Previously, I explained how to restrict users to sending mail only to certain users/domains using CBPolicyd. This article has the same aim as the previous one, but in this case we must modify the Postfix configuration to make it work. This is how to apply it.
Run the following commands as the zimbra user.
1. Open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the top:
check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders
2. Open the file /opt/zimbra/conf/zmconfigd.cf and add these lines before RESTART mta. This is an example from my system:
POSTCONF smtpd_restriction_classes local_only
POSTCONF local_only FILE postfix_check_recipient_access.cf
RESTART mta
3. Create the file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line:
check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject
4. Create the file “/opt/zimbra/postfix/conf/restricted_senders” and list all the users you want to restrict. Use this syntax:
user@yourdomain.com local_only
5. Create the file “/opt/zimbra/postfix/conf/local_domains” and list all the domains to which the restricted users are allowed to send mail. Use this syntax:
yourdomain.com OK
otheralloweddomain.com OK
6. Run the following commands:
postmap /opt/zimbra/postfix/conf/restricted_senders
postmap /opt/zimbra/postfix/conf/local_domains
zmmtactl stop
zmmtactl start
Try sending email to an allowed domain and to a domain that is not allowed. If you add a new user in step 4 or a new domain in step 5, don’t forget to run step 6 again.
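The lookups that steps 1 to 5 wire together can be modelled offline to check the two map files before running postmap. The Python sketch below is an added example, not part of the original article or of Zimbra/Postfix: the function names are hypothetical, the map contents are the article's placeholder entries, and it assumes Postfix's default access(5) key order (full address, then the domain and its parent domains, then localpart@). It also accepts domain-level keys, which goes beyond the single-user entry shown in step 4.

```python
# Added example: offline model of the sender/recipient access-map lookups.
# Map contents are the article's placeholder entries (constructed sample data).
RESTRICTED_SENDERS = """
user@yourdomain.com      local_only
"""
LOCAL_DOMAINS = """
yourdomain.com           OK
otheralloweddomain.com   OK
"""

def parse_map(text):
    """Parse 'key value' lines into a dict with lowercase keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"entry without a right-hand side: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table

def lookup(table, address):
    """Try keys in access(5) order: user@domain, domain and parents, user@."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return next((table[k] for k in keys if k in table), None)

def decide(sender, recipient, senders, domains):
    """Verdict for one envelope sender (MAIL FROM) / recipient (RCPT TO) pair."""
    if lookup(senders, sender) != "local_only":
        return "DUNNO"  # sender not restricted; later restrictions decide
    # local_only class: check_recipient_access local_domains, reject
    return "OK" if lookup(domains, recipient) == "OK" else "REJECT"

SENDERS = parse_map(RESTRICTED_SENDERS)
DOMAINS = parse_map(LOCAL_DOMAINS)

if __name__ == "__main__":
    for rcpt in ("bob@otheralloweddomain.com", "someone@example.net"):
        print(rcpt, decide("user@yourdomain.com", rcpt, SENDERS, DOMAINS))
```

On the server itself, `postmap -q user@yourdomain.com lmdb:/opt/zimbra/postfix/conf/restricted_senders` queries the compiled map directly and should print `local_only`.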
Good luck and hopefully useful 😀
Let’s See the Video on Youtube
Source : http://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain
Hi iman.
I want to restrict some users to receive mail from the LAN only. Can scripts or cbpolicyd do this?
I restricted users so they can’t send mail from the WAN with cbpolicyd, but I don’t know how to restrict users from receiving mail from the WAN.
How can I block users from receiving mail from the WAN?
Hi phphy,
If using scripts, I have not tested it previously. But if using CBPolicyd, I can do it with the example in this article: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/. For example, user@imanudin.net cannot receive from any domain except the local domain @imanudin.net
You just need to create a Policy and an Access Control.
In the Policy, this is my example:
Source : !@imanudin.net
Destination : user@imanudin.net
In the Access Control, this is my example:
Policy : link to the Policy above
Action : reject or discard
With the example above, user@imanudin.net will receive from the domain imanudin.net only
I want to restrict some users to send and receive mail from the LAN only. The server is deployed on the LAN, and internal users are not permitted to send or receive mail from the WAN. These users are in the same domain.
lan:192.168.1.0/24
wan:!192.168.1.0/24
How do I use forced TLS on Zimbra 8.5 and later? I researched that we had to add domains too. Can you share some instructions for it?
Hi Ahmed,
Did you mean TLS for incoming and outgoing email?
Yes,
You can do it by following my guidance in the previous comment. If you are using IP addresses, I am worried that some users not listed as internal only cannot receive from the WAN
Thank you for the tip
I do have a multi-server install where the MTA is on its own, and there’s NO file zmconfigd.cf
[zimbra@mta ~]$ rpm -V zimbra-core-8.5.1_GA_3056.RHEL7_64-20141103151708.x86_64|grep zmconfigd.cf
missing /opt/zimbra/conf/zmconfigd.cf
any idea ???
Sorry guys, it was my fault :$
I did this: mv /opt/zimbra/conf/zmconfigd.cf /opt/zimbra/conf/zmconfigd.cf.original
and forgot it 🙁
Hi Zydoon,
Does this mean your problem has been solved?
Hey Iman, please tell me where I should put this configuration: on the mail server or the MTA server?
Hi Mahesh,
You should put the configuration on the MTA server
Works only for users in the web client. Why isn’t it working for Thunderbird or Outlook?
Hi Adriano,
I am still working on it and looking for a solution to why it does not work properly with email clients
Hi Adriano,
I’ve updated the article to work with email clients. Please see point no. 1
Hello, I have followed all the instructions to restrict 2 external domains for one user, but after I applied the postmap commands, I tried to send emails to the restricted domains declared in: Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains where “restricted users” allowed to sent mails. Please follow this syntax:
yourdomain.com OK
otheralloweddomain.com OK
but now I can’t send any emails; the error is this one
‘admin@hilasal.sv’ on 6/16/2015 11:46 AM
Server error: ‘451 4.3.5 : Sender address rejected: Server configuration error’
I have Zimbra 8.0.1. Could someone please help me? Thanks
Hi Frank,
If using Zimbra 8.0.x, please change lmdb to hash, so that lmdb:/opt/zimbra/postfix/conf/local_domains becomes hash:/opt/zimbra/postfix/conf/local_domains
sorry for allowed only 2 external domains for one user
Is it possible to do this by class of service instead of by user? We have hundreds of users who need to be restricted.
Hi Phil,
For now, I have not yet found out how to do that 😀
Great article. Thanks.
Same article can be found here:
https://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain
Hi Lokra,
I also refer to the article 😀
Hello!
Can I use a regexp in restricted_senders?
How?
Hi Kirill,
I have not yet tried to use regexp 😀
Hi, thanks for the blog.
Is it possible to restrict a COS (class of service) or “dl” (distribution list) this way?
Hi Jorgemop,
For restricting a DL, maybe yes. But for COS, I have not yet tried 😀
Hi, thanks for the article, it helped me a lot. Do you have an article on blocking all incoming mail from outside and only accepting mail from some listed domains?
Hi Madushan,
You can install and configure PolicyD on your Zimbra server. Please take a look at an example of how to use PolicyD: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
Thanks Iman, I did the PolicyD configuration and it worked fine. Thanks a lot. Keep it up 🙂
Hi Iman, can Zimbra restrict some users so they can access the web from external and restrict some so they can’t access it from external?
thanks
Thanks Iman.
Applying no.1 needs to restart “whole zimbra” to update postfix/main.cf. – “zmcontrol restart”.
Otherwise, you will get Adriano’s problem. – external clients can send email to not-allowed domains.
Hi,
Have you checked the sample configuration and the test in the video? Please make sure your email client uses SMTP SSL/TLS (465/587)
Hello, I want to do this Restricting Users to Send mails to Certain Domains on Zimbra 8.5, but instead of send, I want to restrict to receive local only
I want my domain to send and receive only local mail. I did what you posted about sending and it is working perfectly; we are able to send only local mail, but now I need to restrict incoming mail to local only. Please help me if you can
Hello Julio,
I will try your request in my lab. But please check this different way to do it: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
You can adjust it to your condition (incoming or outgoing)
OK Iman, I will check that out and wait for the results from your lab.
Thanks a lot.
If I want to apply the domain restrictions to all users, is there an easier way to do that? I’ve tried:
* local_only
*@example.com local_only
“*”@example.com local_only
They all didn’t work.
Hi,
I haven’t tried it. If you try and succeed, please tell me 😉
Hello,
I followed the same steps as mentioned in the blog. But that email account can still send email to other domains.
Can you please let me know if I need to make any changes to check it?
Hello Vijay,
Please try to restart your MTA services. Please also check the guidance on Youtube 🙂
I have restarted the service and the server too. And I followed both guides and updated my server
but those users are still sending mail to other domains.
Do I have to check a specific thing on it?
Hello Vijay,
Maybe you can try a different method to achieve your requirement: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
Hi Iman,
Thanks for helping us here….
Can you please give some tips to resolve the issue on the same setup, so it would be easy to work on it?
Can you please update if you have any idea?
I will try in Zimbra 8.6
I have tried the setup given in the link below, but mail is still going out.
Do we require a specific change from the given link?
https://wiki.zimbra.com/wiki/Restrict_account_from_sending_emails_to_all_domains
Any update from your side?
Hello Vijay,
I am on duty for 2-3 weeks from now and have not yet tried this.
Hello Iman,
Have you had a chance to look into this issue?
Or is this not supported with 8.6?
Hi iman,
My policyd does not work. I am able to send mails to outside domains even when I have configured policyd as per the tutorial. My version is 8.6
Hello Gul Khan,
Please try to restart the Policyd services and try again. Please make sure every configuration in access control has been changed from disable = yes to disable = no
Hi Iman,
I have done that and have checked the access control settings for NO.
Also I have restarted the cbpolicy as per the above command. Moreover I have tried restarting the Zimbra Server also.
Zimbra Version:
8.6.0_GA_1153.FOSS
Also not working with changes to postfix as described in above tutorial.
I will try in Zimbra 8.6
Hi Iman,
I am new to CentOS and Zimbra. Very helpful site; imanudin.net contains good articles. Keep rocking, looking forward…. Thank you
Hi Imanudin,
Thanks for the article, I found it very helpful.
I have one more question on this: can we allow emails to be sent only to an internal domain (a new email server hosted in the same network, not Zimbra)?
Hi, I configured the above settings and it worked!!! Thanks a lot
But do we have a GUI version of this, so next time if we need to add users there is no need to go to the command line?
Hello,
You can try this one : https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
But I applied the above Postfix settings. Can I use this link, or do I need to remove these Postfix settings?
Hi,
You can select one of the two choices 😉. If you want a GUI interface, you should choose PolicyD
I need only one. PolicyD seems to be very good for the GUI, but how do I remove the Postfix settings now?
Hi,
You can revert all the configuration to remove the Postfix settings
OK, just delete all the settings applied and restart the services below
postmap /opt/zimbra/postfix/conf/restricted_senders
postmap /opt/zimbra/postfix/conf/local_domains
zmmtactl stop
zmmtactl start
thanks bro, switched to PolicyD..
how to remove cbpolicyd ???
hi Mas Iman,
I can’t create the file in step 4: 4. Create a file “/opt/zimbra/postfix/conf/restricted_senders”
and I get this error when saving the file
“postfix/conf/restricted_senders”
“postfix/conf/restricted_senders” E212: Can’t open file for writing
So I decided to exit the zimbra user and use root access, but when I run the command to rewrite the configuration, it says permission denied. Please help, Mas Iman
Hi Made Hartadi,
Please try to use PolicyD for simple management from the web: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
Iman,
I am facing the same problem as Made Hartadi.
My Zimbra version is Version 8.8.15_GA_4257.FOSS Mar 24, 2022
Please guide us in solving it instead of recommending policyd as I am comfortable with it.
Thanks.
Hello iman,
The above instructions apply to restricting single users from sending mail to external domains, and we can list the allowed domains.
But we have a scenario where we need to restrict all Zimbra users from sending mail to the entire gmail.com in particular. Is it possible? Kindly guide us.
Hi Maruthu,
You can achieve your aim with PolicyD. The following is an example configuration for PolicyD: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
Hello Iman,
Kindly give us any idea for the above query
Dear Iman,
Could you please guide me on applying sender restrictions on Zimbra 8.7.11_GA_1854?
Thanks & Regards
Prasad K
Hi Prasad,
You can try this one : https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
Hi Iman,
Could you please guide me on how to block outgoing mail sent by Zimbra users to a specific external email ID?
I am using Zimbra 8.5.1_GA_3056 on CentOS.
Thanks
Abrar
Hi Abrar Khan,
You can try this guidance: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/ and adjust it to your requirement
I am using Zimbra 8.7
Hello, I have followed all the instructions to restrict 2 external domains for one user, but after I applied the postmap commands, I tried to send emails to the restricted domains declared in: Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains where “restricted users” allowed to sent mails. Please follow this syntax:
nysofts.com OK
but now I can’t send any emails; the error is this one
Message not sent; one or more addresses were not accepted.
Rejected addresses: admin
method: [unknown]
msg: Invalid address: admin . com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient admin@nysofts.com: 451 4.3.5 : Recipient address rejected: Server configuration error
code: mail.SEND_ABORTED_ADDRESS_FAILURE
detail: soap:Sender
trace: qtp127618319-1770:1507485049713:4c2973ff049eaa7f
Hi,
If using Zimbra 8.7, the default configuration is in /opt/zimbra/common/conf/local_domains, not in /opt/zimbra/postfix/conf/local_domains
Tried with this. Getting the same error in version: “8.7.11_GA_1854”
@ MAC says:October 8, 2017 at 5:55 pm
so how to postdrop/ come back to normal
Hi,
You can revert all the configuration that has been applied
Hi Sir Iman,
Good day!
Is it possible to do this by whole domain instead of by user? We have hundreds of users who need to be restricted.
Thank you sir,
Hi,
I recommend you use this one: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
Helpful article,
I have restricted test@internal.com to send mail to internal.com only. But I have configured a Persona in the same account with test@external.com, which doesn’t have any restriction. The error below is shown while sending a message using the persona.
Message not sent; one or more addresses were not accepted.
Rejected addresses: someone@gmail.com
How can we restrict a user to the local domain but allow the use of a persona in some accounts to send mail to the external world?
Hi Pankaj,
I think email sent using a persona still uses the actual account to send the email, so policyd still assumes it is from test@internal.com
Hello, Iman.
My Zimbra server uses mta, not postfix.
And your configuration uses Postfix. There is configuration in the postfix folder; how do I make it?
please help me.
thanks
Hello,
Zimbra uses Postfix as its MTA engine 🙂. So you can follow this guide for your Zimbra
Hi,
I hope you are fine. Very nice article. You have done a really great job. My question is: I want to restrict my user1@abc.com to only send and receive email internally, I mean not from outside the domain, and my user2@abc.com can send and receive emails on both sides, internal and external. How can we achieve this?
Moreover, will it affect my RATE limit policy, yes or no, if I have configured that?
Looking forward to your good response.
Hello Muhammad Khan,
You can create some policies and access controls. For sending/receiving internally, you can make members like below:
For another policy, you can adjust it to your requirement
Hi Imanudin,
Thanks for the article, I found it very helpful. Is there any way we can restrict a couple of users from sending to a specific e-mail (we want to block sending to some Gmail addressees but not to all)?
Best,
Alex
Hi,
You can try this one: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
Hi Iman,
We have already configured domain restrictions and want to restrict attachments at the domain level.
Can you please advise how to restrict attachments at the domain level?
—
Dilli
Hi,
You can try this one: https://blog.zimbra.com/2023/03/per-user-attachment-size-limits/