Zimbra

Restricting Users to Send mails to Certain Domains on Zimbra 8.5

Previously, I explained how to restrict users from sending mail to certain users/domains using CBPolicyd. This article has the same aim as the previous one, but in this case we must make some modifications to Postfix to get it working. This is how to apply it.

Run the following commands as the zimbra user.

1. Open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the top:

check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders

2. Open the file /opt/zimbra/conf/zmconfigd.cf and add these lines before RESTART mta. This is an example from my system:

POSTCONF    smtpd_restriction_classes  local_only
POSTCONF    local_only  FILE  postfix_check_recipient_access.cf
RESTART mta

3. Create a file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line

check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject

4. Create a file “/opt/zimbra/postfix/conf/restricted_senders” and list all the users you want to restrict. Follow this syntax:

user@yourdomain.com            local_only

5. Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains to which the “restricted users” are allowed to send mail. Follow this syntax:

yourdomain.com              OK 
otheralloweddomain.com      OK

6. Run the following commands:

postmap /opt/zimbra/postfix/conf/restricted_senders
postmap /opt/zimbra/postfix/conf/local_domains 
zmmtactl stop 
zmmtactl start

Now try sending email to an allowed domain and to a domain that is not allowed. If you add a new user in step 4 or a new domain in step 5, don’t forget to run step 6 again.
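
A pre-flight check for steps 4 to 6, added here as an example (it is not part of the original article or of Zimbra): it lints the two lookup tables and confirms that each compiled table is at least as new as its source before the MTA is restarted. The function names, the CONF_DIR and DB_SUFFIX variables and the `check` argument are assumptions of this example; the compiled file is `name.lmdb` for `lmdb:` tables and `name.db` for `hash:` tables.

```shell
#!/bin/sh
# Added example: pre-flight check for the lookup tables from steps 4 and 5.
# CONF_DIR and DB_SUFFIX are assumptions: use DB_SUFFIX=db for hash: tables.
CONF_DIR="${CONF_DIR:-/opt/zimbra/postfix/conf}"
DB_SUFFIX="${DB_SUFFIX:-lmdb}"

# lint_map FILE VALUE: report malformed entries; non-zero status on any finding.
lint_map() {
    [ -r "$1" ] || { echo "$1: missing or unreadable"; return 1; }
    awk -v want="$2" '
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/   { bad("indented line continues the previous entry"); next }
        NF != 2    { bad("expected exactly two fields: key and value"); next }
        $1 ~ /[*]/ { bad("\"*\" is a literal character, indexed tables have no wildcards") }
        $2 != want { bad("value is \"" $2 "\", this setup expects \"" want "\"") }
        seen[tolower($1)]++ { bad("duplicate key \"" $1 "\"") }
        END { exit (n > 0) }
    ' "$1"
}

# db_fresh FILE: succeeds only if the compiled table exists and the source
# has not been edited since postmap last ran (step 6).
db_fresh() {
    db="$1.$DB_SUFFIX"
    [ -f "$db" ] && [ ! "$1" -nt "$db" ]
}

# preflight: lint both tables, then check that step 6 was re-run after edits.
preflight() {
    rc=0
    lint_map "$CONF_DIR/restricted_senders" local_only || rc=1
    lint_map "$CONF_DIR/local_domains" OK || rc=1
    for m in restricted_senders local_domains; do
        db_fresh "$CONF_DIR/$m" ||
            { echo "$m: compiled table missing or stale, re-run postmap"; rc=1; }
    done
    return $rc
}

# Run the checks only when invoked with the argument "check".
if [ "${1:-}" = check ]; then preflight; fi
```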

Good luck and hopefully useful 😀

Let’s See the Video on Youtube


Source : http://wiki.zimbra.com/wiki/Restrict_users_to_certain_domain

84 comments

  1. Hi phphy,

    If using scripts, I have not tested it previously. But if using CBPolicyd, I can do it with the example in this article: https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/. For example, user@imanudin.net cannot receive from any domain except the local domain @imanudin.net

    You just need to create Policy and Access Control.

    On Policy, this is my example :
    Source : !@imanudin.net
    Destination : user@imanudin.net

    On Access Control, this is my example :
    Policy link to Policy on above
    Action : reject or discard

    With the example above, user@imanudin.net will receive from domain imanudin.net only

    1. I want to restrict some users to send and receive mail from the LAN only. The server is deployed on the LAN, and these internal users are not permitted to send or receive mail from the WAN. These users are in the same domain.

      lan:192.168.1.0/24
      wan:!192.168.1.0/24

  2. Yes,

    You can do it by following my guidance in the previous comment. If you are using IP addresses, I am worried that some users not listed as internal-only cannot receive from WAN

  3. Thank you for the tip

    I do have a multi-server install where the MTA is on its own, and there’s NO file zmconfigd.cf
    [zimbra@mta ~]$ rpm -V zimbra-core-8.5.1_GA_3056.RHEL7_64-20141103151708.x86_64|grep zmconfigd.cf
    missing /opt/zimbra/conf/zmconfigd.cf

    any idea ???

    1. Sorry guys, it was my fault :$
      I did this: mv /opt/zimbra/conf/zmconfigd.cf /opt/zimbra/conf/zmconfigd.cf.original
      and forgot it 🙁

  4. Hello, I have followed all the instructions to restrict 2 external domains for one user, but after I applied the postmap commands, I tried to send emails to the restricted domains declared in: Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains where “restricted users” allowed to sent mails. Please follow this syntax:
    yourdomain.com OK
    otheralloweddomain.com OK

    but now I can’t send any emails; the error is this one:
    ‘admin@hilasal.sv’ on 6/16/2015 11:46 AM
    Server error: ‘451 4.3.5 : Sender address rejected: Server configuration error’
    I have Zimbra 8.0.1. Could someone please help me? Thanks

    1. Hi Frank,

      If using Zimbra 8.0.x, please change lmdb to hash, so that lmdb:/opt/zimbra/postfix/conf/local_domains becomes hash:/opt/zimbra/postfix/conf/local_domains

  5. Is it possible to do this by class of service instead of by user? We have hundreds of users who need to be restricted.

  6. Hi, thanks for the article, it helped me a lot. Do you have an article on how to block all incoming mail from outside and only accept mail from some listed domains?

  7. Thanks Iman.
    Applying no.1 needs to restart “whole zimbra” to update postfix/main.cf. – “zmcontrol restart”.
    Otherwise, you will get Adriano’s problem. – external clients can send email to not-allowed domains.

    1. Hi,

      Have you checked the sample configuration and the testing in the video? Please make sure your email client uses SMTP SSL/TLS (465/587)

  8. Hello, I want to do this Restricting Users to Send mails to Certain Domains on Zimbra 8.5, but instead of send, I want to restrict to receive local only

  9. I want my domain to send and receive only local mail. I did what you posted about sending and it is working perfectly, we are able to send local mail only, but now I need to restrict the incoming mail to only local. Please help me if you can

  10. If I want to apply the domain restrictions to all users, is there an easier way to do that? I’ve tried:

    * local_only
    *@example.com local_only
    “*”@example.com local_only

    They all didn’t work.

  11. Hello,
    I followed same steps as mentioned in blog. But still that email can send email to other domain.
    Can you please let me know if need to any changes to check it.

  12. I have restarted service and server too. And i followed both guidance and update it my server
    but still that users sending mail on other domain.
    Do i have check specific thing on it?

      1. He Iman,
        Thanks for helping us here….
        Can you please give some tips to resolve the issue on same setup. So it would be easy work on it..

          1. Hello Iman,

            Have you had a chance to look into this issue…
            or is this not supported with 8.6??

  13. Hi iman,

    My policyd does not work. I am able to send mails to outside domains even though I have configured policyd as per the tutorial. My version is 8.6

    1. Hello Gul Khan,

      Please try to restart the Policyd services and try again. Please make sure all configuration on access control has been changed from disable = yes to disable = no

      su - zimbra
      zmcbpolicydctl restart
      
  14. Hi Iman,

    I have done that and have checked the access control settings for NO.
    Also I have restarted the cbpolicy as per the above command. Moreover I have tried restarting the Zimbra Server also.
    Zimbra Version:
    8.6.0_GA_1153.FOSS

  15. Hi Iman,
    I am new to CentOS and Zimbra. Very helpful site, imanudin.net contains good articles. Keep rocking, looking forward…. Thank you

  16. Hi Imanudin,

    Thanks for the article i found this article very helpful,
    i have one more questions on this , can we allow emails to send only internal domain (New email Server hosted in the same network not zimbra )

  17. Hi i configured the above settings it worked !!! thanks a lot

    but do we have GUI version of this ?? so next time if we need to add users no need to go for command line ..

  18. ok just delete all the settings applied and restart the below services
    postmap /opt/zimbra/postfix/conf/restricted_senders
    postmap /opt/zimbra/postfix/conf/local_domains
    zmmtactl stop
    zmmtactl start

  19. hi Mas Iman,

    I can’t create the file from step 4 (Create a file “/opt/zimbra/postfix/conf/restricted_senders”)
    and I get this error when saving the file:

    “postfix/conf/restricted_senders”
    “postfix/conf/restricted_senders” E212: Can’t open file for writing

    So I decided to exit zimbra and use root access, but when I run the command to rewrite the configuration, it says permission denied. Please help, Mas Iman

  20. Hello iman,
    The above instructions apply to restricting single users from sending mail to external domains, and we can list the allowed domains.

    But we have a scenario where we need to restrict all Zimbra users from sending mail to one entire domain in particular, gmail.com. Is it possible? Kindly guide us.

  21. Hi Iman,

    Could you please guide me, how to block outgoing external specific email id sending by zimbra user.
    I am using zimbra 8.5.1_GA_3056. in centos

    Thanks
    Abrar

  22. I am using Zimbra 8.7
    Hello, I have followed all the instructions to restrict 2 external domains for one user, but after I applied the postmap commands, I tried to send emails to the restricted domains declared in: Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains where “restricted users” allowed to sent mails. Please follow this syntax:
    nysofts.com OK

    but now I can’t send any emails; the error is this one:

    Message not sent; one or more addresses were not accepted.
    Rejected addresses: admin
    method: [unknown]
    msg: Invalid address: admin . com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient admin@nysofts.com: 451 4.3.5 : Recipient address rejected: Server configuration error
    code: mail.SEND_ABORTED_ADDRESS_FAILURE
    detail: soap:Sender
    trace: qtp127618319-1770:1507485049713:4c2973ff049eaa7f

  23. Tried with this . getting same error in version: “8.7.11_GA_1854”
    @ MAC says:October 8, 2017 at 5:55 pm

    so how to postdrop/ come back to normal

  24. Hi Sir Iman,

    Good day!

    Is it possible to do this by all domain instead of by user? We have hundreds of users who need to be restricted.

    Thank you sir,

  25. Helpful article,

    I have restricted test@internal.com to send mail to internal.com only. But I have configured a Persona in the same account with test@external.com, which doesn’t have any restriction. The error below is shown when sending a message using the persona.

    Message not sent; one or more addresses were not accepted.
    Rejected addresses: someone@gmail.com

    How can we restrict user to local domain but allow to use persona in some accounts to send mail to external world.

  26. Hello, Iman.
    My Zimbra server uses mta, not postfix,
    and your configuration uses postfix. There is a configuration in the postfix folder, how do I make it?
    Please help me.

    thanks
