Enabling and administering the Zimbra milter

(Redirected from RestrictPostfixRecipients)

Enabling and administering the Zimbra milter

   KB 20524        Last updated on 2022-04-6  




0.00
(0 votes)

Getting Started

The Zimbra milter allows for the regulation of distribution list senders on a Global or server level. When the milter server is enabled, only users who have been granted (with steps below) explicit sending permissions will be allowed.

Enabling the Milter Server

Note that the Milter server should only be enabled on servers running the MTA.

Global: Home > Configure > Global Settings > MTA > Milter Server
Server: Home > Configure > Servers > Select Desired Server > MTA > Milter Server 
  • Alternatively using the CLI:
su - zimbra
zmprov modifyConfig zimbraMilterServerEnabled TRUE

For a specific server (say mail.zimbra.lab):

zmprov modifyServer mail.zimbra.lab zimbraMilterServerEnabled TRUE

The above steps will ensure that milter will be automatically started via "zmcontrol start"

To start the milter manually:

zmmilterctl start

To check the status of the milter:

zmmilterctl status 

Usage: zmmilterctl start|stop|restart|reload|refresh|status

Examples using CLI

The following will provide examples for granting sender permissions on the CLI:

  • User - grants a user sending permissions to a distribution list
zmprov grr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList            
  • Group (distribution list) - grants a group sending rights to distribution list
zmprov grr dl distributionlist@zimbra.lab grp groupdl@zimbra.lab sendToDistList
  • All Entities - allows all entities on the server to send to a distribution list
zmprov grr dl distributionlist@zimbra.lab all sendToDistList
  • Domain - grant all users on a domain sending rights
zmprov grr dl distributionlist@zimbra.lab dom zimbra.lab sendToDistList
  • Public - grant all users both internal/external sending rights
zmprov grr dl distributionlist@zimbra.lab pub sendToDistList
  • After granting or revoking rights for the milter, you must reaload the configuration for the changes to take effect.
zmmtactl reload

Examples using the admin interface

The following will provide examples for granting sender permissions on the Web Admin:

Note: Applicable to ZCS 8.7.11 or previous versions. Since ZCS 8.8 NG modules introduced, and enabling NG admin will hides ACL options in admin interface, but ACL permissions can be applied from command line.

  • User - grants a user sending permissions to a distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Group (distribution list) - grants a group sending rights to distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • All Entities - allows all entities on the server to send to a distribution list
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Domain - grant all users on a domain sending rights
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • Public - grant all users both internal/external sending rights
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Add
  • After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
zmmtactl reload

Verifying permissions for an entity

  • Checking a single user or entity (CLI):
zmprov ckr dl distributionlist@zimbra.lab userorentity@zimbra.lab sendToDistList
ALLOWED
  • Checking a domain (Web Admin):

Global: Home > Configure > Domain > zimbra.lab > Click on the gear > Configure Grant

  • Viewing granted permissions for the distribution list (CLI):

1) Get the users Zimbra ID:

zmprov ga user@zimbra.lab |grep -i "zimbraid: "

2) Check the permissions on the distribution list:

zmprov gdl distributionlist@zimbra.lab |less

3) Find the 'zimbraACE' entries and compare the users' id:

zimbraACE: [zimbraId of user] usr sendToDistList

For example;

zimbraACE: c524877c-e0a6-4255-bb1b-d02b35cc2dd5 dom sendToDistList
zimbraACE: 99999999-9999-9999-9999-999999999999 pub sendToDistList
  • Viewing granted permissions for the distribution list (Web Admin):
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL

Modifying and revoking grants

If you want to remove or modify permissions, you'll need to use 'zmprov rvr' instead of 'zmprov grr'.

  • Example of removing sendToDistList permissions for a user (CLI):
zmprov rvr dl distributionlist@zimbra.lab usr user@zimbra.lab sendToDistList
  • Example of removing sendToDistList permissions for a user (Web admin):
Global: Home > Manage > Distribution List > distributionlist@zimbra.lab > ACL > Select the ACL > Delete
  • After granting or revoking rights for the milter, you must reload the configuration for the changes to take effect.
zmmtactl reload

Disabling grants inheritance from parent distribution list

If nested distribution list configured and public "sendToDistList" permissions granted to a parent distribution list then the same permissions will apply to child distribution list.

Let's assume there is a distribution list called parent-distributionlist@zimbra.lab with public sendToDistList rights. Now if there is a child distribution list (child-distributionlist@zimbra.lab) as a member in parent-distributionlist@zimbra.lab then the sendToDistList righst will be automatically inherited by the child distribution list. To prevent the same, need to be restricted the right of public sendToDistList of parent deistribution list to be inherited by any clild distribution list.

  • Example of removing inheritance sendToDistList permissions for a user (CLI):
zmprov grr dl parent-distributionlist@zimbra.lab pub ^sendToDistList

Note:

{right}: can have the following prefixes:
            - : the right is specifically denied
            + : the same right or part of the right can be delegated(granted) to others
            * : the grant affects sub domains only
            ^ : the grant cannot be inherited by sub-groups on the target side
  • Verifying the same:
zmprov ckr dl child-distributionlist@zimbra.lab user@zimbra.lab sendToDistList

If grants are inheriting from the parent DL, then the output of the above command will be like below.

ALLOWED
Via:
target type : dl
target : parent-distributionlist@zimbra.lab
grantee type : pub
grantee :
right : sendToDistList

Troubleshooting the Zimbra milter

  • Verify the milters settings:
zmmilterctl status 
Milter server is running.
Verified Against: ZCS 7.0, ZCS 8.0, ZCS 8.5, ZCS 8.6, ZCS 8.7, ZCS 8.8, ZCS 9 Date Created: 2013
Article ID: https://wiki.zimbra.com/index.php?title=Enabling_and_administering_the_Zimbra_milter Date Modified: 2022-04-06



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search