Restricting Certain Users from Sending/Receiving External Mails in Zimbra

Restricting Certain Users from Sending/Receiving External Mails in Zimbra

Hello! In this post, I’m going to talk about how to configure a Zimbra server to restrict certain users from sending or receiving mails from external domains. In order to achieve this objective, Zimbra provides two alternatives: one using CBPolicyd (web based) and another using MTA restrictions (cli based). Here I’m covering both methods. First, let’s have a look at CBPolicyd.

Note: The methods mentioned here are tested successfully in ZCS 8.5 and ZCS 8.6. I cannot confirm its validity against other versions.

Installing and Enabling CBPolicyd

Before following this step, you must have CBPolicyd installed and enabled in your zimbra server. So, let’s first install and enable it. To do this, login to your zimbra server and navigate to user zimbra.

[zimbra@mail ~]# zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

Then, we need to host the cbpolicyd website in Zimbra’s Apache server. This we can do by creating a soft link of cbpolicyd’s source code on apache’s root directory. Here’s how we can do this:

[root@mail ~]# ln -s /opt/zimbra/cbpolicyd/share/webui /opt/zimbra/httpd/htdocs/

Now, we need to configure Cbpolicyd’s source code to connect to appropriate database. To do this, we need to open the config file, comment or delete the existing $DB_DSN variable declaration and declare $DB_DSN as follows:

[root@mail ~]# vi /opt/zimbra/cbpolicyd/share/webui/includes/config.php

Finally, we host Cbpolicyd, let’s restart the Zimbra and Apache server.

[zimbra@mail ~]# zmcontrol restart
[zimbra@mail ~]# zmapachectl restart

After both the servers are restarted, we can access the Cbpolicyd by browsing the web url: http://<server-ip>:7780/webui/index.php

Also, if you’ve enforced firewall or iptables in your system to allow only selected service or port in your server, you need to add port 7780 on the allowed port list. If you’ve other firewall between your server and yourself, you need to allow this port on that firewall as well.

[root@mail ~]# firewall-cmd --zone=public --permanent --add-port=7780/tcp
[root@mail ~]# firewall-cmd --reload
[root@mail ~]# firewall-cmd --list-all

Restricting Users from Sending External Mails using CBPolicyd

Now that we’ve got our CBPolicyd server ready, we can start configuring our Zimbra server. Here’s the summary of steps that we need to take:

  • Create a Group of local users and assign members
  • Create a List of local domains and assign members
  • Create a Policy defining source and destination for mail delivery
  • Create an Access Control using policy created above
  • Enable CBpolicyd

From the menu panel on the left-hand side, go to Groups under Policies. To add a group, click on Action and select Add. For local users, I’ve created group named users_local_only and for local domains, I’ve created list_domain. To add members to these groups, select the group and choose Members from Action. After adding members, make sure you enable all the members and the group itself by setting Disabled option to no. My groups list look like this:

CBPolicyd Groups
CBPolicyd Groups

After creating necessary groups, we need to add policies so that we can control mail delivery based on source and destination of mails. To add policy, click on Main under Policies and choose Add from Action. While adding a policy, we need to provide the name and priority of the policy. Then we need to add policy member in that policy, in which we configure the source and destination of mail. My outgoing policy looks like this:

CBPolicyd Outgoing Policy
CBPolicyd Outgoing Policy
CBPolicyd Policy Members
CBPolicyd Policy Members

Here, this policy will work for all mails that originate from users in the group users_local_only and destined to domains that don’t belong to group list_domain (notice !%list_domain which represents inverse selection). Similarly, my incoming policy looks like this:

CBPolicyd Incoming Policy
CBPolicyd Incoming Policy

CBPolicyd Incoming Policy
CBPolicyd Incoming Policy Members

My final policy list is like this:

CBPolicyd Policy List
CBPolicyd Policy List

After my policies are ready, I can utilize these policies and configure my final access control lists. These ACLs will control what action should the server take on matching the mentioned policy. Here’s how my ACLs look like:

CBPolicyd Access Controls
CBPolicyd Access Controls

Note: Don’t forget to enable every entry you add here unless you actually need to disable it. To enable, just set the Disabled option to no.

At last, let’s activate the policies we configured.

[zimbra@mail ~]# zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE
[zimbra@mail ~]# zmcbpolicydctl restart
Error Message for External Mails
Error Message for External Mails

This completes the proposed task using CBPolicyd method. Next, let’s cover other method as well.

Restricting Users from Sending Mails to External Domains

As mentioned earlier, this method is based on command line. We begin this process by modifying the config file called /opt/zimbra/conf/zmconfigd/ Inside this file, we add the following line at the top:

check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders

Next, let’s modify another config file (/opt/zimbra/conf/, in which we define a class representing users who can only send internal mails. While modifying this file, we need to add following lines withing SECTION mta just before RESTART mta.

POSTCONF smtpd_restriction_classes local_only
POSTCONF local_only FILE
[zimbra@mail ~]# vi /opt/zimbra/conf/
check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject

Now, we need to create two files: one for local users and other for local domains.

[zimbra@mail ~]# vi /opt/zimbra/postfix/conf/restricted_senders    local_only    local_only
[zimbra@mail ~]# vi /opt/zimbra/postfix/conf/local_domains            OK

Finally, to implement the changes, we need to map the config files to postifx and then restart the MTA service.

[zimbra@mail ~]# postmap /opt/zimbra/postfix/conf/restricted_senders
[zimbra@mail ~]# postmap /opt/zimbra/postfix/conf/local_domains
[zimbra@mail ~]# zmmtactl restart

This completes this blog post. I hope this is useful. Please let me know of your queries or suggestions in the Comment Section below. Thank you for reading!