Difference between revisions of "King0770-Notes-Ultra-Restrictive-Sending-And-Receiving"

Revision as of 23:43, 19 January 2018



The contents of this article are not yet complete and should be considered highly experimental.

Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.

Section I - Edit smtpd_sender_restrictions.cf

Back up the original file:

cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf

Edit smtpd_sender_restrictions.cf so that it contains only the following:

check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject

Make sure to review zimbraMtaSmtpdSenderRestrictions as well.

zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions

**OR**

zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions

You should see this:

zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject

If the value is missing, set it:

zmprov mcf +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject"

Section II - Edit allowed_domains file

The /opt/zimbra/conf/allowed_domains file should contain the local domains of your Zimbra setup. The loop below appends one entry per domain; run it once against an empty file.

for dom in $(zmprov gad); do echo "$dom  OK" >> /opt/zimbra/conf/allowed_domains; done

It should look something like this:

abcdcompany.com    OK
example.net       OK

Don't forget to run postmap against the allowed_domains file:

postmap /opt/zimbra/conf/allowed_domains

If you need to allow a friendly domain that is external to your setup, add it with the editor of your choice:

yahoo.com   OK
zimbra.com  OK

Any time the allowed_domains file is updated, run postmap against it again; Postfix reads the compiled lmdb table, not the text file.

postmap /opt/zimbra/conf/allowed_domains

Section III - Edit smtpd_recipient_restrictions.cf

Back up the original file:

cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf  /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf

Edit smtpd_recipient_restrictions.cf so that it contains only the following:

check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
reject

Section IV - Restart MTA to pick up the changes

zmmtactl restart
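Before restarting the MTA it is worth checking what the Section I-III policy ("check_*_access lmdb:/opt/zimbra/conf/allowed_domains, reject") will do to a given sender or recipient. The script below is an added example, not part of this wiki page or of Zimbra: it evaluates the plain-text access table the same way Postfix evaluates the compiled one. It assumes the text file is the source of truth for the lmdb table (postmap only compiles it), that keys are folded to lowercase as postmap does by default, and Postfix's default parent_domain_matches_subdomains setting (which includes smtpd_access_maps), so a domain entry also matches its subdomains. The sample table is constructed here in the Section II format; point the functions at any of the tables on this page instead.

```shell
#!/bin/sh
# Added example (not from the wiki page): dry-run of "check_*_access lmdb:FILE, reject"
# against the plain-text access table, so rejections can be checked before zmmtactl restart.

# Constructed sample table in the same format as Section II.
ALLOWED_MAP=$(mktemp)
cat > "$ALLOWED_MAP" <<'EOF'
# local Zimbra domains (from zmprov gad)
abcdcompany.com    OK
example.net        OK
# friendly external domain added by hand
zimbra.com         OK
EOF

# map_get FILE KEY: print the action stored for KEY, nothing if absent.
# Keys are compared case-insensitively, as postmap folds them to lowercase.
map_get() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# access_lookup FILE ADDRESS: print the matching action using the key order
# Postfix applies to check_sender_access / check_recipient_access:
# user@domain, then the domain and each of its parent domains, then user@.
access_lookup() {
    file=$1; addr=$2
    local_part=${addr%@*}; domain=${addr#*@}
    r=$(map_get "$file" "$addr"); [ -n "$r" ] && { echo "$r"; return; }
    d=$domain
    while [ -n "$d" ]; do
        r=$(map_get "$file" "$d"); [ -n "$r" ] && { echo "$r"; return; }
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac     # strip one label
    done
    map_get "$file" "$local_part@"
}

# decide FILE ADDRESS: outcome of "check_*_access lmdb:FILE, reject".
# OK (or permit) in the table accepts; anything else falls through to reject.
decide() {
    r=$(access_lookup "$1" "$2" | tr '[:upper:]' '[:lower:]')
    case $r in
        ok|permit) echo OK ;;
        *)         echo reject ;;
    esac
}

# Walk the same situations the Section V logs show: local and external addresses.
for a in rick@abcdcompany.com smithj@gmail.com someone@mail.example.net \
         rick@someexternalcompany.com; do
    printf '%-32s %s\n' "$a" "$(decide "$ALLOWED_MAP" "$a")"
done
```

Run it as the zimbra user on the MTA after editing the table; a sender that comes back "reject" will hit smtpd_sender_restrictions, a recipient that comes back "reject" will hit smtpd_recipient_restrictions, exactly as in the Section V log lines.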

Section V - Sample Logs

Local Zimbra user sending to an external address:

Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Most likely, the Zimbra end user will see the error message "Message not sent; one or more addresses were not accepted".

External account sending to a Zimbra address:

Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Most likely the external sender will get a bounce message containing "Sender address rejected: Access denied".
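Once the policy is live, the rejections above are the record of who is trying to cross it, so it pays to pull them out of the MTA log rather than read it by hand. The script below is an added example, not part of this wiki page or of Zimbra: it extracts the "NOQUEUE: reject" events, labels each as a sender-stage or recipient-stage rejection, and counts repeat internal senders that keep trying to send outside. The log lines are constructed here from the Section V entries; on a real MTA point the functions at the Postfix log file instead.

```shell
#!/bin/sh
# Added example (not from the wiki page): summarise Postfix policy rejections.

# Constructed sample log, built from the Section V lines.
REJECT_LOG=$(mktemp)
cat > "$REJECT_LOG" <<'EOF'
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
EOF

# list_rejects FILE: one line per "NOQUEUE: reject" event, as
#   <stage> <from> <to> <client>
# where stage is "sender" (smtpd_sender_restrictions fired) or "recipient".
list_rejects() {
    awk '
        /NOQUEUE: reject: / {
            stage = ($0 ~ /Sender address rejected/) ? "sender" : "recipient"
            from = to = client = "?"
            if (match($0, /from=<[^>]*>/))   from   = substr($0, RSTART + 6,  RLENGTH - 7)
            if (match($0, /to=<[^>]*>/))     to     = substr($0, RSTART + 4,  RLENGTH - 5)
            if (match($0, /RCPT from [^:]*:/)) client = substr($0, RSTART + 10, RLENGTH - 11)
            print stage, from, to, client
        }
    ' "$1"
}

# count_rejects FILE STAGE: number of rejections at the given stage.
count_rejects() {
    list_rejects "$1" | awk -v s="$2" '$1 == s' | wc -l | tr -d ' '
}

# top_blocked_senders FILE: "<count> <sender>" for recipient-stage rejections,
# most frequent first. Internal users that show up here repeatedly are the
# ones trying to send outside the allowed domains.
top_blocked_senders() {
    list_rejects "$1" | awk '$1 == "recipient" { print $2 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

echo "sender-stage rejects:    $(count_rejects "$REJECT_LOG" sender)"
echo "recipient-stage rejects: $(count_rejects "$REJECT_LOG" recipient)"
echo "blocked internal senders:"
top_blocked_senders "$REJECT_LOG"
```

Sender-stage rejections are external parties being refused by smtpd_sender_restrictions; recipient-stage rejections are your own users being refused by smtpd_recipient_restrictions, so a sudden rise in either is the first sign that a table entry is missing or that someone is probing the policy.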

Section VI - FAQ

Will I need to be root to make these changes?
No, just use the zimbra account.

Will these changes survive upgrades?
No.

I have a domain that I need to blacklist; should I add it to the allowed_domains file, e.g. "freeipad.com REJECT"?
There's no need. Domains that are NOT in the allowed_domains file will be rejected.

If I decide to implement these changes, will Zimbra Support help me if I need assistance?
This is a customization, and as such Zimbra Support will not support custom changes. If you need to revert your changes, Zimbra Support can help.

I want my users to be able to receive messages from external domains but still restrict which domains my users can send to. Can I just edit the smtpd_recipient_restrictions.cf file and leave the smtpd_sender_restrictions.cf file untouched?
Correct.

Section VII - Notable RFEs

https://bugzilla.zimbra.com/show_bug.cgi?id=70599
https://bugzilla.zimbra.com/show_bug.cgi?id=5595

Section VIII - Advanced Configuration

NOT COMPLETE!!!
If you want to use a different method, you can use the smtpd_restriction_classes setting.
For example, suppose you have just one domain in your Zimbra setup and you want all internal users to be able to send messages only to that domain, but there is one account that needs to be able to send to an external domain, say yahoo.com. Here is what you can do.

a) Edit /opt/zimbra/conf/zmconfigd.cf and add the following:

POSTCONF smtpd_restriction_classes  internal_only, yahoo_only
POSTCONF internal_only   check_sender_access lmdb:/opt/zimbra/conf/internal_only, reject
POSTCONF yahoo_only     check_sender_access lmdb:/opt/zimbra/conf/yahoo_only, reject

Place the lines just above the RESTART mta line.

b) Create the /opt/zimbra/conf/internal_only file with your local Zimbra domains:

abcdcompany.com    OK

And run postmap against the file:

postmap /opt/zimbra/conf/internal_only

c) Create the /opt/zimbra/conf/yahoo_only file with the following:

yahoo.com    OK

d) Create the /opt/zimbra/conf/internal_permitted file with the following:

abcdcompany.com	internal_only

e) Create the /opt/zimbra/conf/yahoo_permitted file with the following:

boss@abcdcompany.com	yahoo_only

f) Run postmap against the files (yahoo_only needs it as well, since the yahoo_only class looks up lmdb:/opt/zimbra/conf/yahoo_only):

postmap /opt/zimbra/conf/yahoo_only
postmap /opt/zimbra/conf/internal_permitted
postmap /opt/zimbra/conf/yahoo_permitted

g) Edit /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf to contain the following:

check_sender_access lmdb:/opt/zimbra/conf/internal_permitted
check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject

h) Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf to contain the following:

check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted
check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject

i) Restart the MTA:

zmmtactl restart

j) Verify with postconf; you should have the following:

postconf smtpd_restriction_classes smtpd_sender_restrictions smtpd_recipient_restrictions

smtpd_restriction_classes = internal_only, yahoo_only
smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/internal_permitted, check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
smtpd_recipient_restrictions = check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted, check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject