Restricting Users to Send mails to Certain Domains on Zimbra 8.5

Previously, I explained how to restrict users from sending mail to certain users/domains using CBPolicyd. This article has the same aim as the previous one, but in this case we must make some modifications to Postfix to get it working. This is how to apply it.

Run the following commands as the zimbra user.

1. Open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the top

check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders

2. Open the file /opt/zimbra/conf/zmconfigd.cf and add these lines before RESTART mta. This is an example from my system

POSTCONF    smtpd_restriction_classes  local_only
POSTCONF    local_only  FILE  postfix_check_recipient_access.cf
RESTART mta

3. Create the file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line

check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject

4. Create the file “/opt/zimbra/postfix/conf/restricted_senders” and list all the users you want to restrict. Follow this syntax:

user@yourdomain.com            local_only

5. Create the file “/opt/zimbra/postfix/conf/local_domains” and list all the domains to which “restricted users” are allowed to send mail. Follow this syntax:

yourdomain.com              OK 
otheralloweddomain.com      OK

6. Run the following commands

postmap /opt/zimbra/postfix/conf/restricted_senders
postmap /opt/zimbra/postfix/conf/local_domains 
zmmtactl stop 
zmmtactl start

Try sending email to an allowed domain and to a domain that is not allowed. If you add a new user in step 4 or a new domain in step 5, don’t forget to run step 6 again.

Good luck, and I hope this is useful 😀
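
How the two tables from steps 4 and 5 combine for a given sender and recipient, as an added example that is not part of the original article: a simplified Python model of the Postfix access(5) lookup order (full address, then domain and parent domains, then user@) under default parent-domain matching. The function names and the wild.example and allstaff.example entries are constructed; the example goes beyond the per-user case to show that a bare domain key applies the class to every sender in that domain, while a `*` in a key is matched literally.

```python
# Added illustration (not from the article): a simplified model of how Postfix
# resolves the two access(5) tables from steps 4 and 5. Sample data is constructed.

def parse_table(text):
    """Read 'key  value' lines the way postmap input is laid out."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"entry has no right-hand side: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table

def lookup(table, address):
    """Try user@domain, then domain and its parent domains, then user@."""
    local, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{local}@")
    return next((table[k] for k in keys if k in table), None)

def decide(sender, recipient, restricted_senders, local_domains):
    """'DUNNO' = sender not restricted; otherwise 'OK' or 'REJECT'."""
    if lookup(restricted_senders, sender) != "local_only":
        return "DUNNO"  # check_sender_access matched nothing; later rules apply
    # local_only class: check_recipient_access local_domains, reject
    return "OK" if lookup(local_domains, recipient) == "OK" else "REJECT"

RESTRICTED_SENDERS = parse_table("""
user@yourdomain.com     local_only
*@wild.example          local_only
allstaff.example        local_only
""")
LOCAL_DOMAINS = parse_table("""
yourdomain.com          OK
otheralloweddomain.com  OK
""")

if __name__ == "__main__":
    for s, r in [("user@yourdomain.com", "bob@otheralloweddomain.com"),
                 ("user@yourdomain.com", "someone@example.net"),
                 ("bob@wild.example", "someone@example.net"),
                 ("anyone@allstaff.example", "someone@example.net")]:
        print(f"{s} -> {r}: {decide(s, r, RESTRICTED_SENDERS, LOCAL_DOMAINS)}")
```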

Source : http://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain

93 comments

    1. I restrict users so they can’t send mail from WAN with cbpolicyd, but I don’t know how to restrict users from receiving mail from WAN.

  1. Hi phphy,

    If using scripts, I have not tested it previously. But if using CBPolicyd, I can do it with the example in this article: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/. For example, user@imanudin.net cannot receive from any domain except the local domain @imanudin.net

    You just need to create Policy and Access Control.

    On Policy, this is my example :
    Source : !@imanudin.net
    Destination : user@imanudin.net

    On Access Control, this is my example :
    Policy link to Policy on above
    Action : reject or discard

    With the example above, user@imanudin.net will receive from domain imanudin.net only

    1. I want to restrict some users to send and receive mail from LAN only. The server is deployed on the LAN; internal users are not permitted to send or receive mail from WAN. These users are in the same domain.

      lan:192.168.1.0/24
      wan:!192.168.1.0/24

    2. How do I use force TLS on Zimbra 8.5 and later? I researched that we had to add domains too. Can you share some instructions for it?

  2. Yes,

    You can do it by following my guidance in the previous comment. If you are using IP addresses, I am worried that some users not listed as internal-only cannot receive from WAN

  3. Thank you for the tip

    I do have a multi-server install where the MTA is on its own, and there’s NO file zmconfigd.cf
    [zimbra@mta ~]$ rpm -V zimbra-core-8.5.1_GA_3056.RHEL7_64-20141103151708.x86_64|grep zmconfigd.cf
    missing /opt/zimbra/conf/zmconfigd.cf

    Any idea?

    1. Sorry guys, it was my fault :$
      I did this: mv /opt/zimbra/conf/zmconfigd.cf /opt/zimbra/conf/zmconfigd.cf.original
      and forgot it 🙁

  4. Hey Iman, please tell me where I should put this configuration: on the mail server or the MTA server?

    1. Hi Adriano,

      I’ve updated the article for working with email clients. Please see point no. 1

  5. Hello, I have followed all the instructions to restrict 2 external domains for one user, but after I applied the postmap commands, I tried to send emails to the restricted domains declared in: Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains where “restricted users” allowed to sent mails. Please follow this syntax:
    yourdomain.com OK
    otheralloweddomain.com OK

    but now I can’t send any emails; the error is this one
    ‘admin@hilasal.sv’ on 6/16/2015 11:46 AM
    Server error: ‘451 4.3.5 : Sender address rejected: Server configuration error’
    I have Zimbra 8.0.1. Could someone please help me? Thanks

    1. Hi Frank,

      If using Zimbra 8.0.x, please change lmdb to hash, so that lmdb:/opt/zimbra/postfix/conf/local_domains becomes hash:/opt/zimbra/postfix/conf/local_domains

  6. Is it possible to do this by class of service instead of by user? We have hundreds of users who need to be restricted.

  7. Hi, thanks for the blog.

    Is it possible to restrict a COS (class of service) or “dl” (distribution list) this way?

  8. Hi, thanks for the article, it helped me a lot. Do you have an article on blocking all incoming mail from outside and only accepting mail from some listed domains?

  9. Hi Iman, can Zimbra allow some users to access the web from external and restrict others so they can’t access from external?
    thanks

  10. Thanks Iman.
    Applying no.1 needs to restart “whole zimbra” to update postfix/main.cf. – “zmcontrol restart”.
    Otherwise, you will get Adriano’s problem. – external clients can send email to not-allowed domains.

    1. Hi,

      Have you checked the sample configuration and the testing in the video? Please make sure your email client uses SMTP SSL/TLS (465/587)

  11. Hello, I want to do this “Restricting Users to Send mails to Certain Domains on Zimbra 8.5”, but instead of sending, I want to restrict receiving to local only

  12. I want my domain to send and receive only local mail. I did what you posted about sending and it is working perfectly; we are only able to send local mail. But now I need to restrict incoming mail to local only. Please help me if you can

  13. If I want to apply the domain restrictions to all users, is there an easier way to do that? I’ve tried:

    * local_only
    *@example.com local_only
    “*”@example.com local_only

    They all didn’t work.

  14. Hello,
    I followed the same steps as mentioned in the blog, but that email can still send email to other domains.
    Can you please let me know if any changes are needed to check it?

  15. I have restarted the service and the server too, and I followed both guides and updated my server,
    but those users are still sending mail to other domains.
    Do I have to check a specific thing on it?

      1. Hey Iman,
        Thanks for helping us here….
        Can you please give some tips to resolve the issue on the same setup, so it would be easy to work on it?

          1. Hello Iman,

            Have you had a chance to look into this issue…
            or is this not supported with 8.6?

  16. Hi iman,

    My policyd does not work. I am able to send mails to outside domains even though I have configured policyd as per the tutorial. My version is 8.6

    1. Hello Gul Khan,

      Please try to restart the Policyd services and try again. Please make sure all configuration on access control has been changed from disable = yes to disable = no

      su - zimbra
      zmcbpolicydctl restart
      
  17. Hi Iman,

    I have done that and have checked the access control settings for NO.
    Also I have restarted the cbpolicy as per the above command. Moreover I have tried restarting the Zimbra Server also.
    Zimbra Version:
    8.6.0_GA_1153.FOSS

  18. Hi Iman,
    I am new to CentOS and Zimbra. Very helpful site; imanudin.net contains good articles. Keep rocking, looking forward…. Thank you

  19. Hi Imanudin,

    Thanks for the article, I found it very helpful.
    I have one more question on this: can we allow emails to be sent only to an internal domain (a new email server hosted in the same network, not Zimbra)?

  20. Hi, I configured the above settings and it worked!!! Thanks a lot

    But do we have a GUI version of this, so next time we need to add users there is no need to go to the command line?

  21. But I applied the above postfix settings; can I use this link, or do I need to remove these postfix settings?

  22. OK, just delete all the settings applied and restart the services below
    postmap /opt/zimbra/postfix/conf/restricted_senders
    postmap /opt/zimbra/postfix/conf/local_domains
    zmmtactl stop
    zmmtactl start

  23. Hi Mas Iman,

    I can’t create the file of step 4: 4. Create a file “/opt/zimbra/postfix/conf/restricted_senders”
    and I get this error when saving it to the file

    “postfix/conf/restricted_senders”
    “postfix/conf/restricted_senders” E212: Can’t open file for writing

    So I decided to exit zimbra and use root access, but when I run the command to rewrite the configuration it says permission denied. Please help, Mas Iman

      1. Iman,

        I am facing the same problem as faced by Made Hartadi.
        My Zimbra version is Version 8.8.15_GA_4257.FOSS Mar 24, 2022

        Please guide us in solving it instead of recommending policyd as I am comfortable with it.

        Thanks.

  24. Hello Iman,
    The above instructions apply to restricting single users from sending mail to external domains, and we can mention allowed domains.

    But we have a scenario where we need to restrict all Zimbra users from sending mail to the entire gmail.com domain in particular. Is it possible? Kindly guide us.

  25. Dear Imam,

    Could you please guide me on applying sender restrictions on Zimbra 8.7.11_GA_1854?

    Thanks & Regards
    Prasad K

  26. Hi Iman,

    Could you please guide me on how to block outgoing mail sent by Zimbra users to a specific external email ID?
    I am using Zimbra 8.5.1_GA_3056 on CentOS

    Thanks
    Abrar

  27. I am using Zimbra 8.7
    Hello, I have followed all the instructions to restrict 2 external domains for one user, but after I applied the postmap commands, I tried to send emails to the restricted domains declared in: Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains where “restricted users” allowed to sent mails. Please follow this syntax:
    nysofts.com OK

    but now I can’t send any emails; the error is this one

    Message not sent; one or more addresses were not accepted.
    Rejected addresses: admin
    method: [unknown]
    msg: Invalid address: admin . com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient admin@nysofts.com: 451 4.3.5 : Recipient address rejected: Server configuration error
    code: mail.SEND_ABORTED_ADDRESS_FAILURE
    detail: soap:Sender
    trace: qtp127618319-1770:1507485049713:4c2973ff049eaa7f

    1. Hi,
      If using Zimbra 8.7, the default configuration is in /opt/zimbra/common/conf/local_domains, not in /opt/zimbra/postfix/conf/local_domains

  28. Tried with this . getting same error in version: “8.7.11_GA_1854”
    @ MAC says:October 8, 2017 at 5:55 pm

    so how to postdrop/ come back to normal

  29. Hi Sir Iman,

    Good day!

    Is it possible to do this for a whole domain instead of by user? We have hundreds of users who need to be restricted.

    Thank you sir,

  30. Helpful article,

    I have restricted test@internal.com to send mail to internal.com only. But I have configured a Persona in the same account with test@external.com, which doesn’t have any restriction. The error below is shown while sending a message using the persona.

    Message not sent; one or more addresses were not accepted.
    Rejected addresses: someone@gmail.com

    How can we restrict a user to the local domain but allow a persona to be used in some accounts to send mail to the external world?

  31. Hello, Iman.
    My Zimbra server uses mta, not postfix,
    and your configuration uses postfix. There is a configuration in the postfix folder; how do I make it?
    Please help me.

    thanks

  32. Hi

    I hope you are fine. Very nice article. You have done a really great job. My question is: I want to restrict my user1@abc.com to only send and receive email internally, I mean not from outside the domain, and my user2@abc.com can send and receive emails on both sides, internal and external. How can we achieve this?

    Moreover, will it affect my rate limit policy, yes or no, if I have that configured?
    Looking forward to your good response.

    1. Hello Muhammad Khan,
      You can create some policies and access controls. For sending/receiving internally, you can make members like below:

      source : user1@abc.com  dest : !@abc.com  access control : reject
      source : !@abc.com  dest : user1@abc.com  access control : reject
      

      For other policies, you can adjust to your requirements

  33. Hi Imanudin,

    Thanks for the article, I found it very helpful. Is there any way we can restrict a couple of users from sending to a specific e-mail (we want to block sending to some gmail addressees but not to all)?

    Best,
    Alex

  34. Hi Iman,
    We have already configured domain restrictions and want to restrict attachments at the domain level.
    Can you please advise how to restrict attachments at the domain level?


    Dilli
