Difference between revisions of "King0770-Notes-Ultra-Restrictive-Sending-And-Receiving"

(Section VIII - Advanced Configuration)
 
(24 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
{{WIP}}
 
{{WIP}}
  
<strong>The contents of this article are not yet complete and should be considered highly experimental.</strong>
+
==Scenario I==
  
Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.  
+
You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.  
  
==Section I - Edit smtpd_sender_restrictions.cf==
+
Create a <strong>internal_restrict</strong> group, and a <strong>Access Control</strong> name called <strong>DenySendAccess</strong>.
Backup the original file
 
<code><pre>
 
cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf
 
</pre></code>
 
  
Edit smtpd_sender_restrictions.cf to contain only the following.
 
 
<code><pre>
 
<code><pre>
check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);"
reject
 
</pre></code>
 
  
Make sure to review zimbraMtaSmtpdSenderRestrictions as well.
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);"
<code><pre>
 
zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions
 
 
 
**OR**
 
 
 
zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions
 
</pre></code>
 
  
Should see this.
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');"
<code><pre>
 
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
 
</pre></code>
 
  
==Section II  - Edit allowed_domains file==
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);"
The /opt/zimbra/conf/allowed_domains should contain your local domains within your Zimbra setup.  
 
<code><pre>
 
for dom in `zmprov gad`; do echo "$dom  OK" >> /opt/zimbra/conf/allowed_domains; done
 
 
</pre></code>
 
</pre></code>
  
Should look something like this; as an example
+
This should work as well if you need to prevent the user from sending messages to any accounts.
 
<code><pre>
 
<code><pre>
abcdcompany.com    OK
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);"
example.net      OK
 
 
</pre></code>
 
</pre></code>
  
Don't forget to run postmap against the allowed_domains file
 
<code><pre>
 
postmap /opt/zimbra/conf/allowed_domains
 
</pre></code>
 
  
If you need to add a friendly domain that is external to your setup, you can use the editor of your choice, and add the external domain.
+
Now it's time to add a couple of internal accounts to prevent sending messages. <br>
 
<code><pre>
 
<code><pre>
yahoo.com  OK
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');"
zimbra.com  OK
 
</pre></code>
 
Any time the allowed_domains file is updated, don't forget to run postmap against the allowed_domains file.
 
<code><pre>
 
postmap /opt/zimbra/conf/allowed_domains
 
</pre></code>
 
 
 
==Section III - Edit smtpd_recipient_restrictions.cf==
 
Backup the original file
 
<code><pre>
 
cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf  /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf
 
</pre></code>
 
 
 
Edit smtpd_recipient_restrictions.cf to contain only the following.
 
<code><pre>
 
check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
 
reject
 
</pre></code>
 
 
 
==Section IV - Restart MTA to pick up the changes==
 
<code><pre>
 
zmmtactl restart
 
</pre></code>
 
 
 
==Section V - Sample Logs==
 
Local zimbra user sending to an external address
 
<code><pre>
 
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
 
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
 
</pre></code>
 
Most likely, the zimbra end user would see the error message of, <strong>Message not sent; one or more addresses were not accepted</strong>
 
  
External account sending to a zimbra address
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');"
<code><pre>
 
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
 
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
 
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
 
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
 
 
</pre></code>
 
</pre></code>
Most likely the external account will get a bounce message, <strong>Sender address rejected: Access denied</strong>
 
 
==Section VI - FAQ==
 
<strong>Will I need to be root to make these changes?</strong><br>
 
No, just use the zimbra account
 
 
<strong>Will these changes survive upgrades?</strong><br>
 
No
 
 
<strong>I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e.  freeipad.com    REJECT</strong><br>
 
There's no need. Domains that are <strong>NOT</strong> in the allowed_domains file will be rejected.
 
 
<strong>If I decide to implement these changes, will Zimbra Support help me if I need assistance?</strong><br>
 
This is a customization, and as such, Zimbra will <strong>not</strong> Support any custom changes. If you need to revert your changes, Zimbra Support can help.
 
