1

Topic: Prevent account emailing outside domain

==== Required information ====
- iRedMail version: iRedMail-0.9.2 / iRedAdmin-Pro-LDAP-2.3.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Linux/BSD distribution name and version: Ubuntu 14.04
- Related log if you're reporting an issue:
====

Hello! I haven't been able to find an up-to-date answer to this question. What's the preferred way to prevent an account sending emails outside it's own domain. For example, how can i prevent testuser@example.com sending email to testuser@gmail.com while still allowing it to email testuser2@example.com

I wonder if this is a feature of iRedAPD but I cannot find a way to configure it.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Prevent account emailing outside domain

You can use white/blacklist provided by iRedAPD plugin `amavisd_wblist`.

In user profile page, under tab 'White/Blacklist', add '@.' (without quotes) as blacklisted senders, then add '@example.com' (again, without quotes) as whitelisted senders.

Let me know whether or not it works for you.

3

Re: Prevent account emailing outside domain

ZhangHuangbin wrote:

You can use white/blacklist provided by iRedAPD plugin `amavisd_wblist`.

In user profile page, under tab 'White/Blacklist', add '@.' (without quotes) as blacklisted senders, then add '@example.com' (again, without quotes) as whitelisted senders.

Let me know whether or not it works for you.

This is where I looked initially, but seemed to be for incoming email not outgoing?

I have tried setting @. in the blacklisted senders field, and @example.com in the whitelisted senders field, but the account in question was still able to email outwards to a gmail account.

4

Re: Prevent account emailing outside domain

Could you please turn on debug mode in iRedAPD and try again? We need debug log for troubleshooting.

Reference: http://www.iredmail.org/docs/debug.iredapd.html

5

Re: Prevent account emailing outside domain

I have done this and saved the section pertaining to an email leading the domain, but I am reluctant to post the output here since it is a production mailserver. It is also a lot to censor. Is there a specific part you would like to see?

I notice "DEBUG No per-recipient white/blacklist found"  in the "Apply plugin: amavisd_wblist" section, perhaps this is the area to concentrate on?

6

Re: Prevent account emailing outside domain

Oh, my mistake. Please enable iRedAPD plugin 'ldap_recipient_restrictions' instead.

Then manage this local user with phpLDAPadmin (web) or ldapvi (command line), add two new attributes to this user:

mailWhitelistRecipient: @example.com
mailBlacklistRecipient: @.

7

Re: Prevent account emailing outside domain

UPDATE:

*) We should make it manageable in iRedAdmin-Pro.
*) We should merge iRedAPD plugins 'ldap_amavisd_block_blacklisted_senders.py', 'ldap_recipient_restrictions.py', 'sql_user_restrictions.py' to one plugin `amavisd_wblist`.

I will try to implement this in future release.

8

Re: Prevent account emailing outside domain

ZhangHuangbin wrote:

Oh, my mistake. Please enable iRedAPD plugin 'ldap_recipient_restrictions' instead.

Then manage this local user with phpLDAPadmin (web) or ldapvi (command line), add two new attributes to this user:

mailWhitelistRecipient: @example.com
mailBlacklistRecipient: @.

Thanks Zhang, I'll try to make these changes. What's the preferred way to enable a plugin? I see that /opt/iredapd/settings.py contains relevant settings but also instructs "DO NOT TOUCH BELOW LINE."

9

Re: Prevent account emailing outside domain

It just says don't touch the one line immediately following the warning line.

To enable a plugin, just list the plugin name in parameter 'plugins ='. Note, the order of plugin names is very important, because plugins will be called in specified order.

10

Re: Prevent account emailing outside domain

Okay Zhang, I followed your instruction and this is working well! E-mails sent outside of the domain are rejected with "Recipient address rejected: Permission denied".

Thanks for your quick and effective help, I'd absolutely love to see this integrated within the pro web interface since this is something I'd like to implement for many of our internal services.

11

Re: Prevent account emailing outside domain

candidate10 wrote:

I'd absolutely love to see this integrated within the pro web interface since this is something I'd like to implement for many of our internal services.

I will try to implement this in future release.

Thread closed.