How to block incoming users or domains

Hello everyone, Zimbra Collaboration includes anti-SPAM and antivirus technologies such as Postscreen, Spamassasin, Amavis, ClamAV, etc. But sometimes, for legal reasons, etc., we need to block certain senders or even entire domains from sending unsolicited email.

To do this, we will use the tools that come native to Zimbra Collaboration, and with a few simple commands, we can granularly protect our email users. Here’s how…

Create a file called /opt/zimbra/common/conf/postfix_reject_sender with the list of email addresses and domains to be rejected in the below format:

user@domain.com REJECT
domainX.com REJECT

As Zimbra user, execute the zimbraMtaSmtpdSenderRestrictions command:

zmprov ms 'yourzimbraservername' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/postfix_reject_sender"

Then we will need to postmap it:

/opt/zimbra/common/sbin/postmap /opt/zimbra/common/conf/postfix_reject_sender

We can wait around 60 seconds until the Zimbra MTA pick up the changes, or force the changes with a restart to the MTA services with:

zmmtactl restart

You will see an output similar to this:

Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

If one of the blocked users or domains tries to send us an email, on the zimbra.log you will see something similar to this, (mind the error saying “Sender address rejected: Access denied”):

Sep 7 14:19:57 mail postfix/postscreen[13755]: CONNECT from [74.125.82.45]:32831 to [178.62.48.7]:25
Sep 7 14:20:01 mail zimbramon[15143]: 15143:info: 2017-09-07 14:20:01, QUEUE: 0 0
Sep 7 14:20:03 mail postfix/postscreen[13755]: PASS NEW [74.125.82.45]:32831
Sep 7 14:20:03 mail postfix/smtpd[13756]: connect from mail-wm0-f45.google.com[74.125.82.45]
Sep 7 14:20:03 mail postfix/smtpd[13756]: Anonymous TLS connection established from mail-wm0-f45.google.com[74.125.82.45]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 14:20:03 mail postfix/smtpd[13756]: NOQUEUE: filter: RCPT from mail-wm0-f45.google.com[74.125.82.45]: <user1@gmail.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@gmail.com> to=<jdelacruz@zimbra.io> proto=ESMTP helo=<mail-wm0-f45.google.com>
Sep 7 14:20:03 mail postfix/smtpd[13756]: NOQUEUE: reject: RCPT from mail-wm0-f45.google.com[74.125.82.45]: 554 5.7.1 <user1@gmail.com>: Sender address rejected: Access denied; from=<user1@gmail.com> to=<jdelacruz@zimbra.io> proto=ESMTP helo=<mail-wm0-f45.google.com>
Sep 7 14:20:03 mail postfix/smtpd[13756]: disconnect from mail-wm0-f45.google.com[74.125.82.45] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

The blocked sender will see the next error:
And that’s it for today’s How-To. In future blog entries, we’ll show you how to blacklist and whitelist IPs, or a range of IPs.

Additional Links

, , , ,

14 Responses to How to block incoming users or domains

  1. Rio Prayoga September 8, 2017 at 5:10 AM #

    Great. I was posted alternative to block incoming users or domains using bahasa :)

    https://www.ilmuzimbra.com/tips-blacklists-dan-whitelists-zimbra

  2. Alex September 8, 2017 at 11:07 AM #

    Hello,

    Is this working for blocking outgoing emails also, to certain domains or users?
    I want to block some internal users from sending email to certain domains or email addreses. Is this possible with Zimbra?

    Thank you!

  3. Arlsam September 8, 2017 at 11:10 AM #

    i have done with same command on zimbra 8.6 open source edition, but my zimbra stop working, no send no receive from any domain.

    • Jorge de la Cruz September 8, 2017 at 4:22 PM #

      Hello Arlsam,
      For 8.6 is different, and the steps are on the wiki, you can remove it from the next document:

      vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

      And remove the next line

      %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender%%

      Then restart the services

  4. Fernando September 12, 2017 at 4:23 PM #

    Configuration dont save parameter (Release 8.7.5_GA_1764.RHEL6_64_20170314032533 RHEL6_64 FOSS edition.):

    [zimbra@zimbra ~]$ zmprov ms zimbra.******.com.br +zimbraMtaSmtpdSenderRestrictions “check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender”
    [zimbra@zimbra ~]$ zmmtactl restart
    Rewriting configuration files…done.
    Stopping saslauthd…done.
    Starting saslauthd…done.
    /postfix-script: refreshing the Postfix mail system
    [zimbra@zimbra ~]$ postconf | grep postfix_reject_sender
    [zimbra@zimbra ~]$

    • Radey April 24, 2018 at 8:52 AM #

      Hi Fernando, Guys,

      i have exactly the same issue on 8.8.8_GA_2009.UBUNTU16_64.20180322150747 Ubuntu Server 16.04.4
      i have this in /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf:
      %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
      but it is not added in main.cf
      Fernando did you succeeded to permanently add the postfix_reject_sender to main.cf?

  5. Barry de Graaff September 13, 2017 at 6:53 PM #

    Hello Everybody,

    There is also a Zimlet that allows users to block/allow senders and domains, that is based on the amavis in Zimbra, its over here:

    https://zimbra.org/extend/items/view/whitelist-blacklist-sender

  6. phu kien song phat November 6, 2017 at 3:10 AM #

    zimbra can see all log event all user send out or comming mail content on log file ?

  7. Luigi Lalonde November 28, 2017 at 10:04 PM #

    Hi,

    Is it still possible with Zimbra 8.7 to specify wildcard entries, like say “*.badsender.com”? Thanks for the help!

    LG

    • Barry de Graaff November 29, 2017 at 5:52 PM #

      @Luigi, I would say yes! Since this blog post is only 2 months old.

      And it can be done with whitelist-blacklist-sender for sure!

  8. Minh January 9, 2018 at 4:19 PM #

    Dear Jorge,
    If we implemented reject_authenticated_sender_login_mismatch and then we can add “check_sender_access lmdb:/opt/zimbra/common/conf/postfix_reject_sender” because attribute ‘zimbraMtaSmtpdSenderRestrictions’ cannot have multiple values. Is it right?
    Regards,
    Minh

Trackbacks/Pingbacks

  1. How to block incoming users or domains for Postfix  - Charming Cloud Blog - September 8, 2017

    […] Source: How to block incoming users or domains | Zimbra : Blog […]

  2. Tips Blacklists dan Whitelists Zimbra - IlmuZimbra.Com - September 12, 2017

    […] Untuk alternatif lainnya dapat mengikuti panduan berikut https://blog.zimbra.com/2017/09/block-incoming-users-domains  […]

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures