Running an email server is a constant battle against spammers and hackers. I’ve enabled many settings and installed several tools to help prevent these attacks on Zimbra servers I administer. I’m documenting them here so I don’t forget!
Some Local Configs
Also, in the Zimbra admin, under “Global Settings”, I have “reject_non_fqdn_sender” and “reject_unknown_sender_domain” enabled. I also use the b.barracudacentral.org RBL.
Enabling policyd for Throttling
Let’s enable policyd through Zimbra’s handy provisioning:
Wait a few minutes for provisioning to finish. After that, we want to enable the Web UI. This must be done as root:
After that, edit the ./webui/includes/config.php. Comment out anything that’s not commented out and then make this the only active line:
If you don’t use spellcheck, httpd (Zimbra’s Apache) may be down. Start it with `zmapachectl start` as the zimbra user. Then you should be able to navigate to https://hostname:7780/webui/index.php. You’ll want to secure this interface, or stop Apache again once you’re finished configuring it.
Policyd Configuration for Throttling
I’m still adjusting my configuration, but to get a basic throttling setup going, I did the following:
- In Policies>Main, I disabled all policies except “Default System Policy” and “Default Outbound System Policy”
- For the “Default Outbound System Policy”, I modified the Members to make a Source of %internal_ips and Destination of any.
- In Policies>Groups, edit the Members of the internal_ips group and enter your subnet as the only member.
- In Quotas>Configure, I set up two quotas, one for Sender:user@domain and one for SASLUsername. Both of mine are configured to dump excess email into the Hold queue. Once those are set up, set the limit for each one. Everything you create defaults to disabled and must be edited to enable it.
- Monitor your hold queue very closely. I provided a script at /blog/2014/07/02/zimbra-abuse-alerts/ that I’m using.
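Since the quotas above divert excess mail into the Hold queue, the hold queue itself becomes the alarm bell for a compromised account. The script below is an added example (not the script linked above and not part of the original post): it summarises `postqueue -p` output per sender, counting only messages whose queue ID carries the `!` hold marker, and signals when any sender exceeds a limit. The queue listing embedded here is constructed to match postqueue’s layout; the queue IDs, addresses and the threshold of 2 are invented for the demonstration.

```shell
#!/bin/sh
# Added example: summarise Postfix's hold queue from `postqueue -p` output.
# The sample listing below is constructed; IDs and addresses are made up.
# In postqueue output a queue ID suffixed with '!' is on hold, '*' is active.

SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
0A1B2C3D4E!     2345 Wed Jul  2 10:00:00  alice@example.com
                                         target1@example.org
1F2E3D4C5B!     2345 Wed Jul  2 10:00:05  alice@example.com
                                         target2@example.org
2A2B2C2D2E*     1200 Wed Jul  2 10:01:00  bob@example.com
                                         friend@example.net
3C3D3E3F3A!     9876 Wed Jul  2 10:02:00  alice@example.com
                                         target3@example.org

-- 15 Kbytes in 4 Requests.'

# Read a postqueue listing on stdin; print "count sender" for every sender
# that has at least one held message, most prolific sender first.
# Only the queue-ID line carries the sender (last field); recipient lines are
# indented and their first field is an address, so they never match.
held_by_sender() {
    awk '$1 ~ /^[0-9A-F]+!$/ { count[$NF]++ }
         END { for (s in count) print count[s], s }' | sort -rn
}

# Read a postqueue listing on stdin; exit 0 (and list offenders) if any sender
# has more than $1 held messages, exit 1 otherwise. Suitable for cron:
#   postqueue -p | alert_if_over 2 && mail -s "hold queue alert" admin@example.com
alert_if_over() {
    limit="$1"
    held_by_sender | awk -v limit="$limit" '
        $1 > limit { print; found = 1 }
        END { if (found) exit 0; else exit 1 }'
}

# Stand-alone demonstration against the constructed sample listing.
printf '%s\n' "$SAMPLE_QUEUE" | held_by_sender
```

Running it against a live server is a matter of replacing the sample with `postqueue -p` (run as the zimbra user, which owns the Postfix instance). The per-sender grouping is deliberate: a single user with dozens of held messages is the signature of a stolen password, while a handful of holds spread across many users usually means the quota is simply too tight.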