Enabling and administering the Zimbra milter: Difference between revisions

(Created page with "{{Article Infobox|{{admin}}|{{ZCS 8.0}}|{{ZCS 7.0}}||}} ==Getting Started== The Zimbra milter allows for the regulation of distribution list senders on a Global or server le...")
 
 
(28 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Article Infobox|{{admin}}|{{ZCS 8.0}}|{{ZCS 7.0}}||}}
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Enabling and administering the Zimbra milter=
{{KB|{{Unsupported}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 7.0}}|}}
==Getting Started==
 
The Zimbra milter allows for the regulation of distribution list senders on a Global or server level. When the milter server is enabled, only users who have been granted (with steps below) explicit sending permissions will be allowed.
 
==Enabling the Milter Server==
 
'''''Note that the Milter server should only be enabled on servers running the MTA.'''''


==Getting Started==
Global: Home > Configure > Global Settings > MTA > Milter Server
 
Server: Home > Configure > Servers > Select Desired Server > MTA > Milter Server
 
*Alternatively using the CLI:


The Zimbra milter allows for the regulation of distribution list senders on a Global or server level. When the milter server is enabled, only users have been granted explicit sending permissions will be allowed.
su - zimbra
zmprov modifyConfig zimbraMilterServerEnabled TRUE


*In ZCS 8, to enable the Milter through the Administrators console;
For a specific server (say mail.zimbra.lab):


      Global: Home > Configure > Global Settings > MTA > Milter Server
zmprov modifyServer mail.zimbra.lab zimbraMilterServerEnabled TRUE


      Server: Home > Configure > Servers > Select Desired Server > Milter Server
The above steps will ensure that milter will be automatically started via "zmcontrol start"


*On the CLI:  
To start the milter manually:


        # su - zimbra
zmmilterctl start
        $ zmmilterctl start


To check the status of the milter:
To check the status of the milter:


        $ zmmilterctl status  
zmmilterctl status  


Usage: zmmilterctl start|stop|restart|reload|refresh|status
Usage: zmmilterctl start|stop|restart|reload|refresh|status


== Examples using CLI ==


When the milter server is enabled, all distribution lists will be regulated. Only those entities which have been granted explicit rights to send to a distribution list will be allowed.
The following will provide examples for granting sender permissions on the CLI:


*User - grants a user sending permissions to a distribution list


*The following will provide examples for granting sender permissions on the CLI:
zmprov grr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList           
 
*Group (distribution list) - grants a group sending rights to distribution list
 
zmprov grr dl distributionlist@zimbra.lab grp groupdl@zimbra.lab sendToDistList
 
*All Entities - allows all entities on the server to send to a distribution list
 
zmprov grr dl distributionlist@zimbra.lab all sendToDistList
 
*Domain - grant all users on a domain sending rights
 
zmprov grr dl distributionlist@zimbra.lab dom zimbra.lab sendToDistList
 
*Public - grant all users both internal/external sending rights
 
zmprov grr dl distributionlist@zimbra.lab pub sendToDistList
 
*After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.
 
zmmtactl reload
 
== Examples using the admin interface ==
 
The following will provide examples for granting sender permissions on the Web Admin:
 
'''Note:''' Applicable to ZCS 8.7.11 or previous versions. Since ZCS 8.8 NG modules introduced, and enabling NG admin will hides ACL options in admin interface, but ACL permissions can be applied from command line.


*User - grants a user sending permissions to a distribution list
*User - grants a user sending permissions to a distribution list


        $ zmprov grr dl distributionlist@domain.com usr user@domain.com sendToDistList           
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add


*Group (distribution list) - grants a group sending rights to distribution list
*Group (distribution list) - grants a group sending rights to distribution list


        $ zmprov grr dl distributionlist@domain.com grp groupdl@domain.com sendToDistList
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add


*All Entities - allows on entities on the server to send to a distribution list
*All Entities - allows all entities on the server to send to a distribution list


        $ zmprov grr dl distributionlist@domain.com all sendToDistList
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add


*Domain - grant all users on a domain sending rights
*Domain - grant all users on a domain sending rights


        $ zmprov grr dl distributionlist@domain.com dom domain.com sendToDistList
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add


*Public - grant all users both internal/external sending rights
*Public - grant all users both internal/external sending rights


        $ zmprov grr dl distributionlist@domain.com pub sendToDistList
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
 
*After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
 
zmmtactl reload
 
==Verifying permissions for an entity==
 
*Checking a single user or entity (CLI):
 
zmprov ckr dl distributionlist@zimbra.lab userorentity@zimbra.lab sendToDistList
ALLOWED
 
*Checking a domain (Web Admin):


Global: Home > Configure > Domain > zimbra.lab > Click on the gear > Configure Grant


*Verifying permissions for an entity
*Viewing granted permissions for the distribution list (CLI):


1) Get the users Zimbra ID:
1) Get the users Zimbra ID:


          $ zmprov ga user@domain.com |grep -i "zimbraid: "
zmprov ga user@zimbra.lab |grep -i "zimbraid: "


2) Check the permissions on the distribution list:
2) Check the permissions on the distribution list:


          $ zmprov gdl distributionlist@domain.com |less
zmprov gdl distributionlist@zimbra.lab |less


3) Find the 'zimbraACE' entries and compare the users' id:
3) Find the 'zimbraACE' entries and compare the users' id:


          zimbraACE: [zimbraId of user] usr sendToDistList
zimbraACE: [zimbraId of user] usr sendToDistList
          For example;
 
          zimbraACE: c524877c-e0a6-4255-bb1b-d02b35cc2dd5 dom sendToDistList
For example;
          zimbraACE: 99999999-9999-9999-9999-999999999999 pub sendToDistList
zimbraACE: c524877c-e0a6-4255-bb1b-d02b35cc2dd5 dom sendToDistList
zimbraACE: 99999999-9999-9999-9999-999999999999 pub sendToDistList
 
*Viewing granted permissions for the distribution list (Web Admin):
 
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL
 
==Modifying and revoking grants==
 
If you want to remove or modify permissions, you'll need to use 'zmprov rvr' instead of 'zmprov grr'.


*Modifying and revoking grants--if you want to remove or modify permissions, you'll need to use 'zmprov rvr' instead of 'zmprov grr'.
*Example of removing sendToDistList permissions for a user (CLI):
zmprov rvr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList


*Example of removing sendToDistList permissions for a user:  
*Example of removing sendToDistList permissions for a user (Web admin):  


          $ zmprov rvr dl distributionlist@domain.com usr user@domain.com sendToDistList
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Select the ACL > Delete


*After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.  
*After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.  


          $ zmmtactl reload  
zmmtactl reload


==Disabling grants inheritance from parent distribution list==
If nested distribution list configured and public "sendToDistList" permissions granted to a parent distribution list then the same permissions will apply to child distribution list.


==Troubleshooting the Zimbra milter==
Let's assume there is a distribution list called parent-distributionlist@zimbra.lab with public sendToDistList rights. Now if there is a child distribution list (child-distributionlist@zimbra.lab) as a member in parent-distributionlist@zimbra.lab then the sendToDistList righst will be automatically inherited by the child distribution list. To prevent the same, need to be restricted the right of public sendToDistList of parent deistribution list to be inherited by any clild distribution list.


*Verify the milters settings:  
*Example of removing inheritance sendToDistList permissions for a user (CLI):
zmprov grr dl parent-distributionlist@zimbra.lab pub ^sendToDistList


          $ zmmilterctl status
Note:
          ''Milter server is running.''
<nowiki>{right}: can have the following prefixes:
            - : the right is specifically denied
            + : the same right or part of the right can be delegated(granted) to others
            * : the grant affects sub domains only
            ^ : the grant cannot be inherited by sub-groups on the target side</nowiki>


          $ zmmilterctl status
* Verifying the same:
zmprov ckr dl child-distributionlist@zimbra.lab user@zimbra.lab sendToDistList


Additional information to be posted
If grants are inheriting from the parent DL, then the output of the above command will be like below.
<nowiki>ALLOWED
Via:
target type : dl
target : parent-distributionlist@zimbra.lab
grantee type : pub
grantee :
right : sendToDistList</nowiki>


==Troubleshooting the Zimbra milter==


*Verify the milters settings:


zmmilterctl status
''Milter server is running.''


{{Article Footer|Zimbra Collaboration Suite 8 | 2013}}
{{Article Footer|ZCS 7.0, ZCS 8.0, ZCS 8.5, ZCS 8.6, ZCS 8.7, ZCS 8.8, ZCS 9| 2013}}
[[Category:Milter]]
[[Category:ACL]]

Latest revision as of 05:10, 6 April 2022

  1. Zimbra Tech Center
  2. Community Sandbox
  3. Enabling and administering the Zimbra milter

Enabling and administering the Zimbra milter

   KB 20524        Last updated on 2022-04-6  




0.00
(0 votes)

Getting Started

The Zimbra milter allows for the regulation of distribution list senders on a Global or server level. When the milter server is enabled, only users who have been granted (with steps below) explicit sending permissions will be allowed.

Enabling the Milter Server

Note that the Milter server should only be enabled on servers running the MTA. 

