Zimbra Tips : Delivery Restriction to Specific User/Distribution List With PolicyD

February 12, 2014

Related tutorial :

  1. Zimbra Tips : Policyd & Rate-Limit Sending Message Implementation On Zimbra 8
  2. Zimbra Tips : Securing PolicyD Web Admin
  3. Zimbra Tips : Rate-Limit Sending Message With PolicyD
  4. Zimbra Tips : Enabling Accounting Module On PolicyD

On previous tutorial, we’ve done the installation and configuration to restrict email sending per user by using the quota module, enabling accounting module and securing web admin access. Here we will discuss another PolicyD modules to increase Zimbra mail security by using Access Control module. Access control module is used to perform the control of the user/domain rights, such as preventing user from receiving emails, sending emails and others restriction policy.

policyd_logoOn the production server, I’m using Access control module to determine which user is allowed to send an email to distribution list. By default, Zimbra distribution list or group list can receive email from anywhere. This can be dangerous because it could be a target  of spam attacks.

Actually, the restriction on the distribution list can be done by doing a little bit of tuning on Postfix configuration. By using PolicyD, those settings can be done easily, considering the presence of Policyd Web Admin for configuration.

EXAMPLE SETTING

List of user/domain that allowed to send email to distribution list :

vivianchow@excellent.co.id
zezevavai@excellent.co.id
vavai.net

Distribution List :

team-support@excellent.co.id
team-sales@excellent.co.id

POLICYD WEB ADMIN CONFIGURATION

Log in to the Web Admin PolicyD  : http://IpAddressZimbra:7780/webui/index.php. if you can not accessing PolicyD web admin, make sure Apache services is running on Zimbra. if apache service status in the stop state, start it by using the following command :

su - zimbra
zmapachectl restart

Once you logged in into web admin, select the Policy menu | Groups and then create a User_Allow group and Distribution_List and tall its members :

Policy Group

vavai-zimbra-restrict-recipient-by-using-policyd1

User_Allow Group Member

vavai-zimbra-restrict-recipient-by-using-policyd2

Distribution List Group Member

vavai-zimbra-restrict-recipient-by-using-policyd3

after all the group and its members is made,, create a Policy for the group. Select the Policies menu | Main then create a rule/policy with the same name distributionlist_allow and distributionlist_deny along with its members

Main Policy

vavai-zimbra-restrict-recipient-by-using-policyd4

See that on  the above example, Priority is zero (0) and one (1). Priority is influential as well as the MX records in the DNS. The smaller priority means the most preferred usage in policy.

Members of Main distributionlist_allow

vavai-zimbra-restrict-recipient-by-using-policyd5

Members of distributionlist_deny

vavai-zimbra-restrict-recipient-by-using-policyd6

The final stage is to control the policies that already been made. Select the Access Control | Configure and create 2 pieces of control like the example below :

vavai-zimbra-restrict-recipient-by-using-policyd7

Test the policies by  sending an email to distribution list using the banned user and the allowed user and check the result. Good luck and hopely this can be useful 😀


Share

Linux

Masim "Vavai" Sugianto
Traveller, Open Source Enthusiast & Book Lover. Works as Independent Worker & Self-Employer.

8 Comments


Dariel Barroso Tallart
October 31, 2014 at 21:13
Reply

Hellou Vavai. I did all the steps of this articule and unfortunaly it dosen’t work on complete performance, what I trying to say is, that the policies are working, but for everyone: for the users that are not allowed and for the user that is really allowed to send emails.
I really check the steps over and over again and shut the same results.
What do you think its happening?? I’m using zimbra 8.0.7.
Waiting for your reponse…


Masim "Vavai" Sugianto
November 1, 2014 at 05:00
Reply

Hi,

Did you check all the “disabled” status as no? Because PolicyD default settings are disabled=yes.

Also, check the defined distribution list and it’s members status.


Booker Masambaji
July 13, 2015 at 21:35
Reply

Hi Vavai,

I followed the steps and it worked perfectly fine.

Thanks and regards

booker


Anirban Das
February 11, 2016 at 15:02
Reply

Zimbra Distribution List restriction process

Dear All,

We have done this restriction on our server, it is working fine for internal email id or domain. But when we are trying to grant access to a external email id or domain – it showing below given error. Can you help us in this case.

Error:
zimbra@XXX:~$ zmprov grr dl diademdltest@xxx.in dom emamigroup.com sendToDistList
ERROR: account.NO_SUCH_DOMAIN (no such domain: emamigroup.com)

zimbra@XXX:~$ zmprov grr dl diademdltest@xxx.in usr anirban@gmail.com sendToDistList
ERROR: account.NO_SUCH_ACCOUNT (no such account: anirban@gmail.com)


jhayari
February 22, 2016 at 14:45
Reply

dear mas vavai,
thanks for your sharing. its works for me


Mabule
May 25, 2016 at 18:55
Reply

Dear Vavai,
Thank you very much for very good article, i successfully implement in zimbra version 8.6 and was working fine until recently when we changed our domain name.
Please let me know what might be the problem.
Thanks.


kalpak
June 18, 2016 at 20:12
Reply

Hello Vavai,

I’d implemented policyd secure setting. But i do not know how to log-out after complete the task.
when i access the policyd webui that time username and password pop up came up but log out button is not showing.
Please suggest the solution.


Andrea
June 24, 2016 at 18:22
Reply

any idea to unblock send receipt from accounting module?


Leave a Reply

Your email address will not be published. Required fields are marked *