
Sender Restrictions

Control which recipients specific senders can email - perfect for limiting automated accounts, contractors, or restricted users.


Overview

Sender Restrictions is a powerful feature that allows administrators to limit which recipients specific email addresses can send to. When a restricted sender tries to email someone not on their approved list, the message is immediately rejected with a customizable error message.

Key Benefit: Prevent data leaks and unauthorized communications by ensuring certain accounts can only communicate with approved recipients.

🔒 Outbound Control

Restrict outbound emails from specific senders to only approved recipients or domains.

🎯 Wildcard Support

Use *@domain.com patterns to allow entire domains with a single rule.

⚡ Real-time Enforcement

Restrictions are enforced immediately at the SMTP level - unauthorized emails never leave your server.

📝 Custom Messages

Configure custom rejection messages so users understand why their email was blocked.

Use Cases

1. Automated/Service Accounts

Limit notification accounts to only send to internal recipients:

2. Contractors & Temporary Staff

Restrict temporary employees to communicate only with their project team:

3. Compliance & Data Protection

Prevent sensitive accounts from communicating externally:

How It Works

┌───────────────────────────────────────────────────┐
│        Email Flow with Sender Restrictions        │
├───────────────────────────────────────────────────┤
│                                                   │
│    User sends email                               │
│           │                                       │
│           ▼                                       │
│    ┌─────────────┐                                │
│    │   Postfix   │                                │
│    └──────┬──────┘                                │
│           │                                       │
│           ▼                                       │
│    ┌─────────────────────────────────────────┐    │
│    │          SecZim Policy Server           │    │
│    │                                         │    │
│    │  1. Check if sender has restrictions    │    │
│    │  2. If yes, verify recipient is allowed │    │
│    │  3. If not allowed → REJECT             │    │
│    │  4. If allowed → Continue               │    │
│    └──────┬──────────────────────────────────┘    │
│           │                                       │
│      ┌────┴────┐                                  │
│      │         │                                  │
│      ▼         ▼                                  │
│    REJECT   CONTINUE                              │
│    (550)    (to next module)                      │
│                                                   │
└───────────────────────────────────────────────────┘

Processing Order: Sender Restrictions runs at priority 97, after Access Control (100) but before other modules like Auto-Blacklist (98) and GeoIP (90). This ensures whitelisted senders bypass restrictions while still enforcing limits on regular users.

Configuration

Navigate to Configuration → Sender Restrictions in the SecZim dashboard.

Adding a New Restriction

  1. Click "Add Restriction"
    Opens the configuration modal for a new sender restriction.
  2. Enter Sender Email
    The email address that will be restricted (e.g., notifications@company.com).
  3. Add Allowed Recipients
    Add one or more recipients this sender can email. Use exact addresses or wildcard patterns.
  4. Set Reject Message (Optional)
    Customize the error message shown when the sender tries to email unauthorized recipients.
  5. Enable the Restriction
    Toggle "Active" to enable. You can disable temporarily without deleting the rule.

Configuration Fields

| Field | Description | Example |
| --- | --- | --- |
| Sender Email | The email address to restrict | alerts@company.com |
| Allowed Recipients | List of recipients/patterns this sender can email | admin@company.com, *@company.com |
| Reject Message | Custom message for rejected emails | "This account can only send to internal recipients" |
| Active | Enable/disable the restriction | On/Off |

Wildcard Patterns

SecZim supports wildcard patterns to allow entire domains:

| Pattern | Matches | Does NOT Match |
| --- | --- | --- |
| *@company.com | anyone@company.com, sales@company.com | user@sub.company.com, user@other.com |
| admin@company.com | admin@company.com (exact match only) | admin2@company.com, admin@other.com |

Note: Wildcard patterns only match the exact domain. *@company.com will NOT match user@sub.company.com. Add subdomains separately if needed.

Practical Examples

Example 1: Notification Service Account

Restrict an automated notification account to only send internally:

Sender Email: notifications@company.com
Allowed Recipients:
  - *@company.com
Reject Message: "This is an automated account that can only send to internal recipients"
Active: Yes

Example 2: Contractor with Limited Access

Allow a contractor to only communicate with their project manager and HR:

Sender Email: contractor.john@company.com
Allowed Recipients:
  - manager@company.com
  - hr@company.com
  - project-team@company.com
Reject Message: "Your account is restricted to project-related communications only"
Active: Yes

Example 3: Finance Department Compliance

Restrict the finance reporting account to internal plus external auditors:

Sender Email: finance-reports@company.com
Allowed Recipients:
  - *@company.com
  - audit@externalauditor.com
  - compliance@regulatorybody.gov
Reject Message: "Finance reports can only be sent to authorized recipients"
Active: Yes
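
The decision flow from "How It Works" and the wildcard rules above, sketched as a Postfix policy-delegation check over Examples 1 and 3 (an added example, not SecZim's own code). It assumes SecZim receives Postfix's standard name=value policy requests; the rule layout, function names, and case-insensitive comparison are assumptions of this sketch.

```python
# Added example, not SecZim code. Rule layout and function names are hypothetical.
RULES = {  # constructed from Examples 1 and 3 on this page
    "notifications@company.com": {
        "allowed": ["*@company.com"],
        "message": "This is an automated account that can only send to internal recipients",
        "active": True,
    },
    "finance-reports@company.com": {
        "allowed": ["*@company.com", "audit@externalauditor.com",
                    "compliance@regulatorybody.gov"],
        "message": "Finance reports can only be sent to authorized recipients",
        "active": True,
    },
}

def parse_request(raw: str) -> dict:
    """Parse one Postfix policy request: name=value lines, ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def pattern_matches(pattern: str, recipient: str) -> bool:
    """Exact address, or *@domain matching that exact domain only (no subdomains)."""
    pattern, recipient = pattern.lower(), recipient.lower()  # assumption: case-insensitive
    if pattern.startswith("*@"):
        local, at, domain = recipient.rpartition("@")
        return bool(local) and at == "@" and domain == pattern[2:]
    return pattern == recipient

def decide(raw: str, rules: dict = RULES) -> str:
    """Return the policy reply for one RCPT TO check (envelope sender and recipient)."""
    attrs = parse_request(raw)
    rule = rules.get(attrs.get("sender", "").lower())
    if rule is None or not rule["active"]:
        return "action=DUNNO\n\n"  # no active restriction: continue to next module
    if any(pattern_matches(p, attrs.get("recipient", "")) for p in rule["allowed"]):
        return "action=DUNNO\n\n"  # recipient is on the sender's allowed list
    return f"action=550 {rule['message']}\n\n"  # reject with the custom message

def request(sender: str, recipient: str) -> str:
    """Build a constructed sample request holding only the attributes used here."""
    return (f"request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"sender={sender}\nrecipient={recipient}\n\n")
```

Comparing the whole domain after the last @, rather than testing a string suffix, is what keeps *@company.com from matching user@sub.company.com or any other domain that merely ends in the same characters.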

Best Practices

✅ Start Permissive

When first restricting an account, include all known recipients. Monitor logs and add missing ones as needed.

✅ Use Domain Wildcards

For internal-only accounts, use *@yourdomain.com instead of listing every employee.

✅ Clear Reject Messages

Write helpful rejection messages so users understand the restriction and know who to contact.

✅ Document Your Rules

Keep a record of why each restriction exists, especially for compliance-related rules.

Warning: Be careful when restricting executive or critical accounts. Always test restrictions in a staging environment or during off-hours first.

Monitoring Restricted Senders

All rejected emails from restricted senders appear in:

Tip: Use the Audit Log filter to search for Module: SenderRestrictions to see all enforcement actions for your restricted senders.
