Zimbra

How To Restrict Users Sending to Certain Users/Domains With Policyd

Policyd has module access control. This module can use for some aims as improving anti spam reject unlisted domain like article has been wrote before. Module access control also can use for restrict users sending to certain users/domains and this article will explain how to apply.

Assume you have been install and configure policyd like the following article How To Install PolicyD on Zimbra 8.5. For information, i have user with name user1@imanudin.net. This user can sending to domain local only (imanudin.net) and deny to other domain.

Open policyd webui on http://ZimbraServer:7780/webui/index.php. First, create users and domains group.

Select Groups. Add new group and given name users_local_only. Add member users to group users_local_only. Don’t forget to change status disable yes become no. Add new group and given name list_domain. Add member domains to group list_domain. Don’t forget to change status disable yes become no. See the following pictures

policyd-members-users

policyd-members-groups

policyd-groups-info

Select Policies | Main. Create new policy and given name Sending Local Only. Give priority 30 and fill description with information about your policy. Add member to new policy and fill on source with group users_local_only and on destination with group list_domain but with reverse status.Don’t forget to change status disable yes become no. See the following pictures

policy-local-only

Now, you must define access to new policy has been created. Select Access Control | Configure. Add new access control and given name Sending Local Only. Select Sending Local Only on link to policy and reject on verdict. Give information about why email cannot sending on data like “Sorry, you cannot sending to outside”. See the following pictures

access-control-policy

Don’t forget to change status disable yes become no

Enable policyd accesscontrol and restart policyd service

su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart

Please try to sending email from user1@imanudin.net to outside and see the log information on /opt/zimbra/log/cbpolicyd.log and /var/log/zimbra.log to debug.

Good luck and hopefully useful 😀

134 comments

    1. Hi Mani,

      You can create another rule like rule in this guide. You only need to define source and destination and reject rule on Access Control

  1. Hi Iman,
    I have tried the same for blocking incoming mails but in my case it’s not working. I have to allow 4 domains to send mails to my domain(Zimbra mail server) when i configure the same all the domains are getting blocked. please help me on this.

  2. Hi Iman,
    In Groups i have created 2 groups names owndomain (Members local domain,zimbra)and owndomain1(my company domain,@abc.com). In Main i have created a policy named owndomain only.in that source %owndomain and in destination i mentioned !%owndomain1.In configure i have linked the policy and verdict as Reject. Also i have changed all the disable policy as no. But I am receiving mails from all the domains. PLease help me on this.

  3. Hi Iman,
    Yes, I have done and also did Zmcontrol restart. But its not working… Please suggest me on this. Thanks in advance..

    1. Hi Mani,

      Please make sure this command have been executed

      su - zimbra
      zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
      zmcbpolicydctl restart
      
  4. Hi Iman,
    Yes, This is enabled and outgoing mails are getting blocked.I would like to block incoming mails. Please suggest,If possible please create like outgoing block article for incoming block. Thanks in advance.

      1. Hi Iman,

        This is what i am getting while running this cmd.

        smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
        smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
        smtpd_sender_restrictions = check_policy_service inet:localhost:10031, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re

        Thank you!!!

        1. Hi Mani,

          Please send me cbpolicyd database so that i can check in my lab. You can found database on /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb

  5. Hi Iman,
    Hope you are doing good… the same way i entered the domain names(5 Domains) from those domain my zimbra domain not receiving any mails. But what i expect was opposite to that would like to receive mails from only 5 particular domains. Anyhow its implemented and working partially.. Thank you for your valuable time and support… Keep Rocking,…

  6. Hi Iman,

    Have you already test Zimbra conf in smtp level to restrict a specific user to reject messages from external domains ?

      1. Hi Iman,

        I already tried this solution to prevent an account from sending messages to external domains, and it`s ok.
        Now i need to prevent that same account from receive messages from external domains. I was tried to revert that configuration, but with no success (I want an account that can only send and receive messages to and from local domain).
        I made that restriction by amavis, and it`s work fine.
        I think it`s possible through smtp level too, but no success yet.

        1. Hi Fabiano,

          I think you can define on restricted_sender domain that you accept and define on local_domain user that receive email from outside

  7. Hi Imam,
    I have distribution list which i want to restrict for sending emails on that from all external domains but at the same time want to allow for some external domains like, e.g. want to block *@gmail.com, *@hotmail.com, but wan to allow *@partnercompaniesdomain.com , please let me know we could get this done?

  8. Hi pak Iman.

    sy sudah melakukan setting seperti di atas. namun blm menjalankan script
    ===========
    su – zimbra
    zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
    zmcbpolicydctl restart
    ===========
    saat ini user yg di restrict masih dapat mengirim email ke DL yg tidak seharusnya.
    Apakah harus menjalankan script tsb setiap setting restrict atau hanya sekali saja. krn sy hanya admin di sisi webUI.
    Terima kasih

      1. apakah setiap buat rule restricted baru harus jalankan script “zmcbpolicydctl restart” ini Pak ?
        terima kasih sebelumnya.

          1. rule restricted ini ttp tidak berfungsi, namun rule rate limit berfungsi. bagaimana solusinya pak ? terima kasih

  9. Hi,

    I’am finish install policyd, but when access to link policyd in server. I don’t success submit policyd group member corresponding in article

  10. Hi Sir,
    How to allow the user in zimbra webmail to send to anywhere using his external account if the user has been restricted using policyd to send to local only?

    1. Hi Ken,
      AFAIK. External users that configure in Zimbra still use SMTP on Zimbra (on behalf). So that, user still use your internal users. CMIIW

  11. Hi Iman,
    thanks for the article.
    do you know if there is a way to get a list of “Policy group members” users from AD windows/LDAP group?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.