Create a VIP mailbox in Zimbra Collaboration Open-Source Edition

Enterprises often need a so-called VIP mailbox, one that only a certain circle of people can send mail to. Such mailboxes are typical for top managers with personal secretaries. Instead of the top manager, the secretary receives all the e-mail, selects the really important and necessary messages from the general stream, and redirects them to the manager's mailbox. An ordinary employee who tries to send a message to a VIP mailbox should receive a notification that the message has not been delivered. Such a VIP mailbox can be easily implemented in Zimbra Open-Source Edition using the built-in mail filtering tools Amavis and cbpolicyd.


Amavis coordinates the actions of the Postfix mail transfer agent, the SpamAssassin spam filter, the ClamAV antivirus and several other tools. Together, these utilities provide reliable protection against spam and viruses, as well as phishing emails, which pose a serious threat to the information security of the enterprise. By default, Amavis filters all emails without exception, but its built-in policy restrictions make it possible not only to disable this filtering for individual mailboxes, but also to limit the list of people who can send email to a mailbox at all.

For example, take the mailbox of the CEO, ceo@example.ru, for which the circle of people who can send messages directly must be limited. The list will be limited to the company's top management (the CTO, CIO and CFO) plus the personal secretary. For this, we will take advantage of Amavis policy restrictions. With the command zmprov ma ceo@example.ru +amavisWhitelistSender secretary@example.ru +amavisWhitelistSender cto@example.ru +amavisWhitelistSender cio@example.ru +amavisWhitelistSender cfo@example.ru we add to the white list the addresses that can write to the CEO directly (zmprov takes attribute/value pairs, so the attribute is repeated for each address), and with the command zmprov ma ceo@example.ru amavisBlacklistSender example.ru we add the rest to the black list.

To make sure that everything is done correctly, you can run the command zmprov -l ga ceo@example.ru | grep amavis | grep -i sender (the -i is needed because the attribute names spell "Sender" with a capital S). The command's output will show both those who are allowed to send messages to the CEO and those who are prohibited from sending messages to his email address. However, in addition to users of the enterprise's own domain, letters to the CEO's mailbox can also come from domains on the external Internet. Therefore, a reasonable step is to introduce an unconditional ban on receiving emails from the external Internet for this mailbox.
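The verification step above can be turned into a repeatable check that flags drift in the sender lists. The script below is an added example, not part of the original article: the function names and the sample zmprov output are constructed, and the "attribute: value" line format of the output is an assumption.

```sh
#!/bin/sh
# Added example (not from the article): audit a VIP mailbox's Amavis sender lists.
# Feed it the output of: zmprov -l ga ceo@example.ru

# Intended lists, taken from the article's example.
EXPECTED_ALLOW='secretary@example.ru
cto@example.ru
cio@example.ru
cfo@example.ru'
EXPECTED_BLOCK='example.ru'

# Print the values of attribute $1 found on stdin, lowercased and de-duplicated.
attr_values() {
    awk -v a="$1:" '$1 == a { print tolower($2) }' | sort -u
}

# Read zmprov output on stdin; print one finding per line; return 0 only if clean.
audit_vip_senders() {
    dump=$(cat)
    allow=$(printf '%s\n' "$dump" | attr_values amavisWhitelistSender)
    block=$(printf '%s\n' "$dump" | attr_values amavisBlacklistSender)
    # grep -Fxv with a multi-line pattern keeps lines absent from the other list.
    extra=$(printf '%s\n' "$allow" | grep -Fxv -- "$EXPECTED_ALLOW" || true)
    missing=$(printf '%s\n' "$EXPECTED_ALLOW" | grep -Fxv -- "$allow" || true)
    rc=0
    for s in $extra; do echo "UNEXPECTED allow: $s"; rc=1; done
    for s in $missing; do echo "MISSING allow: $s"; rc=1; done
    if ! printf '%s\n' "$block" | grep -Fxq -- "$EXPECTED_BLOCK"; then
        echo "MISSING block: $EXPECTED_BLOCK"; rc=1
    fi
    return $rc
}

# Constructed sample output (assumed "attribute: value" line format).
SAMPLE='# name ceo@example.ru
amavisBlacklistSender: example.ru
amavisWhitelistSender: secretary@example.ru
amavisWhitelistSender: cto@example.ru
amavisWhitelistSender: cio@example.ru
amavisWhitelistSender: cfo@example.ru'
# The same account after an unreviewed change added one more sender (constructed).
DRIFTED="$SAMPLE
amavisWhitelistSender: intern@example.ru"

printf '%s\n' "$DRIFTED" | audit_vip_senders || echo "sender lists need review"
```

On a live server the input would come from zmprov -l ga ceo@example.ru piped into audit_vip_senders, for example from a scheduled job that alerts on a non-zero exit status.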

These restrictions can be introduced with cbpolicyd, the policy service built into Zimbra Collaboration Suite Open-Source Edition. To use it, you must first activate the corresponding module in Zimbra OSE. To do this, enter the command zmprov ms mail.example.ru +zimbraServiceEnabled cbpolicyd. Run this command on the MTA host if your Zimbra OSE runs on a multi-server infrastructure. You will also need to open access to cbpolicyd through the web interface. To do this, enter the command ln -s /opt/zimbra/data/cbpolicyd/share/webui /opt/zimbra/httpd/htdocs/, which creates a symbolic link to the web interface in the Apache document root. In addition, you need to add the information about the database to connect to in the /opt/zimbra/cbpolicyd/share/webui/includes/config.php file. To do this, in any text editor, add the line $DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb"; to this file. After that, all that remains is to restart Zimbra OSE and the Apache web server using the zmcontrol restart and zmapachectl restart commands.

Now the web interface for administering cbpolicyd is available at mail.example.ru:7780/webui/index.php. Note, however, that it may be unreachable because of the firewall settings; configure the firewall to allow access to the cbpolicyd web interface. After you enter the cbpolicyd web interface, you need to create two groups: users_local_only for users who can receive mail only from users of the local domain, and local_domain for the local domain, and enable them by unchecking the "Disabled" box. After that, you need to add members to the groups. In our case, we will add ceo@example.ru to the users_local_only group and the example.ru domain to the local_domain group.





Now let's get down to the policy settings. We will call our policy "Receiving Local Only" and indicate in it the user groups it applies to and the domains that are considered local. Specify the users_local_only and local_domain groups for these, and also set the priority with which the policy is applied. The priority is needed for cases when several policies apply to the same mailbox at once: based on priority, cbpolicyd decides which policy will be applied and which will be ignored. In our case, you can set the priority to 100 and adjust it later if additional overlapping policies appear.



Another important point is the action taken when the policy is triggered. In other words, if we forbid the CEO's mailbox to receive letters from any external domains, we need to decide what happens to the letters that continue to be sent to it. We suggest simply rejecting such emails using the REJECT option. After making the changes, it remains only to apply the policies and restart cbpolicyd using the commands zmprov ms mail.example.ru zimbraCBPolicydAccessControlEnabled TRUE and zmcbpolicydctl restart.

Thus, using the built-in tools of Zimbra Collaboration Suite Open-Source Edition, we created a VIP mailbox that only a few people can send letters to. Using this template, you can increase the number of VIP mailboxes, as well as the number of accounts that can send them letters.

For all questions related to the Zextras Suite, you can contact Ekaterina Triandafilidi, a representative of Zextras, by e-mail at katerina@zextras.com.
