Restrict sending to certain domains
Requirement "users in the sender.allowed.com domain must be
allowed to email only users in the sender.allowed.com or another.allowed.com
domains."
Here is how to implement that requirement in postfix. If using this elsewhere, be sure to change the domain name!
After implementing this, the sender.allowed.com user gets an error dialog in the web UI when trying to email an outside address:
At least one address is not valid. Invalid addresses: joe@example.com
Postfix generates this error message on rcpt to (clearly we are not propogating the exact error up, but not a big deal):
Sender address rejected: Access denied
Solution is to add a sender restriction, and then define that restriction to be that only some recipients are OK. This has to be done on every MTA box.
a) Populate the sender check table so a recipient restriction is applied on senders from the domain.
cd /opt/zimbra/conf echo "sender.allowed.com restrict_tpmail" > tpmail_senders postmap tpmail_senders
b) Populate a table which lists who they are allowed to send to
cd /opt/zimbra/conf echo "another.allowed.com OK" > tpmail_recipients echo "sender.allowed.com OK" >> tpmail_recipients postmap tpmail_recipients
this step is obsolete in newer zimbras c) add these three line to postfix main.cf:
smtpd_sender_restrictions = check_sender_access hash:/opt/zimbra/conf/tpmail_senders smtpd_restriction_classes = restrict_tpmail restrict_tpmail = check_recipient_access hash:/opt/zimbra/conf/tpmail_recipients, reject
c) newer versions of Zimbra edit main.cf every restart, so its better to modify zmmta.cf. add this lines to zmmta.cf:
Remark: For ZCS 8.x, should edit the file in /opt/zimbra/conf/zmconfigd.cf
POSTCONF smtpd_sender_restrictions FILE postfix_sender_restrictions.cf POSTCONF smtpd_restriction_classes restrict_tpmail POSTCONF restrict_tpmail FILE postfix_restrict_tpmail.cf
after this line:
POSTCONF virtual_transport LOCAL postfix_virtual_transport
d) create two files with the restriction definition inside:
Note: ZCS 8.5 and later use lmdb databases, not hash databases
cd /opt/zimbra/conf echo "check_sender_access lmdb:/opt/zimbra/conf/tpmail_senders" > postfix_sender_restrictions.cf echo "check_recipient_access lmdb:/opt/zimbra/conf/tpmail_recipients, reject" >> postfix_restrict_tpmail.cf
done.
Related Articles