Enabling and administering the Zimbra milter: Difference between revisions

No edit summary
 
(19 intermediate revisions by 3 users not shown)
Line 3: Line 3:
<div class="col-md-12 ibox-content">
<div class="col-md-12 ibox-content">
=Enabling and administering the Zimbra milter=
=Enabling and administering the Zimbra milter=
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
{{KB|{{Unsupported}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 7.0}}|}}
{{WIP}}
==Getting Started==
==Getting Started==


The Zimbra milter allows for the regulation of distribution list senders on a Global or server level. When the milter server is enabled, only users who have been granted explicit sending permissions will be allowed.  
The Zimbra milter allows for the regulation of distribution list senders on a Global or server level. When the milter server is enabled, only users who have been granted (with steps below) explicit sending permissions will be allowed.


==Enabling the Milter Server==
==Enabling the Milter Server==
Line 13: Line 12:
'''''Note that the Milter server should only be enabled on servers running the MTA.'''''
'''''Note that the Milter server should only be enabled on servers running the MTA.'''''


      Global: Home > Configure > Global Settings > MTA > Milter Server
Global: Home > Configure > Global Settings > MTA > Milter Server


      Server: Home > Configure > Servers > Select Desired Server > MTA > Milter Server  
Server: Home > Configure > Servers > Select Desired Server > MTA > Milter Server  


*Alternatively using the CLI:  
*Alternatively using the CLI:  
        # su - zimbra
        $ zmprov modifyConfig zimbraMilterServerEnabled TRUE


For a specific server (say eg.example.com):
su - zimbra
zmprov modifyConfig zimbraMilterServerEnabled TRUE


        $ zmprov modifyServer eg.example.com zimbraMilterServerEnabled TRUE
For a specific server (say mail.zimbra.lab):
 
zmprov modifyServer mail.zimbra.lab zimbraMilterServerEnabled TRUE


The above steps will ensure that milter will be automatically started via "zmcontrol start"
The above steps will ensure that milter will be automatically started via "zmcontrol start"


To start the milter manually:
To start the milter manually:
        $ zmmilterctl start
 
zmmilterctl start


To check the status of the milter:
To check the status of the milter:


        $ zmmilterctl status  
zmmilterctl status  


Usage: zmmilterctl start|stop|restart|reload|refresh|status
Usage: zmmilterctl start|stop|restart|reload|refresh|status


== Examples using CLI ==


*The following will provide examples for granting sender permissions on the CLI:
The following will provide examples for granting sender permissions on the CLI:


*User - grants a user sending permissions to a distribution list
*User - grants a user sending permissions to a distribution list


        $ zmprov grr dl distributionlist@domain.com usr user@domain.com sendToDistList             
zmprov grr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList             


*Group (distribution list) - grants a group sending rights to distribution list
*Group (distribution list) - grants a group sending rights to distribution list


        $ zmprov grr dl distributionlist@domain.com grp groupdl@domain.com sendToDistList
zmprov grr dl distributionlist@zimbra.lab grp groupdl@zimbra.lab sendToDistList


*All Entities - allows all entities on the server to send to a distribution list
*All Entities - allows all entities on the server to send to a distribution list


        $ zmprov grr dl distributionlist@domain.com all sendToDistList
zmprov grr dl distributionlist@zimbra.lab all sendToDistList


*Domain - grant all users on a domain sending rights
*Domain - grant all users on a domain sending rights


        $ zmprov grr dl distributionlist@domain.com dom domain.com sendToDistList
zmprov grr dl distributionlist@zimbra.lab dom zimbra.lab sendToDistList


*Public - grant all users both internal/external sending rights
*Public - grant all users both internal/external sending rights


        $ zmprov grr dl distributionlist@domain.com pub sendToDistList
zmprov grr dl distributionlist@zimbra.lab pub sendToDistList


*After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.  
*After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.  


          $ zmmtactl reload
zmmtactl reload
 
== Examples using the admin interface ==
 
The following will provide examples for granting sender permissions on the Web Admin:
 
'''Note:''' Applicable to ZCS 8.7.11 or previous versions. Since ZCS 8.8 NG modules introduced, and enabling NG admin will hides ACL options in admin interface, but ACL permissions can be applied from command line.
 
