Posted by Policyd has module access control. This module can use for some aims as improving anti spam reject unlisted domain like article has been wrote before. Module access control also can use for restrict users sending to certain users/domains and this article will explain how to apply.
Assume you have been install and configure policyd like the following article How To Install PolicyD on Zimbra 8.5. For information, i have user with name user1@imanudin.net. This user can sending to domain local only (imanudin.net) and deny to other domain.
Open policyd webui on http://ZimbraServer:7780/webui/index.php. First, create users and domains group.
Select Groups. Add new group and given name users_local_only. Add member users to group users_local_only. Don’t forget to change status disable yes become no. Add new group and given name list_domain. Add member domains to group list_domain. Don’t forget to change status disable yes become no. See the following pictures
Select Policies | Main. Create new policy and given name Sending Local Only. Give priority 30 and fill description with information about your policy. Add member to new policy and fill on source with group users_local_only and on destination with group list_domain but with reverse status.Don’t forget to change status disable yes become no. See the following pictures
Now, you must define access to new policy has been created. Select Access Control | Configure. Add new access control and given name Sending Local Only. Select Sending Local Only on link to policy and reject on verdict. Give information about why email cannot sending on data like “Sorry, you cannot sending to outside”. See the following pictures
Don’t forget to change status disable yes become no
Enable policyd accesscontrol and restart policyd service
su - zimbra zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE zmcbpolicydctl restart
Please try to sending email from user1@imanudin.net to outside and see the log information on /opt/zimbra/log/cbpolicyd.log and /var/log/zimbra.log to debug.
Good luck and hopefully useful 😀
how to remove cbpolicyd ???
Please check my previous comment in here : https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/#comment-16981
Thank u thank u…..
Hi Iman,
I would like to restrict users receiving from other domains kindly suggest me on this…..
Hi Mani,
You can create another rule like rule in this guide. You only need to define source and destination and reject rule on Access Control
managed to solve your case?
I have the same difficulty!
Hi Iman,
I have tried the same for blocking incoming mails but in my case it’s not working. I have to allow 4 domains to send mails to my domain(Zimbra mail server) when i configure the same all the domains are getting blocked. please help me on this.
Hello Mani,
How you do that? can you give me some log/another information?
Hi Iman,
In Groups i have created 2 groups names owndomain (Members local domain,zimbra)and owndomain1(my company domain,@abc.com). In Main i have created a policy named owndomain only.in that source %owndomain and in destination i mentioned !%owndomain1.In configure i have linked the policy and verdict as Reject. Also i have changed all the disable policy as no. But I am receiving mails from all the domains. PLease help me on this.
Hello Mani,
Please try to restart CBPolicyD services
Hi Iman,
Yes, I have done and also did Zmcontrol restart. But its not working… Please suggest me on this. Thanks in advance..
Hi Mani,
Please make sure this command have been executed
Hi Iman,
Yes, This is enabled and outgoing mails are getting blocked.I would like to block incoming mails. Please suggest,If possible please create like outgoing block article for incoming block. Thanks in advance.
Hi Mani,
Please paste the results of following command
Hi Iman,
This is what i am getting while running this cmd.
smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
smtpd_sender_restrictions = check_policy_service inet:localhost:10031, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
Thank you!!!
Hi Mani,
Please send me cbpolicyd database so that i can check in my lab. You can found database on /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
Hi Iman,
Hope you are doing good… the same way i entered the domain names(5 Domains) from those domain my zimbra domain not receiving any mails. But what i expect was opposite to that would like to receive mails from only 5 particular domains. Anyhow its implemented and working partially.. Thank you for your valuable time and support… Keep Rocking,…
Hi Mani,
Can you send to me your database of policyd? so that i can check the rule from your database
Hi Iman,
Please let me know how to grep policyd database.
Hi Mani,
You can send to me this file /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
Hi Iman,
Have you already test Zimbra conf in smtp level to restrict a specific user to reject messages from external domains ?
Hi Fabiano,
You can try this one and adjust with your environment : https://imanudin.net/2014/10/13/restricting-users-to-send-mails-to-certain-domains-on-zimbra-8-5/
Hi Iman,
I already tried this solution to prevent an account from sending messages to external domains, and it`s ok.
Now i need to prevent that same account from receive messages from external domains. I was tried to revert that configuration, but with no success (I want an account that can only send and receive messages to and from local domain).
I made that restriction by amavis, and it`s work fine.
I think it`s possible through smtp level too, but no success yet.
Hi Fabiano,
I think you can define on restricted_sender domain that you accept and define on local_domain user that receive email from outside
Hi Imam,
I have distribution list which i want to restrict for sending emails on that from all external domains but at the same time want to allow for some external domains like, e.g. want to block *@gmail.com, *@hotmail.com, but wan to allow *@partnercompaniesdomain.com , please let me know we could get this done?
Hi Nishant,
Please try this guidance : https://imanudin.net/2016/02/09/zimbra-tips-how-to-restrict-sending-to-distribution-list/
Hi pak Iman.
sy sudah melakukan setting seperti di atas. namun blm menjalankan script
===========
su – zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart
===========
saat ini user yg di restrict masih dapat mengirim email ke DL yg tidak seharusnya.
Apakah harus menjalankan script tsb setiap setting restrict atau hanya sekali saja. krn sy hanya admin di sisi webUI.
