{{Unsupported}}
{{ZCS 8.7}}
{{ZCS 9.0}}
{{WIP}}

<strong>The contents of this article are not yet complete and should be considered highly experimental.</strong>

Scenario: restrict users from sending messages externally, and only receive messages from their local domain.

==Section I - Edit smtpd_sender_restrictions.cf==

Back up the original file:

<code><pre>
cp -p /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_sender_restrictions.cf
</pre></code>

Edit smtpd_sender_restrictions.cf so that it contains only the following:

<code><pre>
check_sender_access lmdb:/opt/zimbra/conf/allowed_domains
reject
</pre></code>

Make sure to review zimbraMtaSmtpdSenderRestrictions as well:

<code><pre>
zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions
</pre></code>

<strong>OR</strong>

<code><pre>
zmprov gs zimbra-mta.example.com | grep zimbraMtaSmtpdSenderRestrictions
</pre></code>

You should see this:

<code><pre>
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject
</pre></code>

If needed, set it:

<code><pre>
zmprov mcf +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject"
</pre></code>

|
| |
==Section II - Edit allowed_domains file==

The /opt/zimbra/conf/allowed_domains file should contain the local domains of your Zimbra setup. This populates it from the domains Zimbra knows about:

<code><pre>
for dom in $(zmprov gad); do echo "$dom OK" >> /opt/zimbra/conf/allowed_domains; done
</pre></code>

It should look something like this, as an example:

<code><pre>
abcdcompany.com OK
example.net OK
</pre></code>

Don't forget to run postmap against the allowed_domains file:

<code><pre>
postmap /opt/zimbra/conf/allowed_domains
</pre></code>

If you need to add a friendly domain that is external to your setup, use the editor of your choice and add the external domain in the same format:

<code><pre>
yahoo.com OK
zimbra.com OK
</pre></code>

Any time the allowed_domains file is updated, run postmap against it again:

<code><pre>
postmap /opt/zimbra/conf/allowed_domains
</pre></code>

==Section III - Edit smtpd_recipient_restrictions.cf==

Back up the original file:

<code><pre>
cp -p /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf /opt/zimbra/conf/zmconfigd/ORIG_smtpd_recipient_restrictions.cf
</pre></code>

Edit smtpd_recipient_restrictions.cf so that it contains only the following:

<code><pre>
check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains
reject
</pre></code>

==Section IV - Restart MTA to pick up the changes==

<code><pre>
zmmtactl restart
</pre></code>
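The following is an added example; it is not part of the original article and not Zimbra's own tooling. It is a small POSIX shell script that simulates the lookups check_sender_access and check_recipient_access perform against an allowed_domains table, so the policy from Sections I to III can be reviewed against sample addresses before the MTA is restarted. The table contents, the sample addresses and the lookup_access, evaluate_restriction and check_message functions are all assumptions of the example, as is the assumed lookup order (taken from the access(5) documentation for email-address keys).

```sh
#!/bin/sh
# Added example, not from the wiki article: simulate the access-table lookups
# that "check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject"
# and its check_recipient_access counterpart perform, so the policy can be
# reviewed offline. Table contents, addresses and function names are the
# example's own assumptions; no postmap/lmdb or live MTA is needed.

# Constructed stand-in for /opt/zimbra/conf/allowed_domains (Section II format)
ALLOWED_DOMAINS="$(mktemp)"
trap 'rm -f "$ALLOWED_DOMAINS"' EXIT
cat > "$ALLOWED_DOMAINS" <<'EOF'
rick.local OK
abcdcompany.com OK
zimbra.com OK
EOF

# lookup_access TABLE ADDRESS: print the action of the first matching key.
# Assumed lookup order, following access(5) for email addresses: the full
# address, its domain, each parent domain (smtpd_access_maps is listed in
# parent_domain_matches_subdomains by default), then "localpart@".
# Keys are lowercased first. Returns 1 and prints nothing when no key matches.
lookup_access() {
    table="$1"
    addr="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    local_part="${addr%@*}"
    domain="${addr#*@}"
    keys="$addr $domain"
    parent="$domain"
    while [ "${parent#*.}" != "$parent" ]; do
        parent="${parent#*.}"
        keys="$keys $parent"
    done
    keys="$keys $local_part@"
    for key in $keys; do
        action="$(awk -v k="$key" '$1 == k { print $2; exit }' "$table")"
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
    done
    return 1
}

# evaluate_restriction ADDRESS: model a restriction list of the form
# "check_*_access TABLE, reject". Only an OK hit permits; a miss or any
# other action falls through to the trailing reject.
evaluate_restriction() {
    action="$(lookup_access "$ALLOWED_DOMAINS" "$1")" || action=""
    case "$action" in
        OK|ok) echo permit ;;
        *)     echo reject ;;
    esac
}

# check_message FROM TO: apply the sender list and then the recipient list,
# the order Postfix uses when everything is evaluated at RCPT TO
# (smtpd_delay_reject defaults to yes), and name the outcome the way the
# Section V log lines do.
check_message() {
    if [ "$(evaluate_restriction "$1")" = reject ]; then
        echo "sender rejected"
    elif [ "$(evaluate_restriction "$2")" = reject ]; then
        echo "recipient rejected"
    else
        echo "accept"
    fi
}

check_message rick@rick.local smithj@gmail.com              # recipient rejected
check_message rick@someexternalcompany.com rick@rick.local  # sender rejected
check_message rick@rick.local boss@abcdcompany.com          # accept
```

On the live MTA the equivalent check against the compiled map is <code>postmap -q rick.local lmdb:/opt/zimbra/conf/allowed_domains</code>, and the two Postfix defaults the script assumes can be confirmed with <code>postconf smtpd_delay_reject parent_domain_matches_subdomains</code>.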

==Section V - Sample Logs==

Local Zimbra user sending to an external address:

<code><pre>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
</pre></code>

Most likely, the Zimbra end user will see the error message <strong>Message not sent; one or more addresses were not accepted</strong>.

External account sending to a Zimbra address:

<code><pre>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from mail.someexternalcompany.com[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from mail.someexternalcompany.com[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[xx.xx.xx.xx]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from mail.someexternalcompany.com[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
</pre></code>

Most likely, the external account will get a bounce message containing <strong>Sender address rejected: Access denied</strong>.
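As an added example (not from the original article), the following shell functions extract these access-policy rejects from postfix/smtpd log lines, so an administrator can confirm the restriction fires only as intended and list the local users who are being stopped from sending externally. The log lines are constructed for the example, modelled on the samples above, with a documentation-range IP address and a made-up queue id; the function names count_access_denied, rejected_pairs and blocked_local_senders are the example's own.

```sh
#!/bin/sh
# Added example, not from the wiki article: extract the access-policy
# rejects from postfix/smtpd log lines so the restriction's effect can be
# verified and affected local users listed. The log lines are constructed
# for this example (modelled on the Section V samples, with a documentation
# IP address and a made-up queue id); function names are the example's own.

LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <smithj@gmail.com>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<smithj@gmail.com> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from zimbra-mta.example.com[192.168.1.18] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from mail.someexternalcompany.com[203.0.113.10]: 554 5.7.1 <rick@someexternalcompany.com>: Sender address rejected: Access denied; from=<rick@someexternalcompany.com> to=<rick@rick.local> proto=ESMTP helo=<mail.someexternalcompany.com>
Nov 28 15:20:02 zimbra-mta postfix/smtpd[15390]: NOQUEUE: reject: RCPT from zimbra-mta.example.com[192.168.1.18]: 554 5.7.1 <jane@example.org>: Recipient address rejected: Access denied; from=<anna@rick.local> to=<jane@example.org> proto=ESMTP helo=<zimbra-mta.example.com>
Nov 28 15:25:10 zimbra-mta postfix/smtpd[15402]: 4A1B2C3D4E: client=zimbra-mta.example.com[192.168.1.18]
EOF

# count_access_denied LOG KIND: number of "KIND address rejected: Access denied"
# rejects, where KIND is Sender (inbound blocked) or Recipient (outbound blocked).
count_access_denied() {
    grep -c "NOQUEUE: reject:.*$2 address rejected: Access denied" "$1" || true
}

# rejected_pairs LOG: one "from to kind" line per rejected message, read from
# the from=<...> and to=<...> fields of each reject line.
rejected_pairs() {
    awk '/NOQUEUE: reject:/ && /address rejected: Access denied/ {
        from = ""; to = ""; kind = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^from=</) from = substr($i, 7, length($i) - 7)
            if ($i ~ /^to=</)   to   = substr($i, 5, length($i) - 5)
            if ($i == "Sender" || $i == "Recipient") kind = tolower($i)
        }
        print from, to, kind
    }' "$1"
}

# blocked_local_senders LOG DOMAIN: distinct senders in DOMAIN whose outbound
# mail was refused by the recipient restriction, i.e. the users who will be
# seeing "Message not sent; one or more addresses were not accepted".
blocked_local_senders() {
    rejected_pairs "$1" | awk -v d="$2" '{
        split($1, p, "@")
        if ($3 == "recipient" && p[2] == d) print $1
    }' | sort -u
}

echo "outbound blocked: $(count_access_denied "$LOG" Recipient)"   # 2
echo "inbound blocked:  $(count_access_denied "$LOG" Sender)"      # 1
blocked_local_senders "$LOG" rick.local   # anna@rick.local, rick@rick.local
```

A sudden jump in the Recipient count after the change, or a long blocked_local_senders list, is the signal that a domain users legitimately mail is missing from allowed_domains; a Sender count that stays at zero after external mail was expected to be refused suggests the restriction did not take effect.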

==Section VI - FAQ==

<strong>Will I need to be root to make these changes?</strong><br>

No, just use the zimbra account.

<strong>Will these changes survive upgrades?</strong><br>

No.

<strong>I have a domain that I need to blacklist; should I add it to the allowed_domains file, e.g. freeipad.com REJECT?</strong><br>

There's no need. Domains that are <strong>NOT</strong> in the allowed_domains file will be rejected.

<strong>If I decide to implement these changes, will Zimbra Support help me if I need assistance?</strong><br>

This is a customization, and as such Zimbra Support will <strong>not</strong> support any custom changes. If you need to revert your changes, Zimbra Support can help.

<strong>I want my users to be able to receive messages from external domains, but still restrict what domains my users can send to. Can I just edit the smtpd_recipient_restrictions.cf file and leave the smtpd_sender_restrictions.cf file untouched?</strong><br>

Correct.

==Section VII - Notable RFEs==

https://bugzilla.zimbra.com/show_bug.cgi?id=70599<br>
https://bugzilla.zimbra.com/show_bug.cgi?id=5595<br>

==Section VIII - Advanced Configuration==

<strong>NOT COMPLETE!!!</strong><br>

If you want to use a different method, you can use the smtpd_restriction_classes setting.<br>

For example, if you have just one domain in your Zimbra setup and you want all your internal users to be able to send messages only to that domain, but there is <strong>one</strong> account that needs to be able to send to an external domain, say yahoo.com, here's what you can do.

a) Edit /opt/zimbra/conf/zmconfigd.cf and add the following:

<code><pre>
POSTCONF smtpd_restriction_classes internal_only, yahoo_only
POSTCONF internal_only check_sender_access lmdb:/opt/zimbra/conf/internal_only, reject
POSTCONF yahoo_only check_sender_access lmdb:/opt/zimbra/conf/yahoo_only, reject
</pre></code>

Place the lines just above the <strong>RESTART mta</strong> line.

b) Create /opt/zimbra/conf/internal_only with your local Zimbra domains:

<code><pre>
abcdcompany.com OK
</pre></code>

And run postmap against the file:

<code><pre>
postmap /opt/zimbra/conf/internal_only
</pre></code>

c) Create the /opt/zimbra/conf/yahoo_only file with the following:

<code><pre>
yahoo.com OK
</pre></code>

d) Create the /opt/zimbra/conf/internal_permitted file with the following:

<code><pre>
abcdcompany.com internal_only
</pre></code>

e) Create the /opt/zimbra/conf/yahoo_permitted file with the following:

<code><pre>
boss@abcdcompany.com yahoo_only
</pre></code>

f) Run postmap against the files:

<code><pre>
postmap /opt/zimbra/conf/internal_permitted
postmap /opt/zimbra/conf/yahoo_permitted
</pre></code>

g) Edit /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf to contain the following:

<code><pre>
check_sender_access lmdb:/opt/zimbra/conf/internal_permitted
check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
</pre></code>

h) Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf to contain the following:

<code><pre>
check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted
check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
</pre></code>

i) Restart the MTA:

<code><pre>
zmmtactl restart
</pre></code>

j) You should now have the following:

<code><pre>
postconf smtpd_restriction_classes smtpd_sender_restrictions smtpd_recipient_restrictions

smtpd_restriction_classes = internal_only, yahoo_only
smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/internal_permitted, check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
smtpd_recipient_restrictions = check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted, check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
</pre></code>