How to restrict outgoing email as well as external web access for certain users?

[kingcu]

In our use case, we need to block outgoing email for some users, meaning that these users can only send email within the company, they can't send email to an external domain.

Another requirement is to restrict external web access to the Zimbra server, only a few users is allowed to log onto Zimbra server from external IPs, while all the other users can only access Zimbra from within our company LAN.

Are those two configurations possible with Zimbra? If yes, it'll be highly appreciated if someone can provide a how-to guide.

[Cine]

Hello Kingcu,

as far as I know it's not possible to restrict web access directly from Zimbra, while restricting outgoing emails is pretty easy by customizing Postfix's configuration:
[al commands must be ran as 'root']

1 - Create a file called "postfix_restricted_senders" in /opt/zimbra/conf/
2 - Populate the file using the following syntax (one entry per line):

Code:

restricted_user1@domain.tld  insider_only
restricted_user2@domain.tld  insider_only
restricted_user3@domain.tld  insider_only

3 - Use postmap to prepare the .db file that postfix will use:

Code:

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_restricted_senders

4 - Insert the following Keys in "/opt/zimbra/conf/localconfig.xml"

Code:

<key name="postfix_insider_only">
   <value>check_recipient_access hash:/opt/zimbra/conf/postfix_local_domains,reject</value>
 </key>

 <key name="postfix_smtpd_restriction_classes">
   <value>insider_only</value>
 </key>

5 - Insert the following lines in "/opt/zimbra/conf/zmmta.cf" in the "MTA" section just before the "RESTART mta" line [In Zimbra 8+ edit the zmconfigd.cf file instead]

Code:

POSTCONF smtpd_restriction_classes       LOCAL   postfix_smtpd_restriction_classes
POSTCONF insider_only     LOCAL   postfix_insider_only

6 - Create the /opt/zimbra/conf/postfix_local_domains file listing all your domains.

Code:

mylocaldomain.com    OK
myseconddomain.com    OK

7- Postmap the file running:

Code:

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains

8 - Finally, add the following line in "/opt/zimbra/conf/postfix_recipient_restrictions.cf" (after the "reject_non_fqdn_recipient" line)

Code:

check_sender_access hash:/opt/zimbra/conf/postfix_restricted_senders

9 - The MTA should restart itself after step 8, check your logs and restart it manually if it doesn't restart automatically.

To add new restricted senders edit the "/opt/zimbra/conf/postfix_restricted_senders" file and execute the command in step 3 to finalize the changes.

Remember that this procedure must be applied again after each Zimbra update (only need to repeat steps 4,5 and 6)


As usual, try this configuration on a test environment before applying it in production

Hope this helps,
Cine

[fredmdl]

Hi Cine,
Please can you help me with this steps?
I´m use Release zimbra 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 FOSS edition.
It´s possible to work this configuration in my release?
Because the files "/opt/zimbra/conf/postfix_local_domains" and "/opt/zimbra/conf/zmmta.cf" (steps 4 and 5) don´t exist in my zimbra server.
We are on a testing environment to validate a block to external domain, block webmail and ZeXtras Suite...
Sry my bad English.

[INNOVOT]

In ZCS 8 you will need to update zmconfigd.cf instead of zmmta.cf.

[fredmdl]

INNOVOT tkx for reply...

"/opt/zimbra/conf/zmmta.cf" is now -->> "/opt/zimbra/conf/zmconfigd.cf" OK

but "/opt/zimbra/conf/postfix_local_domains" refer in Step 4 - Insert the following Keys in "/opt/zimbra/conf/localconfig.xml" I don´t find it

And don´t have a step to create it... I need to create a file or its a file that change too?

regards

[d0s0n]

Hi fredmdl,
you're rigth that file is missing from Cine's example. You need to create that file with all your local domains:

Code:

cat /opt/zimbra/conf/postfix_local_domains
mylocaldomain.com	OK
myseconddomain.com	OK

and then you need to "postmap" this file with this command:

Code:

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains

D0s0n

[fredmdl]

Hi fredmdl,
you're rigth that file is missing from Cine's example. You need to create that file with all your local domains:

Code:

cat /opt/zimbra/conf/postfix_local_domains
mylocaldomain.com	OK
myseconddomain.com	OK

and then you need to "postmap" this file with this command:

Code:

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains

D0s0n

Tank you very much for help!
Working now!!!

Just to help someone else:

If you try the steps show by Cine in Zimbra 8 change the files paths:
"/opt/zimbra/conf/zmmta.cf" is now -->> "/opt/zimbra/conf/zmconfigd.cf"
"/opt/zimbra/conf/postfix_recipient_restrictions.cf" is now -->> "/opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf"

Create:

Code:

vi /opt/zimbra/conf/postfix_local_domains
mylocaldomain.com	OK
myseconddomain.com	OK

Postmap:

Code:

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains

[fredmdl]

Guys, just another question with the same subject...

It´s possible to restrict users that is a member of the distribution list put the distribution list in "/opt/zimbra/conf/postfix_restricted_senders" ??

ex.
internal_dis_list@domain.eco.br insider_only

I test this but not work... Need more configurations?

If its possible i will turn off my Exchange LOL

Tks

[d0s0n]

Hi fredmdl,

I think that could be very difficult... maybe you could automate the update of the postfix_restricted_senders file with a script that extract needed data.

D0s0n

[INNOVOT]

You would need to use zmprov and extract the members of the DL.