Difference between revisions of "RestrictPostfixRecipients"

 
(12 intermediate revisions by 8 users not shown)
=Restrict Postfix Recipients=
+
#REDIRECT [[Enabling_and_administering_the_Zimbra_milter]]
* This article shows how to modify Postfix to restrict who can send to certain addresses in your domain, such as distribution lists like all@mydomain.com.
 
* These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/postfix_recipient_restrictions.cf. Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
 
* This method can be spoofed by forging the envelope sender given in the SMTP MAIL FROM: command (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs.
 
 
 
===Steps===
 
* Create a 'permitted senders' list (as user zimbra) - This is your list of domains and/or users who can email your protected email addresses:
 
vi /opt/zimbra/postfix/conf/permitted_senders
 
[paste in contents below editing as required]
 
 localhost               OK
 mydomain.com            OK
 zimbra.mydomain.com     OK
 okuser@externaldom.com  OK
 
* Create a 'protected recipients' list (as user zimbra) - This is your list of email addresses that may only receive email from 'permitted senders':
 
vi /opt/zimbra/postfix/conf/protected_recipients
 
[paste in contents below editing as required]
 
 test-dist-list@mydomain.com        permitted_senders_list
 protected-user@mydomain.com        permitted_senders_list
 
* Create a simple bash script to create postfix DB files (as user zimbra):
 
vi /opt/zimbra/postfix/conf/update_protected_recipients
 
[paste in contents below editing as required]
 
 #!/bin/bash
 # Rebuild the Postfix lookup tables (.db files) from the two text maps.
 echo "rebuild permitted_senders..."
 postmap /opt/zimbra/postfix/conf/permitted_senders
 echo "rebuild protected_recipients..."
 postmap /opt/zimbra/postfix/conf/protected_recipients
 
* Make new script executable, then run it
 
 chmod 755 /opt/zimbra/postfix/conf/update_protected_recipients
 /opt/zimbra/postfix/conf/update_protected_recipients
 
* You should now see permitted_senders.db and protected_recipients.db in the directory
 
* Add necessary settings to /opt/zimbra/postfix/conf/main.cf
 
vi /opt/zimbra/postfix/conf/main.cf
 
[add these items to the file - note permitted_senders_list must match value in protected_recipients]
 
 permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
 smtpd_restriction_classes = permitted_senders_list
 
  **Note this change to the main.cf won't survive upgrades. Be sure to save a copy of your main.cf file**
 
* Now add your new restriction to the '''top''' of postfix_recipient_restrictions.cf
 
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
 
[paste this into the '''first''' line of the file, above any other settings]
 
check_recipient_access hash:/opt/zimbra/postfix/conf/protected_recipients
 
* Reload postfix to activate settings:
 
postfix reload
 
 
 
Note 3 from talk: file ownership should be set to root:postfix before reloading postfix. This avoids annoying warning messages in the logfile.
 
 
 
===Test it out===
 
* Test your settings via telnet:
 
Enter command:
 
telnet zimbra.mydomain.com 25
 
 
 
You will see:
 
Trying 192.168.1.1...
 
Connected to zimbra.mydomain.com.
 
Escape character is '^]'.
 
220 zimbra.mydomain.com ESMTP Postfix
 
 
 
Enter command:
 
HELO test.com
 
 
 
You will see:
 
250 zimbra.mydomain.com
 
 
 
Enter command:
 
MAIL FROM: jdoe@test.com
 
 
 
You will see:
 
250 Ok
 
 
 
Enter command:
 
RCPT TO: test-dist-list@mydomain.com
 
 
 
You will see:
 
554 <test-dist-list@mydomain.com>: Recipient address rejected: Access denied
 
QUIT
 
221 Bye
 
Connection closed by foreign host.
 
 
 
* That's it. If you need to protect new distribution lists or email addresses, or add new senders, just edit the relevant list file, re-run the update script, then reload postfix.
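The decision this configuration makes for each MAIL FROM / RCPT TO pair can be checked offline before reloading postfix. The Python model below is an added example, not part of the original wiki page and not Postfix code: the function names are hypothetical, the maps are copied from the sample files above, and the key order is a simplified version of the address lookups described in access(5).

```python
# Simplified model of the two lookups configured above (not Postfix code).
# Map contents are copied from the page's sample files.
PERMITTED_SENDERS = {
    "localhost": "OK",
    "mydomain.com": "OK",
    "zimbra.mydomain.com": "OK",
    "okuser@externaldom.com": "OK",
}
PROTECTED_RECIPIENTS = {
    "test-dist-list@mydomain.com": "permitted_senders_list",
    "protected-user@mydomain.com": "permitted_senders_list",
}
# Stand-in for smtpd_restriction_classes: class name -> sender map it checks.
RESTRICTION_CLASSES = {"permitted_senders_list": PERMITTED_SENDERS}


def access_lookup(table, address):
    """Try keys in order: user@domain, domain and its parents, user@."""
    address = address.strip().strip("<>").lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels))]
    if local:
        keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def rcpt_decision(mail_from, rcpt_to):
    """Outcome of the added restriction for one MAIL FROM / RCPT TO pair."""
    class_name = access_lookup(PROTECTED_RECIPIENTS, rcpt_to)
    if class_name is None:
        return "DUNNO"   # recipient not protected: later restrictions decide
    if access_lookup(RESTRICTION_CLASSES[class_name], mail_from) == "OK":
        return "OK"
    return "REJECT"      # the trailing ", reject" in the class definition


if __name__ == "__main__":
    # Constructed test pairs; the first mirrors the telnet session above.
    for sender, rcpt in [
        ("jdoe@test.com", "test-dist-list@mydomain.com"),
        ("okuser@externaldom.com", "protected-user@mydomain.com"),
        ("anyone@mydomain.com", "test-dist-list@mydomain.com"),
    ]:
        print(f"{sender} -> {rcpt}: {rcpt_decision(sender, rcpt)}")
```

The third pair returns OK for any client that claims a mydomain.com envelope sender, because the check sees only the claimed address. This is the limitation noted at the top of the page.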
 
 
 
=Additional Resources=
 
 
 
Also:
 
http://wiki.zimbra.com/index.php?title=Restrict_sending_to_certain_domains
 
 
 
{{Article_Footer|unknown|11/3/2006}}
 
[[Category:Configuration]]
 
[[Category:MTA]]
 

Latest revision as of 16:44, 31 March 2015
