Revision as of 01:50, 1 December 2017 by King0770 (talk | contribs)

|ZCS 8.7 Article ZCS 8.7 |ZCS 9.0 Article ZCS 9.0

The contents of this article are not yet complete and should be considered highly experimental.

Scenario: Restrict users from sending messages externally, and only receive messages from their local domain.

Section I - Edit

Backup the original file

cp -p /opt/zimbra/conf/zmconfigd/ /opt/zimbra/conf/zmconfigd/

Edit to contain only the following.

check_sender_access lmdb:/opt/zimbra/conf/allowed_domains

Make sure to review zimbraMtaSmtpdSenderRestrictions as well.

zmprov gacf | grep zimbraMtaSmtpdSenderRestrictions


zmprov gs | grep zimbraMtaSmtpdSenderRestrictions

Should see this.

zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zimbra/conf/allowed_domains, reject

Section II - Edit allowed_domains file

The /opt/zimbra/conf/allowed_domains should contain your local domains within your Zimbra setup.

for dom in `zmprov gad`; do echo "$dom  OK" >> /opt/zimbra/conf/allowed_domains; done

Should look something like this; as an example    OK       OK

Don't forget to run postmap against the allowed_domains file

postmap /opt/zimbra/conf/allowed_domains

If you need to add a friendly domain that is external to your setup, you can use the editor of your choice, and add the external domain.   OK  OK

Any time the allowed_domains file is updated, don't forget to run postmap against the allowed_domains file.

postmap /opt/zimbra/conf/allowed_domains

Section III - Edit

Backup the original file

cp -p /opt/zimbra/conf/zmconfigd/  /opt/zimbra/conf/zmconfigd/

Edit to contain only the following.

check_recipient_access lmdb:/opt/zimbra/conf/allowed_domains

Section IV - Restart MTA to pick up the changes

zmmtactl restart

Section V - Sample Logs

Local zimbra user sending to an external address

Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: NOQUEUE: reject: RCPT from[]: 554 5.7.1 <>: Recipient address rejected: Access denied; from=<rick@rick.local> to=<> proto=ESMTP helo=<>
Nov 28 15:04:34 zimbra-mta postfix/smtpd[12022]: disconnect from[] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Most likely, the zimbra end user would see the error message of, Message not sent; one or more addresses were not accepted

External account sending to a zimbra address

Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: connect from[xx.xx.xx.xx]
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: Anonymous TLS connection established from[xx.xx.xx.xx]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: NOQUEUE: reject: RCPT from[xx.xx.xx.xx]: 554 5.7.1 <>: Sender address rejected: Access denied; from=<> to=<rick@rick.local> proto=ESMTP helo=<>
Nov 28 15:12:47 zimbra-mta postfix/smtpd[15371]: disconnect from[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Most likely the external account will get a bounce message, Sender address rejected: Access denied

Section VI - FAQ

Will I need to be root to make these changes?
No, just use the zimbra account

Will these changes survive upgrades?

I have a domain that I need to blacklist, should I add it to the allowed_domains file? i.e. REJECT
There's no need. Domains that are NOT in the allowed_domains file will be rejected.

If I decide to implement these changes, will Zimbra Support help me if I need assistance?
This is a customization, and as such, Zimbra will not Support any custom changes. If you need to revert your changes, Zimbra Support can help.

I want my users to be able to receive messages from external domains, but still restrict what domains my users can send to, can I just edit the file, and leave the file untouched?

Section VII - Notable RFE's

Section VIII - Advanced Configuration

If you wanted to different, you can use the smtpd_restriction_classes setting.
For example, if you have just one domain in your zimbra setup, and you want all your internal users to be able to send messages to; however, there is one account that needs to be able to an external domain, say for example, here's what you can do.

a) Edit /opt/zimbra/conf/ with the following

POSTCONF smtpd_restriction_classes  internal_only, yahoo_only
POSTCONF internal_only   check_sender_access lmdb:/opt/zimbra/conf/internal_only, reject
POSTCONF yahoo_only     check_sender_access lmdb:/opt/zimbra/conf/yahoo_only, reject

Place the lines just above the RESTART mta

b) Create the /opt/zimbra/conf/internal_only with your local zimbra domains    OK

And run postmap against the file

postmap /opt/zimbra/conf/internal_only

c) Create the /opt/zimbra/conf/yahoo_only file with the following    OK

d) Create the /opt/zimbra/conf/internal_permitted file with the following	internal_only

e) Create the /opt/zimbra/conf/yahoo_permitted file with the following	yahoo_only

f) Run postmap against the files

postmap  /opt/zimbra/conf/internal_permitted
postmap /opt/zimbra/conf/yahoo_permitted

g) Edit the /opt/zimbra/conf/zmconfigd/ with the following

check_sender_access lmdb:/opt/zimbra/conf/internal_permitted
check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject

h) Edit the /opt/zimbra/conf/zmconfigd/ with the following

check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted
check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject

i) Restart MTA

zmmtactl restart

j) Should have the following

postconf smtpd_restriction_classes smtpd_sender_restrictions smtpd_recipient_restrictions

smtpd_restriction_classes = internal_only, yahoo_only
smtpd_sender_restrictions = check_sender_access lmdb:/opt/zimbra/conf/internal_permitted, check_sender_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
smtpd_recipient_restrictions = check_recipient_access lmdb:/opt/zimbra/conf/internal_permitted, check_recipient_access lmdb:/opt/zimbra/conf/yahoo_permitted, reject
Jump to: navigation, search