Running your own non-bouncing Zimbra server

Nov 28, 2016, by Origo

Despite having configured SPF, DKIM and DMARC for my email domain, I recently noticed that the mail queue of my Zimbra server was going through the roof with thousands of undelivered and postponed email messages, mostly with sender “mailer-daemon” and some recipient I did not know. If you run a Zimbra server and have this problem, or, perhaps even better, if you don’t have it yet and don’t want to have it, read on.

Prerequisites

A few of us still like to run our own email servers and refuse to admit defeat to the increasing complexity this involves. And it is admittedly getting complicated. I have used Zimbra as my email server platform of choice for many years, mostly without problems. Recent years have of course seen a steady stream of junk email, but also a stream of initiatives designed to combat it at the server and infrastructure level. The technologies that seem to be here to stay are Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Both are based on DNS, more specifically on publishing special records in your email domain’s zone, which allows other email servers to verify that email coming from your server is valid and authentic. SPF lets receiving servers look up which servers you have permitted to send email for your domain. DKIM lets them look up the public cryptographic keys for your domain, which you also publish in your DNS zone, and verify that messages were in fact signed with the matching private key and have not been tampered with. Your policy for SPF and DKIM may be published in your DNS zone as well, in a standardized format known as Domain-based Message Authentication, Reporting and Conformance (DMARC), which also specifies how mail failing your policies should be handled.

The backscatter problem

Configuring Zimbra (or Postfix for that matter, which is the MTA Zimbra uses) for SPF, DKIM and DMARC is mostly pretty well-documented. However, you may find yourself in a situation where you have done all the required work and successfully tested your setup using the excellent MXtoolbox, but still find yourself unable to deliver email to other email servers. Specifically, you may find it hard to deliver email to Google’s Gmail servers.

The first step is to check your log files. Start with “/var/log/mail.log”.

If you find error messages in your mail log containing something along the lines of:

“550 5.7.1 Our system has detected an unusual amount of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been rejected/temporarily blocked.”

it is possible that your email domain is a favourite of spammers. It is also very possible that they are using bogus email addresses ending in your domain name. SPF is designed to eliminate this by checking whether the spammer’s email server is in fact allowed to send email with addresses ending in your domain name. Not everyone has implemented SPF, and a lot of the spam being sent is getting accepted by the receiving email servers. Some of it is then categorized as spam, or it is determined that the recipient does not exist, and the poor email is bounced back to the apparent sender – an email address ending in your domain name. This is called backscatter. There is not much you can do about it, except make sure you have SPF, DKIM and DMARC set up correctly and then ignore it. The problem I, and I suspect other Zimbra users, had was that our Zimbra mail server was not ignoring this backscatter, but in fact bouncing it back. This of course only aggravates the original problem of too much junk email bouncing around the Internet. Sigh…

The non-bouncing email server

Letting all incoming email through the door, and then bouncing troublemakers was probably a good idea at some point in Internet history, but today you are usually much better off just not opening the door to anyone you don’t know. Let’s try to make our Zimbra server non-bouncing.

For starters, you should follow these instructions, in order to have Zimbra reject emails to non-existing recipients, instead of accepting them and then bouncing them back afterwards. This does in fact make Zimbra reject email to unknown accounts rather than queuing and bouncing. Problem solved, I thought. Except a lot of “status bounced” messages kept appearing in “/var/log/mail.log”. I noticed that the messages getting accepted and bounced were mostly being tagged as spam as well. It turns out that Zimbra’s built-in spam filtering utility, Amavisd, was getting in the way. Mail flagged as spam was not being rejected outright; only non-spam emails for non-existing users were being rejected. That was only a small portion of the backscatter, it turned out. The fix was to reconfigure Amavisd. I do not know whether this can be done using “zmprov”; I edited “/opt/zimbra/conf/amavisd.conf.in” and added the following lines:

# Do not send a notification (i.e. a bounce) back to the apparent sender
# when Amavis classifies a message as spam, bad header, virus or banned content.
$warnspamsender = 0;
$warnbadhsender = 0;
$warnvirussender = 0;
$warnbannedsender = 0;

right under “# COMMONLY ADJUSTED SETTINGS:”. After adding the lines, I did a “zmamavisdctl stop” and “zmamavisdctl start” as the zimbra user. Now messages tagged as spam for non-existing users were also getting rejected, which is what I wanted. Problem really solved, I thought.

Except I still noticed some “status bounced” messages in the log files. I also noticed that the “status=bounced” lines in the log file were all preceded by a line containing an “orig_to=<some_address@some.domain>”, where “some.domain” was a Zimbra alias domain. This time, apparently, Zimbra’s nice alias domain feature was getting in the way. Oh well, can’t have it all, I guess. So I fired up the Zimbra admin UI, deleted the alias domain, and added aliases for the individual email addresses I wanted aliases for instead. For now it looks like I have a non-bouncing Zimbra server. Will update this post if more bounces show up.
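As an added check that is not part of the original post, here is a small Python script that does what the two log inspections above did by hand: it correlates Postfix lines from “/var/log/mail.log” by queue ID, reports every delivery that ended in “status=bounced” together with the recipient as originally addressed (“orig_to”, i.e. the alias-domain address) and flags bounces whose own sender was the null sender, meaning the server answered backscatter with yet another bounce. The log excerpt it parses is constructed for the example; hostnames, queue IDs and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed Postfix log excerpt in the style of /var/log/mail.log. The first two
# queue IDs are one message: Zimbra hands it to Amavis, which reinjects it under a new ID.
SAMPLE_LOG = """\
Nov 28 10:15:01 mail postfix/qmgr[1105]: 3F2A1C0B45: from=<>, size=2310, nrcpt=1 (queue active)
Nov 28 10:15:02 mail postfix/smtp[1220]: 3F2A1C0B45: to=<nobody@example.com>, orig_to=<nobody@alias.example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, status=sent (250 2.0.0 Ok)
Nov 28 10:15:02 mail postfix/qmgr[1105]: 7B9E2D1A60: from=<>, size=2410, nrcpt=1 (queue active)
Nov 28 10:15:03 mail postfix/lmtp[1230]: 7B9E2D1A60: to=<nobody@example.com>, orig_to=<nobody@alias.example.net>, relay=mail.example.com[127.0.0.1]:7025, delay=0.2, dsn=5.1.1, status=bounced (host said: 550 5.1.1 No such user here)
Nov 28 10:16:10 mail postfix/qmgr[1105]: 9C0D3E2B71: from=<alice@example.org>, size=980, nrcpt=1 (queue active)
Nov 28 10:16:11 mail postfix/lmtp[1230]: 9C0D3E2B71: to=<bob@example.com>, relay=mail.example.com[127.0.0.1]:7025, delay=0.1, dsn=2.0.0, status=sent (250 2.1.5 Delivery OK)
"""

# "postfix/<daemon>[pid]: <queue id>: key=value, key=value ..."
LINE_RE = re.compile(r"postfix/[\w-]+\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")


def find_bounces(log_text):
    """Correlate lines by queue ID; return one record per message that ended bounced."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Later lines for the same queue ID overwrite earlier values.
            msgs[m.group("qid")].update(
                (k, v.strip("<>")) for k, v in KV_RE.findall(m.group("rest")))
    bounces = []
    for qid, f in msgs.items():
        if f.get("status") != "bounced":
            continue
        rcpt = f.get("orig_to") or f.get("to", "")  # orig_to is the alias-domain address
        bounces.append({
            "qid": qid,
            "recipient": rcpt,
            "domain": rcpt.rpartition("@")[2],
            # from=<> is the null sender: this bounce answers another bounce,
            # so the server is still generating backscatter.
            "null_sender": f.get("from") == "",
        })
    return bounces


def bounces_by_domain(log_text):
    """Count bounced deliveries per original recipient domain (alias domains show up here)."""
    counts = defaultdict(int)
    for b in find_bounces(log_text):
        counts[b["domain"]] += 1
    return dict(counts)
```

Run it against a real log with `find_bounces(open("/var/log/mail.log").read())`; a domain that keeps appearing in `bounces_by_domain` with `null_sender` set is the alias-domain backscatter described above.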
