Distribution list permission issue: allow sending by list members plus others

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
jamma
Posts: 5
Joined: Sun Jan 13, 2019 10:03 am

Distribution list permission issue: allow sending by list members plus others

Postby jamma » Wed Feb 13, 2019 9:37 pm

Hello evrybody!

I want to configure a distribution list with limited permission to send to the list. I want any list members (it contains internal and external addresses) plus all user of the Zimbra instance to be allowed to send to the list, but nobody else.

Unfortunately, I was unable to achieve that.

First, I tried to configure it using the Web UI: logged in as an owner of that list, edit the list, go to distribution list properties, select the "Only these users can send to this list" option and enter the list itself plus some other lists into the input field. Click Save, return to the edit page and see option "only members can send to this list" selected.

Okay, I thought to myself, maybe it's an UI issue and went to command line to configure the permissions I want.

Code: Select all

zmprov grr dl mitglieder@buerger-meissen.de grp mitglieder@buerger-meissen.de sendToDistList
zmprov grr dl mitglieder@buerger-meissen.de all sendToDistList

Then I verified the ACE:

Code: Select all

zmprov ckr dl mitglieder@buerger-meissen.de some.addresse@on-the-list sendToDistList
Said "OK"

Code: Select all

zmprov ckr dl mitglieder@buerger-meissen.de some-internal-user@buerger-meissen.de sendToDistList
Said "OK"

Code: Select all

zmprov ckr dl mitglieder@buerger-meissen.de some.addresse@not-on-the-list sendToDistList
Said "Nope"
All seems to be well... until it just doesn't work. As soon as the distribution list itself get's granted the right to send to itself, any other ACE seems to be ignored. Internal users could not send to the list - Access Denied.

Workaround: Build a second, identical distribution list (easy because the members of the list are taken from another database via nightly cron script), grant permission to this helper list plus any additional users/lists.

Is that a known bug? Or a feature? We'll probably set up more lists if this kind (list members + x allowed), so I'd like to get a simple and stable solution.

Any hints?

Thanks,

Jamma!


jamma
Posts: 5
Joined: Sun Jan 13, 2019 10:03 am

Re: Distribution list permission issue: allow sending by list members plus others

Postby jamma » Sat Feb 23, 2019 5:08 pm

Replying to myself: I've found a simpler workaround. I create a secondary list called "firstlist-sendpermission" which has the first list as member (plus maybe others) and grant permission to that list. No mail allowed for this list, might be even hiden from GAL.

That seems to work fine.

Next issue: Is there some kind of delay involved when limiting permissions to distribution lists? I've set up another experiment: A list of two addresses (both external), only one of them should be allowed to send to the list. But reply-All still works for the other one, even though

Code: Select all

zmprov ckr dl testlist@mydomain second-account sendToDistList
says "DENIED". Mail still comes through and looking at the headers I'm seeing that it went through Zimbra.

Code: Select all

zmprov gdl testlist@mydomain
shows just two ACE entries: Owner (another account) and the send permission.
Zimbra version is 8.8.10GA_3716FOSS btw. Milter is active.

Ah, found it: Milter service needs to be restarted for the restrictions to take effect. That's strange and unexpected!

What's the expected delay or behaviour here?

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 10 guests