Smtpd recipient restrictions: Difference between revisions

(To allow a user to receive emails specific users/domains. Example: user2@recipient.com will receive emails only from @recipient.com, @example.com and usera@domain.com)
 
No edit summary
 
(39 intermediate revisions by one other user not shown)
Latest revision as of 13:28, 13 June 2023

Restrict Users from receiving emails from certain external domains only


   KB 24163        Last updated on 2023-06-13  





Problem

Sometimes a user needs to be restricted from receiving external emails. Broadly, the user should receive emails from certain external domains only.

Solution

NOTE: This is a customization and must be tested in a test environment before it is implemented in production. Also, these changes may not survive an upgrade.

Perform the following steps:

Step 1: Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add the line below right after %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%:

check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients

Example:

%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients

Step 2: Create a recipients file.

$ touch /opt/zimbra/conf/protected_recipients

Step 3: In /opt/zimbra/conf/protected_recipients, add an entry like the one below for each recipient you want to protect.

usera@recipient.com       permitted_senders_list

Notes:

If a domain (e.g. recipient.com) is listed instead of an address, the rule applies to all recipients in that domain.
permitted_senders_list is a class name; it is used in the main.cf file.

Step 4: Create a permitted senders file

$ touch /opt/zimbra/conf/permitted_senders

Step 5: In /opt/zimbra/conf/permitted_senders, add an entry like the ones below for each sender you want to allow to send email to the protected recipients.

user@sender.com ok
sender2.com ok

Notes:

Add the home domain (e.g. recipient.com) to accept emails from the same domain.
If a domain is listed, the entire domain is allowed.

Step 6: Generate the lmdb files for the permitted senders and protected recipients by running the commands below.

$ postmap lmdb:/opt/zimbra/conf/permitted_senders
$ postmap lmdb:/opt/zimbra/conf/protected_recipients

Note:

To keep the lmdb files up to date, run postmap whenever /opt/zimbra/conf/permitted_senders or /opt/zimbra/conf/protected_recipients is modified.

Step 7: Edit /opt/zimbra/common/conf/main.cf and add the lines below at the end.

smtpd_restriction_classes = permitted_senders_list
permitted_senders_list = check_sender_access lmdb:/opt/zimbra/conf/permitted_senders, reject

Step 8: Restart Configd, MTA.

$ zmconfigdctl restart
$ zmmtactl restart

Notes:

Run all the commands as the zimbra user (su - zimbra).
Take a backup of the respective files before editing them.
This is a customization, and it will not survive any upgrade.

Verify that the changes have taken effect

  • Send an email to a protected recipient from a sender that is not allowed, and check the MTA logs.
  • A message sent to a protected recipient by a sender that is not allowed is rejected, and the corresponding log entry can be found in the MTA log file /var/log/zimbra.log.
postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname>
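
The decision chain configured in Steps 1-7 can be checked offline before restarting the MTA. The following is an added example, not code from this article or from Zimbra/Postfix: it models which sender/recipient pairs end in the reject logged above. The map contents are constructed from the sample entries in Steps 3 and 5 (with the home domain added as the Step 5 note suggests), and only full-address and exact-domain lookups are modelled.

```python
# Added example: offline model of the policy built in Steps 1-7 (not Zimbra/Postfix code).
# Assumption: only full-address and exact-domain keys are tried; subdomain,
# "user@" and address-extension lookups are not modelled.

# Constructed sample maps, based on the entries shown in Steps 3 and 5.
PROTECTED_RECIPIENTS = """
usera@recipient.com      permitted_senders_list
"""
PERMITTED_SENDERS = """
user@sender.com ok
sender2.com ok
recipient.com ok
"""
CLASS_NAME = "permitted_senders_list"  # declared in main.cf in Step 7


def parse_map(text):
    """Read 'key value' lines; keys are lower-cased for case-insensitive lookup."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].strip()
    return table


def lookup(table, address):
    """Try the full address first, then the domain part alone."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    return table.get(address, table.get(domain))


def decide(sender, recipient):
    """Model check_recipient_access -> class -> 'check_sender_access ..., reject'."""
    if lookup(RECIPIENTS, recipient) != CLASS_NAME:
        return "DUNNO"   # recipient not protected; later restrictions decide
    verdict = lookup(SENDERS, sender) or ""
    # This model treats only "ok" as a permit; anything else hits the final reject.
    return "OK" if verdict.upper() == "OK" else "REJECT"


RECIPIENTS = parse_map(PROTECTED_RECIPIENTS)
SENDERS = parse_map(PERMITTED_SENDERS)

if __name__ == "__main__":
    for s, r in [("user@sender.com", "usera@recipient.com"),
                 ("other@sender.com", "usera@recipient.com"),
                 ("other@sender.com", "userb@recipient.com")]:
        print(f"{s} -> {r}: {decide(s, r)}")
```

On the live server, `postmap -q usera@recipient.com lmdb:/opt/zimbra/conf/protected_recipients` queries a single key in the built map, which confirms that Step 6 was re-run after the last edit.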


Submitted by: Raghu Noti
Verified Against: ZCS 8.8.15, ZCS 9.0 Date Created: 2020-09-27
Article ID: https://wiki.zimbra.com/index.php?title=Smtpd_recipient_restrictions Date Modified: 2023-06-13


