Difference between revisions of "King0770-Notes-Ultra-Restrictive-Sending-And-Receiving"

(Section VII - Notable RFE's)

(27 intermediate revisions by the same user not shown)

Previous revision:

{{WIP}}

<strong>The contents of this article are not yet complete and should be considered highly experimental.</strong>

Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.

==Section I - Edit smtpd_sender_restrictions.cf==

Back up the original file.

<code><pre>
cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf
</pre></code>

Edit smtpd_sender_restrictions.cf to contain only the following.

<code><pre>
check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject
</pre></code>

Make sure to review zimbraMtaSmtpdSenderRestrictions as well.

<code><pre>
zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions
</pre></code>

<strong>OR</strong>

<code><pre>
zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions
</pre></code>

You should see this:

<code><pre>
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
</pre></code>

==Section II - Edit allowed_domains file==

The /opt/zimbra/conf/allowed_domains file should contain the local domains of your Zimbra setup.

<code><pre>
for dom in `zmprov gad`; do echo "$dom  OK" >> /opt/zimbra/conf/allowed_domains; done
</pre></code>

It should look something like this, as an example:

<code><pre>
abcdcompany.com   OK
example.net      OK
</pre></code>

Don't forget to run postmap against the allowed_domains file.

<code><pre>
postmap /opt/zimbra/conf/allowed_domains
</pre></code>

If you need to add a friendly domain that is external to your setup, you can use the editor of your choice and add the external domain.

<code><pre>
yahoo.com  OK
zimbra.com OK
</pre></code>

Any time the allowed_domains file is updated, don't forget to run postmap against it again.

<code><pre>
postmap /opt/zimbra/conf/allowed_domains
</pre></code>

==Section III - Edit smtpd_recipient_restrictions.cf==

Back up the original file.

<code><pre>
cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf
</pre></code>

Edit smtpd_recipient_restrictions.cf to contain only the following.

<code><pre>
check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
reject
</pre></code>

==Section IV - Restart MTA to pick up the changes==

<code><pre>
zmmtactl restart
</pre></code>

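Once the two restriction files and the allowed_domains table are in place (Sections I to III), it is worth predicting what Postfix will do with a given address before restarting the MTA. The script below is an added example, not code from this article or from Zimbra: it rebuilds allowed_domains without the duplicate lines that the `>>` loop in Section II produces on every re-run, and emulates the table lookup that check_sender_access and check_recipient_access perform, including the parent-domain fall-through that Postfix enables for smtpd_access_maps by default. The table path and the addresses are parameters; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the wiki page: rebuild the allowed_domains access
# table without duplicates and predict the verdict Postfix gives an address,
# following the lookup order access(5) applies to a domain-keyed table.

# Regenerate the table from a list of domains on stdin (one per line).
# Unlike the page's loop, which appends with >> and so duplicates every line
# on each re-run, this lowercases, de-duplicates and writes atomically.
build_allowed_domains() {
  table="$1"
  tmp="$table.tmp.$$"
  tr 'A-Z' 'a-z' | sed '/^[[:space:]]*$/d' | sort -u \
    | awk '{ print $1 "  OK" }' > "$tmp" && mv "$tmp" "$table"
  # On the MTA, rebuild the indexed map as the page does; skipped elsewhere.
  if command -v postmap >/dev/null 2>&1; then postmap "$table"; fi
}

# Emulate the lookup check_sender_access / check_recipient_access performs
# against the table: the full address first, then its domain, then each
# parent domain (on by default for smtpd_access_maps; confirm with
# `postconf parent_domain_matches_subdomains`). The localpart-only "user@"
# lookup is omitted because this table only ever holds domains. A miss
# prints "reject", mirroring the trailing "reject" in the restriction file.
access_verdict() {
  table="$1"
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  domain="${key#*@}"
  while :; do
    verdict=$(awk -v k="$key" '$1 == k { print $2; exit }' "$table")
    if [ -n "$verdict" ]; then
      printf '%s\n' "$verdict"
      return 0
    fi
    case "$key" in
      *@*) key="$domain" ;;                 # address missed: try the bare domain
      *.*) key="${key#*.}" ;;               # domain missed: try its parent domain
      *)   printf 'reject\n'; return 0 ;;   # nothing matched: the trailing reject fires
    esac
  done
}
```

The parent-domain behaviour is the point to keep in mind when adding a "friendly" external domain: an entry such as `example.net  OK` also admits any subdomain of example.net, so a single line can be broader than it looks.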
==Section V - Sample Logs==

Local Zimbra user sending to an external address:

<code><pre>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
</pre></code>

Most likely, the Zimbra end user would see the error message <strong>Message not sent; one or more addresses were not accepted</strong>.

External account sending to a Zimbra address:

<code><pre>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
</pre></code>

Most likely the external account will get a bounce message, <strong>Sender address rejected: Access denied</strong>.

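To watch these rejects rather than grep for them by hand, here is an added example (not part of the article): an awk-based summariser for the NOQUEUE lines shown above. It reports which restriction produced the reject (the "Sender address rejected" text comes from the sender list, "Recipient address rejected" from the recipient list), the envelope sender and recipient, and the reason Postfix logged, so a blocked internal sender can be told apart from a blocked external one at a glance. The sample log is constructed to match Section V; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the wiki page: triage Postfix "NOQUEUE: reject"
# events so the admin can see which restriction list fired and for whom.

# Read a Postfix log on stdin and print one line per reject:
#   <stage> <envelope sender> <recipient> <reason>
# The reason is kept because other rules (for example
# reject_unknown_sender_domain) log the same "Sender address rejected"
# prefix with a different reason than the "Access denied" of this setup.
summarize_rejects() {
  awk '
    /NOQUEUE: reject:/ {
      stage = "other"
      if ($0 ~ /Sender address rejected/)    stage = "sender_restriction"
      if ($0 ~ /Recipient address rejected/) stage = "recipient_restriction"
      from = "-"; to = "-"; reason = "-"
      if (match($0, /from=<[^>]*>/))    from   = substr($0, RSTART + 6, RLENGTH - 7)
      if (match($0, /to=<[^>]*>/))      to     = substr($0, RSTART + 4, RLENGTH - 5)
      if (match($0, /rejected: [^;]*/)) reason = substr($0, RSTART + 10, RLENGTH - 10)
      print stage, from, to, reason
    }'
}

# Count rejects per stage, e.g. to alert when internal users keep hitting the
# recipient restriction (a sign the allowed_domains table is missing a domain).
count_rejects_by_stage() {
  summarize_rejects | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample, modelled on the page's Section V log lines.
SAMPLE_LOG='Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>'

printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

On the MTA the same functions work on the live log, for example `summarize_rejects < /var/log/zimbra.log`.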
==Section VI - FAQ==

<strong>Will I need to be root to make these changes?</strong><br>
No, just use the zimbra account.

<strong>Will these changes survive upgrades?</strong><br>
No.

<strong>I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e. freeipad.com REJECT</strong><br>
There's no need. Domains that are <strong>NOT</strong> in the allowed_domains file will be rejected.

<strong>If I decide to implement these changes, will Zimbra Support help me if I need assistance?</strong><br>
This is a customization, and as such, Zimbra will <strong>not</strong> support any custom changes. If you need to revert your changes, Zimbra Support can help.

<strong>I want my users to be able to receive messages from external domains, but still restrict what domains my users can send to. Can I just edit the smtpd_recipient_restrictions.cf file and leave the smtpd_sender_restrictions.cf file untouched?</strong><br>
Correct.<br>

==Section VII - Notable RFE's==

https://bugzilla.zimbra.com/show_bug.cgi?id=70599<br>
https://bugzilla.zimbra.com/show_bug.cgi?id=5595<br>


Latest revision as of 17:20, 6 March 2018



Scenario I

You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.

Create an internal_restrict group and an Access Control entry called DenySendAccess.

<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);"
</pre></code>

The same works if you need to prevent the user from sending messages to any account at all: use any as the destination instead of the %internal_domains group.

<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);"
</pre></code>


Now add the internal accounts that are to be prevented from sending messages.

<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');"
</pre></code>

Scenario II

Restrict users to a certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain. Another cbpolicyd solution:

<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);"
</pre></code>

Scenario III

Quota Policy, contributed by Karl Buchner

As an example, let's say your company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds).

<code><pre>
# Column lists added to the policy_members, quotas and quotas_limits inserts:
# SQLite rejects an INSERT whose value count differs from the table's column
# count, and the stock cbpolicyd tables have more columns (ID, Comment,
# Disabled, ...) than values are given here. Column names follow the stock
# cbpolicyd schema.
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" (PolicyID,Source,Destination) VALUES(6, 'any', 'any');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict,Data) VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict) VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(3, 'MessageCount', 10);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(4, 'MessageCount', 5);"
</pre></code>

Note: this assumes you have enabled cbpolicyd and inject these contents immediately, because they rely on the default policies, policy_members, quotas and quotas_limits rows already existing and occupying certain IDs.
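The note above is the weak point of every hard-coded 6, 7, 3 and 8 in these scenarios: if the database does not hold exactly the stock rows, the inserts silently attach members and rules to the wrong policy. The script below is an added example, not the article's or Zimbra's code. It performs the Scenario I inserts but resolves each ID by name right after the insert, and then prints what the policy actually matches so it can be confirmed before cbpolicyd is reloaded. It assumes the stock cbpolicyd column names; the scratch-database function, the default policy and group names used to seed it, and the function names are my own, constructed so the script can be tried offline.

```sh
#!/bin/sh
# Added example, not from the wiki page: Scenario I with IDs looked up by
# name instead of assumed, plus a query that shows the resulting policy.
# Names passed in are admin-supplied literals; quote them if they can
# contain apostrophes.

# Constructed scratch database: a cut-down copy of the stock cbpolicyd tables
# the page touches, seeded like a fresh install (five default policies, two
# default groups) so the next policy gets ID 6 and the next group ID 3.
new_scratch_db() {
  sqlite3 "$1" "
    CREATE TABLE policies (ID INTEGER PRIMARY KEY, Name TEXT, Priority INTEGER, Description TEXT, Disabled INTEGER DEFAULT 0);
    CREATE TABLE policy_members (ID INTEGER PRIMARY KEY, PolicyID INTEGER, Source TEXT, Destination TEXT, Comment TEXT, Disabled INTEGER DEFAULT 0);
    CREATE TABLE policy_groups (ID INTEGER PRIMARY KEY, Name TEXT, Disabled INTEGER DEFAULT 0, Comment TEXT);
    CREATE TABLE policy_group_members (ID INTEGER PRIMARY KEY, PolicyGroupID INTEGER, Member TEXT, Disabled INTEGER DEFAULT 0, Comment TEXT);
    CREATE TABLE access_control (ID INTEGER PRIMARY KEY, PolicyID INTEGER, Name TEXT, Verdict TEXT, Data TEXT, Comment TEXT, Disabled INTEGER DEFAULT 0);
    INSERT INTO policies (Name,Priority,Description) VALUES ('Default',0,''),('Default Outbound',10,''),('Default Inbound',10,''),('Default Internal',10,''),('Test',10,'');
    INSERT INTO policy_groups (Name,Comment) VALUES ('internal_ips',''),('internal_domains','');"
}

# Resolve IDs by name rather than trusting a hard-coded number.
policy_id() { sqlite3 "$1" "SELECT ID FROM policies WHERE Name='$2';"; }
group_id()  { sqlite3 "$1" "SELECT ID FROM policy_groups WHERE Name='$2';"; }

# Create policy $2 applying to members of group $3 when they send to $4
# (a group such as %internal_domains, or any), with a REJECT access-control
# rule named $5. Prints the policy ID that was actually assigned.
create_restrict_policy() {
  db="$1"; name="$2"; group="$3"; dest="$4"; rule="$5"
  sqlite3 "$db" "INSERT INTO policies (Name,Priority,Description,Disabled) VALUES ('$name',0,'$name',0);"
  pid=$(policy_id "$db" "$name")
  sqlite3 "$db" "INSERT INTO policy_groups (Name,Disabled,Comment) VALUES ('$group',0,'$group');"
  sqlite3 "$db" "INSERT INTO policy_members (PolicyID,Source,Destination,Comment,Disabled) VALUES ($pid,'%$group','$dest','',0);"
  sqlite3 "$db" "INSERT INTO access_control (PolicyID,Name,Verdict,Data,Comment,Disabled) VALUES ($pid,'$rule','REJECT','REJECT','',0);"
  printf '%s\n' "$pid"
}

# Put an account into the group, again by name.
restrict_account() {
  db="$1"; group="$2"; addr="$3"
  gid=$(group_id "$db" "$group")
  sqlite3 "$db" "INSERT INTO policy_group_members (PolicyGroupID,Member,Disabled,Comment) VALUES ($gid,'$addr',0,'Restrict $addr');"
}

# Show what the policy really does after the inserts: which source reaches
# which destination with which verdict.
show_policy() {
  sqlite3 -separator ' ' "$1" "
    SELECT p.Name, m.Source, m.Destination, a.Verdict
      FROM policies p
      JOIN policy_members m ON m.PolicyID = p.ID
      JOIN access_control a ON a.PolicyID = p.ID
     WHERE p.Name = '$2';"
}

# List who is in a group, by group name.
group_members() {
  sqlite3 "$1" "SELECT gm.Member FROM policy_group_members gm JOIN policy_groups g ON g.ID = gm.PolicyGroupID WHERE g.Name = '$2' ORDER BY gm.Member;"
}
```

Against the live database the same calls take /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb as the first argument; `show_policy` and `group_members` are the checks to run before assuming the literal IDs in the scenarios above still hold.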
