Difference between revisions of "King0770-Notes-Ultra-Restrictive-Sending-And-Receiving"

(Section VI - FAQ)
(Section VI - FAQ)
Line 88: Line 88:
 
<strong>I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e.  freeipad.com    REJECT</strong><br>
 
<strong>I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e.  freeipad.com    REJECT</strong><br>
 
There's no need. Domains that are <strong>NOT</strong> in the allowed_domains file will be rejected.
 
There's no need. Domains that are <strong>NOT</strong> in the allowed_domains file will be rejected.
 +
 +
<strong>If I decide to implement these changes, will Zimbra Support help me if I need assistance?</strong><br>
 +
This is a customization, and as such, Zimbra will <strong>not</strong> Support any custom changes. If you need to revert your changes, Zimbra Support can help.

Revision as of 20:30, 28 November 2017

|ZCS 8.7 Article ZCS 8.7 |ZCS 9.0 Article ZCS 9.0


The contents of this article are not yet, complete and should be considered highly experimental.

Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.

Section I - Edit smtpd_sender_restrictions.cf

Backup the original file

cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf

Edit smtpd_sender_restrictions.cf to contain only the following.

check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject

Section II - Edit allowed_domains file

The /opt/zimbra/conf/allowed_domains should contain your local domains within your Zimbra setup.

for dom in `zmprov gad`; do echo "$dom  OK" >> /opt/zimbra/conf/allowed_domains; done

Should look something like this; as an example

abcdcompany.com    OK
example.net       OK

Don't forget to run postmap against the allowed_domains file

postmap /opt/zimbra/conf/allowed_domains

If you need to add a friendly domain that is external to your setup, you can use the editor of your choice, and add the external domain.

yahoo.com   OK
zimbra.com  OK

Any time the allowed_domains file is updated, don't forget to run postmap against the allowed_domains file.

postmap /opt/zimbra/conf/allowed_domains

Section III - Edit smtpd_recipient_restrictions.cf

Backup the original file

cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf  /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf

Edit smtpd_recipient_restrictions.cf to contain only the following.

check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject

Section IV - Restart MTA to pick up the changes

zmmtactl restart

Section V - Sample Logs

Local zimbra user sending to an external address

Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Most likely, the zimbra end user would see the error message of, Message not sent; one or more addresses were not accepted

External account sending to a zimbra address

Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Most likely the external account will get a bounce message, Sender address rejected: Access denied

Section VI - FAQ

Will I need to be root to make these changes?
No, just use the zimbra account

Will these changes survive upgrades?
No

I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e. freeipad.com REJECT
There's no need. Domains that are NOT in the allowed_domains file will be rejected.

If I decide to implement these changes, will Zimbra Support help me if I need assistance?
This is a customization, and as such, Zimbra will not Support any custom changes. If you need to revert your changes, Zimbra Support can help.

Jump to: navigation, search