Related tutorials:
- Zimbra Tips : Policyd & Rate-Limit Sending Message Implementation On Zimbra 8
- Zimbra Tips : Securing PolicyD Web Admin
- Zimbra Tips : Rate-Limit Sending Message With PolicyD
- Zimbra Tips : Enabling Accounting Module On PolicyD
In the previous tutorials, we installed and configured PolicyD to restrict email sending per user with the quota module, enabled the accounting module, and secured web admin access. Here we discuss another PolicyD module that improves Zimbra mail security: the Access Control module. It controls user/domain rights, for example preventing a user from receiving email, sending email, and other restriction policies.
On the production server, I use the Access Control module to determine which users are allowed to send email to a distribution list. By default, a Zimbra distribution list (group list) can receive email from anywhere. This can be dangerous because the list could become a target of spam attacks.
The restriction on the distribution list can actually be done with a little tuning of the Postfix configuration. With PolicyD, those settings are easier to make, because the PolicyD Web Admin is available for configuration.
EXAMPLE SETTING
Users/domains that are allowed to send email to the distribution lists:
- vivianchow@excellent.co.id
- zezevavai@excellent.co.id
- vavai.net
Distribution lists:
- team-support@excellent.co.id
- team-sales@excellent.co.id
POLICYD WEB ADMIN CONFIGURATION
Log in to the PolicyD Web Admin: http://IpAddressZimbra:7780/webui/index.php. If you cannot access the PolicyD web admin, make sure the Apache service is running on Zimbra. If the Apache service is stopped, start it with the following commands:
su - zimbra
zmapachectl restart
Once you are logged in to the web admin, select the Policy menu | Groups, then create a User_Allow group and a Distribution_List group and add their members:
Policy Group
User_Allow Group Member
Distribution List Group Member
After all the groups and their members have been created, create policies for the groups. Select the Policies menu | Main, then create two rules/policies named distributionlist_allow and distributionlist_deny, along with their members:
Main Policy
Note that in the example above, the priorities are zero (0) and one (1). Priority works much like the priority of MX records in DNS: the smaller the priority number, the more preferred the policy.
Members of Main distributionlist_allow
Members of distributionlist_deny
The final stage is to apply access controls to the policies that have already been made. Select Access Control | Configure and create 2 controls like the example below:
Test the policies by sending an email to the distribution list as a banned user and as an allowed user, and check the results. Good luck, and hopefully this is useful 😀
8 Comments
Hello Vavai. I did all the steps of this article and unfortunately it doesn’t work completely. What I’m trying to say is that the policies are working, but for everyone: for the users that are not allowed and for the user that is really allowed to send emails.
I really checked the steps over and over again and still get the same results.
What do you think is happening? I’m using Zimbra 8.0.7.
Waiting for your response…
Hi,
Did you check all the “disabled” status as no? Because PolicyD default settings are disabled=yes.
Also, check the defined distribution list and its members’ status.
Hi Vavai,
I followed the steps and it worked perfectly fine.
Thanks and regards
booker
Zimbra Distribution List restriction process
Dear All,
We have done this restriction on our server, and it is working fine for an internal email id or domain. But when we try to grant access to an external email id or domain, it shows the error given below. Can you help us in this case?
Error:
zimbra@XXX:~$ zmprov grr dl diademdltest@xxx.in dom emamigroup.com sendToDistList
ERROR: account.NO_SUCH_DOMAIN (no such domain: emamigroup.com)
zimbra@XXX:~$ zmprov grr dl diademdltest@xxx.in usr anirban@gmail.com sendToDistList
ERROR: account.NO_SUCH_ACCOUNT (no such account: anirban@gmail.com)
dear mas vavai,
thanks for sharing. it works for me
Dear Vavai,
Thank you very much for a very good article. I successfully implemented it in Zimbra version 8.6 and it was working fine until recently, when we changed our domain name.
Please let me know what might be the problem.
Thanks.
Hello Vavai,
I’ve implemented the PolicyD secure setting, but I do not know how to log out after completing the task.
When I access the PolicyD webui, the username and password pop-up comes up, but a log out button is not showing.
Please suggest the solution.
any idea to unblock send receipt from accounting module?