Terima kasih
Hi mas Wisnu,
Jika command tersebut sudah dijalankan sebelumnya, maka command tersebut tidak perlu dijalankan kembali
apakah setiap buat rule restricted baru harus jalankan script “zmcbpolicydctl restart” ini Pak ?
terima kasih sebelumnya.
Hi mas Wisnu,
Jika rule nya tidak jalan, baru restart manual dengan perintah tersebut
rule restricted ini ttp tidak berfungsi, namun rule rate limit berfungsi. bagaimana solusinya pak ? terima kasih
Hi mas Wisnu,
Apakah feature access control nya sudah di enable? jika sudah, coba restart service Policyd-nya
Hi,
I’am finish install policyd, but when access to link policyd in server. I don’t success submit policyd group member corresponding in article
Hi Afif,
Can you give me more information like screenshot about your problem?
I want block user account to another local domain, after setting article http://linux-sys-adm.com/how-to-restrict-users-sending-to-certain-usersdomains-zimbra-8.6-on-ubuntu-server-14.04-lts-step-by-step/ . I have success block with webmail server, but I don’t have success block with mail client. Please help me.
What this article can be block account send e-mail to another domain with mail client ?
Hi,
Please try this guidance : https://imanudin.net/2014/10/13/restricting-users-to-send-mails-to-certain-domains-on-zimbra-8-5/
hi Iman,
after configuring the policyd , emails are not receiving to the local domain.
ex: user1@mymail.com trying to send mail to user2@mymail.com it showing mail sent successfully but user2 not receiving any mail from User1
Hi Kumar,
You can check on the queue. It can be caused policyd services stopped
Hi Sir,
How to allow the user in zimbra webmail to send to anywhere using his external account if the user has been restricted using policyd to send to local only?
Hi Ken,
AFAIK. External users that configure in Zimbra still use SMTP on Zimbra (on behalf). So that, user still use your internal users. CMIIW
Hi Iman,
thanks for the article.
do you know if there is a way to get a list of “Policy group members” users from AD windows/LDAP group?
Hello,
I usually perform a query to AD and insert manually (using SQL syntax) into SQLite database
Hello,
I wanted to create a mail id in zimbra called noreply@domain.com. Only outgoing should be enabled and disable incoming for this particular mail id using Policyd.
Hello Santosh,
You can create policy to do that.
Source : any
Destination : noreply@domain.com
Action : Reject or DROP
good tutorial. please post tutorial how to restrict policy web administration website with password
Hello,
Please take a look this one : https://imanudin.net/2014/09/12/zimbra-tips-how-to-protect-policyd-webui/
Hi Iman
This guidelines used to work in previous versions. It stopped working on 8.8.11.
Thank you
Hello Swarn,
The guidance still working on 8.8.11. I’ve tested at the last month
i have list of email accounts to restrict sending emails to outside domain.. how to do that ??
Hello,
You can use this article to do that 🙂
Hai Mas Iman, Saya telah mencoba cara menggunakan artiket ini dan semua berjalan dengan baik, itu hanya jika saya mengirim email ke domain external menggunakan Zimbra Web Client langsung, namun jika saya coba mengirim menggunakan email yang sudah saya atur pada Thunderbird dan coba saya kirim ke email domain external email saya masih tetap terkirim dan di terima oleh domain external, namun di bagian email footer penerima terdapat status seperti ini = (null).
Bagaimana saya bisa mengatur juga terjadi penolakan ketika mengirim email ke domain external menggunakan Thunderbird dan sejenisnya, tolong saya membutuhkan saran dan masukan anda.
Terimakasih.
Hi mas Zainpi,
Zimbra yang digunakan versi berapa? jika menggunakan Zimbra versi sebelumnya, coba panduan yang ada disini : https://imanudin.com/2013/10/06/solved-policyd-not-working-with-email-client-port-465587/
Halo mas Iman, saya menggunakan Zimbra Versi 8.8.15 FOSS, apakah mas Iman bisa membantu saya?
Hi mas,
Untuk versi tersebut seharusnya panduan yang ini sesuai. Kebetulan saya juga pakai dan ter-apply dengan baik. Dari webmail maupun dari email klien
URGENT
Hi, iman
My ZCS 8.6 server is acting as an open relay, Is restricting unlisted domain will make my server not being open relay? Will it act as a close relay? If not then what more setting should I do to make it close relay? My server is in production. I need your help as soon as possible.
Hi Mahi,
Yes Improvements should limit if the sender is not your domain
Excellent tuto, you can create a rule that only allows certain users to send and receive emails from the domain, that is, they cannot send or receive mails that are not from domain1.com.
What if a genuine mail user trying to send mass mail to all user is blocked ? what kind of solution can be applied once quota is exceeded?
Hello,
You can use this one: https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/
Dear Mr Iman,
how when a user sends an email that exceeds the specified limit, the account is immediately locked.
thanks
Hi Imron,
No, the account will receive pop up if the maximum message has been exceeded
Good night,
I followed the article and managed to restrict sending, I still receive email
could policyd block sending and receiving domains outside the group?
Hi Diego,
If your server for internal only, you can block port 25 incoming. So, you will not receive email from outside. If your server should receive email from outside, you can configure ACL and adjust source and destination with your rule