Smtpd recipient restrictions
Restrict users to receiving emails from certain external domains only
Problem
Sometimes a user needs to be restricted from receiving external emails, so that the user can receive emails from certain external domains only.
Solution
NOTE: This is a customization and needs to be tested in a test environment before it is implemented in production. Also, these changes may not survive an upgrade.
Perform the following steps:
Step 1: Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add the line below right after %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients
Example:
%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients
Step 2: Create a recipients file.
$ touch /opt/zimbra/conf/protected_recipients
Step 3: Add an entry like the one below to /opt/zimbra/conf/protected_recipients for each recipient you want to protect.
usera@recipient.com permitted_senders_list
Notes:
- If a domain (for example recipient.com) is listed instead of an address, the rule applies to all recipients in that domain.
- permitted_senders_list is a class name, and it is used in the main.cf file (Step 7).
Step 4: Create a permitted senders file
$ touch /opt/zimbra/conf/permitted_senders
Step 5: Add entries like the ones below to /opt/zimbra/conf/permitted_senders for each sender you want to allow to send email to protected recipients.
user@sender.com ok
sender2.com ok
Notes:
- Add the home domain (i.e. recipient.com) to accept emails from the same domain.
- If a domain is listed, the entire domain is allowed.
Step 6: Generate the lmdb files for the permitted senders and protected recipients by running the commands below.
$ postmap lmdb:/opt/zimbra/conf/permitted_senders
$ postmap lmdb:/opt/zimbra/conf/protected_recipients
Note:
- To keep the lmdb files up to date, run postmap whenever /opt/zimbra/conf/permitted_senders or /opt/zimbra/conf/protected_recipients is modified.
Step 7: Edit /opt/zimbra/common/conf/main.cf and add the lines below at the end.
smtpd_restriction_classes = permitted_senders_list
permitted_senders_list = check_sender_access lmdb:/opt/zimbra/conf/permitted_senders, reject
Step 8: Restart Configd and the MTA.
$ zmconfigdctl restart
$ zmmtactl restart
Notes:
- Run all the commands as the Zimbra user (su - zimbra).
- Take a backup of the respective files before editing them.
- This is a customization, and it will not survive any upgrade.
Verify the changes have taken effect
- Send an email to a protected recipient from a sender that is not allowed, and check the MTA logs.
- If a message is sent to a protected recipient from a sender that is not allowed, the message is rejected, and the corresponding log entry can be found in the MTA log file /var/log/zimbra.log.
postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname>
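A dry run of the lookups configured in Steps 1 to 7, as an added example that is not part of the original page or of Zimbra: it predicts whether an envelope sender/recipient pair is permitted or rejected before the tables are compiled with postmap. The table contents are constructed from the entries in Steps 3 and 5, and the function names are hypothetical.

```python
# Added example: dry run of the lookups from Steps 1-7 (not Zimbra code).
# Tables are constructed from the entries in Steps 3 and 5, plus the home
# domain that the Step 5 notes recommend adding.
PROTECTED_RECIPIENTS = """
usera@recipient.com permitted_senders_list
"""
PERMITTED_SENDERS = """
user@sender.com ok
sender2.com ok
recipient.com ok
"""

def parse_table(text):
    """Parse whitespace-separated 'key value' lines, as in a postmap source file."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table

def lookup(table, address, parent_domains=True):
    """Try the full address, then the domain part (the user@ form is not modelled).
    parent_domains=True assumes the stock Postfix setting in which
    parent_domain_matches_subdomains lists smtpd_access_maps."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    keys = [address, domain]
    if parent_domains:
        labels = domain.split(".")
        keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in table:
            return table[key]
    return None

def decide(sender, recipient, parent_domains=True):
    """Return 'continue', 'permit' or 'reject' for one envelope sender/recipient pair."""
    recipients = parse_table(PROTECTED_RECIPIENTS)
    senders = parse_table(PERMITTED_SENDERS)
    if lookup(recipients, recipient, parent_domains) != "permitted_senders_list":
        return "continue"  # recipient not protected: later restrictions decide
    action = lookup(senders, sender, parent_domains)
    # The class is "check_sender_access ..., reject": no match ends in reject.
    return "permit" if action and action.lower() == "ok" else "reject"

if __name__ == "__main__":
    for s in ("user@sender.com", "other@sender.com", "x@mail.sender2.com"):
        print(s, "->", decide(s, "usera@recipient.com"))
```

The sender compared here is the envelope sender, the from=<...> value in the log entry above, not the From: header of the message.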
Submitted by: Raghu Noti