Rejecting unlisted domains is one of many methods to improve anti-spam protection on an email server, especially a Zimbra mail server. On Zimbra, any IP address can be listed as a trusted network. An IP address listed as a trusted network can send email without authentication. In other words, an IP address on the trusted network can send email with any sender domain, even one that is not listed on Zimbra.
If your email server hosts the domain example.com, it should only send email to the outside with the example.com domain; anything else should be rejected. This article describes step by step how to reject unlisted domains on Zimbra with Policyd. It assumes you have installed and enabled Policyd. If not, you can follow this article to enable it: https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/
Access the Policyd WebUI via a browser at http://zimbraserver:7780/webui/index.php. Make sure the Zimbra Apache service is running.
Select Policies | Groups. Select action and add a group named list_domain. The comment can be left empty or filled in. Select the group that has just been created. On action, select Members and fill in your domain. See the following example. Make sure the Disabled status is "no" for both the group and its members.
Select Policies | Main. Add a new policy and give it a name and information like the following picture. Then submit the query.
Select the new policy that has just been created and select Members on action. Add a member and fill in source and destination with the group that was created previously. See the following picture.
The above configuration means that both the source and the destination are not members listed in the group. Select Access Control | Configure. Add a new ACL and give it a name and information like this:
Name : Reject Unlisted Domain
Link to policy : Reject Unlisted Domain (the new policy created previously)
Verdict : Reject
Data : Sorry, you are not authorized to sending email
See the following picture. Then submit the query.
Make sure the Disabled status is "no" for every item that has been configured. Enable Policyd access control and restart the Policyd service:
su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart
Try sending an email using telnet on the Zimbra mail server itself. The following is an example result with the above configuration:
mail:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.xxxxxxx.xxx ESMTP Postfix
ehlo mail
250-mail.xxxxxxx.xxx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ahmad@gmail.com
250 2.1.0 Ok
rcpt to:ahmad@yahoo.com
554 5.7.1 <ahmad@gmail.com>: Sender address rejected: Sorry, you are not authorized to sending email
Good luck and hopefully useful 😀
I want to restrict users so they can only send mail to the local domain. Can I set the server like this?
Thanks a lot.
I have restricted user send mail to local domains.
Hi phphy,
I am happy to hear that. Good job 😀
I have followed your article about “Reject Unlisted Domain On Zimbra” but my zimbra server restricted all the mails going out saying “‘xxx@yahoo.com’ on 25/07/2015 16:51
Server error: ‘554 5.7.1 : Sender address rejected: Sorry, you are not authorized to sending email’, what is this error?
Hi Gayaliranga,
Have you made sure the policy you created is from !list_domain to !list_domain?
list_domain=fill with your domain
With reject unlisted domain we have a way to block other domains, but for the local domain I am getting spam from random usernames with the local domain. How to allow only listed email accounts to send mail… how to block unlisted email accounts…
Hi sathish,
You could use this improvement for your problem : https://imanudin.net/2014/09/07/how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username-on-zimbra-8-5/
Thank you for your article, any question :
after I tried turned out to account reject the sender does not receive an error
“Sender address rejected: Sorry, you are not authorized to sending email”
How can the sender receive the error?
Thank You
Is it possible to lock a compromised account as spam, automatically?
Hi,
It could be handled by COS or preferences for every user.
Thanks a lot for the tutorial. Very useful.
Hi,
I get an error by executing the following command.
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
Error : ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name – unable to modify attributes: zimbraCBPolicydAccessControlEnabled: attribute type undefined)
Hi Mehmet,
What Zimbra version do you use? This guidance is for Zimbra 8.5 and newer.
Hello, I have successfully blocked the other domains, but after several days all blocked domains regained their access. None of the settings changed in cbpolicyd. How is this possible?
Weird but it works…
source !%local_domain
destination !local_domain
Hi Nicholas,
Glad to hear that 😀
Can i ask how to block an IP from trying to send spam using our server? This certain IP is trying to access our server thru ssh and trying to log on random account
Hi Christian Kim,
Please change the default SSH port from 22 to another port, for example 2254.
Changing the default SSH port will reduce (or stop) access to your server
Hello, is it possible to automatically import all domains I configure in Zimbra as members of the “list_domain” policy group?
Hi Zoran,
No, you should make an SQL file and import it into the database. Please see the example at this link: https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd
Using the article I had implemented the policy but it has stopped sending mails among the users of the server within the server domain.
Pl. help.
Hi,
What log info are you getting when you try this configuration? Have you added your domain to list_domain?
Had implemented rate limit policy prior to this. Had defined my domain there in list_domain. Hence used the same variable here.
The log reads like this:
[2016/04/28-12:50:33 – 61888] [CORE] INFO: module=AccessControl, action=reject, host=, helo=, from=, to=, reason=verdict
Here is the correct version:
[2016/04/28-12:50:33 – 61888] [CORE] INFO: module=AccessControl, action=reject, host=ip_address, helo=server_name, from=user1@domain, to=user2@domain, reason=verdict
Hi,
Please make sure to put ! in front of the group when configuring Policies. If you do not add the ! symbol, the policy will drop all email from internal to internal, but not from internal to external or external to internal.
I had placed ! in front of group while configuring policies.
However, I had got it through by enabling “default inbound” and “default internal” policies using groups “internal_ips” and “internal_domains” which I had disabled earlier. Is it OK doing this?
Thanks for your time
Hi Amit,
I don’t know whether that has an effect or not. By default, I do not touch the default groups 😀
As Salam Iman,
I have followed your article and it works. But when I received an email from someone who requested to be notified, it rejected that email. The error message was as below when I clicked to be notified:
msg : system failure : error while sending read receipt
Thank you.
Waalaikumussalam,
Hi Syafeeq,
I think the problem is that the sender asks for a read receipt after he sends email to you.
Dear Iman,
Many thanks for your articles you made on your blog. They helped me a lot to improve the security of my Zimbra servers.
But I need help to fix my problem with the policyd settings in this article. The setting works as expected but the out-of-office messages stopped. If I disable this then it works.
Error message in mailbox.log:
(Zimbra user: user1@zimbradomain.com,
Other user: other@otherdomain.com)
[name=user1@zimbradomain.com;mid=260;ip=11.22.33.44;] smtp – Failed to send message
com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient other@otherdomain.com: 554 5.7.1 : Sender address rejected: Sorry, you are not authorized to sending email.
I don’t understand why Zimbra wants to identify the sender as Other user and not Zimbra user.
Any help will be appreciated. Thanks.
Hi Andras,
If you configure out of office, all email will be known as coming from the real sender (not your account/domain)
Hi Iman,
That was what I expected to happen, but it is not happening. I use the latest Zimbra 8.7 OSE. Do you need more info from the log file?
Thanks.
Sorry Iman,
Maybe I misunderstood your answer. So is there any way to make exceptions for out-of-office messages in policyd settings?
Hi Andras,
You can make an exception by sender/recipient. Making an exception is not easy because the sender is random. I think you should disable the rule for a certain period (when you enable Out of Office)
Yes, I disabled it. I really like this restriction but I won’t be using it as I am hosting ~30 domains and a few hundred accounts on this server.
Salaam Iman.
Great how-to to secure zimbra servers !
One question. Can we use wildcard too in domain name. Such as @*.example.com (I want to relay mails with @abc.example.com, @xyz.example.com etc)
Thank you.
Hi Imran,
You cannot use a wildcard in the domain name. The domain name should be @domainname.tld
I have a question about read receipts. After implementing these rules, when a user gets an email asking for read confirmation, they click on send and get an error in the browser. After digging I found this in the cbpolicyd log. It appears the confirmation is sent from email address
[CORE] INFO: module=AccessControl, action=reject, host=X.X.X.12, helo=mail.company.net, from=, to=sanga.c@companyB.care, reason=verdict
How can I correct for this issue?
Hi Sanga,
If you apply this improvement, the out of office feature, auto forward and read receipts will be rejected
Thanks for the update! I guess we have to make some decisions on whether block the spam or allow the features the users requested.
After some tests I found a solution, in the Policy Group add a new entry in the list_domain group and add the ip of your server in the example X.X.X.12/32. With this new entry you will be able to confirm the read receipt request.
Hi Paulo,
Thanks for your information. Very helpful
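A triage sketch for the rejections discussed in the article and in the threads above, added here as an example and not part of the original post or any comment: it parses cbpolicyd AccessControl reject lines in the log format quoted above and separates intended rejects (unlisted sender to unlisted recipient) from empty-sender rejects (the read-receipt case) and rejects that involve a listed domain (a sign the "!" is missing from the policy member). The log lines, the LISTED set and the label names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the cbpolicyd log format quoted in the comments
# (hosts, addresses and timestamps are made up for this example).
SAMPLE_LOG = """\
[2016/04/28-12:50:33 - 61888] [CORE] INFO: module=AccessControl, action=reject, host=192.0.2.12, helo=mail.example.com, from=ahmad@gmail.test, to=ahmad@yahoo.test, reason=verdict
[2016/04/28-12:51:02 - 61888] [CORE] INFO: module=AccessControl, action=reject, host=192.0.2.12, helo=mail.example.com, from=, to=sanga@partner.test, reason=verdict
[2016/04/28-12:52:40 - 61889] [CORE] INFO: module=AccessControl, action=reject, host=192.0.2.30, helo=pc30, from=user1@example.com, to=user2@example.com, reason=verdict
[2016/04/28-12:53:11 - 61889] [CORE] INFO: unrelated constructed line
"""

# Assumption: the domains entered as members of the list_domain group.
LISTED = {"example.com"}

# key=value pairs; an empty value (from=,) is kept as an empty string.
FIELD = re.compile(r"(\w+)=([^,\s]*)")


def domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(line, listed=LISTED):
    """Return a triage label for an AccessControl reject line, else None."""
    fields = dict(FIELD.findall(line))
    if fields.get("module") != "AccessControl" or fields.get("action") != "reject":
        return None
    sender, rcpt = fields.get("from", ""), fields.get("to", "")
    if not sender:
        # Empty envelope sender: the read-receipt rejection shown in the log above.
        return "null-sender"
    if domain(sender) in listed or domain(rcpt) in listed:
        # The rule should only match when neither side is listed, so this
        # points at a policy member without "!" or a disabled group member.
        return "listed-domain-rejected"
    return "unlisted-relay"  # the reject the article intends


def triage(text, listed=LISTED):
    """Count reject lines per label over a whole log excerpt."""
    return Counter(label for label in (classify(l, listed) for l in text.splitlines()) if label)


if __name__ == "__main__":
    for label, count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{count:3d}  {label}")
```

A non-zero "listed-domain-rejected" count right after enabling the ACL is the signal to recheck the policy members before users start reporting bounces.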
Greetings, I have the following query, is it possible to use a tool such as cbpolicyd to reject Zimbra SPAM attacks?
Hi Ariel,
Yes sure. You can configure SPF check as the example : https://imanudin.net/2016/03/11/zimbra-tips-how-to-enable-spf-checking-for-incoming-connection/
Hi Iman, when I select “Verdict” filter, what type of filter can I do? Where can I find a manual for the filter syntax?
Hi Gianmario,
When you are using filter, you can trigger another process such as scanning with an external antispam, forwarding to another relay server, etc. I use filter for relaying to another server
Hello,
In the “list_domain” member should I add all the domains I want to release? Is not there a way for it to automatically know which domains are listed in Zimbra, and block everything that is not listed?
Thanks
Hi Rocha Neto,
Currently, CBPolicyd on Zimbra is not integrated with Zimbra LDAP to retrieve information about domains 😉
Please, Is it possible to block email where return-path in header does not match from address?
We get a lot of email with return-path = spam account but From = internal email address and it confuses some of our users and they end up opening spam viruses. If possible to block by policyd, please explain how.
Thanks you are Genius
Hello,
Have you tried this method: https://imanudin.net/2014/09/07/how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username-on-zimbra-8-5/
Thanks, I already have that configured. But my issue is the spammer is not relaying or authenticating via my server. It's spam from an account outside my server, e.g. spam@gmail.com, but the from address is configured as user@myserver.com. When it gets to the mailbox, unless you view the original email, the spam address is not visible.
Hello,
You can combine with SPF checking : https://imanudin.net/2017/03/23/zimbra-tips-how-to-enforce-spf-checking-for-incoming-email/
Hi imanudin,
Zimbra Server Going to spam folder yahoo gmail and when I Check my spf and dkim dmarc PASS in gmail yahoo but still going spam can you give solution this and You need other information.
GTS
Hello,
Please try to submit your problem from here : http://postmaster.google.com
Hi Imanudin,
I was tried and my domain google TXT records google-site-verification code but still going spam please can you suggest me what is next i need follow.
GTS
Hello,
1. You can try to use SMTP relay like sendgrid, smtp2go and other
2. You can also try this one : https://support.google.com/mail/contact/msgdelivery
Hi imanudin,
I couldn’t understand SMTP relay like sendgrid and smtp2go, because I am totally new
Can you send any document or link, Please help me on this.
GTS
Hello,
You can see from this : https://sendgrid.com/ and this : https://www.smtp2go.com/
Hi imanudin,
Send-grid and smtp2go I can use trail and can I setup domain authentication (TXT records)
Please suggest me
GTS
Hi imanudin,
In send-grid only TXT records and MX records are add my domain or also can add cname also please advise on this and thanks for your quick response.
GTS
Hello,
Please try this one: https://www.jamescoyle.net/how-to/1641-zimbra-mail-server-intergration-with-sendgrid
Hi imanudin,
Please suggest me the previous comments.
GTS
Hi Imanudin,
When I send to gmail going spam folder but When I check the source file here showing all pass
SPF: PASS with IP Adress Learn more
DKIM: ‘PASS’ with domain domain.com Learn more
DMARC: ‘PASS’ Learn more
But Still going spam folder can suggest me
gts
Hello,
I can only suggest following this instruction: https://support.google.com/mail/contact/msgdelivery. But if your email is still going to the spam folder, sorry, I cannot help you. That is all I know
How to configure and Customizing Spam Assassin..is there any Guidance
pls suggest me
Hello,
Please try this one : https://www.missioncriticalemail.com/2019/03/21/zimbra-anti-spam-best-practices-2019/
hello,
Microsoft mail server is rejecting sent from my Zimbra mail server. so please need your suggestion i have mention that undelivered message detail.
“I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
: host
outlook-com.olc.protection.outlook.com[104.47.5.33] said: 550 5.7.1
Unfortunately, messages from [ x.x.x.x] weren’t sent. Please contact
your Internet service provider since part of their network is on our block
list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[HE1EUR02FT047.eop-EUR02.prod.protection.outlook.com] (in reply to MAIL
FROM command)
Hello,
Please submit your problem in here: https://s.id/5bHX5
Hi ,
I have installed and configured policyd on zimbra-8.5 with mentioned steps in below link.
https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/
https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/
However after completing it i am unable to access Zimbra web UI and after restarting zimbra services as well getting below status.
[zimbra@mail ~]$ zmcontrol status
Host mail.test.net
amavis Running
antispam Running
antivirus Running
cbpolicyd Stopped
policyd is not running.
ldap Running
logger Running
mailbox Stopped
mysql.server is not running.
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Stopped
mysql.server is not running.
snmp Running
spell Running
stats Stopped
zimbra webapp Stopped
mysql.server is not running.
zimbraAdmin webapp Stopped
mysql.server is not running.
zimlet webapp Stopped
mysql.server is not running.
zmconfigd Running
[zimbra@mail ~]$
Could you please help on this to check ?
Hi Sadanand Ukarande,
After restarting Zimbra, you should restart Zimbra Apache
Dear Pak Imam,
The article is very good, and very useful when the email server is on an office network or behind a NAT firewall. Usually when a PC is infected by a virus, it attacks Outlook, then duplicates emails and sends them to the email addresses in the Outlook contacts
Thank you very much
Mas Ahmad,
A question. I have followed it step by step, but why do the emails still slip out? Everything has been followed, nothing was skipped. Why is that? I am using FOSS 8.8.15
Hi Mas Dede,
Make sure port 10031 is listening when checked with the following command:
Also make sure the CBPolicyd service is enabled
Hi, how can I block any mail with from fake address domain from a customer who is in the mynetworks allowed to send mail to local domain and external domain?
Hi Kevin,
You can try reject_unknown_sender_domain and reject_unknown_recipient_domain
Thank you very much for the tutorial you made, Mas. It helps a lot of people.
I have followed the Policyd installation procedure correctly and it is accessible.
However, when adding a Group or any other setting, the result is not saved. Where do you think the problem is, Mas?
Hi Mas,
You can try recreating the database: https://imanudin.com/2020/03/27/membuat-ulang-database-policyd/
Hi Mas,
This database reconfiguration does not affect the main Zimbra settings, right?
I am still a bit hesitant to go ahead with recreating the policyd database because the email server is already in use.
But if it really does not interfere, I will do it right away.
Thank you.
Hi Mas,
It should not. It only affects the PolicyD database. If in doubt, you can test it on a development server first