 
<strong>I want my users to be able to receive messages from external domains, but still restrict what domains my users can send to, can I just edit the smtpd_recipient_restrictions.cf file, and leave the smtpd_sender_restrictions.cf file untouched?</strong><br>
 
Correct.<br>
 
 
==Section VII - Notable RFE's==
 
https://bugzilla.zimbra.com/show_bug.cgi?id=70599<br>
 
https://bugzilla.zimbra.com/show_bug.cgi?id=5595<br>
 
 
==Section VIII - Advanced Configuration==
 
<strong>NOT COMPLETE!!!</strong><br>
 
If you wanted to different, you can use the smtpd_restriction_classes setting.<br>
 
For example, if you have just one domain in your zimbra setup, and you want all your internal users to be able to send messages to; however, there is <strong>one</strong> account that needs to be able to an external domain, say for example yahoo.com, here's what you can do.
 
  
a) Edit /opt/zimbra/conf/zmconfigd.cf with the following
+
==Scenario II==
 +
Restrict users to certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain <br>
 +
Another cbpolicyd solution
 
<code><pre>
 
<code><pre>
POSTCONF smtpd_restriction_classes  internal_only, yahoo_only
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);"
POSTCONF internal_only  check_sender_access lmdb:/opt/zimbra/conf/internal_only, reject
 
POSTCONF yahoo_only    check_sender_access lmdb:/opt/zimbra/conf/yahoo_only, reject
 
</pre></code>
 
  
Place the lines just above the <strong>RESTART mta</strong>
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);"
  
b) Create the /opt/zimbra/conf/internal_only with your local zimbra domains
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);"
<code><pre>
 
abcdcompany.com    OK
 
 
</pre></code>
 
</pre></code>
  
And run postmap against the file
+
==Scenario III==
<code><pre>
+
Quota Policy, contributed by Karl Buchner  <br>
postmap /opt/zimbra/conf/internal_only
 
</pre></code>
 
  
c) Create the /opt/zimbra/conf/yahoo_only file with the following
+
As an example, lets say your Company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds). <br>
<code><pre>
 
yahoo.com    OK
 
</pre></code>
 
  
d) Create the /opt/zimbra/conf/internal_permitted file with the following
 
 
<code><pre>
 
<code><pre>
abcdcompany.com internal_only
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');"
</pre></code>
 
  
e) Create the /opt/zimbra/conf/yahoo_permitted file with the following
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(6, 'any', 'any');"
<code><pre>
 
boss@abcdcompany.com yahoo_only
 
</pre></code>
 
  
f) Run postmap against the files
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');"
<code><pre>
 
postmap  /opt/zimbra/conf/internal_permitted
 
postmap /opt/zimbra/conf/yahoo_permitted
 
</pre></code>
 
  
g) Edit the /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf with the following
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');"
<code><pre>
 
check_sender_access lmdb:/opt/zimbra/conf/internal_permitted
 
check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
 
</pre></code>
 
  
h) Edit the /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf with the following
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(3, 'MessageCount', 10);"
<code><pre>
 
check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted
 
check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
 
</pre></code>
 
 
 
i) Restart MTA
 
<code><pre>
 
zmmtactl restart
 
</pre></code>
 
  
j) Should have the following
+
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(4, 'MessageCount', 5);"
<code><pre>
 
postconf smtpd_restriction_classes smtpd_sender_restrictions smtpd_recipient_restrictions
 
  
smtpd_restriction_classes = internal_only, yahoo_only
 
smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/internal_permitted, check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
 
smtpd_recipient_restrictions = check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted, check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
 
 
</pre></code>
 
</pre></code>
 +
<strong>Note:</strong> this assumes you have enabled cbpolicyd and immediately inject these contents, because they are based on the default policies, policy_members, quotas, quota_limits existing already, occupying certain IDs.

Latest revision as of 17:20, 6 March 2018

|ZCS 8.7 Article ZCS 8.7 |ZCS 9.0 Article ZCS 9.0


Scenario I

You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.

Create a internal_restrict group, and a Access Control name called DenySendAccess.

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);"

This should work as well if you need to prevent the user from sending messages to any accounts.

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);"


Now it's time to add a couple of internal accounts to prevent sending messages.

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');"

Scenario II

Restrict users to certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain
Another cbpolicyd solution

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);"

Scenario III

Quota Policy, contributed by Karl Buchner

As an example, lets say your Company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds).

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(6, 'any', 'any');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(3, 'MessageCount', 10);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(4, 'MessageCount', 5);"

Note: this assumes you have enabled cbpolicyd and immediately inject these contents, because they are based on the default policies, policy_members, quotas, quota_limits existing already, occupying certain IDs.

Jump to: navigation, search