PolicyD has an Access Control module. It can be used for several purposes, for example to improve anti-spam by rejecting unlisted domains, as described in an earlier article. The Access Control module can also restrict which users/domains particular users are allowed to send to, and this article explains how to apply that.
Assume you have installed and configured PolicyD as in the article How To Install PolicyD on Zimbra 8.5. For this example, I have a user named user1@imanudin.net. This user may send only to the local domain (imanudin.net) and is denied sending to any other domain.
Open the PolicyD web UI at http://ZimbraServer:7780/webui/index.php. First, create the user and domain groups.
Select Groups. Add a new group named users_local_only and add the member users to it. Don’t forget to change the Disable status from yes to no. Add another new group named list_domain and add the member domains to it. Again, don’t forget to change the Disable status from yes to no. See the following pictures.
Select Policies | Main. Create a new policy named Sending Local Only, give it priority 30, and fill the description with information about your policy. Add a member to the new policy with group users_local_only as the source and group list_domain as the destination, but with the destination's status reversed (negated). Don’t forget to change the Disable status from yes to no. See the following pictures.
Now you must define the access control for the policy you just created. Select Access Control | Configure. Add a new access control named Sending Local Only. Under Link to policy select Sending Local Only, and select reject as the verdict. In the Data field, give the reason the email cannot be sent, such as “Sorry, you cannot sending to outside”. See the following pictures.
Don’t forget to change the Disable status from yes to no.
Enable the PolicyD access control module and restart the PolicyD service:
su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart
Now try sending an email from user1@imanudin.net to an outside domain, and check the log information in /opt/zimbra/log/cbpolicyd.log and /var/log/zimbra.log to debug.
Good luck, and hopefully this is useful 😀
How to remove cbpolicyd?
Please check my previous comment here: https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/#comment-16981
Thank u thank u…..
Hi Iman,
I would like to restrict users from receiving from other domains; kindly suggest me on this…..
Hi Mani,
You can create another rule like the rule in this guide. You only need to define the source and destination and a reject rule in Access Control.
Did you manage to solve your case?
I have the same difficulty!
Hi Iman,
I have tried the same for blocking incoming mails, but in my case it’s not working. I have to allow 4 domains to send mails to my domain (Zimbra mail server); when I configure the same, all the domains are getting blocked. Please help me on this.
Hello Mani,
How did you do that? Can you give me some logs/other information?
Hi Iman,
In Groups I have created 2 groups named owndomain (members: local domain, zimbra) and owndomain1 (my company domain, @abc.com). In Main I have created a policy named owndomain only; in that, source is %owndomain and in destination I mentioned !%owndomain1. In Configure I have linked the policy and the verdict as Reject. Also I have changed all the Disable policy settings to no. But I am receiving mails from all the domains. Please help me on this.
Hello Mani,
Please try to restart the CBPolicyD service
Hi Iman,
Yes, I have done that and also did zmcontrol restart. But it's not working… Please suggest me on this. Thanks in advance..
Hi Mani,
Please make sure this command has been executed
Hi Iman,
Yes, this is enabled and outgoing mails are getting blocked. I would like to block incoming mails. Please suggest; if possible, please create an article like the outgoing block article for incoming block. Thanks in advance.
Hi Mani,
Please paste the results of the following command
Hi Iman,
This is what I am getting while running this cmd.
smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
smtpd_sender_restrictions = check_policy_service inet:localhost:10031, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
Thank you!!!
Hi Mani,
Please send me the cbpolicyd database so that I can check it in my lab. You can find the database at /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
Hi Iman,
Hope you are doing good… The same way I entered the domain names (5 domains), and from those domains my Zimbra domain is not receiving any mails. But what I expected was the opposite: I would like to receive mails from only those 5 particular domains. Anyhow it's implemented and working partially.. Thank you for your valuable time and support… Keep rocking,…
Hi Mani,
Can you send me your PolicyD database, so that I can check the rule from your database?
Hi Iman,
Please let me know how to grep the policyd database.
Hi Mani,
You can send me this file: /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
Hi Iman,
Have you already tested a Zimbra configuration at the SMTP level to restrict a specific user so that messages from external domains are rejected?
Hi Fabiano,
You can try this one and adjust it to your environment: https://imanudin.net/2014/10/13/restricting-users-to-send-mails-to-certain-domains-on-zimbra-8-5/
Hi Iman,
I already tried this solution to prevent an account from sending messages to external domains, and it's OK.
Now I need to prevent that same account from receiving messages from external domains. I tried to reverse that configuration, but with no success (I want an account that can only send and receive messages to and from the local domain).
I made that restriction with amavis, and it works fine.
I think it's possible at the SMTP level too, but no success yet.
Hi Fabiano,
I think you can define on restricted_sender the domains that you accept, and define on local_domain the users that receive email from outside
Hi Imam,
I have a distribution list which I want to restrict from receiving emails from all external domains, but at the same time I want to allow some external domains, e.g. I want to block *@gmail.com and *@hotmail.com but allow *@partnercompaniesdomain.com. Please let me know how we could get this done?
Hi Nishant,
Please try this guidance: https://imanudin.net/2016/02/09/zimbra-tips-how-to-restrict-sending-to-distribution-list/
Hi Pak Iman.
I have done the settings as above, but have not yet run the script
su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart
Currently the restricted user can still send email to a DL that they should not be able to.
Do I have to run that script every time I set a restriction, or only once? Because I am only an admin on the webUI side.
Thank you
Hi Mas Wisnu,
If that command has already been run before, it does not need to be run again
Do I have to run this “zmcbpolicydctl restart” script every time I create a new restriction rule, Pak?
Thank you in advance.
Hi Mas Wisnu,
Only if the rule does not work, then restart manually with that command
This restriction rule still does not work, but the rate limit rule works. What is the solution, Pak? Thank you
Hi Mas Wisnu,
Has the access control feature been enabled? If so, try restarting the PolicyD service
I have finished installing policyd, but when I access the policyd link on the server, I don't succeed in submitting the policyd group members as in the article
Hi Afif,
Can you give me more information, like a screenshot of your problem?
I want to block a user account from sending to another local domain, after following the article http://linux-sys-adm.com/how-to-restrict-users-sending-to-certain-usersdomains-zimbra-8.6-on-ubuntu-server-14.04-lts-step-by-step/ . I have succeeded in blocking with the webmail server, but I have not succeeded in blocking with a mail client. Please help me.
Can this article block an account from sending e-mail to another domain with a mail client?
Please try this guidance: https://imanudin.net/2014/10/13/restricting-users-to-send-mails-to-certain-domains-on-zimbra-8-5/
Hi Iman,
After configuring policyd, emails are not being received in the local domain.
E.g.: user1@mymail.com tries to send mail to user2@mymail.com; it shows the mail sent successfully, but user2 does not receive any mail from user1
Hi Kumar,
You can check the queue. It can be caused by the policyd service being stopped
Hi Sir,
How can I allow a user in Zimbra webmail to send anywhere using his external account, if the user has been restricted using policyd to send to local only?
Hi Ken,
AFAIK, external accounts configured in Zimbra still use Zimbra's SMTP (on behalf). So the user still uses your internal user. CMIIW
Hi Iman,
Thanks for the article.
Do you know if there is a way to get a list of “Policy group members” users from an AD Windows/LDAP group?
I usually perform a query to AD and insert manually (using SQL syntax) into the SQLite database
I wanted to create a mail ID in Zimbra called noreply@domain.com. Only outgoing should be enabled, and incoming disabled for this particular mail ID, using PolicyD.
Hello Santosh,
You can create a policy to do that.
Source : any
Destination : noreply@domain.com
Action : Reject or DROP
Good tutorial. Please post a tutorial on how to protect the policy web administration website with a password
Please take a look at this one: https://imanudin.net/2014/09/12/zimbra-tips-how-to-protect-policyd-webui/
Hi Iman
This guideline used to work in previous versions. It stopped working on 8.8.11.
Thank you
Hello Swarn,
The guidance is still working on 8.8.11. I tested it last month
I have a list of email accounts to restrict from sending emails to outside domains.. How to do that??
You can use this article to do that 🙂
Hi Mas Iman, I have tried the method in this article and everything works well, but only if I send email to an external domain directly using the Zimbra Web Client. However, if I try sending using the account I have set up in Thunderbird and send to an external domain address, my email is still sent and received by the external domain, but in the footer of the recipient's email there is a status like this = (null).
How can I also make the rejection happen when sending email to an external domain using Thunderbird and the like? Please, I need your advice and input.
Hi Mas Zainpi,
Which Zimbra version are you using? If you are using an earlier Zimbra version, try the guide here: https://imanudin.com/2013/10/06/solved-policyd-not-working-with-email-client-port-465587/
Hello Mas Iman, I am using Zimbra version 8.8.15 FOSS, can you help me?
Hi Mas,
For that version this guide should be applicable. I happen to use it too and it applies well, from webmail as well as from an email client
Hi, iman
My ZCS 8.6 server is acting as an open relay. Will restricting unlisted domains make my server not an open relay? Will it act as a closed relay? If not, then what more settings should I do to make it a closed relay? My server is in production. I need your help as soon as possible.
Hi Mahi,
Yes, the improvements should limit it if the sender is not your domain
Excellent tutorial. You can create a rule that only allows certain users to send and receive emails from the domain, that is, they cannot send or receive mails that are not from domain1.com.
What if a genuine mail user trying to send mass mail to all users is blocked? What kind of solution can be applied once the quota is exceeded?
You can use this one: https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/
Dear Mr Iman,
How about when a user sends an email that exceeds the specified limit, is the account immediately locked?
Hi Imron,
No, the account will receive a pop-up if the maximum number of messages has been exceeded
Good night,
I followed the article and managed to restrict sending, but I still receive email.
Could policyd block sending to and receiving from domains outside the group?
Hi Diego,
If your server is for internal use only, you can block incoming port 25, so you will not receive email from outside. If your server should receive email from outside, you can configure the ACL and adjust the source and destination with your rule
Morning Mas Iman,
If I apply an SMTP relay, this PolicyD has no effect then, right Mas?
Hi Mas,
PolicyD still runs as it should, Mas. Just make sure it is active and the rule actually exists
Hello Iman,
This is for a single user, right?
If I want the xxx.net, yyy.net, zzz.net domains (I mean all the users in them) to not be able to send to any external domains (like gmail), how should I adapt this rule?
Hi Liju,
You can create a group from the Groups menu. Then you can insert the group name as the source instead of a single user/domain
I enabled this service (access control) and it was working fine. I also enabled the SPF check and the quota service for controlling the number of emails sent in an hour. After this, the access control module is not working.
In the log it is observed as follows:
[2021/04/12-11:16:23 – 23753] [CORE] INFO: module=CheckSPF – Think this is working condition
[2021/04/12-11:16:23 – 23753] [CORE] INFO: module=Quotas – Think this is working condition
However, for the access control module no logs are observed, and these logs are observed instead:
[2021/04/12-11:16:23 – 23753] [CBPOLICYD] INFO: Got request #5 (pipelined)
[2021/04/12-11:16:45 – 19785] [CBPOLICYD] WARNING: Client closed connection => Peer:, Local:
[2021/04/12-11:16:55 – 20887] [CORE] INFO: Killing “1” children
[2021/04/12-11:16:55 – 24935] [CBPOLICYD] DEBUG: Shutting down caching engine (24935)
[2021/04/12-11:17:11 – 20887] [CORE] INFO: Starting “1” children
[2021/04/12-11:17:11 – 23912] [CORE] INFO: 2021/04/12-11:17:11 CONNECT TCP Peer: “[]:36698” Local: “[]:10031”
[2021/04/12-11:17:11 – 25625] [CORE] DEBUG: Child Preforked (25625)
[2021/04/12-11:17:11 – 25625] [CBPOLICYD] DEBUG: Starting up caching engine
[2021/04/12-11:17:11 – 23912] [CBPOLICYD] INFO: Got request #1
[2021/04/12-11:17:18 – 23912] [CBPOLICYD] INFO: Got request #2 (pipelined)
cbpolicyd details:
zimbra@system:~$ zmlocalconfig | grep -i cbpolicy
cbpolicyd_bind_port = 10031
cbpolicyd_bypass_mode = tempfail
cbpolicyd_bypass_timeout = 30
cbpolicyd_cache_file = ${zimbra_home}/data/cache
cbpolicyd_db_file = ${zimbra_home}/data/cbpolicyd/db/cbpolicyd.sqlitedb
cbpolicyd_log_detail = info
cbpolicyd_log_file = ${zimbra_log_directory}/cbpolicyd.log
cbpolicyd_log_level = 4
cbpolicyd_log_mail = main
cbpolicyd_max_requests = 1000
cbpolicyd_max_servers = 25
cbpolicyd_max_spare_servers = 12
cbpolicyd_min_servers = 4
cbpolicyd_min_spare_servers = 4
cbpolicyd_module_accesscontrol = 1
cbpolicyd_module_accounting = 0
cbpolicyd_module_amavis = 0
cbpolicyd_module_checkhelo = 1
cbpolicyd_module_checkspf = 1
cbpolicyd_module_greylisting = 1
cbpolicyd_module_greylisting_blacklist_msg = Greylisting in effect, sending server blacklisted
cbpolicyd_module_greylisting_defer_msg = Greylisting in effect, please come back later
cbpolicyd_module_greylisting_training = 0
cbpolicyd_module_quotas = 1
cbpolicyd_pid_file = ${zimbra_log_directory}/cbpolicyd.pid
cbpolicyd_timeout_busy = 120
cbpolicyd_timeout_idle = 1020
Please use zmprov instead of zmlocalconfig if using Zimbra 8.X or later
How to add bulk users to the users_local_only group.. Please advise..
You can use the sqlite command. Please see the Zimbra Wiki for an example
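As an added example (not from the article or from any of the commenters), here is the article's Sending Local Only configuration and the bulk-add of members asked about above written directly against the cbpolicyd SQLite database. The table and column names are my assumption of cbpolicyd's schema; the group names, priority, source/destination notation and reject message are the article's; the database itself is constructed in memory (on a real server, run it against a backup copy of the file and restart cbpolicyd afterwards).

```python
import sqlite3

# Constructed minimal copy of the cbpolicyd tables touched below (column names are an
# assumption; the real file is /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb).
SCHEMA = """
CREATE TABLE IF NOT EXISTS policy_groups (ID INTEGER PRIMARY KEY, Name TEXT UNIQUE, Disabled INTEGER DEFAULT 0);
CREATE TABLE IF NOT EXISTS policy_group_members (ID INTEGER PRIMARY KEY, PolicyGroupID INTEGER, Member TEXT, Disabled INTEGER DEFAULT 0);
CREATE TABLE IF NOT EXISTS policies (ID INTEGER PRIMARY KEY, Name TEXT UNIQUE, Priority INTEGER, Description TEXT, Disabled INTEGER DEFAULT 0);
CREATE TABLE IF NOT EXISTS policy_members (ID INTEGER PRIMARY KEY, PolicyID INTEGER, Source TEXT, Destination TEXT, Disabled INTEGER DEFAULT 0);
CREATE TABLE IF NOT EXISTS access_control (ID INTEGER PRIMARY KEY, PolicyID INTEGER, Name TEXT, Verdict TEXT, Data TEXT, Disabled INTEGER DEFAULT 0);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)  # work on a backup copy of the real file
    conn.executescript(SCHEMA)    # no-op on a database that already has the tables
    return conn

def ensure_group(conn, name):
    """Return the ID of policy group `name`, creating it enabled (Disabled=0) if absent."""
    row = conn.execute("SELECT ID FROM policy_groups WHERE Name=?", (name,)).fetchone()
    return row[0] if row else conn.execute("INSERT INTO policy_groups (Name, Disabled) VALUES (?, 0)", (name,)).lastrowid

def add_members(conn, group, members):
    """Bulk-add users (user@dom) or domains (@dom): lower-case, skip blanks, duplicates and existing rows."""
    gid = ensure_group(conn, group)
    present = {r[0] for r in conn.execute(
        "SELECT Member FROM policy_group_members WHERE PolicyGroupID=?", (gid,))}
    wanted = dict.fromkeys(m.strip().lower() for m in members if m.strip())
    rows = [(gid, m) for m in wanted if m not in present]
    conn.executemany("INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled) VALUES (?, ?, 0)", rows)
    conn.commit()
    return len(rows)  # number actually inserted, so a re-run on the same list returns 0

def members_of(conn, group):
    gid = ensure_group(conn, group)
    return sorted(r[0] for r in conn.execute(
        "SELECT Member FROM policy_group_members WHERE PolicyGroupID=? AND Disabled=0", (gid,)))

def create_local_only_policy(conn, local_domains, reject_msg="Sorry, you cannot sending to outside"):
    """Article's rule: source %users_local_only, destination !%list_domain ('!' negates), priority 30, verdict REJECT."""
    add_members(conn, "list_domain", local_domains)
    ensure_group(conn, "users_local_only")
    pid = conn.execute("INSERT INTO policies (Name, Priority, Description, Disabled) VALUES (?, 30, ?, 0)",
                       ("Sending Local Only", "Group members may send to local domains only")).lastrowid
    conn.execute("INSERT INTO policy_members (PolicyID, Source, Destination, Disabled) VALUES (?, ?, ?, 0)",
                 (pid, "%users_local_only", "!%list_domain"))
    conn.execute("INSERT INTO access_control (PolicyID, Name, Verdict, Data, Disabled) VALUES (?, ?, 'REJECT', ?, 0)",
                 (pid, "Sending Local Only", reject_msg))
    conn.commit()
    return pid
```

Feed add_members the output of your AD/LDAP query (one address per item) and it only inserts what is missing, which keeps repeated runs safe.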
Hi Iman,
I have applied CBPolicyD, but when I enable the service in Zimbra version 8.8 I get:
Nov 11 20:33:39 mail postfix/postscreen[]: warning: cannot connect to service private/smtpd: Resource temporarily unavailable
Nov 11 20:33:39 mail postfix/postscreen[]: CONNECT from [IP]:33338 to [IP]:25
Nov 11 20:33:39 mail postfix/postscreen[]: PASS OLD [IP]:33338
Please ensure you have restarted the Zimbra service
Is there a way to block the account after sending x amount of emails in 1 hour?
You can create a simple script to:
– check from the log whether the user has reached the limit
– parse that log to get the sender
– then lock the account
Hi Iman,
This is Mohan,
I followed the above cbpolicyd setup steps in my Zimbra 8.8.15, and the PolicyD setup process was completed. The cbpolicyd GUI portal is working.
My goal: email sending restrictions, only allowing sending email to our local domain.
I have added the email restriction process, but the restriction rules are not working; the emails go to external domains. Can you please help with this?
Hi Mohanjoy,
You can test by blocking all email (any to any) to ensure the rule is working. If the any-to-any rule is not working, please ensure policyd access control has been activated