How to block incoming users or domains

  • in Blog Posts
  • by
  • September 9, 2017
  • Comments Off on How to block incoming users or domains

Hello everyone, Zimbra Collaboration includes anti-SPAM and antivirus technologies such as Postscreen, Spamassasin, Amavis, ClamAV, etc. But sometimes, for legal reasons, etc., we need to block certain senders or even entire domains from sending unsolicited email.

To do this, we will use the tools that come native to Zimbra Collaboration, and with a few simple commands, we can granularly protect our email users. Here’s how…

Create a file called /opt/zimbra/postfix/conf/postfix_reject_sender with the list of email addresses and domains to be rejected in the below format:

user@domain.com REJECT
domainX.com REJECT

As Zimbra user, execute the zimbraMtaSmtpdSenderRestrictions command:

zmprov ms 'yourzimbraservername' +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender"

Then we will need to postmap it:

/opt/zimbra/common/sbin/postmap /opt/zimbra/postfix/conf/postfix_reject_sender

We can wait around 60 seconds until the Zimbra MTA pick up the changes, or force the changes with a restart to the MTA services with:

zmmtactl restart

You will see an output similar to this:

Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

If one of the blocked users or domains tries to send us an email, on the zimbra.log you will see something similar to this, (mind the error saying “Sender address rejected: Access denied”):

Sep 7 14:19:57 mail postfix/postscreen[13755]: CONNECT from [74.125.82.45]:32831 to [178.62.48.7]:25
Sep 7 14:20:01 mail zimbramon[15143]: 15143:info: 2017-09-07 14:20:01, QUEUE: 0 0
Sep 7 14:20:03 mail postfix/postscreen[13755]: PASS NEW [74.125.82.45]:32831
Sep 7 14:20:03 mail postfix/smtpd[13756]: connect from mail-wm0-f45.google.com[74.125.82.45]
Sep 7 14:20:03 mail postfix/smtpd[13756]: Anonymous TLS connection established from mail-wm0-f45.google.com[74.125.82.45]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 14:20:03 mail postfix/smtpd[13756]: NOQUEUE: filter: RCPT from mail-wm0-f45.google.com[74.125.82.45]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from= to= proto=ESMTP helo=
Sep 7 14:20:03 mail postfix/smtpd[13756]: NOQUEUE: reject: RCPT from mail-wm0-f45.google.com[74.125.82.45]: 554 5.7.1 : Sender address rejected: Access denied; from= to= proto=ESMTP helo=
Sep 7 14:20:03 mail postfix/smtpd[13756]: disconnect from mail-wm0-f45.google.com[74.125.82.45] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

The blocked sender will see the next error:
And that’s it for today’s How-To. In future blog entries, we’ll show you how to blacklist and whitelist IPs, or a range of IPs.

Additional Links

Jorge de la Cruz

About Jorge de la Cruz

Hi everyone, my name is Jorge de la Cruz and I’m a passionate Zimbra fan. VMware vExpert ’14-’17 and Veeam Vanguard ’15-17, writing about Zimbra in a Technical manner since 2011, now part of the Product team as a Product Manager, thrilled to be part of the Synacor Team.

Comments are closed.