SQL: Per-user inbound and outbound restrictions

This tutorial is applicable to all SQL backends: MySQL, MariaDB, PostgreSQL.

There's another way to achieve per-user inbound/outbound restriction, it's called per-user white/blacklists (stored in SQL table amavisd.wblist, implemented by iRedAPD plugin amavisd_wblist), but per-user white/blacklists are manageable by user themselves.

iRedAPD (a simple Postfix policy server developed by iRedMail team) provides for per-user plugin sql_user_restrictions for per-user inbound/outbound restrictions.

Please make sure plugin sql_user_restrictions is enabled in iRedAPD config file /opt/iredapd/settings.py like below:

# Part of file: /opt/iredapd/settings.py

plugins = [..., 'sql_user_restrictions']

Restarting iRedAPD service is required if you modified /opt/iredapd/settings.py.

You can store allowed or disallowed senders in 4 SQL columns in vmail database:

• mailbox.rejectedsenders: disallowed to receive email from listed senders.
• mailbox.allowedsenders: allowed to receive email from listed senders.
• mailbox.rejectedrecipients: disallow user to send email to listed recipients.
• mailbox.allowedrecipients: allow user to send email to listed recipients.

Valid sender/recipient formats are:

• @.: all addresses (user, domain, sub-domain). Be careful: There's a dot after @.
• @domain.com: entire domain.
• @.domain.com: entire domain and all its sub-domains. Be careful: There's a dot after @.
• user@domain.com: single email address
• empty value means no restriction.

NOTES:

• Multiple senders/recipients must be separated by comma (,).
• mailbox.allowedsenders has higher priority than mailbox.rejectedsenders.
• mailbox.allowedrecipients has higher priority than mailbox.rejectedrecipients.

Sample usage:

• allow local mail user user@example.com to send to and receive from the same domain (example.com) and gmail.com, but not others.

sql> USE vmail;
sql> UPDATE mailbox \
     SET \
         rejectedsenders='@.', \
         allowedsenders='@example.com,@gmail.com', \
         rejectedrecipients='' \
         allowedrecipients='@example.com,@gmail.com', \
     WHERE \
          username='user@example.com';

OpenLDAP backend special

OpenLDAP backend requires iRedAPD plugin ldap_amavisd_block_blacklisted_senders.

• If you have iRedAdmin-Pro, you can manage this restriction in user profile page.

• If you don't have iRedAdmin-Pro, you can manage it with phpLDAPadmin or other LDAP management tools. Related LDAP attributes are:

  • mailWhitelistRecipient: same as SQL mailbox.allowedrecipients
  • mailBlacklistRecipient: same as mailbox.rejectedrecipients
  • amavisWhitelistSender: same as mailbox.allowedsenders
  • amavisBlacklistSender: same as mailbox.rejectedsenders

Values for these LDAP attributes use the same format as mentioned above.

Document published under a CC BY-ND 3.0 license. If you found something wrong, please do contact us to fix it.