Restricting user from sending mails to distribution list-

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Restricting user from sending mails to distribution list-

Post by ask2me0077 »

Iam using zimbra 8.6.0 version . I want to control sending mails to the distribution list. So as noted in the wiki ,I started the Milter service by changing the settings in Global -MTA section and in Server -MTA section. Then I restarted the milter control and found it was running.
Accordingly I executed the command  zmprov grr dl test@xxx.com usr  abc@xxx.com sendToDistList
So, after executing the above command, only the test@xxxx.com user can  send mails to the test@xxx.com  (distribution list).
But when I tried with different user, any body can send mails to the distribution list. I again verified the status of Milter and it was still working,
The wiki says that after starting the Milter server, only permitted users can send mails to the DL. In my case, it is not working.
Please let me know what is wrong with my installation.
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Restricting user from sending mails to distribution list-

Post by phoenix »

As you've not given any detailed information on what the problem is, no diagnostic information nor any details of which wiki article you've read it's impossible to tell you what's wrong, the only conclusion I can come to is that you've not followed the instructions correctly. The current wiki article on this subject has details on how to verify the permissions for an entity, have you checked that? I'll also move this thread to the correct forum.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Restricting user from sending mails to distribution list-

Post by ask2me0077 »

Sorry for publishing in the wrong forum.

I followed the following link.
https://wiki.zimbra.com/wiki/Enabling_a ... bra_milter

But I could not accomplish the task

My doubt is whether I should revoke all user rights after starting the Milter. ?? and then grant rights one by one  to the designated user
Please suggest.


ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Restricting user from sending mails to distribution list-

Post by ask2me0077 »

Any body, please help me to resolve this.

Thanks in advance
iamauser
Posts: 29
Joined: Thu Sep 04, 2014 3:43 am

Restricting user from sending mails to distribution list-

Post by iamauser »

do zmprov gdl test@xxx.com and check the zimbraACE.

If you have something in there for dom or pub permissions granted, that's your problem.

You should have only one usr permission in there.
imanudin11
Outstanding Member
Outstanding Member
Posts: 304
Joined: Sat Sep 13, 2014 2:23 am
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64
Contact:

Restricting user from sending mails to distribution list-

Post by imanudin11 »

Hi,



Please try to use CBPolicyD. This article is example for restrict certain user to sending email to certain users/domains : http://imanudin.net/2014/09/29/how-to-r ... h-policyd/



HTH
**

Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN] :http://www.imanudin.net
ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Restricting user from sending mails to distribution list-

Post by ask2me0077 »

Solved

Thanks all of you for supporting me.

I followed the fol.lowing link to enable restriction

https://wiki.zimbra.com/wiki/Enabling_a ... bra_milter



Initially the things are not working fine for me. But after one or two days, I found that its working. Its my problem in checking the issue.This will work if we follow the the link exactly.

Thanks once again for your support.
Zuser
Posts: 17
Joined: Wed Sep 14, 2016 3:54 pm
ZCS/ZD Version: 8.8.x

Re: Restricting user from sending mails to distribution list-

Post by Zuser »

Ran into the same issue with ZCS 8.6, solved it with adding specifically restricting rights using zmprov (which shows up under the ACL section in the web UI):

Normally everyone can send to a mailing list, "zmprov ckr dl list@yourdomain user@somewhere.else sendToDistList" will return "ALLOWED".
As soon as you add a user (zmprov grr dl list@domain usr user@yourdomain sendToDistList), external domains are blocked but not internal ones (user@somewhere.else will return DENIED, but user2@yourdomain will still return ALLOWED, user@yourdomain will also return "ALLOWED Via:" with a couple of lines detailing the specific allow right).

To deny everybody except the specifically allowed users, you need to add a deny right:
$ zmprov grr dl list@yourdomain all -sendToDistList

Note the dash in front of sendToDistList, which is a negation (grants to the all group (both internal/external domains) the negative right to send to this list).
This shows up as "zimbraACE: 00000000-0000-0000-0000-000000000000 all -sendToDistList" in "zmprov gdl list@yourdomain" output. Further zimbraACE lines should be visible which then allow specific users/groups to send.
For the proper syntax and keywords see "zmprov grr help" and "zmprov rvr help". Adding and revoking rights this way doesn't seem to require zmmtactl reload or similar (mail is immediately rejected with a "571 571 Sender is not allowed to email this distribution list", though zmprov ckr dl etc. will still return ALLOWED.
Zuser
Posts: 17
Joined: Wed Sep 14, 2016 3:54 pm
ZCS/ZD Version: 8.8.x

Re: Restricting user from sending mails to distribution list-

Post by Zuser »

Update: take note that if your distribution list has members that are distribution lists themselves, the deny rule for the top list propagates and users who are not whitelisted for that will be denied sending to the member list(s) as well. To work around this add an allow all rule to each member list separately.
Zuser
Posts: 17
Joined: Wed Sep 14, 2016 3:54 pm
ZCS/ZD Version: 8.8.x

Re: Restricting user from sending mails to distribution list-

Post by Zuser »

addendum: where I said "all group (both internal/external domains)" I meant "pub", all means all locally defined domain users, pub is both internal and external domain senders, so replace "all" with "pub" if you want distribution lists to be open to the outside.
Post Reply