How To Restrict Users Sending to Certain Users/Domains With Policyd


Policyd has an Access Control module. This module can be used for several purposes, such as improving anti-spam by rejecting unlisted domains, as described in an earlier article. The Access Control module can also be used to restrict users from sending to certain users/domains, and this article explains how to apply it.

Assume you have installed and configured Policyd as described in the article How To Install PolicyD on Zimbra 8.5. For this example, I have a user named user1@imanudin.net. This user may send only to the local domain (imanudin.net) and is denied sending to any other domain.

Open the Policyd web UI at http://ZimbraServer:7780/webui/index.php. First, create the users group and the domains group.

Select Groups. Add a new group named users_local_only and add the member users to the group users_local_only. Don't forget to change the Disabled status from Yes to No. Add a new group named list_domain and add the member domains to the group list_domain. Again, don't forget to change the Disabled status from Yes to No. See the following pictures

policyd-members-users

policyd-members-groups

policyd-groups-info

Select Policies | Main. Create a new policy named Sending Local Only. Give it priority 30 and fill the description with information about your policy. Add a member to the new policy: set the source to the group users_local_only and the destination to the group list_domain, but with the reverse status, so the destination matches recipients that are not in list_domain. Don't forget to change the Disabled status from Yes to No. See the following pictures

policy-local-only

Now you must define access for the policy you just created. Select Access Control | Configure. Add a new access control named Sending Local Only. Select Sending Local Only under Link to Policy and Reject as the verdict. In the Data field, give the reason the email cannot be sent, for example “Sorry, you cannot sending to outside”; this text is returned to the sender with the rejection. See the following pictures

access-control-policy

Don't forget to change the Disabled status from Yes to No.

Enable the Policyd Access Control module and restart the Policyd service:

su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
zmcbpolicydctl restart

Now try sending an email from user1@imanudin.net to an outside domain, and check the log information in /opt/zimbra/log/cbpolicyd.log and /var/log/zimbra.log to debug.
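As an added check (not part of the original article), the following Python script speaks the Postfix SMTP access policy delegation protocol to cbpolicyd on the port Zimbra's Postfix uses (inet:localhost:10031), so the rule above can be exercised for a given sender/recipient pair without sending real mail; the recipient addresses and the sasl_username value it sends are assumptions.

```python
import socket

CBPOLICYD_ADDR = ("localhost", 10031)  # Zimbra default cbpolicyd_bind_port


def build_policy_request(sender, recipient, client_address="127.0.0.1"):
    """Build one request as Postfix sends it at RCPT time: name=value
    lines terminated by an empty line."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("client_address", client_address),
        ("client_name", "localhost"),
        ("helo_name", "localhost"),
        ("sender", sender),
        ("recipient", recipient),
        ("sasl_username", sender),  # assumption: user authenticated as itself
    ]
    return ("".join(f"{k}={v}\n" for k, v in attrs) + "\n").encode()


def parse_policy_reply(reply):
    """Return (VERDICT, message) from the reply's action= line."""
    for line in reply.decode(errors="replace").splitlines():
        if line.startswith("action="):
            verdict, _, message = line[len("action="):].partition(" ")
            return verdict.upper(), message
    raise ValueError("no action= line in policy reply")


def query_cbpolicyd(sender, recipient, addr=CBPOLICYD_ADDR, timeout=5.0):
    """Send one request to cbpolicyd and return its (verdict, message)."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(build_policy_request(sender, recipient))
        reply = b""
        while not reply.endswith(b"\n\n"):  # reply ends with an empty line
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_policy_reply(reply)


if __name__ == "__main__":
    # Run on the Zimbra host: with the article's rule, the external
    # recipient should get REJECT with the Data text, the local one not.
    for rcpt in ("colleague@imanudin.net", "someone@example.com"):
        print(rcpt, query_cbpolicyd("user1@imanudin.net", rcpt))
```

If both recipients come back without REJECT, check first that the group, policy member and access control entries are all set to Disabled = No, which is the most common cause of a rule that never fires.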

Good luck and hopefully useful 😀

168 comments

    1. Hi Mani,

      You can create another rule like the rule in this guide. You only need to define the source and destination and a reject rule in Access Control.

  1. Hi Iman,
    I have tried the same for blocking incoming mails, but in my case it's not working. I have to allow 4 domains to send mails to my domain (Zimbra mail server); when I configure the same, all the domains are getting blocked. Please help me on this.

  2. Hi Iman,
    In Groups I have created 2 groups named owndomain (members: local domain, zimbra) and owndomain1 (my company domain, @abc.com). In Main I have created a policy named owndomain only; in that, source is %owndomain and in destination I mentioned !%owndomain1. In Configure I have linked the policy and the verdict as Reject. Also I have changed all the Disabled settings to No. But I am receiving mails from all the domains. Please help me on this.

  3. Hi Iman,
    Yes, I have done that and also did zmcontrol restart. But it's not working… Please suggest me on this. Thanks in advance..

    1. Hi Mani,

      Please make sure these commands have been executed

      su - zimbra
      zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
      zmcbpolicydctl restart
      
  4. Hi Iman,
    Yes, this is enabled and outgoing mails are getting blocked. I would like to block incoming mails. Please suggest; if possible, please create an article for blocking incoming mail like the outgoing block article. Thanks in advance.

      1. Hi Iman,

        This is what I am getting while running this cmd.

        smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
        smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
        smtpd_sender_restrictions = check_policy_service inet:localhost:10031, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re

        Thank you!!!

        1. Hi Mani,

          Please send me the cbpolicyd database so that I can check it in my lab. You can find the database at /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb

  5. Hi Iman,
    Hope you are doing good… In the same way I entered the domain names (5 domains); from those domains my Zimbra domain is not receiving any mails. But what I expected was the opposite: I would like to receive mails from only those 5 particular domains. Anyhow it's implemented and working partially.. Thank you for your valuable time and support… Keep rocking…

  6. Hi Iman,

    Have you already tested a Zimbra conf at the SMTP level to restrict a specific user so that messages from external domains are rejected?

      1. Hi Iman,

        I already tried this solution to prevent an account from sending messages to external domains, and it's OK.
        Now I need to prevent that same account from receiving messages from external domains. I tried to reverse that configuration, but with no success (I want an account that can only send and receive messages to and from the local domain).
        I made that restriction with amavis, and it works fine.
        I think it's possible at the SMTP level too, but no success yet.

        1. Hi Fabiano,

          I think you can define in restricted_sender the domains that you accept and define in local_domain the users that receive email from outside

  7. Hi Imam,
    I have a distribution list which I want to restrict so that all external domains are blocked from sending emails to it, but at the same time I want to allow some external domains, e.g. I want to block *@gmail.com, *@hotmail.com, but want to allow *@partnercompaniesdomain.com. Please let me know how we could get this done?

  8. Hi Pak Iman.

    I have already done the settings as above, but have not yet run the script
    ===========
    su - zimbra
    zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
    zmcbpolicydctl restart
    ===========
    Currently the restricted user can still send email to a DL that they should not be able to.
    Do I have to run that script every time I set a restriction, or only once? Because I am only an admin on the webUI side.
    Thank you

      1. Do I have to run the script “zmcbpolicydctl restart” every time I create a new restricted rule, Pak?
        Thanks in advance.

          1. This restricted rule still does not work, but the rate limit rule works. What is the solution, Pak? Thank you

  9. Hi,

    I have finished installing policyd, but when I access the policyd link on the server, I do not succeed in submitting the policyd group members corresponding to the article

  10. Hi Sir,
    How to allow a user in Zimbra webmail to send anywhere using his external account if the user has been restricted using policyd to send to local only?

    1. Hi Ken,
      AFAIK, external accounts configured in Zimbra still use SMTP on Zimbra (on behalf of the user). So the user still uses your internal users. CMIIW

  11. Hi Iman,
    thanks for the article.
    Do you know if there is a way to get a list of “Policy group members” users from an AD Windows/LDAP group?

  12. Hi Mas Iman, I have tried the method in this article and everything works well, but only if I send email to an external domain directly using the Zimbra Web Client. If I try sending using the email account I have set up in Thunderbird and send to an external domain address, my email is still sent and received by the external domain, but in the recipient's email footer there is a status like this = (null).
    How can I make the rejection also happen when sending email to an external domain using Thunderbird and similar clients? Please, I need your advice and input.
    Thank you.

        1. Hi mas,
          For that version this guide should work. I happen to use it too and it applies properly, both from webmail and from email clients.

  13. URGENT
    Hi, iman
    My ZCS 8.6 server is acting as an open relay. Will restricting unlisted domains make my server not an open relay? Will it act as a closed relay? If not, what more settings should I do to make it a closed relay? My server is in production. I need your help as soon as possible.

  14. Excellent tutorial. Can you create a rule that only allows certain users to send and receive emails from the domain, that is, they cannot send or receive mails that are not from domain1.com?

  15. What if a genuine mail user trying to send mass mail to all users is blocked? What kind of solution can be applied once the quota is exceeded?

  16. Dear Mr Iman,

    How can the account be immediately locked when a user sends an email that exceeds the specified limit?

    thanks

  17. Good night,
    I followed the article and managed to restrict sending, but I still receive email.
    Could policyd block sending to and receiving from domains outside the group?

    1. Hi Diego,
      If your server is for internal use only, you can block incoming port 25, so you will not receive email from outside. If your server should receive email from outside, you can configure an ACL and adjust source and destination with your rule

  18. Hello Iman,

    This is for a single user right?

    If I want the xxx.net, yyy.net, zzz.net domains (I mean all the users in them) to not be able to send to any external domains (like gmail), how should I manipulate this rule?

    Regards,
    Liju

  19. I enabled this service (access control) and it was working fine. I also enabled the SPF check and the quota service for controlling the number of emails sent in an hour. After this, the access control module is not working.
    In the log it is observed as follows:
    [2021/04/12-11:16:23 – 23753] [CORE] INFO: module=CheckSPF – Think this is working condition
    [2021/04/12-11:16:23 – 23753] [CORE] INFO: module=Quotas – Think this is working condition
    However, for the access control module no logs are observed; instead these logs are observed:
    [2021/04/12-11:16:23 – 23753] [CBPOLICYD] INFO: Got request #5 (pipelined)
    [2021/04/12-11:16:45 – 19785] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:36658, Local: 127.0.0.1:10031
    [2021/04/12-11:16:55 – 20887] [CORE] INFO: Killing “1” children
    [2021/04/12-11:16:55 – 24935] [CBPOLICYD] DEBUG: Shutting down caching engine (24935)
    [2021/04/12-11:17:11 – 20887] [CORE] INFO: Starting “1” children
    [2021/04/12-11:17:11 – 23912] [CORE] INFO: 2021/04/12-11:17:11 CONNECT TCP Peer: “[127.0.0.1]:36698” Local: “[127.0.0.1]:10031”
    [2021/04/12-11:17:11 – 25625] [CORE] DEBUG: Child Preforked (25625)
    [2021/04/12-11:17:11 – 25625] [CBPOLICYD] DEBUG: Starting up caching engine
    [2021/04/12-11:17:11 – 23912] [CBPOLICYD] INFO: Got request #1
    [2021/04/12-11:17:18 – 23912] [CBPOLICYD] INFO: Got request #2 (pipelined)

    cbpolicyd details:
    zimbra@system:~$ zmlocalconfig | grep -i cbpolicy
    cbpolicyd_bind_port = 10031
    cbpolicyd_bypass_mode = tempfail
    cbpolicyd_bypass_timeout = 30
    cbpolicyd_cache_file = ${zimbra_home}/data/cache
    cbpolicyd_db_file = ${zimbra_home}/data/cbpolicyd/db/cbpolicyd.sqlitedb
    cbpolicyd_log_detail = info
    cbpolicyd_log_file = ${zimbra_log_directory}/cbpolicyd.log
    cbpolicyd_log_level = 4
    cbpolicyd_log_mail = main
    cbpolicyd_max_requests = 1000
    cbpolicyd_max_servers = 25
    cbpolicyd_max_spare_servers = 12
    cbpolicyd_min_servers = 4
    cbpolicyd_min_spare_servers = 4
    cbpolicyd_module_accesscontrol = 1
    cbpolicyd_module_accounting = 0
    cbpolicyd_module_amavis = 0
    cbpolicyd_module_checkhelo = 1
    cbpolicyd_module_checkspf = 1
    cbpolicyd_module_greylisting = 1
    cbpolicyd_module_greylisting_blacklist_msg = Greylisting in effect, sending server blacklisted
    cbpolicyd_module_greylisting_defer_msg = Greylisting in effect, please come back later
    cbpolicyd_module_greylisting_training = 0
    cbpolicyd_module_quotas = 1
    cbpolicyd_pid_file = ${zimbra_log_directory}/cbpolicyd.pid
    cbpolicyd_timeout_busy = 120
    cbpolicyd_timeout_idle = 1020

  20. Hi Iman,

    I have applied CBPolicyd, but when enabling the service in Zimbra version 8.8 I am getting:
    Nov 11 20:33:39 mail postfix/postscreen[]: warning: cannot connect to service private/smtpd: Resource temporarily unavailable
    Nov 11 20:33:39 mail postfix/postscreen[]: CONNECT from [IP]:33338 to [IP]:25
    Nov 11 20:33:39 mail postfix/postscreen[]: PASS OLD [IP]:33338