*User - grants a user sending permissions to a distribution list
 
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
 
*Group (distribution list) - grants a group sending rights to distribution list
 
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
 
*All Entities - allows all entities on the server to send to a distribution list
 
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
 
*Domain - grant all users on a domain sending rights
 
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
 
*Public - grant all users both internal/external sending rights
 
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
 
*After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
 
zmmtactl reload


==Verifying permissions for an entity==
==Verifying permissions for an entity==


*Checking a single user or entity:
*Checking a single user or entity (CLI):


        $ zmprov ckr dl distributionlist@domain.com userorentity@domain.com sendToDistList
zmprov ckr dl distributionlist@zimbra.lab userorentity@zimbra.lab sendToDistList
        ALLOWED
ALLOWED


*Viewing granted permissions for the distribution list:
*Checking a domain (Web Admin):
 
Global: Home > Configure > Domain > zimbra.lab > Click on the gear > Configure Grant
 
*Viewing granted permissions for the distribution list (CLI):


1) Get the users Zimbra ID:
1) Get the users Zimbra ID:


          $ zmprov ga user@domain.com |grep -i "zimbraid: "
zmprov ga user@zimbra.lab |grep -i "zimbraid: "


2) Check the permissions on the distribution list:
2) Check the permissions on the distribution list:


          $ zmprov gdl distributionlist@domain.com |less
zmprov gdl distributionlist@zimbra.lab |less


3) Find the 'zimbraACE' entries and compare the users' id:
3) Find the 'zimbraACE' entries and compare the users' id:


          zimbraACE: [zimbraId of user] usr sendToDistList
zimbraACE: [zimbraId of user] usr sendToDistList
          For example;
 
          zimbraACE: c524877c-e0a6-4255-bb1b-d02b35cc2dd5 dom sendToDistList
For example;
          zimbraACE: 99999999-9999-9999-9999-999999999999 pub sendToDistList
zimbraACE: c524877c-e0a6-4255-bb1b-d02b35cc2dd5 dom sendToDistList
zimbraACE: 99999999-9999-9999-9999-999999999999 pub sendToDistList
 
*Viewing granted permissions for the distribution list (Web Admin):
 
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL


==Modifying and revoking grants==
==Modifying and revoking grants==


*If you want to remove or modify permissions, you'll need to use 'zmprov rvr' instead of 'zmprov grr'.
If you want to remove or modify permissions, you'll need to use 'zmprov rvr' instead of 'zmprov grr'.
 
*Example of removing sendToDistList permissions for a user (CLI):
zmprov rvr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList
 
*Example of removing sendToDistList permissions for a user (Web admin):


*Example of removing sendToDistList permissions for a user:  
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Select the ACL > Delete


          $ zmprov rvr dl distributionlist@domain.com usr user@domain.com sendToDistList
*After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.  


*After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.
zmmtactl reload


          $ zmmtactl reload
==Disabling grants inheritance from parent distribution list==
If nested distribution list configured and public "sendToDistList" permissions granted to a parent distribution list then the same permissions will apply to child distribution list.


==Troubleshooting the Zimbra milter==
Let's assume there is a distribution list called parent-distributionlist@zimbra.lab with public sendToDistList rights. Now if there is a child distribution list (child-distributionlist@zimbra.lab) as a member in parent-distributionlist@zimbra.lab then the sendToDistList righst will be automatically inherited by the child distribution list. To prevent the same, need to be restricted the right of public sendToDistList of parent deistribution list to be inherited by any clild distribution list.


*Verify the milters settings:  
*Example of removing inheritance sendToDistList permissions for a user (CLI):
zmprov grr dl parent-distributionlist@zimbra.lab pub ^sendToDistList


          $ zmmilterctl status
Note:
          ''Milter server is running.''
<nowiki>{right}: can have the following prefixes:
            - : the right is specifically denied
            + : the same right or part of the right can be delegated(granted) to others
            * : the grant affects sub domains only
            ^ : the grant cannot be inherited by sub-groups on the target side</nowiki>


          $ zmmilterctl status
* Verifying the same:
zmprov ckr dl child-distributionlist@zimbra.lab user@zimbra.lab sendToDistList


Additional information to be posted
If grants are inheriting from the parent DL, then the output of the above command will be like below.
<nowiki>ALLOWED
Via:
target type : dl
target : parent-distributionlist@zimbra.lab
grantee type : pub
grantee :
right : sendToDistList</nowiki>


==Troubleshooting the Zimbra milter==


*Verify the milters settings:


zmmilterctl status
''Milter server is running.''


{{Article Footer|Zimbra Collaboration Suite 8 | 2013}}
{{Article Footer|ZCS 7.0, ZCS 8.0, ZCS 8.5, ZCS 8.6, ZCS 8.7, ZCS 8.8, ZCS 9| 2013}}
[[Category:Milter]]
[[Category:ACL]]

Latest revision as of 05:10, 6 April 2022

Enabling and administering the Zimbra milter

   KB 20524        Last updated on 2022-04-6  




0.00
(0 votes)

Getting Started

The Zimbra milter allows for the regulation of distribution list senders on a Global or server level. When the milter server is enabled, only users who have been granted (with steps below) explicit sending permissions will be allowed.

Enabling the Milter Server

Note that the Milter server should only be enabled on servers running the MTA.

