Difference between revisions of "King0770-Notes-Ultra-Restrictive-Sending-And-Receiving"

(Section VIII - Advanced Configuration)
(Section I - Edit smtpd_sender_restrictions.cf)
Line 30: Line 30:
 
<code><pre>
 
<code><pre>
 
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
 
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
 +
</pre></code>
 +
 +
If needed...
 +
<code><pre>
 +
zmprov mcf +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject"
 
</pre></code>
 
</pre></code>
  

Revision as of 23:34, 19 January 2018

|ZCS 8.7 Article ZCS 8.7 |ZCS 9.0 Article ZCS 9.0


The contents of this article are not yet complete and should be considered highly experimental.

Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.

Section I - Edit smtpd_sender_restrictions.cf

Backup the original file

cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf

Edit smtpd_sender_restrictions.cf to contain only the following.

check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject

Make sure to review zimbraMtaSmtpdSenderRestrictions as well.

zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions

**OR**

zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions

Should see this.

zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject

If needed...

zmprov mcf +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject"

Section II - Edit allowed_domains file

The /opt/zimbra/conf/allowed_domains should contain your local domains within your Zimbra setup.

for dom in `zmprov gad`; do echo "$dom  OK" >> /opt/zimbra/conf/allowed_domains; done

Should look something like this; as an example

abcdcompany.com    OK
example.net       OK

Don't forget to run postmap against the allowed_domains file

postmap /opt/zimbra/conf/allowed_domains

If you need to add a friendly domain that is external to your setup, you can use the editor of your choice, and add the external domain.

yahoo.com   OK
zimbra.com  OK

Any time the allowed_domains file is updated, don't forget to run postmap against the allowed_domains file.

postmap /opt/zimbra/conf/allowed_domains

Section III - Edit smtpd_recipient_restrictions.cf

Backup the original file

cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf  /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf

Edit smtpd_recipient_restrictions.cf to contain only the following.

check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
reject

Section IV - Restart MTA to pick up the changes

zmmtactl restart

Section V - Sample Logs

Local zimbra user sending to an external address

Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Most likely, the zimbra end user would see the error message of, Message not sent; one or more addresses were not accepted

External account sending to a zimbra address

Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Most likely the external account will get a bounce message, Sender address rejected: Access denied

Section VI - FAQ

Will I need to be root to make these changes?
No, just use the zimbra account

Will these changes survive upgrades?
No

I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e. freeipad.com REJECT
There's no need. Domains that are NOT in the allowed_domains file will be rejected.

If I decide to implement these changes, will Zimbra Support help me if I need assistance?
This is a customization, and as such, Zimbra will not Support any custom changes. If you need to revert your changes, Zimbra Support can help.

I want my users to be able to receive messages from external domains, but still restrict what domains my users can send to, can I just edit the smtpd_recipient_restrictions.cf file, and leave the smtpd_sender_restrictions.cf file untouched?
Correct.

Section VII - Notable RFE's

https://bugzilla.zimbra.com/show_bug.cgi?id=70599
https://bugzilla.zimbra.com/show_bug.cgi?id=5595

Section VIII - Advanced Configuration

NOT COMPLETE!!!
If you wanted to different, you can use the smtpd_restriction_classes setting.
For example, if you have just one domain in your zimbra setup, and you want all your internal users to be able to send messages to; however, there is one account that needs to be able to an external domain, say for example yahoo.com, here's what you can do.

a) Edit /opt/zimbra/conf/zmconfigd.cf with the following

POSTCONF smtpd_restriction_classes  internal_only, yahoo_only
POSTCONF internal_only   check_sender_access lmdb:/opt/zimbra/conf/internal_only, reject
POSTCONF yahoo_only     check_sender_access lmdb:/opt/zimbra/conf/yahoo_only, reject

Place the lines just above the RESTART mta

b) Create the /opt/zimbra/conf/internal_only with your local zimbra domains

abcdcompany.com    OK

And run postmap against the file

postmap /opt/zimbra/conf/internal_only

c) Create the /opt/zimbra/conf/yahoo_only file with the following

yahoo.com    OK

d) Create the /opt/zimbra/conf/internal_permitted file with the following

abcdcompany.com	internal_only

e) Create the /opt/zimbra/conf/yahoo_permitted file with the following

boss@abcdcompany.com	yahoo_only

f) Run postmap against the files

postmap  /opt/zimbra/conf/internal_permitted
postmap /opt/zimbra/conf/yahoo_permitted

g) Edit the /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf with the following

check_sender_access lmdb:/opt/zimbra/conf/internal_permitted
check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject

h) Edit the /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf with the following

check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted
check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject

i) Restart MTA

zmmtactl restart

j) Should have the following

postconf smtpd_restriction_classes smtpd_sender_restrictions smtpd_recipient_restrictions

smtpd_restriction_classes = internal_only, yahoo_only
smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/internal_permitted, check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
smtpd_recipient_restrictions = check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted, check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
Jump to: navigation, search