all external delivery to use the relay, for security reasons. They want only some recipient domains to use the relay. Okay, because they are using Zimbra 8.5/8.6, I can relay for some domains only.

# Create a transport for the recipient domains that should be relayed

    su - zimbra
    vi /opt/zimbra/postfix/conf/transportfile

Fill it with the following example:

    domain1.com       :[relay.example.com]
    domain2.com       :[relay.example.com]
    user1@domain3.com :[relay.example.com]

In the above example, every email sent to domain1.com and domain2.com or user1@domain3.com will be relayed to relay.example.com. If your relay server uses a port such as 465, 587 or another port, you can change it like this: [relay.example.com]:587

# Postmap Transport

    postmap /opt/zimbra/postfix/conf...

Script Notify Expired Password on Zimbra

When using a password policy on Zimbra, like minimum password age and maximum password age, users will not get a notification when their password expires. I want users to get a notification when their password comes near to expiry. I was looking for that feature and finally got a script that can do that. The script can be found on the Wuxmedia GitHub at this link: https://github.com/wuxmedia/Zimbra_passpoll/blob/master/passpoll.sh I am using this script with some modifications to adjust it to my Zimbra environment.

# Download script

    cd /srv/
    wget -c https://raw.githubusercontent.com/imanudin11/script/master/cek-expire-password-zimbra.sh
    chmod +x cek-expire-password-zimbra.sh
    bash cek-expire-password-zimbra.sh

Note : The script has a policy of 90 days for password expiry. Please change and adjust it to your environment. The following is an example of when users have a password policy and their password comes near to expiry.

Ref: https://imanudin.net/2017/02/04/script-notify-expired-passwor...

How To Check SMTP Outgoing Already Use Encryption/TLS Connection

There are many ways to secure email delivery. One of them is to use a TLS/encrypted connection when sending email. The encrypted connection makes the connection between email servers more secure. This guide explains step by step how to check whether outgoing SMTP already uses encryption or not.

# Checking Header

Please try to send an email to Gmail or Yahoo and check the email header. The following is an example email header at Gmail.

    Return-Path: <xxxxx@xxxxxxxxx>
    Received: from xxxxxx.excellent.co.id (xxxxxxx.xxxxxxxx.xxx. [139.xxx.xxx.xxx])
        by mx.google.com with ESMTPS id h85si6267366oib.24.2016.02.12.18.05.28
        for <xxxxxxxxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 12 Feb 2016 18:05:29 -0800 (PST)

In the header, we get the information version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128. It means your outgoing SMTP already uses an encrypted/TLS connection.

# Checking Show details on Gmail

If you see encryption: Stan...

Restricting Users to Send mails to Certain Domains on Zimbra 8.5

1. Open file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the top:

    check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders

2. Open file /opt/zimbra/conf/zmconfigd.cf and add these lines before RESTART mta. This is an example on my system:

    POSTCONF    smtpd_restriction_classes  local_only
    POSTCONF    local_only  FILE  postfix_check_recipient_access.cf
    RESTART mta

3. Create a file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line:

    check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject

4. Create a file “/opt/zimbra/postfix/conf/restricted_senders” and list all the users whom you want to restrict. Follow this syntax:

    user@yourdomain.com            local_only

5. Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains to which “restricted users” are allowed to send mail. Please follow this syntax: ...

Block user to send email locally or externally

Step 1: Open file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add the line below at the top.

    %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/common/conf/restricted_senders%%

Then execute:

    zmprov ms `zmhostname` +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/restricted_senders"

Step 2: Open file /opt/zimbra/conf/zmconfigd.cf and add the lines below before "RESTART mta".

    POSTCONF    smtpd_restriction_classes  local_only
    POSTCONF    local_only  FILE  postfix_check_recipient_access.cf

Note: The section looks like the following:

    SECTION mta DEPENDS amavis
    -----------
    -----------
    -----------
    RESTART mta

Step 3: Create a file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line.

    check_recipient_access lmdb:/opt/zimbra/common/conf/local_domains, reject

Step 4: Create a file /opt/zimbra/common/conf/restricted_senders ...

How to check or change Notifications mail account on Zimbra

MTA notifications: For any general SMTP-related notification, check:

    $ zmlocalconfig smtp_destination

and if it is wrong, please change it via:

    $ zmlocalconfig -e smtp_destination=admin@domain.com

How to remove DNSCACHE from zimbra services

If you get a prompt stating something like “Port conflict detected: 53 (zimbra-dnscache)” with a prompt to hit ENTER to continue, you can just hit enter and let the installation/upgrade run to completion. Once everything is running, you will see that the Zimbra DnsCache service is in a stopped state. To fix this error, all you have to do is:

    $ zmcontrol status
    $ zmprov ms `zmhostname` -zimbraServiceEnabled dnscache
    $ zmprov ms `zmhostname` -zimbraServiceInstalled dnscache
    $ zmcontrol status

You will see that the service is removed from Zimbra’s services.

REF: https://dilliganesh.wordpress.com/2018/08/13/how-to-remove-dnscache-from-zimbra-services/

How to Lock and Unlock Zimbra Accounts from Command Line

To lock the account:

    # su zimbra
    $ zmprov ma user@domain.com zimbraAccountStatus lock

Note : When a mailbox status is locked, the login is disabled until you unlock the account but mail is still delivered.

To unlock the account:

    # su zimbra
    $ zmprov ma user@domain.com zimbraAccountStatus active

To lock out the account:

    # su zimbra
    $ zmprov ma user@domain.com zimbraAccountStatus lockout

Note : Users who try to log in and have forgotten their password are temporarily locked out after a specified number of consecutive failed login attempts.

To close the account:

    # su zimbra
    $ zmprov ma user@domain.com zimbraAccountStatus closed

Note : When a mailbox status is closed, the login is disabled. This status is used to soft-delete an account. The account exists until you delete it.

Maintenance: When a mailbox status is maintenance, login is disabled and mail addressed to the account is queued at the MTA.

How to Change hostname on zimbra

Step 1: Stop all Zimbra services.

    # su zimbra
    # zmcontrol stop

Step 2: Execute the command below with the new hostname.

    # /opt/zimbra/libexec/zmsetservername -n newhostname (mail.server.lan)

Step 3: Then start the Zimbra service.

    # zmcontrol start

REF: https://dilliganesh.wordpress.com/category/zimbra/

CISCO FLEX Configuration (L2 Failover)

Default Configuration

The Flex Links are not configured, and there are no backup interfaces defined.
The preemption mode is OFF.
The preemption delay is 35 seconds.
The MAC address-table move update feature is not configured on the switch.

Restrictions for Flex Links

 • You can configure only one Flex Links backup link for any active link, and it must be a different interface from the active interface.
 • An interface can belong to only one Flex Links pair. An interface can be a backup link for only one active link. An active link cannot belong to another Flex Links pair.
 • Neither of the links can be a port that belongs to an EtherChannel. However, you can configure two port channels (EtherChannel logical interfaces) as Flex Links, and you can configure a port channel and a physical interface as Flex Links, with either the port channel or the physical interface as the active link.
 • A backup link does not have to be the same t...