Revision as of 21:23, 3 November 2006 by Jdell (talk | contribs) (New page)


Restrict Postfix Recipients

  • This will show how you can modify postfix to restrict who can send to certain addresses in your domain such as distribution lists like
  • These changes will most likely not persist between upgrades!
  • This method can be spoofed by forging the envelope sender given in the MAIL FROM: command (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs.


  • Create a 'permitted senders' list (as user zimbra) - This is your list of domains and/or users who can email your protected email addresses:
vi /opt/zimbra/postfix/conf/permitted_senders

[paste in contents below editing as required]

localhost               OK            OK     OK  OK
  • Create a 'protected recipients' list (as user zimbra) - This is your list of email addresses that may only receive email from 'permitted senders'
vi /opt/zimbra/postfix/conf/protected_recipients

[paste in contents below editing as required]         permitted_senders_list         permitted_senders_list 
  • Create a simple bash script to create postfix DB files (as user zimbra):
vi /opt/zimbra/postfix/conf/update_protected_recipients

[paste in contents below editing as required]

#!/bin/bash
# Rebuild the Postfix lookup tables (.db files) from the two text maps
echo "rebuild permitted_senders..."
postmap /opt/zimbra/postfix/conf/permitted_senders
echo "rebuild protected_recipients..."
postmap /opt/zimbra/postfix/conf/protected_recipients
  • You should see permitted_senders.db and protected_recipients.db in the directory now
  • Add necessary settings to /opt/zimbra/postfix/conf/
vi /opt/zimbra/postfix/conf/

[add these items to the file - note permitted_senders_list must match value in protected_recipients]

permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
smtpd_restriction_classes = permitted_senders_list
  • Now add your new restriction to
vi /opt/zimbra/conf/

[paste this into the first line of the file above any other settings]

  • Reload postfix to activate settings:
postfix reload
  • Test your settings via telnet:
telnet 25

You will see...

Connected to
Escape character is '^]'.
220 ESMTP Postfix

You will see...


You will see...

250 Ok

You will see that it works!

554 <>: Recipient address rejected: Access denied
221 Bye
Connection closed by foreign host.
  • That's it. If you need to protect new distribution lists or emails, or add new senders, just edit and re-run the update script, then reload postfix.
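
The requirement that permitted_senders_list match the value used in protected_recipients can be checked before each reload. The script below is an added example, not part of the original page: it takes the protected-recipients file and the Postfix configuration file as arguments (hypothetical function names) and assumes each setting sits on one line without continuation lines.

```shell
#!/bin/sh
# Added example (not from the original page): verify that every restriction
# class named in the protected-recipients map is declared in
# smtpd_restriction_classes and has a definition that ends in "reject".

# list_classes CONFIG: print the names declared in smtpd_restriction_classes
list_classes() {
    awk -F= '/^smtpd_restriction_classes[ \t]*=/ {
        gsub(/,/, " ", $2); n = split($2, c, " ")
        for (i = 1; i <= n; i++) print c[i]
    }' "$1"
}

# check_protected_maps RECIPIENTS CONFIG: print problems, return 1 if any
check_protected_maps() {
    recipients=$1 config=$2 status=0
    classes=$(list_classes "$config")
    # Field 1 is the protected address, field 2 the restriction class
    while read -r addr class rest; do
        case $addr in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -z "$class" ] ||
           ! printf '%s\n' "$classes" | grep -qxF -- "$class"; then
            echo "$addr: class '$class' not in smtpd_restriction_classes"
            status=1
        elif ! grep -Eq "^$class[[:space:]]*=.*reject[[:space:]]*$" "$config"; then
            # Without a trailing reject, senders not in the list fall through
            echo "$addr: class '$class' has no definition ending in reject"
            status=1
        fi
    done < "$recipients"
    return $status
}
```

A mistyped class name in protected_recipients is reported with the address it belongs to, so it can be corrected before running postmap and reloading.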