How to restrict outgoing email as well as external web access for certain users?

  1. #1
    Active Member
    Join Date
    Mar 2012
    Posts
    4

    How to restrict outgoing email as well as external web access for certain users?

    In our use case, we need to block outgoing email for some users, meaning that these users can only send email within the company, they can't send email to an external domain.

    Another requirement is to restrict external web access to the Zimbra server: only a few users are allowed to log on to the Zimbra server from external IPs, while all the other users can only access Zimbra from within our company LAN.

    Are those two configurations possible with Zimbra? If yes, it'll be highly appreciated if someone can provide a how-to guide.

  2. #2
    ZeXtras Community Manager ZeXtras Employee Cine's Avatar
    Join Date
    Apr 2011
    Posts
    2,291
    Hello Kingcu,

    as far as I know it's not possible to restrict web access directly from Zimbra, while restricting outgoing emails is pretty easy by customizing Postfix's configuration:
    [all commands must be run as 'root']

    1 - Create a file called "postfix_restricted_senders" in /opt/zimbra/conf/
    2 - Populate the file using the following syntax (one entry per line):
    Code:
    restricted_user1@domain.tld  insider_only
    restricted_user2@domain.tld  insider_only
    restricted_user3@domain.tld  insider_only
    3 - Use postmap to prepare the .db file that postfix will use:
    Code:
    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_restricted_senders
    4 - Insert the following Keys in "/opt/zimbra/conf/localconfig.xml"
    Code:
    <key name="postfix_insider_only">
       <value>check_recipient_access hash:/opt/zimbra/conf/postfix_local_domains,reject</value>
     </key>
    
     <key name="postfix_smtpd_restriction_classes">
       <value>insider_only</value>
     </key>
    5 - Insert the following lines in "/opt/zimbra/conf/zmmta.cf" in the "MTA" section just before the "RESTART mta" line [In Zimbra 8+ edit the zmconfigd.cf file instead]
    Code:
    POSTCONF smtpd_restriction_classes       LOCAL   postfix_smtpd_restriction_classes
    POSTCONF insider_only     LOCAL   postfix_insider_only
    6 - Create the /opt/zimbra/conf/postfix_local_domains file listing all your domains.
    Code:
    mylocaldomain.com    OK
    myseconddomain.com    OK
    7 - Postmap the file running:
    Code:
    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains

    8 - Finally, add the following line in "/opt/zimbra/conf/postfix_recipient_restrictions.cf" (after the "reject_non_fqdn_recipient" line)
    Code:
    check_sender_access hash:/opt/zimbra/conf/postfix_restricted_senders
    9 - The MTA should restart itself after step 8, check your logs and restart it manually if it doesn't restart automatically.

    To add new restricted senders edit the "/opt/zimbra/conf/postfix_restricted_senders" file and execute the command in step 3 to finalize the changes.

    Remember that this procedure must be applied again after each Zimbra update (you only need to repeat steps 4, 5 and 6)


    As usual, try this configuration on a test environment before applying it in production

    Hope this helps,
    Cine
    Last edited by Cine; 05-12-2016 at 03:13 PM. Reason: Added missing info
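
The decision that steps 2 to 8 configure, traced on the plain-text map sources (an added example, not part of Cine's post; the function names are hypothetical and the sample entries are constructed from the placeholders in steps 2 and 6). It models exact-address sender keys and domain keys that also match subdomains, which is Postfix's default for access maps; the compiled .db files are not read.

```shell
#!/bin/sh
# Added example: emulates the insider_only decision on the text map files.
# Address extensions and "user@" keys are not modelled.

# map_lookup FILE KEY: print the value stored for KEY (case-insensitive)
map_lookup() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        tolower($1) == key { print $2; exit }' "$1"
}

# domain_lookup FILE DOMAIN: try DOMAIN, then each parent domain
domain_lookup() {
    d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while [ -n "$d" ]; do
        r=$(map_lookup "$1" "$d")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac
    done
    return 1
}

# decide SENDER RECIPIENT SENDERS_FILE DOMAINS_FILE
# prints: unrestricted (sender not in the class), permit, or reject
decide() {
    if [ "$(map_lookup "$3" "$1")" != "insider_only" ]; then
        echo unrestricted                 # later restrictions decide
    elif [ "$(domain_lookup "$4" "${2##*@}")" = "OK" ]; then
        echo permit
    else
        echo reject                       # the trailing ",reject" in step 4
    fi
}

# Constructed sample maps, same syntax as steps 2 and 6
WORK=$(mktemp -d)
SENDERS=$WORK/postfix_restricted_senders
DOMAINS=$WORK/postfix_local_domains
printf '%s\n' 'restricted_user1@domain.tld  insider_only' > "$SENDERS"
printf '%s\n' 'mylocaldomain.com    OK' 'myseconddomain.com    OK' > "$DOMAINS"

decide restricted_user1@domain.tld colleague@mylocaldomain.com "$SENDERS" "$DOMAINS"  # permit
decide restricted_user1@domain.tld someone@example.org "$SENDERS" "$DOMAINS"          # reject
decide restricted_user1@domain.tld peer@domain.tld "$SENDERS" "$DOMAINS"              # reject
decide other_user@domain.tld someone@example.org "$SENDERS" "$DOMAINS"                # unrestricted
```

The third call is rejected because domain.tld is absent from the sample domains map: a restricted sender cannot reach any domain, including their own, that is missing from postfix_local_domains.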

  3. #3
    Active Member
    Join Date
    Feb 2013
    Posts
    14
    Hi Cine,
    Please can you help me with these steps?
    I'm using release zimbra 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 FOSS edition.
    Is it possible for this configuration to work in my release?
    Because the files "/opt/zimbra/conf/postfix_local_domains" and "/opt/zimbra/conf/zmmta.cf" (steps 4 and 5) don't exist in my Zimbra server.
    We are on a testing environment to validate a block to external domain, block webmail and ZeXtras Suite...
    Sorry for my bad English.

  4. #4
    Senior Member Known ZeXtras Reseller
    Join Date
    Feb 2013
    Posts
    79
    In ZCS 8 you will need to update zmconfigd.cf instead of zmmta.cf.

  5. #5
    Active Member
    Join Date
    Feb 2013
    Posts
    14
    INNOVOT, thanks for the reply...

    "/opt/zimbra/conf/zmmta.cf" is now -->> "/opt/zimbra/conf/zmconfigd.cf" OK

    but "/opt/zimbra/conf/postfix_local_domains", referred to in Step 4 - Insert the following Keys in "/opt/zimbra/conf/localconfig.xml", I can't find it

    And there isn't a step to create it... Do I need to create a file, or is it a file that changed too?

    regards

  6. #6
    CTO ZeXtras Employee d0s0n's Avatar
    Join Date
    Apr 2011
    Posts
    549
    Hi fredmdl,
    you're right, that file is missing from Cine's example. You need to create that file with all your local domains:
    Code:
    cat /opt/zimbra/conf/postfix_local_domains
    mylocaldomain.com	OK
    myseconddomain.com	OK
    and then you need to "postmap" this file with this command:
    Code:
    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains
    D0s0n

  7. #7
    Active Member
    Join Date
    Feb 2013
    Posts
    14
    Originally posted by d0s0n:
    Hi fredmdl,
    you're right, that file is missing from Cine's example. You need to create that file with all your local domains:
    Code:
    cat /opt/zimbra/conf/postfix_local_domains
    mylocaldomain.com	OK
    myseconddomain.com	OK
    and then you need to "postmap" this file with this command:
    Code:
    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains
    D0s0n
    Thank you very much for the help!
    Working now!!!

    Just to help someone else:

    If you try the steps shown by Cine in Zimbra 8, change the file paths:
    "/opt/zimbra/conf/zmmta.cf" is now -->> "/opt/zimbra/conf/zmconfigd.cf"
    "/opt/zimbra/conf/postfix_recipient_restrictions.cf" is now -->> "/opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf"

    Create:
    Code:
    vi /opt/zimbra/conf/postfix_local_domains
    mylocaldomain.com	OK
    myseconddomain.com	OK
    Postmap:
    Code:
    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_local_domains

  8. #8
    Active Member
    Join Date
    Feb 2013
    Posts
    14
    Guys, just another question with the same subject...

    Is it possible to restrict users who are members of a distribution list by putting the distribution list in "/opt/zimbra/conf/postfix_restricted_senders"?

    ex.
    internal_dis_list@domain.eco.br insider_only

    I tested this but it did not work... Does it need more configuration?

    If it's possible I will turn off my Exchange LOL

    Thanks

  9. #9
    CTO ZeXtras Employee d0s0n's Avatar
    Join Date
    Apr 2011
    Posts
    549
    Hi fredmdl,

    I think that could be very difficult... maybe you could automate the update of the postfix_restricted_senders file with a script that extracts the needed data.

    D0s0n

  10. #10
    Senior Member Known ZeXtras Reseller
    Join Date
    Feb 2013
    Posts
    79
    You would need to use zmprov and extract the members of the DL.
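
One way to script what posts #9 and #10 suggest, as an added example that is not from the thread: it turns the output of `zmprov gdl <list>` into insider_only entries and merges them with hand-maintained ones. The two output shapes it parses, the function names and the sample addresses are assumptions; nested lists are not expanded.

```shell
#!/bin/sh
# Added example. Assumed zmprov gdl output shapes (check against your server):
# "zimbraMailForwardingAddress: addr" lines, or a "members" line followed
# by one address per line.

# dl_members: zmprov gdl output on stdin -> unique lower-case member addresses
dl_members() {
    awk '/^zimbraMailForwardingAddress:/    { print tolower($2); next }
         $0 == "members"                    { in_members = 1; next }
         in_members && /^[^ \t#]+@[^ \t]+$/ { print tolower($0) }' | sort -u
}

# build_map MANUAL_FILE: hand-maintained entries from MANUAL_FILE plus the DL
# members read from stdin; one line per address, manual entries win.
# Returns 1 with no output when the DL yields no members, so a failed zmprov
# call cannot silently empty the restriction list.
build_map() {
    members=$(dl_members)
    [ -n "$members" ] || return 1
    { awk 'NF && $1 !~ /^#/' "$1"
      printf '%s\n' "$members" | awk '{ print $1 "\tinsider_only" }'
    } | awk '!seen[tolower($1)]++'
}

# Constructed sample input (hypothetical members of the list from post #8)
SAMPLE_GDL='# distributionList internal_dis_list@domain.eco.br memberCount=2
mail: internal_dis_list@domain.eco.br
zimbraMailStatus: enabled

members
Alice@domain.eco.br
bob@domain.eco.br'
MANUAL=$(mktemp)
printf '%s\n' 'bob@domain.eco.br  insider_only' '# comment' \
    'carol@domain.eco.br  insider_only' > "$MANUAL"

printf '%s\n' "$SAMPLE_GDL" | build_map "$MANUAL"

# On the server ("$MANUAL" is a hypothetical file of hand-maintained entries):
#   zmprov gdl internal_dis_list@domain.eco.br | build_map "$MANUAL" \
#       > /opt/zimbra/conf/postfix_restricted_senders.new &&
#   mv /opt/zimbra/conf/postfix_restricted_senders.new \
#      /opt/zimbra/conf/postfix_restricted_senders &&
#   /opt/zimbra/postfix/sbin/postmap /opt/zimbra/conf/postfix_restricted_senders
```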
