Create a VIP mailbox in Zimbra Collaboration Open-Source Edition

In enterprises, a situation often arises when the creation of a so-called VIP mailbox is required, only a certain circle of people can send letters to it. Such mailboxes are typical for any top managers with personal secretaries. Instead of the top manager, all the e-mail is received by the secretary, who then selects really important and necessary messages from the general stream and redirects them to his manager’s mailbox. An ordinary employee of an enterprise, when trying to send a message to a VIP mailbox, should receive a notification that his message has not been delivered. Such a VIP mailbox can be easily implemented in Zimbra Open-Source Edition using the built-in mail filtering tools called Amavis and cbpolicyd.

Amavis coordinates the actions of the Postfix email forwarding agent, Spam Assassin spam filter, ClamAV antivirus and several others. Together, all these utilities provide reliable protection against spam and viruses, as well as phishing emails, which pose a serious threat to the information security of the enterprise. By default, Amavis filters all emails without exception, but the built-in policy restriction functionality allows not only to disable this filtering for any mailboxes, but also to limit the list of people who can send emails to mailboxes in principle.

For example, take the mailbox of the CEO ceo@example.ru, for which it is necessary to limit the circle of people who can send messages directly. The list will be limited to the top management of the company in the form of CTO, CIO and CFO, as well as a personal secretary. For this, we will take advantage of Amavis policy restrictions. Using command zmprov ma ceo@example.ru + amavisWhitelistSender secretary@example.ru cto@example.ru cio@example.ru cfo@example.ru we will add to the white list addresses that can write emails to the CEO directly, and using the command zmprov ma ceo@example.ru amavisBlacklistSender example.ru we blacklist the rest.

In order to make sure that everything is done correctly, you can run the command zmprov -l ga ceo@example.ru | grep amavis | grep sender. The output of the command will show both those who are allowed to send messages to the CEO, and those to whom sending messages to his email address is prohibited. However, in addition to users of the enterprise’s domain, letters to the CEO’s mailbox can also come from domains on the external Internet. Therefore, a reasonable step would be the introduction of an unconditional ban on receiving emails from the external Internet for this mailbox.

These restrictions can be introduced by using cbpolicyd, the policy service built into the Zimbra Collaboration Suite Open-Source Edition. In order to use it, you must first activate the corresponding module in Zimbra OSE. To do this, enter the command zmprov ms mail.example.ru + zimbraServiceEnabled cbpolicyd. Run this command on the host with the MTA if your Zimbra OSE runs on a multi-server infrastructure. You will also need to open access to cbpolicyd through the web interface. To do this, enter the command ln -s / opt / zimbra / data / cbpolicyd / share / webui / opt / zimbra / httpd / htdocs /, which will create a symlink in the Apache server. In addition, you must add to the file /opt/zimbra/cbpolicyd/share/webui/includes/config.php information about the database to which the connection should take place. To do this, add a line to this file in any text editor $ DB_DSN = “sqlite: /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb”;. After that, it remains only to restart Zimbra OSE and the Apache web server using the commands zmcontrol restart and zmapachectl restart.

The web interface for administering cbpolicyd is now available at mail.example.ru: 7780 / webui / index.php, however, it should be noted that it may not be available due to the firewall settings. Configure it to access the cbpolicyd web interface. After you enter the cbpolicyd web interface, you need to create two groups: users_local_only for users who can receive mail only from users of the local domain, as well as local_domain for the local domain and enable them by unchecking the “Disabled”. After that, you need to add participants to the groups. In our case, we will add ceo@example.ru to the group users_local_only and example.ru domain into a group local_domain.

Now let’s get down to the policy settings. We will call our “Receiving Local Only” and indicate in it the user groups to which it will be distributed, and the domains that are considered local. Groups should be specified as their users_local_only and local_domain, and also indicate the priority of applying the policy. This is necessary for cases when several policies are applied to the same mailbox at once. Based on priority, cbpolicyd decides which policy will be applied and which will be ignored. In our case, you can set the priority to 100 and in the future, if additional overlapping policies appear, adjust it.

Another important point is the configuration of the action when the policy is triggered. In other words, if we forbade the CEO’s mailbox to receive letters from any external domains, then we need to decide what will happen to the letters that will continue to be sent to his mailbox. We suggest simply rejecting such letters using the option REJECT. After making the changes, it remains only to apply the policies and restart cbpolicyd using the commands zmprov ms mail.example.ru zimbraCBPolicydAccessControlEnabled TRUE and zmcbpolicydctl restart.

Thus, using the built-in tools of Zimbra Collaboration Suite Open-Source Edition, we created a VIP mailbox, which only a few people can send letters to. Using this template, you can expand the number of VIP mailboxes, as well as the number of accounts that can send them letters.