Global: Home > Configure > Global Settings > MTA > Milter Server
Server: Home > Configure > Servers > Select Desired Server > MTA > Milter Server 
  • Alternatively using the CLI:
su - zimbra
zmprov modifyConfig zimbraMilterServerEnabled TRUE

For a specific server (say mail.zimbra.lab):

zmprov modifyServer mail.zimbra.lab zimbraMilterServerEnabled TRUE

The above steps will ensure that milter will be automatically started via "zmcontrol start"

To start the milter manually:

zmmilterctl start

To check the status of the milter:

zmmilterctl status 

Usage: zmmilterctl start|stop|restart|reload|refresh|status

Examples using CLI

The following will provide examples for granting sender permissions on the CLI:

  • User - grants a user sending permissions to a distribution list
zmprov grr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList            
  • Group (distribution list) - grants a group sending rights to distribution list
zmprov grr dl distributionlist@zimbra.lab grp groupdl@zimbra.lab sendToDistList
  • All Entities - allows all entities on the server to send to a distribution list
zmprov grr dl distributionlist@zimbra.lab all sendToDistList
  • Domain - grant all users on a domain sending rights
zmprov grr dl distributionlist@zimbra.lab dom zimbra.lab sendToDistList
  • Public - grant all users both internal/external sending rights
zmprov grr dl distributionlist@zimbra.lab pub sendToDistList
  • After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.
zmmtactl reload

Examples using the admin interface

The following will provide examples for granting sender permissions on the Web Admin:

Note: Applicable to ZCS 8.7.11 or previous versions. Since ZCS 8.8 NG modules introduced, and enabling NG admin will hides ACL options in admin interface, but ACL permissions can be applied from command line.

  • User - grants a user sending permissions to a distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Group (distribution list) - grants a group sending rights to distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • All Entities - allows all entities on the server to send to a distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Domain - grant all users on a domain sending rights
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Public - grant all users both internal/external sending rights
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
zmmtactl reload

Verifying permissions for an entity

  • Checking a single user or entity (CLI):
zmprov ckr dl distributionlist@zimbra.lab userorentity@zimbra.lab sendToDistList
ALLOWED
  • Checking a domain (Web Admin):

Global: Home > Configure > Domain > zimbra.lab > Click on the gear > Configure Grant

  • Viewing granted permissions for the distribution list (CLI):

1) Get the users Zimbra ID:

zmprov ga user@zimbra.lab |grep -i "zimbraid: "

2) Check the permissions on the distribution list:

zmprov gdl distributionlist@zimbra.lab |less

3) Find the 'zimbraACE' entries and compare the users' id:

zimbraACE: [zimbraId of user] usr sendToDistList

For example;

zimbraACE: c524877c-e0a6-4255-bb1b-d02b35cc2dd5 dom sendToDistList
zimbraACE: 99999999-9999-9999-9999-999999999999 pub sendToDistList
  • Viewing granted permissions for the distribution list (Web Admin):
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL

Modifying and revoking grants

If you want to remove or modify permissions, you'll need to use 'zmprov rvr' instead of 'zmprov grr'.

  • Example of removing sendToDistList permissions for a user (CLI):
zmprov rvr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList
  • Example of removing sendToDistList permissions for a user (Web admin):
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Select the ACL > Delete
  • After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
zmmtactl reload

Disabling grants inheritance from parent distribution list

If nested distribution list configured and public "sendToDistList" permissions granted to a parent distribution list then the same permissions will apply to child distribution list.

Let's assume there is a distribution list called parent-distributionlist@zimbra.lab with public sendToDistList rights. Now if there is a child distribution list (child-distributionlist@zimbra.lab) as a member in parent-distributionlist@zimbra.lab then the sendToDistList righst will be automatically inherited by the child distribution list. To prevent the same, need to be restricted the right of public sendToDistList of parent deistribution list to be inherited by any clild distribution list.

  • Example of removing inheritance sendToDistList permissions for a user (CLI):
zmprov grr dl parent-distributionlist@zimbra.lab pub ^sendToDistList

Note:

{right}: can have the following prefixes:
            - : the right is specifically denied
            + : the same right or part of the right can be delegated(granted) to others
            * : the grant affects sub domains only
            ^ : the grant cannot be inherited by sub-groups on the target side
  • Verifying the same:
zmprov ckr dl child-distributionlist@zimbra.lab user@zimbra.lab sendToDistList

If grants are inheriting from the parent DL, then the output of the above command will be like below.

ALLOWED
Via:
target type : dl
target : parent-distributionlist@zimbra.lab
grantee type : pub
grantee :
right : sendToDistList

Troubleshooting the Zimbra milter

  • Verify the milters settings:
zmmilterctl status 
Milter server is running.
Verified Against: ZCS 7.0, ZCS 8.0, ZCS 8.5, ZCS 8.6, ZCS 8.7, ZCS 8.8, ZCS 9 Date Created: 2013
Article ID: https://wiki.zimbra.com/index.php?title=Enabling_and_administering_the_Zimbra_milter Date Modified: 2022-04-06



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search