Controlling sender domain in Postfix/Zimbra 5

A client has asked that mail through his Zimbra MTA only be allowed from or to valid domains within their organization. This is particularly applicable to Zimbra as Zimbra will only archive mail if it’s from or to a domain for which it is authoritative. The idea is to archive all mail through their Zimbra environment.. If it is not one of their domains, refuse it.

If this were my organization it would look like this:
mail from to any domain would work
mail from to any domain would work
mail from any domain to would work
mail from any domain to would work
of course mail from and to or will work
all other mail will be considered relaying.

One thing we did not do that I might want to do is force authentication. The problem with this configuration is it does open up to spamming as it only validates from or to domain.

This is really a discussion about Postfix configuration but I did the work in Zimbra so I might as well add the additional steps to configure it in Zimbra.. These instructions will be applicable to straight Postfix or Zimbra.

You’ll want to do all the work as the zimbra user:
Run the zmprov command for each of your mtas.

# su - zimbra

$ zmprov ms zimbraMtaMyNetworks

$ vi /opt/zimbra/postfix/conf/
smtpd_sasl_auth_enable = no
# if you want enable sending to domains for which your environment is not
#   authoritative this is also handy for testing in your dev environment
#   that is only authoritative for a dev domain
relay_domains =,

You also want to modify smtpd_recipient_restrictions but in Zimbra you must modify that with in the zimbra configuration:

$ vi /opt/zimbra/conf/
# remove permit_sasl_authenticated
check_sender_access hash:/opt/zimbra/postfix/conf/access

$ vi /opt/zimbra/postfix/conf/access OK OK

$ zmmtactl reload

You might want to check that /opt/zimbra/postfix/conf/ now contains this:

smtpd_recipient_restrictions = reject_non_fqdn_recipient,
hash:/opt/zimbra/postfix/conf/access, permit_mynetworks,
reject_unauth_destination, reject_unlisted_recipient,
reject_invalid_hostname, reject_non_fqdn_sender, permit

You should now be set.

It’s worth mentioning: check_sender_access will only check and allow the sender domain. if you don’t set relay_domains the recipient domain is allowed because your environment is the final destination for that/those domain(s). As noted above you can set relay_domains above if you want to allow relaying to domains for which this environment is not the final destination.

Leave a Reply

Your email address will not be published. Required fields are marked *