How To Restrict Users Sending to Certain Users/Domains With Policyd


Policyd has an Access Control module. This module can be used for several purposes, for example to improve anti-spam by rejecting unlisted domains, as described in an earlier article. The Access Control module can also be used to restrict users to sending only to certain users/domains, and this article explains how to set that up.

This assumes you have already installed and configured Policyd as in the article How To Install PolicyD on Zimbra 8.5. For this example, I have a user named user1@imanudin.net. This user should be able to send only to the local domain (imanudin.net) and be denied sending to any other domain.

Open the Policyd web UI at http://ZimbraServer:7780/webui/index.php. First, create the users group and the domains group.

Select Groups. Add a new group named users_local_only and add the member users (here user1@imanudin.net) to it. Don't forget to change the status Disabled from yes to no. Then add a new group named list_domain and add the member domains (here imanudin.net) to it. Again, don't forget to change Disabled from yes to no. See the following pictures:

[Pictures: policyd-members-users, policyd-members-groups, policyd-groups-info]

Select Policies | Main. Create a new policy named Sending Local Only, give it priority 30, and fill in the description with information about your policy. Add a member to the new policy: set the source to the group users_local_only and the destination to the group list_domain, but with reversed (negated) status, so that the policy matches mail from the restricted users to any domain that is not in list_domain. Don't forget to change Disabled from yes to no. See the following picture:

[Picture: policy-local-only]

Now you must define what happens when the new policy matches. Select Access Control | Configure. Add a new access control entry named Sending Local Only. Under Link to policy select Sending Local Only, and set the verdict to reject. In the data field, give the reason why the email cannot be sent, for example “Sorry, you cannot sending to outside”. See the following picture:

[Picture: access-control-policy]

Don't forget to change Disabled from yes to no here as well.

Enable the Policyd Access Control module and restart the Policyd service:

su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart

Now try sending an email from user1@imanudin.net to an outside domain. It should be rejected; check the log information in /opt/zimbra/log/cbpolicyd.log and /var/log/zimbra.log to debug.
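To make the group, policy-member and verdict logic of the steps above concrete, here is a small simulator of how such an access-control policy decides on a (sender, recipient) pair. It is an added example, not Policyd's own code and not from the article: it models only the notation used on this page (named groups, `%group` and negated `!%group` member specs, `@domain` and `user@domain` entries) and assumes that lower priority numbers are evaluated first and that the first matching enabled policy wins. Group contents and addresses are constructed sample data mirroring the article's configuration.

```python
# Added example: simulate a Policyd-style access-control decision.
# Not Policyd's code; an educational approximation of the notation the
# article uses. Priority ordering (lower number first) and first-match-wins
# are assumptions made for this illustration.

# Groups as created under Groups in the Policyd web UI (constructed sample data)
GROUPS = {
    "users_local_only": ["user1@imanudin.net"],   # users to restrict
    "list_domain": ["@imanudin.net"],             # domains they may still send to
}


def address_matches(member, address):
    """True if one group member entry covers the address (case-insensitive)."""
    member, address = member.lower(), address.lower()
    if member.startswith("@"):
        return address.endswith(member)   # whole-domain entry such as "@imanudin.net"
    return address == member              # single-address entry


def spec_matches(spec, address):
    """Evaluate one policy-member spec (source or destination) against an address.

    "%group" matches members of the group, "!%group" matches NON-members
    (the article's 'reverse status'). Raises ValueError for a spec that
    Policyd would log as 'is not a valid specification', e.g. a bare group
    name typed without the leading '%'.
    """
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body.startswith("%"):
        members = GROUPS.get(body[1:])
        if members is None:
            raise ValueError(f"group {body[1:]!r} has no members")
        hit = any(address_matches(m, address) for m in members)
    elif "@" in body:
        hit = address_matches(body, address)
    else:
        raise ValueError(f"{spec!r} is not a valid specification")
    return not hit if negate else hit


# Policies | Main plus Access Control | Configure, mirroring the article:
# source = users_local_only, destination = list_domain with reversed status.
POLICIES = [
    {
        "name": "Sending Local Only",
        "priority": 30,
        "disabled": False,                 # the 'change disable yes to no' step
        "members": [("%users_local_only", "!%list_domain")],
        "verdict": "REJECT",
        "data": "Sorry, you cannot sending to outside",
    },
]


def decide(sender, recipient, policies=POLICIES):
    """Return (verdict, message) for one envelope; ("OK", "") if nothing matches."""
    for policy in sorted(policies, key=lambda p: p["priority"]):
        if policy["disabled"]:
            continue                       # a policy left at disable=yes never fires
        for src, dst in policy["members"]:
            try:
                if spec_matches(src, sender) and spec_matches(dst, recipient):
                    return policy["verdict"], policy["data"]
            except ValueError as err:
                # A bad spec only produces a warning; the member never matches,
                # so the mail passes, which is the failure mode to watch for in the log.
                print(f"WARNING: [Name:{policy['name']}]: {err}")
    return "OK", ""


if __name__ == "__main__":
    print(decide("user1@imanudin.net", "friend@gmail.com"))      # rejected
    print(decide("user1@imanudin.net", "user2@imanudin.net"))    # allowed (local)
    print(decide("user2@imanudin.net", "friend@gmail.com"))      # not a restricted user
    # A group name typed without '%' is silently ineffective apart from the warning
    broken = [dict(POLICIES[0], members=[("users_local_only", "!%list_domain")])]
    print(decide("user1@imanudin.net", "friend@gmail.com", broken))
```

The last call shows why a misconfigured member spec is dangerous in the wrong direction: the policy does not fail closed, the restricted user can send outside, and the only evidence is the warning in cbpolicyd.log. That is the first thing to grep for when the restriction appears not to work.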

Good luck and hopefully useful 😀


  1. For this policy, if I want user1@imanudin.net to only receive email from the local domain and another specific domain, how can it be done? Will it work if I only add a 2nd policy member on Policies | Main: add a member to the new policy and fill the source with the group list_domain and the destination with the group users_local_only?
    My goal is to restrict the account email to receive from the local domain + specified domain and to send only to the local domain + specified domain.
    Thanks in advance

  2. Hi iman,

    I’ve just configured it as in this tutorial, but policyd doesn’t seem to get the settings. The emails are sent to the restricted domain normally.

    These are the policyd logs when I send an email:

    [2014/10/18-18:13:46 – 20500] [CORE] INFO: Starting “1” children
    [2014/10/18-18:13:46 – 20503] [CORE] INFO: 2014/10/18-18:13:46 CONNECT TCP Peer: “[127.0.0.1]:44927” Local: “[127.0.0.1]:10031”
    [2014/10/18-18:13:46 – 20503] [CBPOLICYD] INFO: Got request #1
    [2014/10/18-18:13:46 – 20503] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2014/10/18-18:13:46 – 20503] [CBPOLICYD] INFO: Got request #3 (pipelined)

    Can you give me some advice?

  3. My domain : mail.local.unique.com

    Zimbra version : zcs-8.0.8

    after running this cmd : zmprov ms mail.local.unique.com zimbraCBPolicydAccessControlEnabled TRUE

    I am getting the error below

    ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name – unable to modify attributes: zimbraCBPolicydAccessControlEnabled: attribute type undefined)

    Please help me resolve the error

  4. ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name – unable to modify attributes: zimbraCBPolicydAccessControlEnabled: attribute type undefined)
    The above error is displayed, please help. I am running this cmd on the mail server, not on the MTA server..

  5. Hi Iman, please help me with this article, I really need your help. I want to restrict some of my users to local use only, which is only in my domain. Or can you just tell me the command to enable the access control module in policyd? Please, I really appreciate your help..

    1. Hi Mahesh,

      For Zimbra 8.0.x, please try this command to enable it

      su - zimbra
      zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
      zmlocalconfig -e postfix_enable_smtpd_policyd=yes
      zmprov mcf +zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"

      zmlocalconfig -e cbpolicyd_log_level=4; zmlocalconfig -e cbpolicyd_log_detail=info; zmlocalconfig -e cbpolicyd_module_accesscontrol=1 cbpolicyd_module_checkhelo=1 cbpolicyd_module_checkspf=1 cbpolicyd_module_greylisting=1 cbpolicyd_module_quotas=1

  6. Still not working sir, please suggest. My requirement is simple, like:
    Some users could not send mail to outside domains, that's it. I followed your complete article as it is. Is there any admin

  7. Sorry for the incomplete comment. I need to know: is there any configuration available in the admin console? Then please tell me.

  8. Hey Iman, that’s working. I configured it in the MTA server; before that I tried it in the MAIL server, but now it's working. Thanks for sharing your knowledge, it's tooo good buddy, thank you sooooo much, thanks…

    1. Hi Shakthi,

      What Zimbra version are you using? Have you made sure all rules/policies have been changed from disable=yes to disable=no?

      1. Yes. I am using Zimbra Version: 8.5_GA_3042.FOSS.
        cbpolicy.log shows

        [2015/08/03-16:18:12 – 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: – Source ‘users_local_only’ is not a valid specification
        [2015/08/03-16:18:12 – 61590] [CBPOLICYD] INFO: Got request #2 (pipelined)
        [2015/08/03-16:18:12 – 61590] [CBPOLICYD] INFO: Got request #3 (pipelined)
        [2015/08/03-16:18:22 – 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: – Source ‘users_local_only’ is not a valid specification
        [2015/08/03-16:18:22 – 61590] [CBPOLICYD] INFO: Got request #4 (pipelined)
        [2015/08/03-16:18:22 – 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: – Source ‘users_local_only’ is not a valid specification
        [2015/08/03-16:18:22 – 61590] [CBPOLICYD] INFO: Got request #5 (pipelined)
        [2015/08/03-16:18:22 – 61590] [CBPOLICYD] INFO: Got request #6 (pipelined)
        [2015/08/03-16:20:03 – 61590] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:57028, Local: 127.0.0.1:10031
        [2015/08/03-16:20:03 – 61588] [CORE] INFO: Killing “1” children

        1. Hi Shakthi,

          It seems you created the users_local_only statement wrongly. The problem can be found in the error log

          [2015/08/03-16:18:22 – 61590] [POLICIES] WARNING: [ID:6/Name:Sending Local Only]: – Source ‘users_local_only’ is not a valid specification

          Please verify your configuration again

    1. Hi Shakthi,

      Please paste the result of the following commands:

      su - zimbra
      zmcontrol status
      zmcontrol -v
      zmprov gs mail.example.com | grep -i policyd

      Note: Please change mail.example.com to your hostname

  9. zimbra@enestextilemills:~$ zmcontrol status
    Host enestextilemills.net
    amavis Running
    antispam Running
    antivirus Running
    cbpolicyd Running
    dnscache Running
    ldap Running
    logger Running
    mailbox Running
    memcached Running
    mta Running
    opendkim Running
    proxy Running
    service webapp Running
    snmp Running
    spell Running
    stats Running
    zimbra webapp Running
    zimbraAdmin webapp Running
    zimlet webapp Running
    zmconfigd Running

    Release 8.5.0.GA.3042.UBUNTU12.64 UBUNTU12_64 FOSS edition.

    zimbraCBPolicydAccessControlEnabled: TRUE
    zimbraCBPolicydAccountingEnabled: FALSE
    zimbraCBPolicydAmavisEnabled: FALSE
    zimbraCBPolicydBindPort: 10031
    zimbraCBPolicydBypassMode: tempfail
    zimbraCBPolicydBypassTimeout: 30
    zimbraCBPolicydCheckHeloEnabled: FALSE
    zimbraCBPolicydCheckSPFEnabled: FALSE
    zimbraCBPolicydGreylistingBlacklistMsg: Greylisting in effect, sending server blacklisted
    zimbraCBPolicydGreylistingDeferMsg: Greylisting in effect, please come back later
    zimbraCBPolicydGreylistingEnabled: FALSE
    zimbraCBPolicydGreylistingTrainingEnabled: FALSE
    zimbraCBPolicydLogLevel: 3
    zimbraCBPolicydMaxRequests: 1000
    zimbraCBPolicydMaxServers: 25
    zimbraCBPolicydMaxSpareServers: 12
    zimbraCBPolicydMinServers: 4
    zimbraCBPolicydMinSpareServers: 4
    zimbraCBPolicydQuotasEnabled: TRUE
    zimbraCBPolicydTimeoutBusy: 120
    zimbraCBPolicydTimeoutIdle: 1020
    zimbraMtaEnableSmtpdPolicyd: FALSE
    zimbraServiceEnabled: cbpolicyd
    zimbraServiceInstalled: cbpolicyd

  10. Thanks Bro.

    I configured like users_local_only. Now I configured as in the picture and it’s working fine.

  11. If I use Thunderbird or Outlook, the mail goes to the Sent folder but is not delivered to the destination. At the same time I didn’t get any log in the cbpolicy.log file.

    1. Hi Ramesh,

      You can build Zimbra with the minimum requirements below:
      – 8 GB of RAM
      – 150 GB of HDD (Assume 1 user have 1,5 GB quota mailbox)
      – Dual Core CPU

      1. Pls Help – Not Working as reverse.
        I have created two groups for source and destination (ishakthi_income_grp and ishakthi@user) and the members are listed below

        ishakthi_income_grp
        sakthiugapriyan.s@gmail.com as source

        ishakthi@user
        ishakthi@enestextilemills.net as destination

        Then go to Policy and Main and click Add
        name sakthi_gmail_ishakithi_enes
        priority : 30

        Add member for sakthi_gmail_ishakithi_enes
        source %ishakthi_income_grp
        destination !%ishakthi@user

        Then Go to Access Control and click configure

        name sakthi_gmail_ishakithi_enes
        link policy to sakthi_gmail_ishakithi_enes
        verdict reject
        data Income Source Not Allowed
        comments Income Source Not Allowed

        All disabled are set to No.

  12. Mas Iman, why does this rule not function if we are using Blackberry? The user can still send email to other domains. Please help me, do you have any idea or tricks on how to block sending to other domains, especially for clients using Zimbra on Blackberry?

  13. Mas Imam, how do I make this rule run on Blackberry? I have tried it on Blackberry but it can still send email to other domains, and I have also tried using Outlook and Thunderbird and this method runs well.

    1. Hi mas Jhayari,

      It’s because Blackberry uses their own domain, such as below

      SRS0=OoZuQN=KQ=imanudin.net=iman@srs.bis3.ap.blackberry.com
      

      Please try to add the Blackberry domain in the restriction file

      @srs.bis3.ap.blackberry.com
      
  14. Dear Mas Iman, is it possible that different series of Blackberry have different domains to send their email? Because with your suggestion, on the Blackberry Q10 series this rule runs well, but when we try using an old Blackberry series it can still send to other mail servers. We tried this using a Blackberry Bold.. Thanks before, Mas Iman, for your kindness and your knowledge…

  15. Hi iman,
    First of all I must say that this post is really good and thank you so much for sharing your knowledge.
    I am using Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
    I have followed above mentioned steps and it worked. I have below questions :

    1. If I want to restrict the local domain as well and only allow one public domain for incoming and outgoing traffic, then how do I do that?
    I have added only one public domain as per the above steps. It worked, but it is allowing the local domain as well, which I don’t want.
    2. If I select ”Reject OR Discard” under Verdict, then I get “Relay access denied” in the Zimbra logs, which is fine, but these restricted mails get stuck in the deferred queue. I want them to be dropped in these conditions. How to do that?
    3. If we enable this restriction, then the sending user should get a bounce-back message as information that he does not have access for the same. How to configure it?

    Please provide your valuable inputs.

    Thanks and Regards,
    Kanchi

    1. Hi Kanchan,

      1. You can try to make some policies and customize them to your conditions. The point of all of it is the logic: if source bla bla bla and destination bla bla bla then bla bla bla. This configuration can be done with Policies and Access Control. You can start by writing your conditions on paper as if, and, then

      2. I do not know about that. You can use this simple script to discard all queued mail from a user or domain: https://wiki.zimbra.com/wiki/Delete_Messages

      3. Sorry, I also do not know how to do that

  16. Please help us to install and configure cbpolicy in Zimbra 8.6.0 with a multi-server environment (ldap1, ldap2, mta, mbx etc.).

    Helal
    From Islami Bank Bangladesh limited.
    Dhaka, Bangladesh.

  17. Hi Iman,

    I tried to configure exactly the same as yours, but it isn’t working.

    Here’s the results for zmcontrol command:
    amavis Running
    antispam Running
    antivirus Running
    cbpolicyd Running
    ldap Running
    logger Running
    mailbox Running
    memcached Running
    mta Running
    opendkim Running
    proxy Running
    service webapp Running
    snmp Running
    spell Running
    stats Running
    zimbra webapp Running
    zimbraAdmin webapp Running
    zimlet webapp Running
    zmconfigd Running

    Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P6.

    zimbraCBPolicydAccessControlEnabled: TRUE
    zimbraCBPolicydAccountingEnabled: FALSE
    zimbraCBPolicydAmavisEnabled: FALSE
    zimbraCBPolicydBindPort: 10031
    zimbraCBPolicydBypassMode: tempfail
    zimbraCBPolicydBypassTimeout: 30
    zimbraCBPolicydCheckHeloEnabled: FALSE
    zimbraCBPolicydCheckSPFEnabled: FALSE
    zimbraCBPolicydGreylistingBlacklistMsg: Greylisting in effect, sending server blacklisted
    zimbraCBPolicydGreylistingDeferMsg: Greylisting in effect, please come back later
    zimbraCBPolicydGreylistingEnabled: FALSE
    zimbraCBPolicydGreylistingTrainingEnabled: FALSE
    zimbraCBPolicydLogLevel: 3
    zimbraCBPolicydMaxRequests: 1000
    zimbraCBPolicydMaxServers: 25
    zimbraCBPolicydMaxSpareServers: 12
    zimbraCBPolicydMinServers: 4
    zimbraCBPolicydMinSpareServers: 4
    zimbraCBPolicydQuotasEnabled: TRUE
    zimbraCBPolicydTimeoutBusy: 120
    zimbraCBPolicydTimeoutIdle: 1020
    zimbraMtaEnableSmtpdPolicyd: FALSE
    zimbraServiceEnabled: cbpolicyd
    zimbraServiceInstalled: cbpolicyd

    Plus, it isn’t logged in the Zimbra or cbpolicyd log.

    1. Hi Shakthi,

      Yes you can. You only need to configure the source and destination as you want. The example in this article could be developed for many aims.

      1. It's not working, so I created a simple case:
        Need to block sent mails to Gmail
        Policy -> Group
        user1_from->user1@domain.com
        user1_restrict->@gmail.com
        Policy -> Main
        Source as user1_from
        Destination as user1_restrict
        priority -> 30
        Is this ok, or do we have to set any other things?

  18. Hi Iman,
    I try to send email from Zimbra to Gmail, and Gmail answers me:
    : host gmail-smtp-in.l.google.com[74.125.143.27]
    said: 550-5.7.1 [XXX.XXX.XXX.XXX] The IP address sending this message does
    not have a 550-5.7.1 PTR record setup. As a policy, Gmail does not accept
    messages from 550-5.7.1 IPs with missing PTR records. Please visit
    550-5.7.1 https://support.google.com/mail/answer/81126#authentication for
    more 550 5.7.1 information. m23si3627861wmc.139 – gsmtp (in reply to end of
    DATA command)”
    Please help me, how can I resolve this problem?
    thank you.

    1. Hello Fatimainfo,

      You should configure PTR records for your domain. You can ask the ISP of your connection to configure a PTR record that refers to the name of your email server. For example

      123.123.123.123     IN     PTR     mail.imanudin.net
      
  19. Hi Iman,
    recently I noticed unwanted emails flowing through the server with my domain name. Example:
    @abc.com is my domain name

    mails flow like zzz@abc.com (sender) fff@123.com (receiver)

    How do I resolve this kind of issue? Please suggest

    With Regards
    Amith

  20. Hi Iman,
    First I would like to say for the article. I followed this and implemented it as it is. In that I added my own hosted domain and a few others. Whenever sending to these I am getting that restricted pop-up, but I click OK and the next time the mails are sent normally. Please help me on this.

    1. Hi Mani,

      Did you mean the restricted user can send email to another domain? Or that a normal user gets a pop-up the first time when sending email?

  21. Hi Iman ,
    After restarting the services, internal mail is working and we are able to send mail to gmail.com, but I am unable to receive mail from gmail.com. I checked in zimbra.log and it says
    from= to= proto=ESMTP helo=
    Nov 26 12:48:42 mail postfix/smtpd[19984]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 450 4.7.1 Client host rejected: cannot find your hostname, [x.x.x.x];

    please help me with this issue

    With regards
    amith

  22. Hi Iman,
    I have blocked all the users I mentioned in Policy Group Members as @domain name. And for all the users I am getting the pop-up. But on the second try I am able to send to allowed domains. Thanks in advance…

    Regards,
    Mani

  23. Hi Iman,
    after I changed the MTA as you mentioned above
    I am able to send and receive mail locally, and at the same time I am able to send mail to other domains, but unable to receive mail from other domains. Please help me with this issue

    MTA (127.0.0.0/8 IP-OF-Server/32)

    from= to= proto=ESMTP helo=
    Nov 26 12:48:42 mail postfix/smtpd[19984]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 450 4.7.1 Client host rejected: cannot find your hostname, [x.x.x.x];

    1. Hi Amithrajc,

      I think you are applying a PTR check. Please perform this action:

      su - zimbra
      zmprov mcf -zimbraMtaRestriction "reject_unknown_client_hostname"
      zmcontrol restart
      
  24. [2017/01/31-05:40:24 – 9005] [POLICIES] WARNING: [ID:8/Name:Reject Unlisted Domain]: No group members for source group ‘List_domain’
    [2017/01/31-05:40:24 – 9005] [POLICIES] WARNING: [ID:8/Name:Reject Unlisted Domain]: No group members for destination group ‘List_domain’
    [2017/01/31-05:40:24 – 9005] [POLICIES] WARNING: [ID:9/Name:Sending Local Only]: No group members for source group ‘users_local_only’
    [2017/01/31-05:40:24 – 9005] [CBPOLICYD] INFO: Got request #2 (pipelined)

  25. Hi Iman
    I have an urgent requirement for a particular user: he can only receive mail, but I need to restrict him from sending any mail. How can we do that?
