External domain warning

Zimbra External Email warning

In this article you can learn how to add an external email warning message in Zimbra when receiving an email from an external domain. Tested on Zimbra 9 patch 19. The solution is by way of a Sieve filter, it can be enabled per account,cos,domain,server.

Sieve via the Admin Console UI

You can set-up Sieve filter rules for Class of Service (CoS) and Domains in the Admin Console web-ui. The settings can be found in the Advanced section CoS→Advanced→Sieve. and "Domains→Advanced→Sieve.

For more information on the actual Sieve syntax read the section below.

Sieve via the command line using zmprov

Create /tmp/myfilters

  su - zimbra
  nano /tmp/myfilters

With the following contents:

require ["fileinto", "reject", "tag", "flag", "editheader", "variables"];

# add an external domain header to all email not coming from our own domains
if allof(
  not address :domain :is ["from"] ["example.com"],
  not header :contains "Subject" ["[External Email]"]
  addheader "X-External-Domain" "This Message originated outside of mind.";
  # Match the entire subject ...
  if header :matches "Subject" "*" {
     # ... to get it in a match group that can then be stored in a variable:
     set "subject" "${1}";

  # We can't "replace" a header, but we can delete (all instances of) it and
  # re-add (a single instance of) it:
  deleteheader "Subject";
  # Append/prepend as you see fit
  addheader :last "Subject" "[External Email] ${subject}";
  # Note that the header is added ":last" (so it won't appear before possible
  # "Received" headers).


Replace example.com with your Zimbra domain name, you can also add additional trusted domains where you do not want the external email warning to be displayed using:

not address :domain :is ["from"] ["example.com","supermodel.com","gamer.tech"],

Enable it on a test account using

 zmprov mc default zimbraSieveEditHeaderEnabled TRUE
cat /tmp/myfilters |xargs -0 zmprov ma test@example.com zimbraAdminSieveScriptBefore

How to deal with user defined forwarded email

A user can configure Zimbra to forward their email to another user. To be able to make a Sieve filter rule that can tell the difference between a user-configured forwarded email and a mail sent manually by the user you can enable the X-Authenticated-User header:

sudo su zimbra
zmprov mcf zimbraSmtpSendAddAuthenticatedUser TRUE
zmprov mcf zimbraMtaSmtpdSaslAuthenticatedHeader yes
zmcontrol restart

Going forward, manually sent email from the user will have the X-Authenticated-User header, and forwarded email will NOT have the header. You can write a Sieve filter for the existence of a header as follows:

if allof(
  address :is :domain ["from", "sender"] ["example.com","supermodel.com","gamer.tech"],
  not exists ["X-Authenticated-User"]
  # do something here


  1. Modifying the message like this will break DKIM in case the user wants to re-validate DKIM manually after it was verified and the subject was changed, but not many people do this.
  2. This is in itself not a protection against spoofing, you will have to reject email with a FROM domain that comes from untrusted locations, but that should have been done anyway.
  3. In a multi-tenant environment, it would be best to configure this on the domain. Even if domains are on the same environment, they may be external to one another!

Further reading

Jump to: navigation, search