Black, white and gray lists on guard of enterprise security
In the previous article we looked at how the built-in spam filter in the Zimbra Collaboration Suite works: it reliably protects a company from receiving infected messages and mail unrelated to business correspondence. But what should you do when the company becomes the target of a deliberate attack that includes social-engineering emails, messages sent from trusted mailboxes, or even a DoS attack on the mail server? White, black and gray lists can be the answer to these troubles.
A blacklist can reliably protect against attacks in which intruders take over the mail of a trusted counterparty of your organization and start sending out infected Excel files or archives with supposedly new bank details, invoices and so on. If you manage to add the counterparty's address to the blacklist in time, you can reduce the effect of the intrusion to zero. Let's look at how this works in the Zimbra Collaboration Suite.
Black and white lists in Zimbra can be maintained on two levels at once. For example, a ban on receiving mail can be set in Amavis, the mail-filtering layer built into ZCS. Besides separating business mail from spam by various indirect signs, Amavis also hands messages to the SpamAssassin spam filter and the ClamAV antivirus for analysis.
In Amavis you can add to the white and black lists not only individual mailboxes and whole domains, but also individual IP addresses and even whole subnets. To block or allow a mailbox or domain, first create the whitelist and/or blacklist files in the /opt/zimbra/conf/ directory and then add to them the email addresses or domains you want to allow or block.
$ cat /opt/zimbra/conf/whitelist
ceo@partner.com
partner.org
$ cat /opt/zimbra/conf/blacklist
spammer@spam.com
spam.org
After that, you need to add two lines to the /opt/zimbra/conf/amavisd.conf.in file with the rule for checking previously created files.
read_hash(\%whitelist_sender, '/opt/zimbra/conf/whitelist');
read_hash(\%blacklist_sender, '/opt/zimbra/conf/blacklist');
After saving all changes, you must restart Amavis.
# su - zimbra -c "zmamavisdctl restart"
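To make the matching behaviour of the two list files concrete, here is an added example (not Amavis code) that models a sender lookup against whitelist and blacklist files in the format shown above. It assumes that a bare domain entry matches only that exact domain, that an entry with a leading dot such as ".partner.org" also covers subdomains, and that a whitelist match takes precedence; check the Amavis documentation for the exact lookup rules before relying on them.

```python
"""Model of sender whitelist/blacklist lookup (added example, not Amavis code)."""
from typing import Optional

# Constructed sample file contents, mirroring the page's whitelist/blacklist files.
WHITELIST_TEXT = "ceo@partner.com\npartner.org\n"
BLACKLIST_TEXT = "spammer@spam.com\nspam.org\n"


def parse_list(text: str) -> set:
    """One entry per line; blank lines and '#' comments are ignored; case-insensitive."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def matches(entries: set, sender: str) -> bool:
    """Match the full address, the exact domain, or (assumption) a leading-dot
    entry like '.partner.org' that also covers its subdomains."""
    sender = sender.strip().lower()
    if sender in entries:
        return True
    if "@" not in sender:
        return False
    domain = sender.rsplit("@", 1)[1]
    if domain in entries:
        return True
    labels = domain.split(".")
    for i in range(len(labels)):
        if "." + ".".join(labels[i:]) in entries:
            return True
    return False


def classify(sender: str, whitelist: set, blacklist: set) -> Optional[str]:
    """Return 'whitelist', 'blacklist' or None for an unlisted sender.
    Whitelist wins when both match (assumption made for this example)."""
    if matches(whitelist, sender):
        return "whitelist"
    if matches(blacklist, sender):
        return "blacklist"
    return None
```

Note that a whitelisted counterparty whose mailbox has been taken over still passes this lookup, which is exactly why the article recommends moving such an address to the blacklist as soon as the compromise is known.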
If you have trusted networks, for example an enterprise LAN or a remote branch subnet, for which you would like to disable anti-virus and anti-spam checks, Amavis can do this too. First you need to enable the bypass of checks for selected IP addresses and subnets, which is disabled by default, with a special command, and then restart Amavis and the related services.
$ zmprov mcf zimbraAmavisOriginatingBypassSA TRUE
$ zmantispamctl restart
$ zmantivirusctl restart
$ zmamavisdctl restart
Add subnets to the list of trusted networks using the following command:
$ zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 10.0.0.0/8 192.168.1.0/22'
You can check the current list of trusted networks using the following commands:
$ postconf mynetworks
$ zmprov gs `zmhostname` zimbraMtaMyNetworks
You can also block IP addresses in Zimbra at the Postfix level. This method helps protect the server from DoS attacks. Detailed instructions are given in a previous article.
A separate topic is the so-called "gray list" (greylist). It is usually used to protect against automated spam, but it can also help against malicious emails coming from the mailbox of a trusted counterparty. It works by not accepting a sender's message the first time: the sender receives a reply that the server is temporarily unavailable. The logic is that a sender who purposely mails the server will try again, whereas software for automated mass mailing will not repeat the attempt. That is why, when attackers gain control of your counterparty's mailbox and start automatically distributing infected messages to every address in its contact book,
You can configure greylisting in Zimbra with the Postgrey daemon from the Postfix authors. It is available in the official repositories and is easily installed by the usual means. On Ubuntu the daemon is started with the /etc/init.d/postgrey start command, after which it listens on port 60000 and you only have to configure it correctly. To do this, open the file /opt/zimbra/conf/postfix_recipient_restrictions.cf in an editor and add the line check_policy_service inet:127.0.0.1:60000 before each line starting with '%%'. After that, it remains only to restart Postfix with the postfix reload command.
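To show what the check_policy_service hook added above actually exchanges with Postfix, here is an added example (not Postgrey's code) of the policy-delegation request format and a minimal greylisting decision. It assumes the triplet key is the exact (client address, sender, recipient), a fixed 300-second delay, and the constructed sample request below; Postgrey itself applies further rules such as client-network and sender normalisation and automatic whitelisting.

```python
"""Greylisting policy decision modelled on a check_policy_service daemon
(added example; simplified, not Postgrey's implementation)."""
import time

GREYLIST_DELAY = 300  # seconds a new triplet must wait before being accepted (assumed)

# Constructed sample request in Postfix's policy-delegation format:
# 'name=value' lines terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.10\n"
    "sender=ceo@partner.com\n"
    "recipient=accounting@example.com\n"
    "\n"
)


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request; the first empty line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    def __init__(self, delay: float = GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}  # triplet -> timestamp of the first delivery attempt

    def decide(self, attrs: dict, now: float = None) -> str:
        """Return the policy response Postfix expects ('action=...' plus an empty line)."""
        now = time.time() if now is None else now
        key = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            # First attempt, or a retry that came too soon: temporary rejection.
            # A bot that re-sends immediately gains nothing; a real MTA queues and retries later.
            return "action=DEFER_IF_PERMIT Service is unavailable, try again later\n\n"
        # Retried after the delay: let the remaining recipient restrictions decide.
        return "action=DUNNO\n\n"
```

DEFER_IF_PERMIT is used so that any later restriction that would reject the message outright (for example a blacklisted sender) still takes precedence over the temporary deferral.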