Zimbra

gtdaqua · #1 (**permalink**) 02-03-2008, 11:12 PM

I have just implemented Zimbra 5 in my company. Its great. One problem I encountered was there are multiple distribution lists with different groups having access to it.

For e.g. Sales users alone should send email to Sales distribution list. Others cant. Likewise, Accounts users can send to Accounts distribution list.

I found this wiki
on Zimbra Wiki page.

- but this talks about several distribution lists but with SINGLE set of users having access to it. I researched the net and have found easy ways for GRANULAR control:

Here is how you do it. Lets take Sales and Accounts for with respective rights. Execute the commands as 'zimbra' user. Use sudo where necessary.

*******
Create a file called sales-senders: "/opt/zimbra/postfix/conf/sales-senders"
This file has sales group who can send to sales@domain.com. The content shoud be like this (add emails as necessary):

Code:

user1@domain.com		OK
user2@domain.com		OK

Create a 2nd file: "/opt/zimbra/postfix/conf/accounts-senders"
This file has accounts group which can send to accounts@domain.com. The content shoud be like this (add emails as necessary):

Code:

user3@domain.com		OK
user4@domain.com		OK

Create the access-list file: "/opt/zimbra/postfix/conf/protected_recipients"
This is the access-list file defining who can send to particular lists. Add the following content: (add as necessary)

Code:

accounts@domain.com		accounts-senders-list
sales@domain.com		  sales-senders-list

Create a script file to update and execute the access-list: "/opt/zimbra/postfix/conf/update-sec-list"

Code:

#!/bin/bash

echo "rebuild authorised sales-list senders..."
postmap /opt/zimbra/postfix/conf/sales-senders

echo "rebuild authorised accounts-list senders..."
postmap /opt/zimbra/postfix/conf/accounts-senders

echo "REBUILD protected_recipeints..."
postmap /opt/zimbra/postfix/conf/protected_recipients

Now, update the main configuration file: "/opt/zimbra/postfix/conf/main.cf"
Here you are actually restricting access by groups you defined.
And add the following code in the last section.

Code:

sales-senders-list = check_sender_access hash:/opt/zimbra/postfix/conf/sales-senders, reject
accounts-senders-list = check_sender_access hash:/opt/zimbra/postfix/conf/accounts-senders, reject

smtpd_restriction_classes = sales-senders-list, accounts-list

Now, edit this file: "/opt/zimbra/conf/postfix_recipient_restrictions.cf"
Add the following line the FIRST LINE of the file above all else

Code:

hash:/opt/zimbra/postfix/conf/protected_recipients

Now reload postfix from the command line.

Code:

postfix reload

That's it! You are done. Now sales cant send to accounts and vice versa. You can create as many access-lists you want.

Thanks to Zimbra and the Postfix group for making such features possible.

echoadisan · #2 (**permalink**) 02-04-2008, 12:09 AM

better if zimbra has builtin this feature by default

gtdaqua · #3 (**permalink**) 02-04-2008, 12:23 AM

hmm...yeah! it should appear in the WebUI. I think there is a vote going on in bugzilla or somewhere - hope it comes in the next major update. But for now, this guide shud be good enough.