Smtpd recipient restrictions: Difference between revisions
Line 57: | Line 57: | ||
*If protected recipient received a message from unallowed sender then that message will be rejected, and respective log entry can be found in the MTA log file <code>/var/log/zimbra.log</code>. | *If protected recipient received a message from unallowed sender then that message will be rejected, and respective log entry can be found in the MTA log file <code>/var/log/zimbra.log</code>. | ||
<pre>postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname></pre> | <pre>postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname></pre> | ||
'''NOTE: This is a customization and needs to be tested first on the test environment before implimenting on production. Also these chages will not survive an upgrade.''' | |||
{{SubmittedBy|Raghu Noti}} | {{SubmittedBy|Raghu Noti}} | ||
{{Article Footer|ZCS 8.8.15, ZCS 9.0|2020-09-27}} | {{Article Footer|ZCS 8.8.15, ZCS 9.0|2020-09-27}} |
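Review bot: the NOTE line in this change misspells two words, "implimenting" and "chages"; they should read "implementing" and "changes". Its second sentence also repeats the existing note under Step 8 ("This is a customization, and it will not survive any upgrade"), so consider keeping only the test-environment advice in the new line, or merging the two notes into one.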
Revision as of 03:51, 6 April 2022
Restrict Users from receiving emails from certain external domains only
Problem
Sometimes a user needs to be restricted from receiving external email. Broadly, the user should be able to receive email from certain external domains only.
Solution
Perform the following steps.
Step 1: Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add the line below directly after the line %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients
Example:
%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients
Step 2: Create a recipients file.
$ touch /opt/zimbra/conf/protected_recipients
Step 3: Add an entry like the one below to /opt/zimbra/conf/protected_recipients for each recipient you want to protect.
usera@recipient.com permitted_senders_list
Notes:
- If a domain (e.g. recipient.com) is listed instead of an address, the rule applies to all recipients in that domain.
- permitted_senders_list is a restriction class name; it is defined in the main.cf file in Step 7.
Step 4: Create a permitted senders file
$ touch /opt/zimbra/conf/permitted_senders
Step 5: Add entries like the ones below to /opt/zimbra/conf/permitted_senders for each sender you want to allow to send email to protected recipients.
user@sender.com ok
sender2.com ok
Notes:
- Add the home domain (e.g. recipient.com) to accept email from the same domain.
- If a domain is listed, the entire domain is allowed.
Step 6: Generate the lmdb files for the permitted senders and protected recipients by running the commands below.
$ postmap lmdb:/opt/zimbra/conf/permitted_senders
$ postmap lmdb:/opt/zimbra/conf/protected_recipients
Note:
- To keep the lmdb files up to date, run postmap whenever /opt/zimbra/conf/permitted_senders or /opt/zimbra/conf/protected_recipients is modified.
Step 7: Edit /opt/zimbra/common/conf/main.cf and add the lines below at the end.
smtpd_restriction_classes = permitted_senders_list
permitted_senders_list = check_sender_access lmdb:/opt/zimbra/conf/permitted_senders, reject
Step 8: Restart Configd and the MTA.
$ zmconfigdctl restart
$ zmmtactl restart
Notes:
- Run all the commands as the Zimbra user (su - zimbra).
- Take a backup of the respective files before editing.
- This is a customization, and it will not survive any upgrade.
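The lookups configured in Steps 1 to 7 can be walked through offline before touching a live MTA. The following is an added example, not Zimbra or Postfix code: a simplified Python model in which the table contents are constructed samples, the function names are hypothetical, and only full-address and bare-domain keys are handled.

```python
# Added example: simplified model of the lookups configured in Steps 1-7.
# Table contents are constructed samples; recipient.com is listed as a
# permitted sender per the Step 5 note about the home domain.
PROTECTED_RECIPIENTS = """
usera@recipient.com permitted_senders_list
"""
PERMITTED_SENDERS = """
user@sender.com ok
sender2.com ok
recipient.com ok
"""

def parse_table(text):
    """Parse 'key value' lines of an access table, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def lookup(table, address):
    """Full address first, then the bare domain (subdomain and user@
    patterns from access(5) are left out of this model). The null sender
    is looked up as '<>', Postfix's default smtpd_null_access_lookup_key."""
    address = address.lower() or "<>"
    domain = address.rpartition("@")[2]
    return table.get(address) or table.get(domain)

RECIPIENTS = parse_table(PROTECTED_RECIPIENTS)
SENDERS = parse_table(PERMITTED_SENDERS)

def decide(sender, recipient):
    """Return the outcome of the added check for one RCPT TO."""
    if lookup(RECIPIENTS, recipient) != "permitted_senders_list":
        return "DUNNO"    # not protected: the remaining restrictions decide
    if (lookup(SENDERS, sender) or "").lower() == "ok":
        return "OK"       # sender matched in permitted_senders
    return "REJECT"       # trailing "reject" of the restriction class

if __name__ == "__main__":
    for s, r in [("user@sender.com", "usera@recipient.com"),
                 ("other@sender.com", "usera@recipient.com"),
                 ("other@sender.com", "userb@recipient.com"),
                 ("", "usera@recipient.com")]:
        print(f"from=<{s}> to=<{r}> -> {decide(s, r)}")
```

The last pair shows that bounces (null sender) addressed to a protected recipient are rejected unless a `<>` key is added to permitted_senders.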
Verify the changes have taken effect
- Send an email to a protected recipient from a sender that is not permitted, and check the MTA logs.
- If a protected recipient is sent a message from a sender that is not permitted, the message is rejected and the corresponding log entry can be found in the MTA log file /var/log/zimbra.log.
postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname>
NOTE: This is a customization and needs to be tested first in a test environment before implementing it in production. Also, these changes will not survive an upgrade.
Submitted by: Raghu Noti