Global: Home > Configure > Global Settings > MTA > Milter Server

Server: Home > Configure > Servers > Select Desired Server > MTA > Milter Server
  • Alternatively using the CLI:
su - zimbra
zmprov modifyConfig zimbraMilterServerEnabled TRUE

For a specific server (say mail.zimbra.lab): 

zmprov modifyServer mail.zimbra.lab zimbraMilterServerEnabled TRUE

The above steps will ensure that milter will be automatically started via "zmcontrol start"

To start the milter manually: 

zmmilterctl start

To check the status of the milter: 

zmmilterctl status

Usage: zmmilterctl start|stop|restart|reload|refresh|status

Examples using CLI

The following will provide examples for granting sender permissions on the CLI:

  • User - grants a user sending permissions to a distribution list
zmprov grr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList
  • Group (distribution list) - grants a group sending rights to distribution list
zmprov grr dl distributionlist@zimbra.lab grp groupdl@zimbra.lab sendToDistList
  • All Entities - allows all entities on the server to send to a distribution list
zmprov grr dl distributionlist@zimbra.lab all sendToDistList
  • Domain - grant all users on a domain sending rights
zmprov grr dl distributionlist@zimbra.lab dom zimbra.lab sendToDistList
  • Public - grant all users both internal/external sending rights
zmprov grr dl distributionlist@zimbra.lab pub sendToDistList
  • After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.
zmmtactl reload

Examples using the admin interface

The following will provide examples for granting sender permissions on the Web Admin:

Note: Applicable to ZCS 8.7.11 or previous versions. Since ZCS 8.8 NG modules introduced, and enabling NG admin will hides ACL options in admin interface, but ACL permissions can be applied from command line.

  • User - grants a user sending permissions to a distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Group (distribution list) - grants a group sending rights to distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • All Entities - allows all entities on the server to send to a distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Domain - grant all users on a domain sending rights
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Public - grant all users both internal/external sending rights
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
zmmtactl reload

Verifying permissions for an entity

  • Checking a single user or entity (CLI):
zmprov ckr dl distributionlist@zimbra.lab userorentity@zimbra.lab sendToDistList
ALLOWED
  • Checking a domain (Web Admin):

Global: Home > Configure > Domain > zimbra.lab > Click on the gear > Configure Grant

  • Viewing granted permissions for the distribution list (CLI):

1) Get the users Zimbra ID: 

zmprov ga user@zimbra.lab |grep -i "zimbraid: "

2) Check the permissions on the distribution list: 

zmprov gdl distributionlist@zimbra.lab |less

3) Find the 'zimbraACE' entries and compare the users' id: 

zimbraACE: [zimbraId of user] usr sendToDistList

For example; 

zimbraACE: c524877c-e0a6-4255-bb1b-d02b35cc2dd5 dom sendToDistList
zimbraACE: 99999999-9999-9999-9999-999999999999 pub sendToDistList
  • Viewing granted permissions for the distribution list (Web Admin):
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL

Modifying and revoking grants

If you want to remove or modify permissions, you'll need to use 'zmprov rvr' instead of 'zmprov grr'.

  • Example of removing sendToDistList permissions for a user (CLI):
zmprov rvr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList
  • Example of removing sendToDistList permissions for a user (Web admin):
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Select the ACL > Delete
  • After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
zmmtactl reload

Disabling grants inheritance from parent distribution list

If nested distribution list configured and public "sendToDistList" permissions granted to a parent distribution list then the same permissions will apply to child distribution list.

Let's assume there is a distribution list called parent-distributionlist@zimbra.lab with public sendToDistList rights. Now if there is a child distribution list (child-distributionlist@zimbra.lab) as a member in parent-distributionlist@zimbra.lab then the sendToDistList righst will be automatically inherited by the child distribution list. To prevent the same, need to be restricted the right of public sendToDistList of parent deistribution list to be inherited by any clild distribution list.

  • Example of removing inheritance sendToDistList permissions for a user (CLI):
zmprov grr dl parent-distributionlist@zimbra.lab pub ^sendToDistList

Note: 

{right}: can have the following prefixes:
            - : the right is specifically denied
            + : the same right or part of the right can be delegated(granted) to others
            * : the grant affects sub domains only
            ^ : the grant cannot be inherited by sub-groups on the target side
  • Verifying the same:
zmprov ckr dl child-distributionlist@zimbra.lab user@zimbra.lab sendToDistList

If grants are inheriting from the parent DL, then the output of the above command will be like below. 

ALLOWED
Via:
target type : dl
target : parent-distributionlist@zimbra.lab
grantee type : pub
grantee :
right : sendToDistList

Troubleshooting the Zimbra milter

  • Verify the milters settings:
zmmilterctl status 
Milter server is running.
Verified Against: ZCS 7.0, ZCS 8.0, ZCS 8.5, ZCS 8.6, ZCS 8.7, ZCS 8.8, ZCS 9 Date Created: 2013
Article ID: https://wiki.zimbra.com/index.php?title=Enabling_and_administering_the_Zimbra_milter Date Modified: 2022-04-06



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Other help Resources

User Help Page »
Official Forums »
Zimbra Documentation Page »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Retrieved from "http://wiki.zimbra.com/index.php?title=Enabling_and_administering_the_Zimbra_milter&oldid=68865"
Jump to: navigation, search