King0770-Notes-Ultra-Restrictive-Sending-And-Receiving: Difference between revisions

No edit summary
No edit summary
 
(17 intermediate revisions by the same user not shown)
Line 2: Line 2:
{{WIP}}
{{WIP}}


==Scenario==
==Scenario I==


You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.  
You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.  
===Use cbpolicyd===


Create a <strong>internal_restrict</strong> group, and a <strong>Access Control</strong> name called <strong>DenySendAccess</strong>.
Create a <strong>internal_restrict</strong> group, and a <strong>Access Control</strong> name called <strong>DenySendAccess</strong>.


<code><pre>
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(6,'Restrict_Internal',0,'Restrict_Internal',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);"


sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(6,6,'%internal_restrict','%internal_domains','',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);"


sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(3,'internal_restrict',0,'internal_restrict');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');"
 
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);"
</pre></code>


sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(1,6,'DenySendAccess','REJECT','REJECT','',0);"
This should work as well if you need to prevent the user from sending messages to any accounts.
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);"
</pre></code>
</pre></code>


Now it's time to add a couple of internal accounts to prevent sending messages. <br>
Now it's time to add a couple of internal accounts to prevent sending messages. <br>
<code><pre>
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(7,3,'rick@example.com.local',0,'Restrict Rick');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');"


sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(8,3,'john@example.com',0,'Restrict John');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');"
</pre></code>
</pre></code>


===Avoid ID constraints===
==Scenario II==
Getting this error?
Restrict users to certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain <br>
Another cbpolicyd solution
<code><pre>
<code><pre>
Error: UNIQUE constraint failed: policy_group_members.ID
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);"
 
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);"
 
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);"
</pre></code>
</pre></code>


Try this small script <br>
==Scenario III==
Quota Policy, contributed by Karl Buchner  <br>
 
As an example, lets say your Company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds). <br>
 
<code><pre>
<code><pre>
#!/bin/bash
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');"
#Description add user to the policy_group_members
 
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(6, 'any', 'any');"
 
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');"
 
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');"


TEST=`sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "select * from policy_group_members;" "" | tail -1 | awk -F"|" '{ print $1 }'`
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(3, 'MessageCount', 10);"


echo $(( $TEST + 1 )) > /dev/null
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(4, 'MessageCount', 5);"


sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(`echo $(( $TEST + 1 ))`,3,'$1',0,'NULL');"
</pre></code>
</pre></code>
<strong>Note:</strong> this assumes you have enabled cbpolicyd and immediately inject these contents, because they are based on the default policies, policy_members, quotas, quota_limits existing already, occupying certain IDs.

Latest revision as of 17:20, 6 March 2018

|ZCS 8.7 Article ZCS 8.7 |ZCS 9.0 Article ZCS 9.0


Scenario I

You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.

Create a internal_restrict group, and a Access Control name called DenySendAccess.

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);"

This should work as well if you need to prevent the user from sending messages to any accounts.

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);"


Now it's time to add a couple of internal accounts to prevent sending messages.

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');"

Scenario II

Restrict users to certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain
Another cbpolicyd solution

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);"

Scenario III

Quota Policy, contributed by Karl Buchner

As an example, lets say your Company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds).

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(6, 'any', 'any');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(3, 'MessageCount', 10);"

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(4, 'MessageCount', 5);"

Note: this assumes you have enabled cbpolicyd and immediately inject these contents, because they are based on the default policies, policy_members, quotas, quota_limits existing already, occupying certain IDs.

Jump to: navigation, search