GUIDE: Postfix: HOW TO: Multiple access lists for protected Distribution-lists
I have just implemented Zimbra 5 in my company. It's great. One problem I encountered was that there are multiple distribution lists, with different groups having access to each.
For example, only Sales users should send email to the Sales distribution list. Others can't. Likewise, Accounts users can send to the Accounts distribution list.
I found this wiki on the Zimbra Wiki page, but it talks about several distribution lists with a SINGLE set of users having access to them. I researched the net and have found easy ways for GRANULAR control:
Here is how you do it. Let's take Sales and Accounts as examples, each with its respective rights. Execute the commands as the 'zimbra' user. Use sudo where necessary.
Create a file called sales-senders: "/opt/zimbra/postfix/conf/sales-senders"
This file has the sales group who can send to email@example.com. The content should be like this (add emails as necessary):
Create a 2nd file: "/opt/zimbra/postfix/conf/accounts-senders"
This file has the accounts group who can send to firstname.lastname@example.org. The content should be like this (add emails as necessary):
Create the access-list file: "/opt/zimbra/postfix/conf/protected_recipients"
This is the access-list file defining who can send to particular lists. Add the following content: (add as necessary)
Create a script file to update and execute the access-list: "/opt/zimbra/postfix/conf/update-sec-list"
echo "rebuild authorised sales-list senders..."
echo "rebuild authorised accounts-list senders..."
echo "REBUILD protected_recipients..."
Now, update the main configuration file: "/opt/zimbra/postfix/conf/main.cf"
Here you are actually restricting access by groups you defined.
And add the following code in the last section.
sales-senders-list = check_sender_access hash:/opt/zimbra/postfix/conf/sales-senders, reject
accounts-senders-list = check_sender_access hash:/opt/zimbra/postfix/conf/accounts-senders, reject
smtpd_restriction_classes = sales-senders-list, accounts-senders-list
Now, edit this file: "/opt/zimbra/conf/postfix_recipient_restrictions.cf"
Add the following line as the FIRST LINE of the file, above all else.
Now reload postfix from the command line.
That's it! You are done. Now sales can't send to accounts and vice versa. You can create as many access-lists as you want.
Thanks to Zimbra and the Postfix group for making such features possible.
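
An added example, not part of the original guide: a small shell lint for the wiring between protected_recipients and main.cf. It prints any class the recipient map uses that main.cf does not both define and list in smtpd_restriction_classes. The list addresses, the function names and the temporary directory are constructed for the example, and it assumes one setting per line in main.cf and a recipient map whose right-hand sides are all class names, as in this guide.

```shell
#!/bin/sh
# Added example: lint the restriction-class wiring used in this guide.
# Assumes one setting per line in main.cf and a recipient map whose
# right-hand sides are all class names.

# Print each class the recipient map uses that main.cf does not both
# define ("name = ...") and list in smtpd_restriction_classes.
# Usage: undeclared_classes MAIN_CF PROTECTED_RECIPIENTS
undeclared_classes() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        FILENAME == ARGV[1] {                # first file: main.cf
            if ($0 !~ /=/) next
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
            value = $0; sub(/^[^=]*=[ \t]*/, "", value)
            if (name == "smtpd_restriction_classes") {
                n = split(value, parts, /[ \t,]+/)
                for (i = 1; i <= n; i++) if (parts[i] != "") listed[parts[i]] = 1
            } else has_def[name] = 1
            next
        }
        {                                    # second file: "address class"
            if (!(listed[$2] && has_def[$2]) && !seen[$2]++) print $2
        }
    ' "$1" "$2"
}

# Write constructed sample files into directory $1; $2 is the value to use
# for smtpd_restriction_classes. Addresses are made up for the example.
write_sample() {
    cat > "$1/main.cf" <<EOF
sales-senders-list = check_sender_access hash:/opt/zimbra/postfix/conf/sales-senders, reject
accounts-senders-list = check_sender_access hash:/opt/zimbra/postfix/conf/accounts-senders, reject
smtpd_restriction_classes = $2
EOF
    cat > "$1/protected_recipients" <<'EOF'
# list address                class applied to mail sent to it
sales@lists.example.com       sales-senders-list
accounts@lists.example.com    accounts-senders-list
EOF
}

demo=$(mktemp -d)
write_sample "$demo" "sales-senders-list, accounts-list"
echo "mismatched: $(undeclared_classes "$demo/main.cf" "$demo/protected_recipients")"
write_sample "$demo" "sales-senders-list, accounts-senders-list"
echo "consistent: $(undeclared_classes "$demo/main.cf" "$demo/protected_recipients")"
rm -rf "$demo"
```

Point the function at the real main.cf and protected_recipients before reloading Postfix; empty output means every class in the map is wired up. The check covers naming only: check_sender_access matches the envelope sender address, which these settings do not authenticate.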