Access control to distribution lists in Zimbra 7.

[millerdc]

I have been playing with the CLI tools to manage access control to distribution lists. Hopefully this thread will help others and maybe get a list of all the commands to view and grant rights. So far I have been able to disable expansion/viewing and sending to distribution lists per individual email addresses. However, changes to deny sending do not take affect right away. So my questions are..

Is there a way to make the ACL changes take affect right away?

Is there a command to view all ACL's associated with a list? Not just individual email address rights?

Just for reference here are the commands I have used to grant and check rights.

Disable an address from sending to a list.

zmprov grr dl listname@domain usr user@domain -sendToDistList

Disable expansion/viewing an address to a list.

zmprov grr dl listname@domain usr user@domain -viewDistList

To check send access to a list for an address

zmprov ckr dl listname@domain user@domain sendToDistList

To check expand/view access to a list for an address

zmprov ckr dl listname@domain user@domain viewDistList

To grant send rights to only allow addresses in the list.

zmprov grr dl listname@domain grp listname@domain sendToDistList

To grant expansion/view rights to only allow addresses in the list.

zmprov grr dl listname@domain grp listname@domain viewDistList

[millerdc]

Just a quick bump. Hopefully someone can give me a quick anwer to making grant rights changes take affect right away when removing sendToDistList access?

[millerdc]

Still trying to get an answer to this. I'm now thinking that this is really a bug. Can someone confirm this for me? Here are the steps I used to test this.

1. Create a new distribution list and add a few addresses to the list.

2. Use the grant rights(grr) in zmprov to grant send rights to the list using said list. Check the rights of some other users who are not in the list to confirm they are denied.

3. Try to send to said list with user not on the list. They can send to the list.

4. Create a new user account and attempt to send to the list. They can send to the list.

Like I said before. The viewDistList grant right takes affect right away. The sendToDistList does not. The only way I have found to make the changes take affect is to use zmcontrol to stop and start.

[millerdc]

Well, since no one is willing to help me confirm this I have gone ahead and submitted a bug for it.

https://bugzilla.zimbra.com/show_bug.cgi?id=56704

[millerdc]

I opened a support case for this Feb 16th. The next day I got a reply that they would look into it. I asked for a status update via email on the 28th but I have not heard anything. I see Zimbra employee's answering questions for users of the FOSS version on these forums. Why can't I get any help as a paying customer? This feature had the most votes for this release. All I want to know is how to make the changes take effect right away or get this problem confirmed so it will be fixed in 7.0.1.

[pixelplumber]

Hi millerdc, I've only just upgraded to 7.0.1 and I think I'm having a similar class of problem, just that its the opposite problem to you.

I've successfully granted the sendToDistList rights for internal users, and blocked public users and that took effect straight away (once the milter server was enabled after a zmcontrol restart), but I cannot seem to get viewDistList expansion working.

Tried checking rights, and restarting zimbra, no luck. Did you do anything special to get expansion working in the ZWC?

Thanks by the way for your command listing here (especially ckr); I found the cli arguments confusing.

[pixelplumber]

hmmmm....ok part of it is perhaps my impatience. Looking at the replies in your bug, they say there is a 15min TTL on milter? I have a few expansions working now, so my rights must be correct.

But yes, a way to force refresh on ACLs faster would be nice.

[millerdc]

The viewDistList has always taken affect right away. You may need to check the distribution list and make sure you do not have fide in GAL checked. You also may need to have use GAL for autocomplete checked in the admin console. I remember another settings to use email bubbles that may affect this too. You sendToDistList worked because you started the milter server after the fact. So far the only real way to have sendToDistList take affect right away is to use the "zmmtactl reload" command which restarts the milter server and loads the config.

[pixelplumber]

Thanks, you're right hide in GAL was checked on a few dlists. sorry for thread hijack, you seem to be the only person on the forums playing with dlist permissions though!

[wbukhari]

Hi millerdc
though its more than a year old thread, but even today with Zimbra7.2 I still am stuck with the same issue, distribution list access control. I did everything that you mentioned here and followed all the comments in bugzila too, but when i create a new DL no matter what i do, everybody inthe world has the right to send email to it
I refresh the milter, shutdown and startup zmcontrol, wiat for 20 minutes but nothing, even gmail and yahoo can still send emails.
Though on ckr command it shows selected people as ALLOWED and rest DENIED, but still allows to send email.
My questions:
when creating a new DL, do you check mark on "Can receive mail" and "hide GAL"
i guess as soon as we create a new DL it is open to all, but as we give a single access right (ALLOWED) it turns everybody as DENIED and keeps only the selected person allowed (only for displaying status level).

Please suggest somethiing for me