|
|
(22 intermediate revisions by the same user not shown) |
Line 2: |
Line 2: |
| {{WIP}} | | {{WIP}} |
|
| |
|
| <strong>The contents of this article are not yet complete and should be considered highly experimental.</strong>
| | ==Scenario I== |
|
| |
|
| Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.
| | You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages. |
|
| |
|
| ==Section I - Edit smtpd_sender_restrictions.cf==
| | Create a <strong>internal_restrict</strong> group, and a <strong>Access Control</strong> name called <strong>DenySendAccess</strong>. |
| Backup the original file
| |
| <code><pre> | |
| cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf
| |
| </pre></code> | |
|
| |
|
| Edit smtpd_sender_restrictions.cf to contain only the following.
| |
| <code><pre> | | <code><pre> |
| check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);" |
| reject
| |
| </pre></code>
| |
|
| |
|
| Make sure to review zimbraMtaSmtpdSenderRestrictions as well.
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);" |
| <code><pre>
| |
| zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions
| |
|
| |
|
| **OR**
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');" |
|
| |
|
| zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);" |
| </pre></code> | | </pre></code> |
|
| |
|
| Should see this.
| | This should work as well if you need to prevent the user from sending messages to any accounts. |
| <code><pre> | | <code><pre> |
| zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);" |
| </pre></code> | | </pre></code> |
|
| |
|
| If needed...
| |
| <code><pre>
| |
| zmprov mcf +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject"
| |
| </pre></code>
| |
|
| |
|
| ==Section II - Edit allowed_domains file==
| | Now it's time to add a couple of internal accounts to prevent sending messages. <br> |
| The /opt/zimbra/conf/allowed_domains should contain your local domains within your Zimbra setup.
| |
| <code><pre> | | <code><pre> |
| for dom in `zmprov gad`; do echo "$dom OK" >> /opt/zimbra/conf/allowed_domains; done
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');" |
| </pre></code>
| |
|
| |
|
| Should look something like this; as an example
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');" |
| <code><pre>
| |
| abcdcompany.com OK
| |
| example.net OK
| |
| </pre></code> | | </pre></code> |
|
| |
|
| Don't forget to run postmap against the allowed_domains file
| | ==Scenario II== |
| | Restrict users to certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain <br> |
| | Another cbpolicyd solution |
| <code><pre> | | <code><pre> |
| postmap /opt/zimbra/conf/allowed_domains
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);" |
| </pre></code>
| |
|
| |
|
| If you need to add a friendly domain that is external to your setup, you can use the editor of your choice, and add the external domain.
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);" |
| <code><pre>
| |
| yahoo.com OK
| |
| zimbra.com OK
| |
| </pre></code>
| |
| Any time the allowed_domains file is updated, don't forget to run postmap against the allowed_domains file.
| |
| <code><pre>
| |
| postmap /opt/zimbra/conf/allowed_domains
| |
| </pre></code>
| |
|
| |
|
| ==Section III - Edit smtpd_recipient_restrictions.cf==
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);" |
| Backup the original file
| |
| <code><pre>
| |
| cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf
| |
| </pre></code> | | </pre></code> |
|
| |
|
| Edit smtpd_recipient_restrictions.cf to contain only the following.
| | ==Scenario III== |
| <code><pre> | | Quota Policy, contributed by Karl Buchner <br> |
| check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
| |
| reject
| |
| </pre></code>
| |
|
| |
|
| ==Section IV - Restart MTA to pick up the changes==
| | As an example, lets say your Company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds). <br> |
| <code><pre>
| |
| zmmtactl restart
| |
| </pre></code>
| |
|
| |
|
| ==Section V - Sample Logs==
| |
| Local zimbra user sending to an external address
| |
| <code><pre> | | <code><pre> |
| Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');" |
| Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
| |
| </pre></code>
| |
| Most likely, the zimbra end user would see the error message of, <strong>Message not sent; one or more addresses were not accepted</strong>
| |
| | |
| External account sending to a zimbra address
| |
| <code><pre>
| |
| Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
| |
| Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
| |
| Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
| |
| Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
| |
| </pre></code>
| |
| Most likely the external account will get a bounce message, <strong>Sender address rejected: Access denied</strong>
| |
| | |
| ==Section VI - FAQ==
| |
| <strong>Will I need to be root to make these changes?</strong><br>
| |
| No, just use the zimbra account
| |
| | |
| <strong>Will these changes survive upgrades?</strong><br>
| |
| No
| |
| | |
| <strong>I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e. freeipad.com REJECT</strong><br>
| |
| There's no need. Domains that are <strong>NOT</strong> in the allowed_domains file will be rejected.
| |
|
| |
|
| <strong>If I decide to implement these changes, will Zimbra Support help me if I need assistance?</strong><br>
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(6, 'any', 'any');" |
| This is a customization, and as such, Zimbra will <strong>not</strong> Support any custom changes. If you need to revert your changes, Zimbra Support can help.
