King0770-Notes-Ultra-Restrictive-Sending-And-Receiving
Revision as of 16:10, 29 November 2017
The contents of this article are not yet complete and should be considered highly experimental.
Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.
Section I - Edit smtpd_sender_restrictions.cf
Backup the original file
cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf
Edit smtpd_sender_restrictions.cf to contain only the following.
check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject
Make sure to review zimbraMtaSmtpdSenderRestrictions as well.
zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions
OR
zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions
You should see this:
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
Section II - Edit allowed_domains file
The /opt/zimbra/conf/allowed_domains file should contain the local domains of your Zimbra setup.
for dom in `zmprov gad`; do echo "$dom OK" >> /opt/zimbra/conf/allowed_domains; done
It should look something like this, for example:
abcdcompany.com OK
example.net OK
Don't forget to run postmap against the allowed_domains file:
postmap /opt/zimbra/conf/allowed_domains
If you need to add a friendly domain that is external to your setup, use the editor of your choice to add the external domain, for example:
yahoo.com OK
zimbra.com OK
Any time the allowed_domains file is updated, don't forget to run postmap against it again:
postmap /opt/zimbra/conf/allowed_domains
Section III - Edit smtpd_recipient_restrictions.cf
Backup the original file
cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf
Edit smtpd_recipient_restrictions.cf to contain only the following.
check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
reject
Section IV - Restart MTA to pick up the changes
zmmtactl restart
Section V - Sample Logs
Local Zimbra user sending to an external address:
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Most likely, the Zimbra end user would see the error message "Message not sent; one or more addresses were not accepted".
External account sending to a Zimbra address:
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
Most likely, the external sender will receive a bounce message containing "Sender address rejected: Access denied".
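The Section V log lines are the only evidence that the two access maps are doing their job, and the most common failure in this setup is forgetting the postmap step from Section II, which leaves a stale .lmdb behind a freshly edited allowed_domains file. The following is an added example, not part of the original article: a small audit script that parses the allowed_domains source and the postfix/smtpd reject lines, counts sender versus recipient rejections, and flags any rejection for a domain that the map says is OK, which is the signature of a stale or unconsulted map. The sample map and the third log line are constructed for illustration; the first two log lines are the ones from Section V with trailing fields trimmed.

```python
import re

# Reject lines as written by postfix/smtpd when an access map answers "reject"
# (format taken from the sample logs in Section V of this article).
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): 554 5\.7\.1 <(?P<addr>[^>]+)>: "
    r"(?P<kind>Sender|Recipient) address rejected: Access denied; "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)

# Constructed sample of /opt/zimbra/conf/allowed_domains (not real data).
SAMPLE_ALLOWED = "rick.local OK\nyahoo.com OK\n"

# Constructed sample log: the two rejects from Section V (trailing fields cut)
# plus one extra reject for a recipient at yahoo.com, a domain listed OK above.
SAMPLE_LOG = [
    "Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from "
    "zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient "
    "address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com>",
    "Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from "
    "mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: "
    "Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local>",
    "Nov 28 15:20:01 zimbra-mta postfix/smtpd[15402]: NOQUEUE: reject: RCPT from "
    "zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <jane@yahoo.com>: Recipient "
    "address rejected: Access denied; from=<rick@rick.local> to=<jane@yahoo.com>",
    "Nov 28 15:20:02 zimbra-mta postfix/smtpd[15402]: disconnect from zimbra-mta.example.com",
]

def parse_allowed_domains(text: str) -> dict:
    """Parse access-map source ("domain ACTION" per line) into {domain: ACTION}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        table[key.lower()] = action.strip().upper()
    return table

def audit(log_lines: list, allowed: dict) -> dict:
    """Count rejects by kind and flag any whose domain the map marks OK."""
    out = {"sender_rejects": 0, "recipient_rejects": 0, "contradictions": []}
    # Non-reject lines (connect, disconnect, TLS) do not match and are skipped.
    for r in filter(None, map(REJECT_RE.search, log_lines)):
        out["sender_rejects" if r["kind"] == "Sender" else "recipient_rejects"] += 1
        domain = r["addr"].rsplit("@", 1)[-1].lower()
        if allowed.get(domain) == "OK":
            # The map says OK but Postfix rejected: .lmdb is stale or not in use.
            out["contradictions"].append((r["kind"], r["addr"]))
    return out
```

Run it on a real host by reading /opt/zimbra/conf/allowed_domains and the relevant lines of /var/log/zimbra.log in place of the constructed samples; a non-empty contradictions list is the cue to re-run postmap and check zimbraMtaSmtpdSenderRestrictions.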
Section VI - FAQ
Will I need to be root to make these changes?
No, just use the zimbra account.
Will these changes survive upgrades?
No.
I have a domain that I need to blacklist; should I add it to the allowed_domains file, e.g. "freeipad.com REJECT"?
There's no need. Domains that are NOT in the allowed_domains file will be rejected.
If I decide to implement these changes, will Zimbra Support help me if I need assistance?
This is a customization, and as such, Zimbra will not support any custom changes. If you need to revert your changes, Zimbra Support can help.
I want my users to be able to receive messages from external domains but still restrict which domains my users can send to. Can I just edit the smtpd_recipient_restrictions.cf file and leave the smtpd_sender_restrictions.cf file untouched?
Correct.