Smtpd recipient restrictions

Restrict users to receiving email from certain external domains only


   KB 24163        Last updated on 2023-06-13  





Problem

Sometimes a user needs to be restricted from receiving external email. More broadly, the user should be able to receive email from certain external domains only.

Solution

NOTE: This is a customization and must be tested in a test environment before it is implemented in production. These changes may not survive an upgrade.

Perform the following steps:

Step 1: Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add the line below immediately after the line %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%

check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients

Example:

%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
check_recipient_access lmdb:/opt/zimbra/conf/protected_recipients

Step 2: Create a recipients file.

$ touch /opt/zimbra/conf/protected_recipients

Step 3: Add an entry like the one below to /opt/zimbra/conf/protected_recipients for each recipient you want to protect.

usera@recipient.com       permitted_senders_list

Notes:

If a domain (e.g. recipient.com) is given instead of an address, the rule applies to all recipients in that domain.
permitted_senders_list is a restriction class name; it is used in the main.cf file (Step 7).

Step 4: Create a permitted senders file

$ touch /opt/zimbra/conf/permitted_senders

Step 5: Add entries like the ones below to /opt/zimbra/conf/permitted_senders for each sender you want to allow to send email to protected recipients.

user@sender.com ok
sender2.com ok

Notes:

Add the home domain (e.g. recipient.com) to accept email from the same domain.
If a domain is given, the entire domain is allowed.

Step 6: Generate the lmdb files for the permitted senders and protected recipients by running the commands below.

$ postmap lmdb:/opt/zimbra/conf/permitted_senders
$ postmap lmdb:/opt/zimbra/conf/protected_recipients

Note:

To keep the lmdb files up to date, run postmap whenever /opt/zimbra/conf/permitted_senders or /opt/zimbra/conf/protected_recipients is modified.

Step 7: Edit /opt/zimbra/common/conf/main.cf and add the lines below at the end.

smtpd_restriction_classes = permitted_senders_list
permitted_senders_list = check_sender_access lmdb:/opt/zimbra/conf/permitted_senders, reject

Step 8: Restart configd and the MTA.

$ zmconfigdctl restart
$ zmmtactl restart

Notes:

Run all the commands as the zimbra user (su - zimbra).
Take a backup of the respective files before editing them.
This is a customization, and it will not survive any upgrade.

Verify that the changes have taken effect

  • Send an email to a protected recipient from a sender that is not permitted, and check the MTA logs.
  • A message sent to a protected recipient by a sender that is not permitted is rejected, and the corresponding entry can be found in the MTA log file /var/log/zimbra.log:
postfix/smtpd[19610]: NOQUEUE: reject: RCPT from unknown[Sender IP address]: 554 5.7.1 <user@recipient.com>: Recipient address rejected: Access denied; from=<user@sender.com> to=<user@recipient.com> proto=ESMTP helo=<Sender hostname>
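
The decision that Steps 1 to 7 configure, modelled in Python as an added example (not part of the original article, Zimbra or Postfix). It assumes the stock Postfix access-table lookup order (full address, then domain, then parent domains) and ignores address extensions and the localpart@ form; the function names are hypothetical, the tables reuse the article's sample entries, and the sender/recipient pairs are constructed.

```python
# Added example: simplified model of the policy configured above.
# Assumes stock Postfix lookup order; not Zimbra or Postfix code.

def parse_table(text):
    """Parse 'key value' lines of an access table (keys lowercased)."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table

def lookup(table, address):
    """Try the full address, then its domain, then each parent domain."""
    address = address.lower()
    if address in table:
        return table[address]
    domain = address.rpartition("@")[2]
    while domain:
        if domain in table:
            return table[domain]
        domain = domain.partition(".")[2]
    return None

def decide(sender, recipient, protected, permitted):
    """Return 'DUNNO' (recipient not protected), 'OK' or 'REJECT'."""
    if lookup(protected, recipient) != "permitted_senders_list":
        return "DUNNO"  # class not triggered; later restrictions still apply
    # permitted_senders_list = check_sender_access <map>, reject
    result = lookup(permitted, sender)
    return "OK" if result and result.lower() == "ok" else "REJECT"

# Tables below reuse the article's sample entries.
PROTECTED = parse_table("usera@recipient.com       permitted_senders_list")
PERMITTED = parse_table("user@sender.com ok\nsender2.com ok")

if __name__ == "__main__":
    cases = [  # constructed sender/recipient pairs
        ("user@sender.com", "usera@recipient.com"),      # listed address
        ("other@sender.com", "usera@recipient.com"),     # not listed
        ("anyone@sender2.com", "usera@recipient.com"),   # listed domain
        ("userb@recipient.com", "usera@recipient.com"),  # home domain missing
        ("other@sender.com", "userb@recipient.com"),     # unprotected recipient
    ]
    for sender, rcpt in cases:
        print(f"{sender} -> {rcpt}: {decide(sender, rcpt, PROTECTED, PERMITTED)}")
```

The fourth case is rejected because recipient.com is absent from the sample permitted_senders table, which is why the note under Step 5 says to add the home domain.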


Submitted by: Raghu Noti
Verified Against: ZCS 8.8.15, ZCS 9.0 Date Created: 2020-09-27
Article ID: https://wiki.zimbra.com/index.php?title=Smtpd_recipient_restrictions Date Modified: 2023-06-13


