Revision as of 05:41, 13 July 2010 by Martinx (talk | contribs) (Creating the "Restrict Postfix Senders" wiki page.)


Restrict Postfix Senders

  • This procedure configures your server to allow outgoing mail only from the domains configured on the server itself.
  • For example, if your mail domains are and, with the configuration presented here, no user registered on the system will be allowed to send mail as if belonging to other domains, as,,, etc.
  • Basically, these modifications "extend" the Zimbra option "Allow sending email from any address", which only works for Webmail users, to the entire system, including the open relay networks and authenticated users.
  • WARNING: This setting affects the entire system, both registered users and the IP networks declared in zimbraMtaMyNetwork...

Complete procedure

  • Become root:
sudo -i

  • Change into the configuration directory:
cd /opt/zimbra/conf
  • Edit the file:
  • ...and, right below the line:
POSTCONF local_header_rewrite_clients permit_mynetworks,permit_sasl_authenticated

  • Add the following two lines; do not forget the tab at the beginning of each line:
POSTCONF smtpd_sender_restrictions FILE
POSTCONF smtpd_sender_login_maps FILE

  • Save the file.

  • Now make the files declared in the file

  • The file:
echo reject_authenticated_sender_login_mismatch >

  • The file:
echo hash:/opt/zimbra/conf/exceptions-db >
echo ldap:/opt/zimbra/conf/ >>
  • Now create the exceptions file, in which you can declare arbitrary e-mail sender addresses that a user is allowed to use, something like a bypass.
touch exceptions-db
/opt/zimbra/postfix/sbin/postmap exceptions-db
  • Examples of exceptions: zimbra_login

  • Now you need two pieces of information: the server_host (referring to LDAP) and the bind_pw of the user "uid=zmpostfix,cn=appaccts,cn=zimbra". Look up and record both values from the file "/opt/zimbra/conf/", then create the file "/opt/zimbra/conf/" as follows:
grep server_host /opt/zimbra/conf/
grep bind_pw /opt/zimbra/conf/
  • Edit the file:
vim /opt/zimbra/conf/
server_host = ldap://
server_port = 389
search_base =
query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = XXXXXXXXXX
timeout = 30
  • Make some final adjustments:
chown zimbra: postfix_sender_* exceptions-db*
  • Activate the changes:
su - zimbra
zmmtactl restart
  • Well done!
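
Because every entry in exceptions-db lets a login send as an address it does not otherwise own, it is worth auditing the file before running postmap on it. The script below is an added example, not part of the original wiki procedure; it assumes the file uses the standard Postfix lookup-table text format (a sender address followed by the login names allowed to use it), and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the exceptions-db source file,
# assumed to be in postmap text format: "sender_address  login[,login...]".

# Print the logins listed for SENDER, one per line. Only exact user@domain
# keys are matched; keys are compared lower-cased, as postmap folds them.
exception_owners() {
    file=$1
    sender=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v want="$sender" '
        function flush(   n, parts, i) {
            if (entry == "" || done) { entry = ""; return }
            n = split(entry, parts, /[ \t,]+/)
            if (tolower(parts[1]) == want) {
                for (i = 2; i <= n; i++) if (parts[i] != "") print parts[i]
                done = 1      # stop at the first matching entry
            }
            entry = ""
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }   # blank lines and comments
        /^[ \t]/ { sub(/^[ \t]+/, ""); entry = entry " " $0; next }  # continuation
        { flush(); entry = $0 }
        END { flush() }
    ' "$file"
}

# Succeed only if LOGIN is explicitly listed as an owner of SENDER.
sender_allowed() {
    exception_owners "$1" "$2" | grep -qxF -- "$3"
}

# Constructed sample entries (hypothetical addresses and logins).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# bypass entries: sender address, then the logins allowed to use it
newsletter@example.com   alice, bob
Alerts@example.com  monitor
    carol
EOF

for login in alice carol; do
    if sender_allowed "$sample" newsletter@example.com "$login"; then
        echo "$login may send as newsletter@example.com"
    else
        echo "$login is not listed for newsletter@example.com"
    fi
done
```

To review the real bypass list, call the functions with /opt/zimbra/conf/exceptions-db in place of the sample file.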