I have a zimbra 8.7.11 community edition server running on Ubuntu 14.04.5 LTS.

Sometimes, individual SMTP servers from very large domains, such as yahoo.com or hotmail.com get listed in DNS RBLs.

I was trying to whitelist their servers at the postfix level using this file:


Here is an example:

mail-dm3nam03on0060.outbound.protection.outlook.com OK
mail-dm3nam03on0077.outbound.protection.outlook.com OK
mail-oln040092008029.outbound.protection.outlook.com OK
*outbound.protection.outlook.com OK

I ran postmap /opt/zimbra/conf/postfix_blacklist afterwards.

The wildcard entry at the bottom doesn't seem to whitelist every hostname within the .protection.outlook.com domain and there are too many actual host names to try and whitelist. We typically whitelist when we notice a host is getting blocked, but that's more of a reactionary approach and doesn't seem to be very efficient.

Is it possible to use wildcards here?

2 Answers


Because you run postmap for the /opt/zimbra/conf/postfix_blacklist it means this is a lookup table; postmap creates a postfix_blacklist.db that contains hashes for lookups. Using hashed lookup tables makes searches faster, but won't allow using wildcards.

On the other hand, you should read ZCS 8.5 Features affecting Postfix:

Starting with ZCS8.5 and later, Postfix is linked to LMDB, the same backend we use with OpenLDAP. Prior to ZCS 8.0, Postfix was linked to Berkeley DB.

According to both this article and the documentation, /opt/zimbra/conf/postfix_blacklist is for blacklisting IPs and there's another file, /opt/zimbra/conf/postfix_rbl_override, for whitelisting RBL blacklisted IP addresses.

  • The postfix_blacklist has syntax REJECT
  • The postfix_rbl_override has syntax OK.
  • Both use IP addresses rather than hostnames, and just one IP address per line.
Esa Jokinen
  • what about using a file with regular expressions? – sebix Aug 11 '17 at 11:47
  • Postfix certainly has the ability for that, but this is Zimbra, and its documentation isn't opening the issue much more than this. As a bundle, Zimbra may have made it hard or impossible to customize Postfix in all its flexibility. – Esa Jokinen Aug 11 '17 at 11:51
  • Hi and thank you for your answer. However, that KB article is only verified for Zimbra 8.5, not 8.7. Not all features listed in the Zimbra wiki or KB articles are automatically forward compatible, unless specifically stated. I also note that /opt/zimbra/conf/postfix_blacklist works for both ACCEPT or REJECT entries and host names also work in addition to IP address. The original question was about whether it is possible to use wildcards or any other method to block or accept an entire domain that includes subdomain host names. – David Killingsworth Aug 14 '17 at 07:00

Starting with Zimbra 8.7, you can create a blacklist with a mix of addresses and/or domains (see certified Zimbra 8.7 doc here: https://wiki.zimbra.com/wiki/Domain_level_blocking_of_users)

1) using the zimbra user, create file /opt/zimbra/common/conf/postfix_reject_sender

2) add list of rejected addresses and domains like this:

  • user@domain.com REJECT
  • domainX.com REJECT

    DO NOT use the "*" as a wildcard, I tried it and it breaks the MTA!

3) execute zimbraMtaSmtpdSenderRestrictions:

zmprov ms 'yourzimbraservername' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/postfix_reject_sender"

NOTE: replace "yourzimbraservername" with your zimbra server's FQDN

4) run POSTMAP:

/opt/zimbra/common/sbin/postmap /opt/zimbra/common/conf/postfix_reject_sender

5) for your change to take effect immediately, you can force it with:

zmmtactl restart

NOTE: Many instructions on the web refer to Zimbra 8.5 and 8.6; make sure the instructions you refer to are valid for Zimbra 8.7
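
Added example (not part of either answer and not Zimbra's or Postfix's own tooling): a Python check to run on a table file before postmap, flagging the "*" keys that both answers say do not work, along with missing actions and duplicate keys. The sample table is constructed, the name lint_table is hypothetical, only the OK and REJECT actions shown on this page are accepted, and one entry per line is assumed.

```python
import re

# Constructed sample in the "key action" layout used on this page (not a real table).
SAMPLE = """\
# constructed entries for illustration
mail-dm3nam03on0060.outbound.protection.outlook.com OK
*outbound.protection.outlook.com OK
user@domain.com REJECT
domainX.com REJECT
domainX.com OK
192.0.2.25
*@domainX.com REJECT
"""

ACTIONS = {"OK", "REJECT"}                     # only the actions shown on this page
KEY_RE = re.compile(r"^[A-Za-z0-9._@:+-]+$")   # conservative: host, address or IP


def lint_table(text):
    """Return (line_no, key, problem) for every entry to fix before postmap."""
    findings, seen = [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        fields = line.split(None, 1)           # key, then the rest of the line
        key = fields[0]
        action = fields[1].split()[0].upper() if len(fields) > 1 else ""
        if "*" in key or "?" in key:
            # Indexed tables compare the key literally; "*" is not expanded.
            findings.append((line_no, key, "wildcard"))
        elif not KEY_RE.match(key):
            findings.append((line_no, key, "bad-key"))
        if not action:
            findings.append((line_no, key, "missing-action"))
        elif action not in ACTIONS:
            findings.append((line_no, key, "unknown-action"))
        if key.lower() in seen:
            findings.append((line_no, key, "duplicate-of-line-%d" % seen[key.lower()]))
        else:
            seen[key.lower()] = line_no
    return findings


if __name__ == "__main__":
    for line_no, key, problem in lint_table(SAMPLE):
        print("line %d: %s: %s" % (line_no, key, problem))
```

An empty result only means none of these checks fired; it does not confirm that the table matches the mail you intend.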
