RestrictPostfixRecipients: Difference between revisions

=Restrict Postfix Recipients=
#REDIRECT [[Enabling_and_administering_the_Zimbra_milter]]
* This will show how you can modify postfix to restrict who can send to certain addresses in your domain such as distribution lists like
* These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/ Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
* This method can be defeated by forging the envelope sender (the address given in the SMTP MAIL FROM command) so that mail appears to originate from within the domain. It isn't foolproof, but it works for basic needs.
* Create a 'permitted senders' list (as user zimbra) - This is your list of domains and/or users who can email your protected email addresses:
vi /opt/zimbra/postfix/conf/permitted_senders
[paste in contents below editing as required]
localhost              OK            OK    OK  OK
* Create a 'protected recipients' list (as user zimbra) - This is your list of email addresses that may only receive email from 'permitted senders'
vi /opt/zimbra/postfix/conf/protected_recipients
[paste in contents below editing as required]        permitted_senders_list        permitted_senders_list
* Create a simple bash script to create postfix DB files (as user zimbra):
vi /opt/zimbra/postfix/conf/update_protected_recipients
[paste in contents below editing as required]
#!/bin/bash
# Rebuild the Postfix lookup tables (.db files) from the two text files
echo "rebuild permitted_senders..."
postmap /opt/zimbra/postfix/conf/permitted_senders
echo "rebuild protected_recipients..."
postmap /opt/zimbra/postfix/conf/protected_recipients
* Make new script executable, then run it
chmod 755 /opt/zimbra/postfix/conf/update_protected_recipients
/opt/zimbra/postfix/conf/update_protected_recipients
* You should now see permitted_senders.db and protected_recipients.db in the directory
* Add necessary settings to /opt/zimbra/postfix/conf/
vi /opt/zimbra/postfix/conf/
[add these items to the file - note permitted_senders_list must match value in protected_recipients]
permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
smtpd_restriction_classes = permitted_senders_list
* Now add your new restriction to
vi /opt/zimbra/conf/
[paste this into the first line of the file above any other settings]
Note 2 from talk: the line to be added to /opt/zimbra/conf/ should read:
check_recipient_access hash:/opt/zimbra/postfix/conf/protected_recipients
* Reload postfix to activate settings:
postfix reload
Note 3 from talk: file ownership should be set to root:postfix before reloading postfix. This avoids annoying warning messages in the logfile.
===Test it out===
* Test your settings via telnet:
Enter command:
telnet 25
You will see:
Connected to
Escape character is '^]'.
220 ESMTP Postfix
Enter command:
You will see:
Enter command:
You will see:
250 Ok
Enter command:
You will see:
554 <>: Recipient address rejected: Access denied
221 Bye
Connection closed by foreign host.
* That's it.  If you need to protect new distribution lists or emails, or add new senders, just edit and re-run the update script, then reload postfix.
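The two-table decision configured above can be checked offline before touching the live files. The following is an added example, not part of the original page or of Zimbra/Postfix: the function names are hypothetical, the table contents are constructed sample data using placeholder example.com/example.net addresses in a temporary directory, and the lookup order is a simplified model (full address, then domain) of how Postfix searches an access table.

```shell
#!/bin/sh
# Added example: offline model of the protected_recipients /
# permitted_senders decision. All table entries are constructed samples.
TABLES=$(mktemp -d)
cat > "$TABLES/permitted_senders" <<'EOF'
example.com            OK
partner@example.net    OK
EOF
cat > "$TABLES/protected_recipients" <<'EOF'
all-staff@example.com  permitted_senders_list
EOF

# lookup TABLE KEY: print the right-hand side for KEY, fail if absent.
lookup() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; found = 1; exit }
                     END { exit !found }' "$1"
}

# lookup_addr TABLE ADDRESS: try the full address, then its domain part
# (simplified subset of the access table search order).
lookup_addr() {
    lookup "$1" "$2" || lookup "$1" "${2#*@}"
}

# decide SENDER RECIPIENT: print the action the restriction would take.
decide() {
    # check_recipient_access: an unlisted recipient gets no decision here,
    # so later restrictions apply as usual.
    class=$(lookup_addr "$TABLES/protected_recipients" "$2") || { echo DUNNO; return; }
    [ "$class" = permitted_senders_list ] || { echo "$class"; return; }
    # Class body: check_sender_access hash:.../permitted_senders, reject
    lookup_addr "$TABLES/permitted_senders" "$1" || echo REJECT
}
```

Calling `decide SENDER RECIPIENT` prints OK, REJECT or DUNNO. The decision depends only on the claimed envelope sender, which is why the spoofing caveat at the top of the page applies.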

Latest revision as of 16:44, 31 March 2015
