=Restrict Postfix Recipients=
#REDIRECT [[Enabling_and_administering_the_Zimbra_milter]]

* This page shows how to modify Postfix to restrict who can send to certain addresses in your domain, such as distribution lists like all@mydomain.com.
* These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/postfix_recipient_restrictions.cf. Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
* This method can be spoofed by forging the envelope sender given in the MAIL FROM: command (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs.

===Steps===
* Create a 'permitted senders' list (as user zimbra). This is your list of domains and/or users who can email your protected email addresses:
 vi /opt/zimbra/postfix/conf/permitted_senders
 [paste in contents below editing as required]
 localhost OK
 mydomain.com OK
 zimbra.mydomain.com OK
 okuser@externaldom.com OK
* Create a 'protected recipients' list (as user zimbra). This is your list of email addresses that may only receive email from 'permitted senders':
 vi /opt/zimbra/postfix/conf/protected_recipients
 [paste in contents below editing as required]
 test-dist-list@mydomain.com permitted_senders_list
 protected-user@mydomain.com permitted_senders_list
* Create a simple bash script to create the Postfix DB files (as user zimbra):
 vi /opt/zimbra/postfix/conf/update_protected_recipients
 [paste in contents below editing as required]
 #!/bin/bash
 echo "rebuild permitted_senders..."
 postmap /opt/zimbra/postfix/conf/permitted_senders
 echo "rebuild protected_recipients..."
 postmap /opt/zimbra/postfix/conf/protected_recipients
* Make the new script executable, then run it:
 chmod 755 /opt/zimbra/postfix/conf/update_protected_recipients
 /opt/zimbra/postfix/conf/update_protected_recipients
* You should now see permitted_senders.db and protected_recipients.db in the directory.
* Add necessary settings to /opt/zimbra/postfix/conf/main.cf
 vi /opt/zimbra/postfix/conf/main.cf
 [add these items to the file - note permitted_senders_list must match value in protected_recipients]
 permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
 smtpd_restriction_classes = permitted_senders_list
* Now add your new restriction to postfix_recipient_restrictions.cf
 vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
 [paste this into the first line of the file above any other settings]
 hash:/opt/zimbra/postfix/conf/protected_recipients

Note 2 from talk: the line to be added to /opt/zimbra/conf/postfix_recipient_restrictions.cf should read:
 check_recipient_access hash:/opt/zimbra/postfix/conf/protected_recipients

* Reload postfix to activate settings:
 postfix reload

Note 3 from talk: file ownership should be set to root:postfix before reloading postfix. This avoids annoying warning messages in the logfile.

===Test it out===
* Test your settings via telnet:

Enter command:
 telnet zimbra.mydomain.com 25

You will see:
 Trying 192.168.1.1...
 Connected to zimbra.mydomain.com.
 Escape character is '^]'.
 220 zimbra.mydomain.com ESMTP Postfix

Enter command:
 HELO test.com

You will see:
 250 zimbra.mydomain.com

Enter command:
 MAIL FROM: jdoe@test.com

You will see:
 250 Ok

Enter command:
 RCPT TO: test-dist-list@mydomain.com

You will see:
 554 <test-dist-list@mydomain.com>: Recipient address rejected: Access denied
 QUIT
 221 Bye
 Connection closed by foreign host.

* That's it. If you need to protect new distribution lists or email addresses, or add new senders, just edit the lists and re-run the update script, then reload postfix.
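
The decision exercised by the telnet test can also be modelled offline, which makes the spoofing caveat from the top of the page visible: an outside sender is rejected, while any sender claiming an address in mydomain.com is accepted. This Python sketch is an added example, not Zimbra or Postfix code. Assumptions: the function names access_lookup and decide are hypothetical, the tables are constructed copies of the sample files above, and the key order approximates access(5) with the default parent_domain_matches_subdomains setting.

```python
# Added illustration: models the lookups configured above; it is not Postfix code.
# Constructed tables mirroring the sample permitted_senders / protected_recipients.
PERMITTED_SENDERS = {
    "localhost": "OK",
    "mydomain.com": "OK",
    "zimbra.mydomain.com": "OK",
    "okuser@externaldom.com": "OK",
}
PROTECTED_RECIPIENTS = {
    "test-dist-list@mydomain.com": "permitted_senders_list",
    "protected-user@mydomain.com": "permitted_senders_list",
}
RESTRICTION_CLASSES = {"permitted_senders_list"}  # smtpd_restriction_classes


def access_lookup(table, address):
    """Approximate access(5) key order: user@domain, domain and parents, user@."""
    address = address.strip("<>").lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    # Parent domains are tried too (default parent_domain_matches_subdomains).
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels))]
    if local:
        keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def decide(mail_from, rcpt_to):
    """Return the outcome of the protected-recipient check for one RCPT TO."""
    action = access_lookup(PROTECTED_RECIPIENTS, rcpt_to)
    if action is None:
        return "continue"  # recipient not protected: later restrictions decide
    if action not in RESTRICTION_CLASSES:
        raise ValueError("undefined restriction class: " + action)
    # Class body: check_sender_access hash:permitted_senders, reject
    if access_lookup(PERMITTED_SENDERS, mail_from) == "OK":
        return "permit"
    return "554 Access denied"


if __name__ == "__main__":
    for sender in ("jdoe@test.com", "okuser@externaldom.com", "forged@mydomain.com"):
        print(sender, "->", decide(sender, "test-dist-list@mydomain.com"))
```

Only the envelope sender string is consulted, so the check says nothing about where the connection actually came from.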

Also:

http://wiki.zimbra.com/index.php?title=Restrict_sending_to_certain_domains