Restrict Carbonio Community Edition Users to Send Emails Locally Or Externally | Carbonio CE

Imagine a scenario where a company’s sensitive financial information or proprietary information is at risk of being leaked. By implementing internal email policies and controlling email flow, businesses can prevent unauthorized external emails, ensuring that sensitive data remains secure within the organization.

Let’s take a look at the following scenario:

Restrict carbonio users to send emails locally or externally.

The consequences of a data breach in this scenario can be severe. Not only can it lead to financial losses for the company, but it can also damage its reputation and erode the trust of clients and stakeholders. How data breaching can cost and hurt an organization in today’s scenario, you can take a look at this article.

In this article, we will show how you can restrict/allow your users to send emails to both local and external users.

Add the following line on top of /opt/zextras/conf/zmconfigd/

%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zextras/common/conf/restricted_senders%%

Look at the example:

zextras@mail:~$ cat /opt/zextras/conf/zmconfigd/
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zextras/common/conf/restricted_senders%%
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zextras/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zextras/common/conf/
permit_mynetworks, reject_sender_login_mismatch
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zextras/common/conf/

Now modify the server using MtaSmtpdSenderRestrictions attribute:

zextras@mail:~$ carbonio prov ms +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/restricted_senders"
zextras@mail:~$ carbonio prov gs zimbraMtaSmtpdSenderRestrictions
# name
zimbraMtaSmtpdSenderRestrictions: check_sender_access lmdb:/opt/zextras/common/conf/restricted_senders


Edit /opt/zextras/conf/ and find the section SECTION mta DEPENDS amavis (Line: 65). Add following lines before RESTART mta

POSTCONF    smtpd_restriction_classes  local_only
POSTCONF    local_only  FILE

It will look like:

root@mail:~# sed -n '280,286p' /opt/zextras/conf/
        POSTCONF smtpd_tls_session_cache_timeout        LOCAL postfix_smtpd_tls_session_cache_timeout
        POSTCONF smtpd_tls_session_cache_database       LOCAL postfix_smtpd_tls_session_cache_database
        POSTCONF    smtpd_restriction_classes  local_only
        POSTCONF    local_only  FILE
        RESTART mta

SECTION opendkim DEPENDS mta

Now create the following file (/opt/zextras/conf/ and add mentioned line:

root@mail:~# cat /opt/zextras/conf/
check_recipient_access lmdb:/opt/zextras/common/conf/local_domains, reject

Create a file for the users on whom we want to impose the restriction:

root@mail:~# cat /opt/zextras/common/conf/restricted_senders         local_only

Now, create another file for the list of domains where the restricted users are allowed to send emails.

root@mail:~# cat /opt/zextras/common/conf/local_domains     OK

Remarks: If we leave this file empty then the restricted user will not be able to send email to anyone, even to himself. Also, we can add more email address or domains in this file.

Fix the permissions of following files:

root@mail:~# chown zextras:zextras /opt/zextras/conf/
root@mail:~# chmod 644 /opt/zextras/conf/
root@mail:~# chown :zextras /opt/zextras/common/conf/restricted_senders
root@mail:~# chmod 775 /opt/zextras/common/conf/restricted_senders
root@mail:~# chown :zextras /opt/zextras/common/conf/local_domains
root@mail:~# chmod 775 /opt/zextras/common/conf/local_domains

Now, postmap created files and restart the MTA service.

zextras@mail:~$ postmap /opt/zextras/common/conf/restricted_senders
zextras@mail:~$ postmap /opt/zextras/common/conf/local_domains
zextras@mail:~$ zmmtactl restart

So let’s see what we have achieved.

Right now, user is in the restriction list and it can only send emails to domain (

zextras@mail:~$ grep sales2 /var/log/carbonio.log | tail -n 1
Jul  4 18:08:07 mail postfix/lmtp[125232]: AE63028391B: to=<>,[]:7025, delay=0.36, delays=0.01/0.02/0.05/0.29, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
zextras@mail:~$ grep imsilsa /var/log/carbonio.log | tail -n 1
Jul  4 18:07:34 mail postfix/smtpd[124536]: NOQUEUE: reject: RCPT from localhost[]: 554 5.7.1 <>: Sender address rejected: Access denied; from=<> to=<> proto=ESMTP helo=<>

So this is how you can enforce restrictions and delivery policy for your users to control the data flow of your organization. Besides this kind of restriction, if you want to know how you can secure your users by blocking unwanted addresses, check out How to Blacklist/Whitelist address in Carbonio Community Edition Server.

In summary, restricting email users to local delivery is essential for enhancing security and protecting sensitive information. Implementing these email policies helps prevent unauthorized access and data leaks, ensuring a secure communication environment. Adopting these measures will safeguard your company’s data and build trust among stakeholders.

Post your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Essential Blacklist and Whitelist Tips for Carbonio Community Edition Email Servers | Carbonio CE
Why Disclaimers Matter: Enhancing Legal Compliance in Carbonio Community Edition Servers | Carbonio CE