King0770-Notes-Ultra-Restrictive-Sending-And-Receiving: Difference between revisions

{{WIP}}


<strong>The contents of this article are not yet complete and should be considered highly experimental.</strong>
Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.


==Section I - Edit smtpd_sender_restrictions.cf==
Back up the original file
<code><pre>
cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf
</pre></code>


Edit smtpd_sender_restrictions.cf to contain only the following.
<code><pre>
check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject
</pre></code>


Make sure to review zimbraMtaSmtpdSenderRestrictions as well.
<code><pre>
zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions
</pre></code>

<strong>OR</strong>

<code><pre>
zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions
</pre></code>


You should see this.
<code><pre>
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
</pre></code>


If the attribute does not yet contain this value, add it with zmprov:
<code><pre>
zmprov mcf +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject"
</pre></code>


==Section II  - Edit allowed_domains file==
The /opt/zimbra/conf/allowed_domains file should contain the local domains of your Zimbra setup. The following loop appends every domain zmprov knows about:
<code><pre>
for dom in `zmprov gad`; do echo "$dom  OK" >> /opt/zimbra/conf/allowed_domains; done
</pre></code>


It should look something like this, as an example:
<code><pre>
abcdcompany.com   OK
example.net      OK
</pre></code>


Don't forget to run postmap against the allowed_domains file.
<code><pre>
postmap /opt/zimbra/conf/allowed_domains
</pre></code>


If you need to allow a friendly domain that is external to your setup, open the file in the editor of your choice and add the external domain with the same OK action, for example:
<code><pre>
yahoo.com  OK
zimbra.com  OK
</pre></code>
Any time the allowed_domains file is updated, don't forget to run postmap against the allowed_domains file.
<code><pre>
postmap /opt/zimbra/conf/allowed_domains
</pre></code>


==Section III - Edit smtpd_recipient_restrictions.cf==
Back up the original file
<code><pre>
cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf
</pre></code>


Edit smtpd_recipient_restrictions.cf to contain only the following.
<code><pre>
check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
reject
</pre></code>


==Section IV - Restart MTA to pick up the changes==
<code><pre>
zmmtactl restart
</pre></code>


==Section V - Sample Logs==
Local zimbra user sending to an external address
<code><pre>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
</pre></code>
Most likely, the Zimbra end user would see the error message <strong>Message not sent; one or more addresses were not accepted</strong>.
 
External account sending to a zimbra address
<code><pre>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
</pre></code>
Most likely the external sender will get a bounce message containing <strong>Sender address rejected: Access denied</strong>.
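The two rejects above are easy to count at scale. This is an added example, not part of the wiki article: a small Python parser for the postfix/smtpd NOQUEUE lines that labels each reject as outbound (a local user blocked from mailing externally) or inbound (an external sender blocked), using the same "domain  OK" format as the allowed_domains file from Section II; the sample log lines and the 203.0.113.7 address are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the rejects shown above (203.0.113.7 is a
# documentation address standing in for the masked external IP).
SAMPLE_LOG = """\
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[203.0.113.7]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
"""

# One RCPT-stage reject line as written by postfix/smtpd.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3} \d\.\d\.\d) <[^>]*>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_reject(line):
    """Return the fields of a Postfix RCPT reject, or None for any other line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def load_allowed_domains(text):
    """Read allowed_domains-style 'domain  OK' lines into a lowercase set."""
    allowed = set()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[1].upper() == "OK":
            allowed.add(parts[0].lower())
    return allowed

def classify(rec, allowed):
    """Label a reject by direction relative to the allowed (local) domains."""
    sender_dom = rec["sender"].rpartition("@")[2].lower()
    rcpt_dom = rec["rcpt"].rpartition("@")[2].lower()
    if sender_dom in allowed and rcpt_dom not in allowed:
        return "outbound_blocked"   # local user tried to mail an external address
    if sender_dom not in allowed and rcpt_dom in allowed:
        return "inbound_blocked"    # external sender tried to mail a local user
    return "other"

def summarize(log_text, allowed):
    """Count rejects per direction; a sudden rise in either bucket is worth a look."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec:
            counts[classify(rec, allowed)] += 1
    return counts
```

Feed it the real /var/log/zimbra.log contents and the real allowed_domains file to see how many legitimate messages the restriction is turning away in each direction.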
 
==Section VI - FAQ==
<strong>Will I need to be root to make these changes?</strong><br>
No, just use the zimbra account.
 
<strong>Will these changes survive upgrades?</strong><br>
No
 
<strong>I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e.  freeipad.com    REJECT</strong><br>
There's no need. Domains that are <strong>NOT</strong> in the allowed_domains file will be rejected.


<strong>If I decide to implement these changes, will Zimbra Support help me if I need assistance?</strong><br>
This is a customization, and as such, Zimbra will <strong>not</strong> Support any custom changes. If you need to revert your changes, Zimbra Support can help.


<strong>I want my users to be able to receive messages from external domains, but still restrict what domains my users can send to, can I just edit the smtpd_recipient_restrictions.cf file, and leave the smtpd_sender_restrictions.cf file untouched?</strong><br>
Correct.<br>


==Section VII - Notable RFE's==
https://bugzilla.zimbra.com/show_bug.cgi?id=70599<br>
https://bugzilla.zimbra.com/show_bug.cgi?id=5595<br>


==Section VIII - Advanced Configuration==
<strong>NOT COMPLETE!!!</strong><br>
If you want to use a different method, you can use the smtpd_restriction_classes setting.<br>
For example, if you have just one domain in your Zimbra setup and you want all your internal users to be able to send messages only within it, but there is <strong>one</strong> account that needs to be able to send to an external domain, say yahoo.com, here's what you can do.


a) Edit /opt/zimbra/conf/zmconfigd.cf with the following
<code><pre>
POSTCONF smtpd_restriction_classes  internal_only, yahoo_only
POSTCONF internal_only  check_sender_access lmdb:/opt/zimbra/conf/internal_only, reject
POSTCONF yahoo_only    check_sender_access lmdb:/opt/zimbra/conf/yahoo_only, reject
</pre></code>
 
Place the lines just above the <strong>RESTART mta</strong>
 
b) Create the /opt/zimbra/conf/internal_only with your local zimbra domains
<code><pre>
abcdcompany.com    OK
</pre></code>
 
And run postmap against the file
<code><pre>
postmap /opt/zimbra/conf/internal_only
</pre></code>
 
c) Create the /opt/zimbra/conf/yahoo_only file with the following
<code><pre>
yahoo.com    OK
</pre></code>
 
d) Create the /opt/zimbra/conf/internal_permitted file with the following
<code><pre>
abcdcompany.com internal_only
</pre></code>
 
e) Create the /opt/zimbra/conf/yahoo_permitted file with the following
<code><pre>
boss@abcdcompany.com yahoo_only
</pre></code>
 
f) Run postmap against the files
<code><pre>
postmap  /opt/zimbra/conf/internal_permitted
postmap /opt/zimbra/conf/yahoo_permitted
</pre></code>
 
g) Edit the /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf with the following
<code><pre>
check_sender_access lmdb:/opt/zimbra/conf/internal_permitted
check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
</pre></code>
 
h) Edit the /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf with the following
<code><pre>
check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted
check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
</pre></code>
 
i) Restart MTA
<code><pre>
zmmtactl restart
</pre></code>
 
j) Should have the following
<code><pre>
postconf smtpd_restriction_classes smtpd_sender_restrictions smtpd_recipient_restrictions

smtpd_restriction_classes = internal_only, yahoo_only
smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/internal_permitted, check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
smtpd_recipient_restrictions = check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted, check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
</pre></code>

Latest revision as of 17:20, 6 March 2018



==Scenario I==
You have one or two accounts you want to prevent from sending messages to other internal accounts, but still receive messages.

Create an internal_restrict group and an Access Control entry called DenySendAccess.
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(NULL,'Restrict_Internal',0,'Restrict_Internal',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','%internal_domains','',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_groups" VALUES(NULL,'internal_restrict',0,'internal_restrict');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(NULL,6,'DenySendAccess','REJECT','REJECT','',0);"
</pre></code>

This should work as well if you need to prevent the user from sending messages to any accounts.
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(NULL,6,'%internal_restrict','any','',0);"
</pre></code>

Now add the internal accounts whose sending you want to restrict to the policy group.
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'rick@example.com.local',0,'Restrict Rick');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_group_members" VALUES(NULL,3,'john@example.com',0,'Restrict John');"
</pre></code>
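The inserts above hard-code the policy ID (6) and policy group ID (3) that the new rows are expected to receive, so on a database with different existing rows the REJECT rule can silently attach to the wrong policy. As an added example that is not the article's own code, the following Python performs the same Scenario I inserts while taking each ID from the row just created, then reads back which addresses the REJECT rule actually covers; the table definitions are an assumption modelled on cbpolicyd's schema and the positional INSERTs on this page, and serve only as a stand-in for testing.

```python
import sqlite3

# Stand-in for the cbpolicyd tables Scenario I writes to. Column names are an
# assumption taken from cbpolicyd's schema and the positional INSERTs on this page.
SCHEMA = """
CREATE TABLE policies (ID INTEGER PRIMARY KEY, Name TEXT, Priority INTEGER, Description TEXT, Disabled INTEGER);
CREATE TABLE policy_groups (ID INTEGER PRIMARY KEY, Name TEXT, Disabled INTEGER, Comment TEXT);
CREATE TABLE policy_members (ID INTEGER PRIMARY KEY, PolicyID INTEGER, Source TEXT, Destination TEXT, Comment TEXT, Disabled INTEGER);
CREATE TABLE policy_group_members (ID INTEGER PRIMARY KEY, PolicyGroupID INTEGER, Member TEXT, Disabled INTEGER, Comment TEXT);
CREATE TABLE access_control (ID INTEGER PRIMARY KEY, PolicyID INTEGER, Name TEXT, Verdict TEXT, Data TEXT, Comment TEXT, Disabled INTEGER);
"""

def open_test_db():
    """Fresh in-memory database with the stand-in schema (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def restrict_internal(conn, members, policy="Restrict_Internal",
                      group="internal_restrict", destination="%internal_domains"):
    """Scenario I's rows, with IDs taken from the inserts instead of hard-coded 6 and 3."""
    cur = conn.cursor()
    cur.execute("INSERT INTO policies (Name, Priority, Description, Disabled) "
                "VALUES (?, 0, ?, 0)", (policy, policy))
    policy_id = cur.lastrowid
    cur.execute("INSERT INTO policy_groups (Name, Disabled, Comment) VALUES (?, 0, ?)",
                (group, group))
    group_id = cur.lastrowid
    # Source '%group' selects that policy group's members; destination 'any' blocks all sending.
    cur.execute("INSERT INTO policy_members (PolicyID, Source, Destination, Comment, Disabled) "
                "VALUES (?, ?, ?, '', 0)", (policy_id, "%" + group, destination))
    for addr in members:
        cur.execute("INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled, Comment) "
                    "VALUES (?, ?, 0, ?)", (group_id, addr, "Restrict " + addr))
    cur.execute("INSERT INTO access_control (PolicyID, Name, Verdict, Data, Comment, Disabled) "
                "VALUES (?, 'DenySendAccess', 'REJECT', 'REJECT', '', 0)", (policy_id,))
    conn.commit()
    return policy_id, group_id

def restricted_members(conn, policy):
    """Addresses actually covered by the named policy's REJECT rule (empty = misattached)."""
    rows = conn.execute(
        "SELECT gm.Member FROM access_control ac "
        "JOIN policies p ON p.ID = ac.PolicyID "
        "JOIN policy_members pm ON pm.PolicyID = p.ID "
        "JOIN policy_groups g ON '%' || g.Name = pm.Source "
        "JOIN policy_group_members gm ON gm.PolicyGroupID = g.ID "
        "WHERE p.Name = ? AND ac.Verdict = 'REJECT' ORDER BY gm.Member", (policy,))
    return [r[0] for r in rows]
```

Against the real database, connect to /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb instead of the in-memory stand-in and skip the schema creation; restricted_members() then doubles as the post-change check that the rule landed on the intended accounts.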

==Scenario II==
Restrict users to certain domain, as per https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain

Another cbpolicyd solution:
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" VALUES(7,'Local_Only',0,'Local_Only',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" VALUES(8,7,'%internal_domains','!%internal_domains','',0);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "access_control" VALUES(3,7,'LocalSendAccess','REJECT','REJECT','',0);"
</pre></code>

==Scenario III==
Quota Policy, contributed by Karl Buchner

As an example, let's say your company decides the policy for all traffic (not going through the bulk MTAs) is sending a maximum of 10 messages every 10 minutes (600 seconds), and receiving a maximum of 5 messages in 10 minutes (600 seconds).

The column lists are given explicitly because these rows supply fewer values than the tables have columns; without them SQLite rejects the INSERT.
<code><pre>
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "policy_members" (PolicyID,Source,Destination) VALUES(6, 'any', 'any');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict,Data) VALUES (6, 'Sender:user@domain','Sender:user@domain', 600, 'DEFER', 'Deferring: Too many messages from sender in last 10 minutes');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict) VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 600, 'REJECT');"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(3, 'MessageCount', 10);"
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb "INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(4, 'MessageCount', 5);"
</pre></code>

Note: this assumes you have enabled cbpolicyd and inject these rows immediately afterwards, because the hard-coded IDs depend on the default policies, policy_members, quotas and quotas_limits rows already existing and occupying those IDs.
