Related tutorial :
- Zimbra Tips : Policyd & Rate-Limit Sending Message Implementation On Zimbra 8
- Zimbra Tips : Securing PolicyD Web Admin
- Zimbra Tips : Rate-Limit Sending Message With PolicyD
- Zimbra Tips : Enabling Accounting Module On PolicyD
On previous tutorial, we’ve done the installation and configuration to restrict email sending per user by using the quota module, enabling accounting module and securing web admin access. Here we will discuss another PolicyD modules to increase Zimbra mail security by using Access Control module. Access control module is used to perform the control of the user/domain rights, such as preventing user from receiving emails, sending emails and others restriction policy.
On the production server, I’m using Access control module to determine which user is allowed to send an email to distribution list. By default, Zimbra distribution list or group list can receive email from anywhere. This can be dangerous because it could be a target of spam attacks.
Actually, the restriction on the distribution list can be done by doing a little bit of tuning on Postfix configuration. By using PolicyD, those settings can be done easily, considering the presence of Policyd Web Admin for configuration.
List of user/domain that allowed to send email to distribution list :
email@example.com firstname.lastname@example.org vavai.net
Distribution List :
POLICYD WEB ADMIN CONFIGURATION
Log in to the Web Admin PolicyD : http://IpAddressZimbra:7780/webui/index.php. if you can not accessing PolicyD web admin, make sure Apache services is running on Zimbra. if apache service status in the stop state, start it by using the following command :
su - zimbra zmapachectl restart
Once you logged in into web admin, select the Policy menu | Groups and then create a User_Allow group and Distribution_List and tall its members :
User_Allow Group Member
Distribution List Group Member
after all the group and its members is made,, create a Policy for the group. Select the Policies menu | Main then create a rule/policy with the same name distributionlist_allow and distributionlist_deny along with its members
See that on the above example, Priority is zero (0) and one (1). Priority is influential as well as the MX records in the DNS. The smaller priority means the most preferred usage in policy.
Members of Main distributionlist_allow
Members of distributionlist_deny
The final stage is to control the policies that already been made. Select the Access Control | Configure and create 2 pieces of control like the example below :
Test the policies by sending an email to distribution list using the banned user and the allowed user and check the result. Good luck and hopely this can be useful 😀