PolicyD has an Access Control module. It can be used for several purposes, such as improving anti-spam by rejecting unlisted domains, as described in an earlier article. The Access Control module can also restrict users to sending only to certain users/domains, and this article explains how to set that up.
Assume you have already installed and configured PolicyD as described in the article How To Install PolicyD on Zimbra 8.5. For this example I have a user named user1@imanudin.net. This user may only send to the local domain (imanudin.net) and is denied sending to any other domain.
Open the PolicyD web UI at http://ZimbraServer:7780/webui/index.php. First, create the user and domain groups.
Select Groups. Add a new group named users_local_only and add the restricted users as its members. Don't forget to change the Disabled status from Yes to No. Add another group named list_domain and add the allowed domains as its members. Again, change Disabled from Yes to No. See the following pictures.
Select Policies | Main. Create a new policy named Sending Local Only, give it priority 30, and fill in the description with information about your policy. Add a member to the new policy with Source set to the group users_local_only and Destination set to the group list_domain with the match inverted (reverse status), so that the policy matches mail from those users to any destination outside list_domain. Don't forget to change Disabled from Yes to No. See the following pictures.
Now define the access control that applies to the policy you just created. Select Access Control | Configure. Add a new access control named Sending Local Only. Under Link to Policy select Sending Local Only and set the Verdict to Reject. In Data, give the reason the email cannot be sent, such as "Sorry, you cannot sending to outside". See the following pictures.
Don't forget to change Disabled from Yes to No.
Enable the PolicyD Access Control module and restart the PolicyD service:
su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart
Now try sending an email from user1@imanudin.net to an outside domain, and check /opt/zimbra/log/cbpolicyd.log and /var/log/zimbra.log for the log information you need to debug.
Good luck and hopefully useful 😀
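To make the matching rule concrete, here is a small Python model of how the groups, the policy member (source %users_local_only, destination !%list_domain) and the Access Control verdict fit together. It is an added example written for this page, not the article's or the PolicyD project's code: the specification syntax it handles is limited to what appears on this page, treating an empty or disabled group as a logged non-match is an assumption, and all addresses other than user1@imanudin.net and imanudin.net are constructed. It also covers the reversed, receive-only-from variant that the comments below ask about.

```python
"""Simplified model of how PolicyD (cbpolicyd) groups, policy members and
Access Control verdicts combine.  Added example, not article or PolicyD code.
Handles only the specification syntax used on this page (%group, !%group,
@domain, user@domain, any); real cbpolicyd also matches IPs/CIDRs and HELO
names and runs other modules.  ASSUMPTION: an empty or disabled group is
recorded as a warning and treated as a non-match."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Group:
    members: List[str]               # each member is itself a specification
    disabled: bool = False           # the web UI creates entries with Disabled=Yes


@dataclass
class Policy:
    name: str
    priority: int                    # lower number is evaluated first
    members: List[Tuple[str, str]]   # (source spec, destination spec)
    disabled: bool = False


@dataclass
class AccessControl:
    policy: str                      # "Link to Policy"
    verdict: str                     # Reject, Discard, Hold, ...
    data: str = ""                   # text returned to the sender
    disabled: bool = False


@dataclass
class Decision:
    verdict: str                     # "OK" when no access control applied
    policy: str = ""
    data: str = ""
    warnings: List[str] = field(default_factory=list)


def address_matches(spec: str, address: str) -> bool:
    """Match a plain (non-group) specification against one e-mail address."""
    spec, address = spec.lower(), address.lower()
    if spec == "any":
        return True
    if spec.startswith("@"):         # whole domain, e.g. @imanudin.net
        return address.endswith(spec)
    return spec == address           # exact user@domain


def spec_matches(spec: str, address: str, groups: dict, warnings: List[str]) -> bool:
    """Resolve %group / !%group references; a leading '!' inverts the result."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if not spec.startswith("%"):
        return address_matches(spec, address) != negate
    name = spec[1:]
    group = groups.get(name)
    if group is None or group.disabled or not group.members:
        warnings.append(f"No group members for group '{name}'")
        return False                 # assumption: an unusable group never matches
    return any(address_matches(m, address) for m in group.members) != negate


def evaluate(sender: str, recipient: str, groups: dict, policies: List[Policy],
             access_controls: List[AccessControl]) -> Decision:
    """Walk enabled policies by priority; the first member matching both source
    and destination whose policy has an enabled Access Control decides."""
    acls = {a.policy: a for a in access_controls if not a.disabled}
    warnings: List[str] = []
    for policy in sorted((p for p in policies if not p.disabled), key=lambda p: p.priority):
        for source, destination in policy.members:
            if (spec_matches(source, sender, groups, warnings)
                    and spec_matches(destination, recipient, groups, warnings)):
                acl = acls.get(policy.name)
                if acl is not None:
                    return Decision(acl.verdict, policy.name, acl.data, warnings)
    return Decision("OK", warnings=warnings)


def article_config(groups_enabled: bool = True):
    # The article's setup: user1 may only send inside imanudin.net.
    # groups_enabled=False reproduces groups left at Disabled=Yes.
    groups = {
        "users_local_only": Group(["user1@imanudin.net"], disabled=not groups_enabled),
        "list_domain": Group(["@imanudin.net"], disabled=not groups_enabled),
    }
    policies = [Policy("Sending Local Only", 30, [("%users_local_only", "!%list_domain")])]
    acls = [AccessControl("Sending Local Only", "Reject", "Sorry, you cannot sending to outside")]
    return groups, policies, acls


def receive_only_from_config():
    # Reversed variant from the comments: a restricted user may receive only
    # from one allowed sender.  Addresses here are constructed.
    groups = {
        "allowed_senders": Group(["friend@example.com"]),
        "restricted_recipients": Group(["user1@imanudin.net"]),
    }
    policies = [Policy("Receive Allowed Only", 30, [("!%allowed_senders", "%restricted_recipients")])]
    acls = [AccessControl("Receive Allowed Only", "Reject", "Income Source Not Allowed")]
    return groups, policies, acls
```

In the model, leaving the groups at Disabled=Yes makes evaluate() return OK with a warning instead of Reject, which mirrors the symptom several commenters describe: mail to outside domains goes through and the only trace is a WARNING line in cbpolicyd.log.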
For this policy, if I want user1@imanudin.net to only receive email from the local domain and other specific domains, how can it be done? Will it work if I only add a 2nd policy member under Policies | Main, adding a member to the new policy and filling in source with group list_domain and destination with group users_local_only?
My goal is to restrict the account to receiving email only from the local domain + specified domains and sending only to the local domain + specified domains.
Thanks in advance
Hi iman,
I've just configured as in this tutorial but PolicyD does not seem to get the settings. The emails are sent to the restricted domain normally.
These are the PolicyD logs when I send an email:
[2014/10/18-18:13:46 - 20500] [CORE] INFO: Starting "1" children
[2014/10/18-18:13:46 - 20503] [CORE] INFO: 2014/10/18-18:13:46 CONNECT TCP Peer: "[127.0.0.1]:44927" Local: "[127.0.0.1]:10031"
[2014/10/18-18:13:46 - 20503] [CBPOLICYD] INFO: Got request #1
[2014/10/18-18:13:46 - 20503] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/10/18-18:13:46 - 20503] [CBPOLICYD] INFO: Got request #3 (pipelined)
Can you give me some advice?
Hi Vuha.Nguyen,
Have you made sure the Disabled status has been set to No on all the groups and policies you created?
@iman
Oh yes, can't believe that I have missed some enabled button 🙁 It works now!
Thank you so much!
My domain : mail.local.unique.com
Zimbra version : zcs-8.0.8
After running this command: zmprov ms mail.local.unique.com zimbraCBPolicydAccessControlEnabled TRUE
I am getting the error below
ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name - unable to modify attributes: zimbraCBPolicydAccessControlEnabled: attribute type undefined)
Please help me resolve the error
Hi Manikandan,
The following command is for Zimbra 8.5.x:
zmprov ms mail.local.unique.com zimbraCBPolicydAccessControlEnabled TRUE
If you are using Zimbra 8.0.x on a single server, you can use the simple script in this guidance (in Bahasa Indonesia 😀): http://ahmad.imanudin.com/2014/08/17/script-otomatisasi-konfigurasi-policyd/
ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name - unable to modify attributes: zimbraCBPolicydAccessControlEnabled: attribute type undefined)
The above error is displayed, please help. I am running this command on the mail server, not on the MTA server.
Hi Mahesh,
This guidance is for Zimbra 8.5 and later. What Zimbra version are you using?
Zimbra Version:
8.0.5_GA_5839.FOSS
Hi Iman, please help me with this article, I really need your help. I want to restrict some of my users to local use only, which is only within my domain. Or can you just tell me the command to enable the access control module in PolicyD? I really appreciate your help.
Hi Mahesh,
For Zimbra 8.0.x, please try these commands to enable it:
su - zimbra
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
zmlocalconfig -e postfix_enable_smtpd_policyd=yes
zmprov mcf +zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"
zmlocalconfig -e cbpolicyd_log_level=4
zmlocalconfig -e cbpolicyd_log_detail=info
zmlocalconfig -e cbpolicyd_module_accesscontrol=1 cbpolicyd_module_checkhelo=1 cbpolicyd_module_checkspf=1 cbpolicyd_module_greylisting=1 cbpolicyd_module_quotas=1
Still not working sir, please suggest. My requirement is simple:
Some users should not be able to send mail to outside domains, that's it. I followed your complete article as it is. Is there any admin
Sorry for the incomplete comment. I need to know whether there is any configuration available in the admin console, then please tell me.
Hey Iman, that's working. I configured it on the MTA server; before that I tried it on the MAIL server, but now it's working. Thanks for sharing your knowledge, it's too good buddy, thank you so much, thanks...
Hi, has anyone ever had to limit the sending of attachments per user?
Need help
Hi Alexandre,
Please take a look at this guidance: http://forums.zextras.com/zimbra-howto/289-zimbra-open-source-7-2-0-per-user-wise-attchment-setting.html
I have configured as per your guide, and I verified everything, but it's not working. Help me.
Hi Shakthi,
What Zimbra version are you using? Have you made sure all rules/policies have been changed from disable=yes to disable=no?
Yes. I am using Zimbra version 8.5_GA_3042.FOSS.
cbpolicyd.log shows
[2015/08/03-16:18:12 - 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: - Source 'users_local_only' is not a valid specification
[2015/08/03-16:18:12 - 61590] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2015/08/03-16:18:12 - 61590] [CBPOLICYD] INFO: Got request #3 (pipelined)
[2015/08/03-16:18:22 - 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: - Source 'users_local_only' is not a valid specification
[2015/08/03-16:18:22 - 61590] [CBPOLICYD] INFO: Got request #4 (pipelined)
[2015/08/03-16:18:22 - 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: - Source 'users_local_only' is not a valid specification
[2015/08/03-16:18:22 - 61590] [CBPOLICYD] INFO: Got request #5 (pipelined)
[2015/08/03-16:18:22 - 61590] [CBPOLICYD] INFO: Got request #6 (pipelined)
[2015/08/03-16:20:03 - 61590] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:57028, Local: 127.0.0.1:10031
[2015/08/03-16:20:03 - 61588] [CORE] INFO: Killing "1" children
Hi Shakthi,
It seems you created the users_local_only statement wrongly. The problem can be seen in the error log:
[2015/08/03-16:18:22 - 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: - Source 'users_local_only' is not a valid specification
Please verify your configuration again
I deleted users_local_only and created another one. The same error comes.
Hi Shakthi,
Please paste the result of the following commands:
su - zimbra
zmcontrol status
zmcontrol -v
zmprov gs mail.example.com | grep -i policyd
Note: please change mail.example.com to your hostname
zimbra@enestextilemills:~$ zmcontrol status
Host enestextilemills.net
amavis Running
antispam Running
antivirus Running
cbpolicyd Running
dnscache Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
Release 8.5.0.GA.3042.UBUNTU12.64 UBUNTU12_64 FOSS edition.
zimbraCBPolicydAccessControlEnabled: TRUE
zimbraCBPolicydAccountingEnabled: FALSE
zimbraCBPolicydAmavisEnabled: FALSE
zimbraCBPolicydBindPort: 10031
zimbraCBPolicydBypassMode: tempfail
zimbraCBPolicydBypassTimeout: 30
zimbraCBPolicydCheckHeloEnabled: FALSE
zimbraCBPolicydCheckSPFEnabled: FALSE
zimbraCBPolicydGreylistingBlacklistMsg: Greylisting in effect, sending server blacklisted
zimbraCBPolicydGreylistingDeferMsg: Greylisting in effect, please come back later
zimbraCBPolicydGreylistingEnabled: FALSE
zimbraCBPolicydGreylistingTrainingEnabled: FALSE
zimbraCBPolicydLogLevel: 3
zimbraCBPolicydMaxRequests: 1000
zimbraCBPolicydMaxServers: 25
zimbraCBPolicydMaxSpareServers: 12
zimbraCBPolicydMinServers: 4
zimbraCBPolicydMinSpareServers: 4
zimbraCBPolicydQuotasEnabled: TRUE
zimbraCBPolicydTimeoutBusy: 120
zimbraCBPolicydTimeoutIdle: 1020
zimbraMtaEnableSmtpdPolicyd: FALSE
zimbraServiceEnabled: cbpolicyd
zimbraServiceInstalled: cbpolicyd
Note: I deleted the policy which I had created before running the command.
Hi Shakthi,
Please configure PolicyD again and check the log /opt/zimbra/log/cbpolicyd.log if the problem persists.
Please make sure source and destination are configured like in the following picture: https://imanudin.net/wp-content/uploads/2014/09/policy-local-only.jpg
Thanks Bro.
I had configured it like users_local_only. Now I have configured it as in the picture and it's working fine.
Hi Shakthi,
Glad to hear that. Finally your PolicyD is working as you wish 😉
Bro
If you have the time, please look at the question in the community.
Hi Shakthi,
Did you mean this Community: https://community.zimbra.com/collaboration ? I am also active in the Community. Maybe it is the time difference between us 😉. I am here using GMT+7 as the timezone.
If you have the time, please look at my other questions.
https://community.zimbra.com/collaboration/f/1886/t/1139582
https://community.zimbra.com/collaboration/f/1886/t/1139446
cbpolicyd works on Zimbra webmail. Does this also work with email clients (Outlook, Thunderbird, etc.)?
Hi,
Yes, CBPolicyD will work fine with email clients
If I use Thunderbird or Outlook, the mail goes to the Sent folder but is not delivered to the destination. At the same time I don't get any log in the cbpolicyd.log file.
Hi Shakthi,
Please also check for any log in zimbra.log.
Please suggest me a good Zimbra mail server to host 100 email IDs
Hi Ramesh,
You can build Zimbra with the minimum requirements as below:
- 8 GB of RAM
- 150 GB of HDD (assuming 1 user has a 1.5 GB mailbox quota)
– Dual Core CPU
Great tut. In the same way, can I block incoming mail for a certain user? Like:
user1@domain.com able to receive mail only from hsakthi@gmail.com.
Hi Shakthi,
You could configure it in reverse. You only need to change Source: from @gmail.com and Destination: to @domain
Please help, not working in reverse.
I have created the two groups for source and destination (ishakthi_income_grp and ishakthi@user) and the members are listed below
ishakthi_income_grp
sakthiugapriyan.s@gmail.com as source
ishakthi@user
ishakthi@enestextilemills.net as destination
Then go to Policy | Main and click Add
name sakthi_gmail_ishakithi_enes
priority : 30
Add member for sakthi_gmail_ishakithi_enes
source %ishakthi_income_grp
destination !%ishakthi@user
Then go to Access Control and click Configure
name sakthi_gmail_ishakithi_enes
link policy to sakthi_gmail_ishakithi_enes
verdict reject
data Income Source Not Allowed
comments Income Source Not Allowed
All disabled are set to No.
Hi,
Please try to make the group name without @. I think PolicyD recognizes the group as an email address/domain
I changed the @ to _ and restarted the service, but nothing works.
Hi,
Please try to restart the PolicyD service and then try again
Yes, but not working
Help me find out the issue.
Mas Iman, why does this rule not function if we use BlackBerry? Users can still send email to other domains. Please help me, do you have any idea or tricks how to block sending to other domains, especially for clients using Zimbra on BlackBerry?
Mas Iman, how to make this rule work on BlackBerry? I have tried it with BlackBerry but users can still send email to other domains, while with Outlook and Thunderbird this method runs well
Hi mas Jhayari,
It's caused by BlackBerry using their own domain, such as below
Please try to add the BlackBerry domain in the restriction file
Thanks mas Iman, but where is the location of the restriction file, is it in PolicyD or where? Thanks before
Hi mas,
Please add it as a member of the users_local_only group in PolicyD
Dear mas Iman, is it possible that different BlackBerry series have different domains to send their email? Because with your suggestion this rule runs well on the BlackBerry Q10 series, but when we try using an old BlackBerry series it can still send to other mail servers; we tried this using a BlackBerry Bold. Thanks before, mas Iman, for your kindness and your knowledge...
Hi mas Jhayari,
Yes, it's possible. Please add the second, third etc. domain in the rule 😉
Hi iman,
First of all I must say that this post is really good and thank you so much for sharing your knowledge.
I am using Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
I have followed the above mentioned steps and it worked. I have the questions below:
1. If I want to restrict the local domain as well and only allow one public domain for incoming and outgoing traffic, then how do I do that?
I have added only one public domain as per the above steps. It worked, but it is allowing the local domain as well, which I don't want.
2. If I select "Reject" or "Discard" under Verdict, then I get "Relay access denied" in the Zimbra logs, which is fine, but these restricted mails get stuck in the deferred queue. I want them to be dropped in these conditions. How to do that?
3. If we enable this restriction, then the sending user should get a bounce-back message informing him that he does not have access. How to configure it?
Please provide your valuable inputs.
Thanks and Regards,
Kanchi
Hi Kanchan,
1. You can try to make some policies customised to your conditions. The point of it all is the logic: if source bla bla bla and destination bla bla bla then bla bla bla. This can be done with Policies and Access Control. You can start by writing your conditions (if, and, then) on paper.
2. I do not know about that. You can use this simple script to discard all queued mail from a user or domain: https://wiki.zimbra.com/wiki/Delete_Messages
3. Sorry, I also do not know how to do that
Please help us to install and configure cbpolicyd in Zimbra 8.6.0 with a multi-server environment (ldap1, ldap2, mta, mbx etc.).
Helal
From Islami Bank Bangladesh limited.
Dhaka, Bangladesh.
Hi Helal,
You only need to enable it on the MTA server. All the steps are the same as on a single server
Hi Iman,
I tried to configure exactly the same as yours, but it isn't working.
Here are the results of the zmcontrol command:
amavis Running
antispam Running
antivirus Running
cbpolicyd Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P6.
zimbraCBPolicydAccessControlEnabled: TRUE
zimbraCBPolicydAccountingEnabled: FALSE
zimbraCBPolicydAmavisEnabled: FALSE
zimbraCBPolicydBindPort: 10031
zimbraCBPolicydBypassMode: tempfail
zimbraCBPolicydBypassTimeout: 30
zimbraCBPolicydCheckHeloEnabled: FALSE
zimbraCBPolicydCheckSPFEnabled: FALSE
zimbraCBPolicydGreylistingBlacklistMsg: Greylisting in effect, sending server blacklisted
zimbraCBPolicydGreylistingDeferMsg: Greylisting in effect, please come back later
zimbraCBPolicydGreylistingEnabled: FALSE
zimbraCBPolicydGreylistingTrainingEnabled: FALSE
zimbraCBPolicydLogLevel: 3
zimbraCBPolicydMaxRequests: 1000
zimbraCBPolicydMaxServers: 25
zimbraCBPolicydMaxSpareServers: 12
zimbraCBPolicydMinServers: 4
zimbraCBPolicydMinSpareServers: 4
zimbraCBPolicydQuotasEnabled: TRUE
zimbraCBPolicydTimeoutBusy: 120
zimbraCBPolicydTimeoutIdle: 1020
zimbraMtaEnableSmtpdPolicyd: FALSE
zimbraServiceEnabled: cbpolicyd
zimbraServiceInstalled: cbpolicyd
Plus, nothing is logged in the Zimbra or cbpolicyd log.
Hi Bryan,
Please make sure the policy that has been created has Disabled = No
Can I block sending email to certain email IDs, like from the local domain to @gmail.com, or user1@domain.com to @gmail.com?
Hi Shakthi,
Yes you can. You only need to configure source and destination as you want. The example in this article can be developed for many purposes.
My Case
Dear Iman
Rule 1
From user1@domain.com to @domain.com (Priority 30) - Completed
Rule 2
From user2@domain.com to @domain.com (Priority 40) - Completed
Rule 3
From user1 and user2: can't send mail to user2@domain.com?
How to do this...
Hi Shakthi,
You can create another rule the same as rule 1 and rule 2. You only need to define source and destination
It's not working, so I created a simple case:
Need to block sending mails to Gmail
Policy -> Group
user1_from->user1@domain.com
user1_restrict->@gmail.com
Policy -> Main
Source as user1_from
Destination as user1_restrict
priority -> 30
Is this OK, or do we have to set anything else?
Hi Shakthi,
It's OK. Please ensure Disabled becomes No on every configuration that you created
Hi Iman,
Great, it's working!!!!!
Thanks a lot…
Hi Iman,
Can I change the group name, for example use something other than users_local_only?
Hello Chitra Gurung,
Yes. You can change to another name 😉
This is working for one domain. If I create one more domain in Zimbra, what should I do?
Hello Chitra Gurung,
You can add the member/another domain to the group that has been created
This is working for all now after creating the policies properly. Thanks Iman for your great post
Hi Iman,
I try to send email from Zimbra to Gmail, and Gmail answers me:
: host gmail-smtp-in.l.google.com[74.125.143.27]
said: 550-5.7.1 [XXX.XXX.XXX.XXX] The IP address sending this message does
not have a 550-5.7.1 PTR record setup. As a policy, Gmail does not accept
messages from 550-5.7.1 IPs with missing PTR records. Please visit
550-5.7.1 https://support.google.com/mail/answer/81126#authentication for
more 550 5.7.1 information. m23si3627861wmc.139 - gsmtp (in reply to end of
DATA command)"
Please help me how I can resolve this problem
thank you.
Hello Fatimainfo,
You should configure PTR records for your domain. You can ask your ISP to configure the PTR to point to the name of your email server. For example
HI iman ,
Recently I noticed unwanted emails are flowing through the server with my domain name. Example:
@abc.com is my domain name
mail flows like zzz@abc.com (sender) fff@123.com (receiver)
How to resolve this kind of issue, please suggest me
With Regards
Amith
Hi Amithrajc,
I think this guidance is in accordance with your need
hi iman ,
zzz@abc.com is not my user ID, it's not even in the user list
Hi Amithrajc,
You can apply this method : https://imanudin.net/2014/09/07/how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username-on-zimbra-8-5/
Hi Amithrajc,
Please make sure the trusted network in your MTA has been configured like this
127.0.0.0/8 IP-OF-Server/32
Hi iman ,
The problem still persists, an unknown user is able to send mail
With regards
Amith
Hi Iman,
First I would like to say thanks for the article. I followed this and implemented it as is. In that I added my own hosted domain and some others. Whenever sending to these I am getting that restricted pop-up, but I click OK the first time and the next time mails are sent normally. Please help me with this.
Hi Mani,
Did you mean the restricted user can send email to another domain? Or a normal user gets a pop-up the first time when sending email?
hi iman ,
Yes, the MTA trusted network is configured as you mentioned
Hi Iman ,
After restarting the services internal mail is working and we are able to send mail to gmail.com, but I am unable to receive mail from gmail.com. I checked in zimbra.log, it says
from= to= proto=ESMTP helo=
Nov 26 12:48:42 mail postfix/smtpd[19984]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 450 4.7.1 Client host rejected: cannot find your hostname, [x.x.x.x];
Please help me with this issue
With regards
amith
Hi Iman,
I have blocked all the users I mentioned in Policy Group Members as @domain name. And for all the users I am getting the popup. But on the second try I am able to send to allowed domains. Thanks in advance...
Regards,
Mani
hi iman ,
After I changed the MTA as you mentioned above
I am able to send and receive mail locally, and at the same time I am able to send mail to other domains, but unable to receive mail from other domains. Please help me with this issue
MTA (127.0.0.0/8 IP-OF-Server/32)
from= to= proto=ESMTP helo=
Nov 26 12:48:42 mail postfix/smtpd[19984]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 450 4.7.1 Client host rejected: cannot find your hostname, [x.x.x.x];
Hi Amithrajc,
I think you are applying the PTR check. Please perform this action:
iman,
Need your help to resolve the above issue
Amith
Hi iman ,
After doing the above setting the problem still persists
Kindly help me to resolve this issue, Iman
[2017/01/31-05:40:24 - 9005] [POLICIES] WARNING: [ID:8/Name:Reject Unlisted Domain]: No group members for source group 'List_domain'
[2017/01/31-05:40:24 - 9005] [POLICIES] WARNING: [ID:8/Name:Reject Unlisted Domain]: No group members for destination group 'List_domain'
[2017/01/31-05:40:24 - 9005] [POLICIES] WARNING: [ID:9/Name:Sending Local Only]: No group members for source group 'users_local_only'
[2017/01/31-05:40:24 - 9005] [CBPOLICYD] INFO: Got request #2 (pipelined)
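The two kinds of [POLICIES] WARNING quoted in this thread (Source 'users_local_only' is not a valid specification earlier, and No group members for source group ... just above) are the quickest sign that a policy member was typed wrongly or that a group is empty, disabled or misnamed, and the absence of any Got request lines is the sign that Postfix is not consulting cbpolicyd at all. The following Python triage script is an added example (not the article's or PolicyD's code) that parses cbpolicyd.log lines of the format shown in the comments, tallies them per module and level, and attaches a hint to each policy warning. The sample log is constructed from the lines quoted above, and the hint texts are this editor's reading of the thread (the configuration that ended up working references groups as %group, and the "No group members" warnings appeared alongside groups left at Disabled=Yes).

```python
"""Triage helper for cbpolicyd.log.  Added example, not article or PolicyD
code.  Parses the line format quoted in the comments and flags the policy
misconfigurations that thread discusses."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Accept both the real hyphen and the en dash that web copy-paste produces.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) [-\u2013] (?P<pid>\d+)\] "
    r"\[(?P<module>\w+)\] (?P<level>\w+): (?P<msg>.*)$")
POLICY_RE = re.compile(r"^\[ID:(?P<id>\d+)/Name:(?P<name>[^\]]+)\]:\s*[-\u2013]?\s*(?P<detail>.*)$")

# Constructed sample built from the log lines quoted in the comments above.
LOG_SAMPLE = """\
[2015/08/03-16:18:12 - 61590] [CORE] INFO: Starting "1" children
[2015/08/03-16:18:12 - 61590] [CBPOLICYD] INFO: Got request #1
[2015/08/03-16:18:12 - 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: - Source 'users_local_only' is not a valid specification
[2015/08/03-16:18:12 - 61590] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2017/01/31-05:40:24 - 9005] [POLICIES] WARNING: [ID:8/Name:Reject Unlisted Domain]: No group members for source group 'List_domain'
[2017/01/31-05:40:24 - 9005] [POLICIES] WARNING: [ID:9/Name:Sending Local Only]: No group members for source group 'users_local_only'
[2015/08/03-16:20:03 - 61590] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:57028, Local: 127.0.0.1:10031
"""


class Finding(NamedTuple):
    policy_id: int
    policy: str
    detail: str
    hint: str


# (substring of the warning, what to check) - hints are this editor's reading of the thread.
HINTS = [
    ("is not a valid specification",
     "source/destination was written as a bare name; reference a group as %group or !%group"),
    ("No group members for",
     "group is empty, still Disabled=Yes, or its name does not exactly match the policy member"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one cbpolicyd.log line into ts/pid/module/level/msg, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> dict:
    """Count lines per (module, level), collect policy warnings with hints,
    and report whether Postfix reached the policy daemon at all."""
    counts: Counter = Counter()
    findings: List[Finding] = []
    requests = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                      # skip lines that are not cbpolicyd records
        counts[(rec["module"], rec["level"])] += 1
        if rec["module"] == "CBPOLICYD" and rec["msg"].startswith("Got request"):
            requests += 1
        if rec["module"] == "POLICIES" and rec["level"] == "WARNING":
            pm = POLICY_RE.match(rec["msg"])
            if pm:
                detail = pm["detail"].replace("\u2018", "'").replace("\u2019", "'")
                hint = next((h for needle, h in HINTS if needle in detail),
                            "unrecognised policy warning; read the policy member by hand")
                findings.append(Finding(int(pm["id"]), pm["name"], detail, hint))
    return {
        "counts": counts,
        "requests": requests,
        "findings": findings,
        # No "Got request" lines means the MTA never called inet:127.0.0.1:10031.
        "postfix_consulting_policyd": requests > 0,
    }
```

An empty result with postfix_consulting_policyd False is the situation two commenters describe (nothing in cbpolicyd.log while mail still flows), and points at the MTA-side enablement rather than at the policy definitions.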
Hi Iman,
I would like to restrict users from receiving mail from other domains, kindly suggest me on this.....
Hi Iman
I have an urgent requirement for a particular user: he may only receive mails, and must be restricted from sending any mail. How can we do that?