Smtpd recipient restrictions: Difference between revisions

Line 57: Line 57:
*If protected recipient received a message from unallowed sender then that message will be rejected, and respective log entry can be found in the MTA log file <code>/var/log/zimbra.log</code>.
*If protected recipient received a message from unallowed sender then that message will be rejected, and respective log entry can be found in the MTA log file <code>/var/log/zimbra.log</code>.
<pre>postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname></pre>
<pre>postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname></pre>
'''NOTE: This is a customization and needs to be tested first on the test environment before implimenting on production. Also these chages will not survive an upgrade.'''


{{SubmittedBy|Raghu Noti}}
{{SubmittedBy|Raghu Noti}}


{{Article Footer|ZCS 8.8.15, ZCS 9.0|2020-09-27}}
{{Article Footer|ZCS 8.8.15, ZCS 9.0|2020-09-27}}
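Review bot: the added NOTE line, placed after the rejected-message log example, misspells "implementing" as "implimenting" and "changes" as "chages". It also repeats the existing note under Step 8 that this customization will not survive an upgrade. Suggest correcting the spelling and keeping only the new advice, for example: "NOTE: This is a customization; test it in a test environment before implementing it in production."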

Revision as of 03:51, 6 April 2022

Restrict Users from receiving emails from certain external domains only


   KB 24163        Last updated on 2022-04-6  





Problem

Sometimes a user needs to be restricted from receiving external emails. More broadly, the user can receive emails from certain external domains only.

Solution

Perform the following steps:

Step 1: Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add the line below immediately after the line %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%

check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients

Example:

%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients

Step 2: Create a recipients file.

$ touch /opt/zimbra/conf/protected_recipients

Step 3: In /opt/zimbra/conf/protected_recipients, add an entry like the one below for each recipient you want to protect.

usera@recipient.com       permitted_senders_list

Notes:

If a domain (i.e. recipient.com) is specified instead, the rule applies to all recipients in that domain.
permitted_senders_list is a restriction class name; it is defined in the main.cf file (Step 7).

Step 4: Create a permitted senders file.

$ touch /opt/zimbra/conf/permitted_senders

Step 5: In /opt/zimbra/conf/permitted_senders, add entries like the ones below for each sender you want to allow to send email to the protected recipients.

user@sender.com ok
sender2.com ok

Notes:

Add the home domain (i.e. recipient.com) to accept emails from the same domain.
If a domain is specified, the entire domain is allowed.

Step 6: Generate the lmdb files for the permitted senders and protected recipients by running the commands below.

$ postmap lmdb:/opt/zimbra/conf/permitted_senders
$ postmap lmdb:/opt/zimbra/conf/protected_recipients

Note:

To keep the lmdb files up to date, run postmap whenever /opt/zimbra/conf/permitted_senders or /opt/zimbra/conf/protected_recipients is modified.

Step 7: Edit /opt/zimbra/common/conf/main.cf and add the lines below at the end.

smtpd_restriction_classes = permitted_senders_list
permitted_senders_list = check_sender_access lmdb:/opt/zimbra/conf/permitted_senders, reject

Step 8: Restart configd and the MTA.

$ zmconfigdctl restart
$ zmmtactl restart

Notes:

Run all the commands as the zimbra user (su - zimbra).
Take a backup of the respective files before editing them.
This is a customization, and it will not survive any upgrade.
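
Added example (not part of the original article, and not Zimbra or Postfix code): an offline Python model of how the configuration from Steps 1 to 7 decides a given sender/recipient pair, useful for predicting results before the verification test. The map contents are constructed samples; the lookup is simplified to the full address, then the domain and its parent domains (Postfix defaults), and the null sender (bounces) is looked up under the default key <>.

```python
# Constructed samples of the map files from Steps 3 and 5 (home domain added).
PROTECTED_RECIPIENTS = "usera@recipient.com       permitted_senders_list\n"
PERMITTED_SENDERS = "user@sender.com ok\nsender2.com ok\nrecipient.com ok\n"
# Step 7: class name -> sender map checked before the class's final "reject".
CLASSES = {"permitted_senders_list": PERMITTED_SENDERS}


def parse_map(text):
    """Parse postmap-style "key value" lines, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table


def lookup(table, address):
    """Simplified access(5) search: full address, then domain and parents."""
    address = address.lower() or "<>"  # null sender uses the key "<>" by default
    labels = address.rpartition("@")[2].split(".")
    for key in [address] + [".".join(labels[i:]) for i in range(len(labels))]:
        if key in table:
            return table[key]
    return None


def decide(sender, recipient):
    """Return "permit", "reject", or "dunno" (later restrictions decide)."""
    cls = lookup(parse_map(PROTECTED_RECIPIENTS), recipient)
    if cls is None:
        return "dunno"  # recipient is not protected
    if cls not in CLASSES:
        raise ValueError(f"{cls} is not in smtpd_restriction_classes")
    action = lookup(parse_map(CLASSES[cls]), sender)
    return "permit" if (action or "").lower() == "ok" else "reject"


if __name__ == "__main__":
    for s in ("user@sender.com", "x@mail.sender2.com", "other@sender.com", ""):
        print(repr(s), "->", decide(s, "usera@recipient.com"))
    print(decide("other@sender.com", "userb@recipient.com"))
```

With these sample maps, bounce messages (empty envelope sender) to a protected recipient are rejected because <> is not listed in permitted_senders.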

Verify that the changes have taken effect

  • Send an email to a protected recipient from a sender that is not permitted, and check the MTA logs.
  • If a protected recipient is sent a message from a sender that is not permitted, the message is rejected, and the corresponding log entry can be found in the MTA log file /var/log/zimbra.log.
postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname>

NOTE: This is a customization and needs to be tested first in a test environment before implementing it in production. Also, these changes will not survive an upgrade.

Submitted by: Raghu Noti
Verified Against: ZCS 8.8.15, ZCS 9.0 Date Created: 2020-09-27
Article ID: https://wiki.zimbra.com/index.php?title=Smtpd_recipient_restrictions Date Modified: 2022-04-06


