Spamming Issue
Outgoing spamming issue
Problem
1: IP blacklisted
2: Not able to send email because of the accumulated deferred queue.
Solution
Identify the compromised accounts. The following command counts how many messages each SASL-authenticated account submitted; an account with an unexpectedly high count has probably had its password compromised.
cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -nr
Reset the password of the probable users (the top 4 by count) and restart the MTA service with the following commands.
su - zimbra
zmmtactl restart
To minimize mail sent from non-authenticated users you can enforce that the From address matches the authenticated SASL username; the following wiki page explains how.
https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5
Then restart the mailbox service on the mailbox server.
su - zimbra
zmmailboxdctl restart
Please also make sure that zimbraMtaMyNetworks contains only the IPs of the servers themselves, not whole networks you are not sure you want to allow, because no restriction policy applies to an IP listed in mynetworks. You can see the current value with the following command.
su - zimbra
zmprov gs serverName zimbraMtaMyNetworks
Incoming spamming
Problem
Not able to send or receive email; deferred email in the queue.
Solution
Check whether the queue is flooded with email:
/opt/zimbra/libexec/zmqstat
hold=2054
corrupt=0
deferred=2
active=20000
incoming=37593
With the following command you can check how many connections each IP made:
cat /var/log/zimbra.log | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -nr
439416 xxx.xxx.xxx.xxx
19884 192.168.1.246
11587 192.168.5.1
2723 192.168.5.246
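The two log checks above (messages per sasl_username, and connections per client IP) as one added shell example; this is not from the original page. The log lines are constructed; the sasl_username and client=host[ip] field formats are assumed to match the Postfix smtpd lines found in /var/log/zimbra.log, and the IP count is taken from the client= field only, so addresses appearing elsewhere in a line are not counted as clients.

```shell
#!/bin/sh
# Added example (not from the original page): count SASL-authenticated
# senders and connecting client IPs in a Zimbra/Postfix log and flag
# anything at or above a threshold. The log lines below are constructed.

# Constructed sample of /var/log/zimbra.log postfix/smtpd entries.
SAMPLE_LOG='Jan  1 10:00:01 mail postfix/smtpd[101]: 1A2B3: client=host1.example[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Jan  1 10:00:02 mail postfix/smtpd[101]: 1A2B4: client=host1.example[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Jan  1 10:00:03 mail postfix/smtpd[102]: 1A2B5: client=host2.example[203.0.113.9], sasl_method=PLAIN, sasl_username=bob@example.com
Jan  1 10:00:04 mail postfix/smtpd[101]: 1A2B6: client=host1.example[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Jan  1 10:00:05 mail postfix/smtpd[103]: 1A2B7: client=unknown[192.0.2.55]
Jan  1 10:00:06 mail postfix/smtpd[103]: 1A2B8: client=unknown[192.0.2.55]'

# Authenticated sessions per sasl_username, most frequent first.
# Reads a log on stdin; prints "<count> <user>" per line.
sasl_counts() {
    sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Connections per client IP, taken only from the client=host[ip] field
# (assumed Postfix format) so message IDs and timestamps are never
# mistaken for addresses. Prints "<count> <ip>" per line.
client_ip_counts() {
    sed -n 's/.*client=[^[]*\[\([0-9.]*\)].*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Keep only lines whose count (first field) is at or above the threshold.
above_threshold() {
    awk -v t="$1" '$1 >= t'
}

# Demonstration on the constructed log: accounts and IPs with 2+ hits.
printf '%s\n' "$SAMPLE_LOG" | sasl_counts | above_threshold 2
printf '%s\n' "$SAMPLE_LOG" | client_ip_counts | above_threshold 2
```

On a real server, replace the printf with `cat /var/log/zimbra.log |` and pick a threshold that is well above the normal per-account volume for your site; the thresholds and sample data here are only for illustration.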
Mark that IP for REJECT; the following configuration can help.
su - zimbra
zmprov gacf zimbraMtaRestriction
zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist
zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override
strings /opt/zimbra/conf/postfix_blacklist.lmdb
xxx.xxx.xxx.xxx REJECT
Review whether RBL configuration is in place. If not, immediately add the following RBLs:
zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"
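An added example (not from the original page) of the RBL review step above: it reads `zmprov gacf zimbraMtaRestriction` output, compares the `reject_rbl_client` entries against the three RBLs listed on this page, and prints the exact `zmprov mcf` commands still missing. The gacf output below is constructed; feed the real command's output into the functions on a server.

```shell
#!/bin/sh
# Added example (not from the original page): audit zimbraMtaRestriction
# for the RBLs this page recommends and emit the missing zmprov commands.

# The RBL list from the page.
WANTED_RBLS='zen.spamhaus.org
b.barracudacentral.org
bl.spamcop.net'

# Constructed sample of "zmprov gacf zimbraMtaRestriction" output with only
# one of the three RBLs configured.
SAMPLE_GACF='zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org'

# RBL hostnames currently configured, one per line, from gacf output on stdin.
configured_rbls() {
    sed -n 's/^zimbraMtaRestriction: *reject_rbl_client \([^ ]*\).*/\1/p'
}

# Wanted RBLs that are absent from the configured set (gacf output on stdin).
missing_rbls() {
    have="$(configured_rbls)"
    printf '%s\n' "$WANTED_RBLS" | while read -r rbl; do
        printf '%s\n' "$have" | grep -qxF "$rbl" || printf '%s\n' "$rbl"
    done
}

# Turn the missing list into the zmprov commands used on this page.
rbl_fix_commands() {
    missing_rbls | sed 's/.*/zmprov mcf +zimbraMtaRestriction "reject_rbl_client &"/'
}

# Demonstration on the constructed sample: prints two commands.
printf '%s\n' "$SAMPLE_GACF" | rbl_fix_commands
```

On a live system run `zmprov gacf zimbraMtaRestriction | rbl_fix_commands` as the zimbra user and review the printed commands before executing them; a `zmmtactl restart` is still needed afterwards, as elsewhere on this page.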
Check the queue for all MAILER-DAEMON email so you can put it on the hold queue, then review and delete it later.
/opt/zimbra/postfix/sbin/postqueue -p | head
74A443D43D43* 21733 Wed Month 30 12:29:15 MAILER-DAEMON user1@domain.com
A614D3D43CCF* 21745 Wed Month 30 12:29:43 MAILER-DAEMON user2@domain.com
781443D4364F* 21751 Wed Month 30 12:25:16 MAILER-DAEMON user3@domain.com
5C72C3D44438* 21721 Wed Month 30 12:36:53 MAILER-DAEMON user4@domain.com
With the following command you can put all the MAILER-DAEMON email on hold; check it, or simply delete it.
/opt/zimbra/postfix/sbin/postqueue -p | awk 'BEGIN { RS = "" } { if ($7 == "MAILER-DAEMON" ) print $1 }' | tr -d '!*' | /opt/zimbra/postfix/sbin/postsuper -h -
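The hold step above as an added shell example that is not part of the original page. It matches each queue record's first line directly instead of using paragraph records, so the first message, which in `postqueue -p` output follows the header line without a blank line in between, is not skipped. The queue listing is constructed, the sender to match is a parameter, and `DRY_RUN` defaults to printing the IDs rather than calling postsuper.

```shell
#!/bin/sh
# Added example (not from the original page): select queue IDs whose sender
# is MAILER-DAEMON from "postqueue -p" output and hand them to postsuper -h
# only when DRY_RUN=0. The queue listing below is constructed.

POSTFIX_SBIN=/opt/zimbra/postfix/sbin   # path used on this page

# Constructed "postqueue -p" output: header, three records (the last one
# with a deferral reason line), footer. Status markers * and ! are kept
# as postqueue prints them.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
74A443D43D43*    21733 Wed Jun 30 12:29:15  MAILER-DAEMON
                                         user1@example.com

A614D3D43CCF!    21745 Wed Jun 30 12:29:43  MAILER-DAEMON
                                         user2@example.com

C0FFEE000001*     4021 Wed Jun 30 12:30:00  sender@example.com
(connect to mx.example.net[203.0.113.5]:25: Connection timed out)
                                         user3@example.com

-- 47 Kbytes in 3 Requests.'

# Print the queue IDs (status marker stripped) of records whose sender
# field equals the first argument. Only a record's first line starts with
# a bare queue ID; recipient, reason, header and footer lines do not.
queue_ids_from() {
    awk -v want="$1" '
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $7 == want { sub(/[*!]$/, "", $1); print $1 }'
}

# Hold every bounce message in the listing on stdin. With DRY_RUN=1
# (the default) only print the IDs that would be held.
hold_bounces() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        queue_ids_from MAILER-DAEMON
    else
        queue_ids_from MAILER-DAEMON | "$POSTFIX_SBIN/postsuper" -h -
    fi
}

# Demonstration on the constructed listing: prints the two bounce IDs.
printf '%s\n' "$SAMPLE_QUEUE" | hold_bounces
```

On a server the pipeline is `"$POSTFIX_SBIN/postqueue" -p | DRY_RUN=0 hold_bounces`; run it first with the default dry run and compare the printed IDs against `postqueue -p | head` before holding anything.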
As soon as you put those emails on hold your queue looks like the following, and emails are delivered properly again.
# /opt/zimbra/libexec/zmqstat
hold=43464
corrupt=0
deferred=0
active=0
incoming=0
To improve your anti-spam system you can refer to the following wiki page and implement what fits your needs.
https://wiki.zimbra.com/wiki/Improving_Anti-spam_system