| |
|
| |
|
| <strong>I want my users to be able to receive messages from external domains, but still restrict what domains my users can send to, can I just edit the smtpd_recipient_restrictions.cf file, and leave the smtpd_sender_restrictions.cf file untouched?</strong><br>
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');" |
| Correct.<br>
| |
|
| |
|
| ==Section VII - Notable RFE's==
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');" |
| https://bugzilla.zimbra.com/show_bug.cgi?id=70599<br>
| |
| https://bugzilla.zimbra.com/show_bug.cgi?id=5595<br>
| |
|
| |
|
| ==Section VIII - Advanced Configuration==
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(3, 'MessageCount', 10);" |
| <strong>NOT COMPLETE!!!</strong><br>
| |
| If you wanted to use a different method, you can use the smtpd_restriction_classes setting.<br>
| |
| For example, if you have just one domain in your zimbra setup, and you want all your internal users to be able to send messages to; however, there is <strong>one</strong> account that needs to be able to an external domain, say for example yahoo.com, here's what you can do.
| |
|
| |
|
| a) Edit /opt/zimbra/conf/zmconfigd.cf with the following
| | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(4, 'MessageCount', 5);" |
| <code><pre>
| |
| POSTCONF smtpd_restriction_classes internal_only, yahoo_only
| |
| POSTCONF internal_only check_sender_access lmdb:/opt/zimbra/conf/internal_only, reject
| |
| POSTCONF yahoo_only check_sender_access lmdb:/opt/zimbra/conf/yahoo_only, reject
| |
| </pre></code>
| |
| | |
| Place the lines just above the <strong>RESTART mta</strong>
| |
| | |
| b) Create the /opt/zimbra/conf/internal_only with your local zimbra domains
| |
| <code><pre>
| |
| abcdcompany.com OK
| |
| </pre></code>
| |
| | |
| And run postmap against the file
| |
| <code><pre>
| |
| postmap /opt/zimbra/conf/internal_only
| |
| </pre></code>
| |
| | |
| c) Create the /opt/zimbra/conf/yahoo_only file with the following
| |
| <code><pre>
| |
| yahoo.com OK
| |
| </pre></code>
| |
| | |
| d) Create the /opt/zimbra/conf/internal_permitted file with the following
| |
| <code><pre>
| |
| abcdcompany.com internal_only
| |
| </pre></code>
| |
| | |
| e) Create the /opt/zimbra/conf/yahoo_permitted file with the following
| |
| <code><pre>
| |
| boss@abcdcompany.com yahoo_only
| |
| </pre></code>
| |
| | |
| f) Run postmap against the files
| |
| <code><pre>
| |
| postmap /opt/zimbra/conf/internal_permitted
| |
| postmap /opt/zimbra/conf/yahoo_permitted
| |
| </pre></code>
| |
| | |
| g) Edit the /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf with the following
| |
| <code><pre>
| |
| check_sender_access lmdb:/opt/zimbra/conf/internal_permitted
| |
| check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
| |
| </pre></code>
| |
| | |
| h) Edit the /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf with the following
| |
| <code><pre>
| |
| check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted
| |
| check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
| |
| </pre></code>
| |
| | |
| i) Restart MTA
| |
| <code><pre>
| |
| zmmtactl restart
| |
| </pre></code>
| |
| | |
| j) Should have the following
| |
| <code><pre>
| |
| postconf smtpd_restriction_classes smtpd_sender_restrictions smtpd_recipient_restrictions
| |
|
| |
|
| smtpd_restriction_classes = internal_only, yahoo_only
| |
| smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/internal_permitted, check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
| |
| smtpd_recipient_restrictions = check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted, check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
| |
| </pre></code> | | </pre></code> |
| | <strong>Note:</strong> this assumes you have enabled cbpolicyd and immediately inject these contents, because they are based on the default policies, policy_members, quotas, quota_limits existing already, occupying certain IDs. |
- This article is a Community contribution and may include unsupported customizations.
| ZCS 8.7
| ZCS 9.0
- This article is a Work in Progress, and may be unfinished or missing sections.
Scenario I
You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.
Create a internal_restrict group, and a Access Control name called DenySendAccess.
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);"
This should work as well if you need to prevent the user from sending messages to any accounts.
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);"
Now it's time to add a couple of internal accounts to prevent sending messages.
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');"
Scenario II
Restrict users to certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain
Another cbpolicyd solution
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);"
Scenario III
Quota Policy, contributed by Karl Buchner
As an example, lets say your Company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds).
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(6, 'any', 'any');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(3, 'MessageCount', 10);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" VALUES(4, 'MessageCount', 5);"
Note: this assumes you have enabled cbpolicyd and immediately inject these contents, because they are based on the default policies, policy_members, quotas, quota_limits existing already, occupying certain IDs.