How to block incoming users or domains

Hello everyone, Zimbra Collaboration includes anti-SPAM and antivirus technologies such as Postscreen, Spamassasin, Amavis, ClamAV, etc. But sometimes, for legal reasons, etc., we need to block certain senders or even entire domains from sending unsolicited email.

To do this, we will use the tools that come native to Zimbra Collaboration, and with a few simple commands, we can granularly protect our email users. Here’s how…

Create a file called /opt/zimbra/common/conf/postfix_reject_sender with the list of email addresses and domains to be rejected in the below format:

user@domain.com REJECT
domainX.com REJECT

As Zimbra user, execute the zimbraMtaSmtpdSenderRestrictions command:

zmprov ms 'yourzimbraservername' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/postfix_reject_sender"

Then we will need to postmap it:

/opt/zimbra/common/sbin/postmap /opt/zimbra/common/conf/postfix_reject_sender

We can wait around 60 seconds until the Zimbra MTA pick up the changes, or force the changes with a restart to the MTA services with:

zmmtactl restart

You will see an output similar to this:

Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

If one of the blocked users or domains tries to send us an email, on the zimbra.log you will see something similar to this, (mind the error saying “Sender address rejected: Access denied”):

Sep 7 14:19:57 mail postfix/postscreen[13755]: CONNECT from [74.125.82.45]:32831 to [178.62.48.7]:25
Sep 7 14:20:01 mail zimbramon[15143]: 15143:info: 2017-09-07 14:20:01, QUEUE: 0 0
Sep 7 14:20:03 mail postfix/postscreen[13755]: PASS NEW [74.125.82.45]:32831
Sep 7 14:20:03 mail postfix/smtpd[13756]: connect from mail-wm0-f45.google.com[74.125.82.45]
Sep 7 14:20:03 mail postfix/smtpd[13756]: Anonymous TLS connection established from mail-wm0-f45.google.com[74.125.82.45]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 14:20:03 mail postfix/smtpd[13756]: NOQUEUE: filter: RCPT from mail-wm0-f45.google.com[74.125.82.45]: <user1@gmail.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@gmail.com> to=<jdelacruz@zimbra.io> proto=ESMTP helo=<mail-wm0-f45.google.com>
Sep 7 14:20:03 mail postfix/smtpd[13756]: NOQUEUE: reject: RCPT from mail-wm0-f45.google.com[74.125.82.45]: 554 5.7.1 <user1@gmail.com>: Sender address rejected: Access denied; from=<user1@gmail.com> to=<jdelacruz@zimbra.io> proto=ESMTP helo=<mail-wm0-f45.google.com>
Sep 7 14:20:03 mail postfix/smtpd[13756]: disconnect from mail-wm0-f45.google.com[74.125.82.45] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

The blocked sender will see the next error:
And that’s it for today’s How-To. In future blog entries, we’ll show you how to blacklist and whitelist IPs, or a range of IPs.

Additional Links

, , , ,

10 Responses to How to block incoming users or domains

  1. Rio Prayoga September 8, 2017 at 5:10 AM #

    Great. I was posted alternative to block incoming users or domains using bahasa :)

    https://www.ilmuzimbra.com/tips-blacklists-dan-whitelists-zimbra

  2. Alex September 8, 2017 at 11:07 AM #

    Hello,

    Is this working for blocking outgoing emails also, to certain domains or users?
    I want to block some internal users from sending email to certain domains or email addreses. Is this possible with Zimbra?

    Thank you!

  3. Arlsam September 8, 2017 at 11:10 AM #

    i have done with same command on zimbra 8.6 open source edition, but my zimbra stop working, no send no receive from any domain.

    • Jorge de la Cruz
      Jorge de la Cruz September 8, 2017 at 4:22 PM #

      Hello Arlsam,
      For 8.6 is different, and the steps are on the wiki, you can remove it from the next document:

      vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

      And remove the next line

      %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender%%

      Then restart the services

  4. Fernando September 12, 2017 at 4:23 PM #

    Configuration dont save parameter (Release 8.7.5_GA_1764.RHEL6_64_20170314032533 RHEL6_64 FOSS edition.):

    [zimbra@zimbra ~]$ zmprov ms zimbra.******.com.br +zimbraMtaSmtpdSenderRestrictions “check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender”
    [zimbra@zimbra ~]$ zmmtactl restart
    Rewriting configuration files…done.
    Stopping saslauthd…done.
    Starting saslauthd…done.
    /postfix-script: refreshing the Postfix mail system
    [zimbra@zimbra ~]$ postconf | grep postfix_reject_sender
    [zimbra@zimbra ~]$

  5. Barry de Graaff September 13, 2017 at 6:53 PM #

    Hello Everybody,

    There is also a Zimlet that allows users to block/allow senders and domains, that is based on the amavis in Zimbra, its over here:

    https://zimbra.org/extend/items/view/whitelist-blacklist-sender

  6. phu kien song phat November 6, 2017 at 3:10 AM #

    zimbra can see all log event all user send out or comming mail content on log file ?

Trackbacks/Pingbacks

  1. How to block incoming users or domains for Postfix  - Charming Cloud Blog - September 8, 2017

    […] Source: How to block incoming users or domains | Zimbra : Blog […]

  2. Tips Blacklists dan Whitelists Zimbra - IlmuZimbra.Com - September 12, 2017

    […] Untuk alternatif lainnya dapat mengikuti panduan berikut https://blog.zimbra.com/2017/09/block-incoming-users-domains  […]

Leave a Reply