A client has asked that mail through his Zimbra MTA only be allowed from or to valid domains within their organization. This is particularly applicable to Zimbra as Zimbra will only archive mail if it’s from or to a domain for which it is authoritative. The idea is to archive all mail through their Zimbra environment.. If it is not one of their domains, refuse it.
If this were my organization it would look like this:
mail from firstname.lastname@example.org to any domain would work
mail from email@example.com to any domain would work
mail from any domain to firstname.lastname@example.org would work
mail from any domain to email@example.com would work
of course mail from and to firstname.lastname@example.org or 1038east.com will work
all other mail will be considered relaying.
One thing we did not do that I might want to do is force authentication. The problem with this configuration is it does open up to spamming as it only validates from or to domain.
This is really a discussion about Postfix configuration but I did the work in Zimbra so I might as well add the additional steps to configure it in Zimbra.. These instructions will be applicable to straight Postfix or Zimbra.
You’ll want to do all the work as the zimbra user:
Run the zmprov command for each of your mtas.
# su - zimbra
$ zmprov ms mta01.morganjones.org zimbraMtaMyNetworks 127.0.0.0/8
$ vi /opt/zimbra/postfix/conf/main.cf
smtpd_sasl_auth_enable = no
# if you want enable sending to domains for which your environment is not
# authoritative this is also handy for testing in your dev environment
# that is only authoritative for a dev domain
relay_domains = 1038east.com, morganjones.org
You also want to modify smtpd_recipient_restrictions but in Zimbra you must modify that with in the zimbra configuration:
$ vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
# remove permit_sasl_authenticated
$ vi /opt/zimbra/postfix/conf/access
$ zmmtactl reload
You might want to check that /opt/zimbra/postfix/conf/main.cf now contains this:
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_invalid_hostname, reject_non_fqdn_sender, permit
You should now be set.
It’s worth mentioning: check_sender_access will only check and allow the sender domain. if you don’t set relay_domains the recipient domain is allowed because your environment is the final destination for that/those domain(s). As noted above you can set relay_domains above if you want to allow relaying to domains for which this environment is not the final destination.