I have granted sendToDistList right to certain distribution list from another distribution list, in order to manage permission to send to the list by adding and removing users to the second list:
Please note that I've put the administrative list in a separated domain in order to hide them from delegated domain administrators, whose only task will be create new users and add them to distribution lists (as normal "receivers", not as "privileged senders").
$ zmprov grr dl email@example.com grp firstname.lastname@example.org sendToDistList
Some of the users privileged in the administrative list are from external domains, but I've checked they still are ALLOWED to send messages to the list:
But even so, after reloading MTA/milter config, the external user messages are DENIED by postfix, and this denial is logged as milter-mandated:
$ zmprov ckr dl email@example.com firstname.lastname@example.org sendToDistList
target type : dl
target : email@example.com
grantee type : grp
grantee : firstname.lastname@example.org
right : sendToDistList
Our organisation is a non-profit with lots of working groups with external volunteers who don't have an account in our domain, so granting the sendToDistList to each guest for every distribution list she's on is not an option. We're planning on setting some of the list to be open to all members in the list, and this would be as simple as
$ cat /var/log/zimbra.log|grep milter
Jul 13 16:58:54 mx1 postfix/smtpd: NOQUEUE: milter-reject: RCPT from mail.externaldomain.com[x.x.x.x]: 571 571 Sender is not allowed to email this distribution list: email@example.com; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<mail.externaldomain.com>
but it's not viable by adding a grant for each member.
$ zmprov grr dl firstname.lastname@example.org grp email@example.com sendToDistList
Is there anything we're missing, or this discrepancy between zmprov ckr list user@external sendToDistList ALLOWED and milter-rejected is a bug? And if it is so, is it already known? (We've searched the forums and buglists and didn't find references to this behaviour).