Restrict ticket creation to registered users


I only just set up Zammad on my server. It’s so simple and friendly on admins, agents and users, great first impression!

I noticed that anyone is able to create tickets just by sending an email to the address registered with Zammad, no further verification seems necessary.

I guess the first thing that comes to mind here is unsolicited emails. You could have a spam check right on your server but the risk is for false positives to just never even arrive in your Zammad inbox so that doesn’t seem like a good idea. It would be safer to have this function in Zammad directly.

Personally, I don’t see the need to deal with complex spam rules and false positives, I’d much rather just restrict ticket creation to properly registered users. If someone registered through the web form, or was manually set up by me, they should be allowed to send support requests via email. If not, I would like for them to receive an automatic reply informing them of this requirement.

With an open source solution, obviously everything is possible. But is there a recommended way to achieve my goal?


I think we had this topic once or twice already, but currently am short on time.

The functionality you’re requesting here is not possible within Zammad core and, to be honest, not desired from our end. The reason for this is that you’d other wise have to ensure you have all your customers created within Zammad which may cause a lot of overhead before hand. Also, if the customer has several mail addresses and is not able to “use the correct one” this may lead to unwanted situations with your customer.

Zammad by default aims to allow communication with everyone, just like a normal mailbox (without special mail server configuration!) would do.

Also, checking for spam on Zammad end is a bit out of scope for the application itself.
My opinion always will be that this is a task of your mail server. If you’re not too sure, you can always create a mailbox to redirect “maybe spams” to and then use a dedicated group for such information.

This is not ideal, I’m aware, but expecting a spam filter in Zammad would be a big gun.
Let alone the possibilities of bugs and the massive introduction of settings and UI stuff that would go against the aim of “keeping it simple”.

Please don’t get me wrong, I get your idea!
I just wanted to let you know, that this currently is no aim for the Zammad core.

You could try to achieve your goal, if you absolutely have to, by adjusting Zammads code (not update safe) or implementing a Zammad addon.
Further input on Zammad addons can be found here:

Hi MrGeneration,

Thanks for taking the time to elaborate on your opinion and why this is not something you see as a core requirement for Zammad. I understand your points and, considering how advanced this young system already is, am confident that Zammad over time may gain some new features that offer a higher level of flexibility.

Just to give you a better idea of what I have in mind. My company offers support services exclusively to clients who have signed a contract. These are all corporate clients and they will all contact me exclusively from their corporate domain, or through other channels such as telephone. So, at the moment a contract is signed, I would just create the organization in Zammad and anyone writing from that domain could reach me, anyone else would receive some sort of reject message (reject message here can also mean lead generation / invitation).

I’m wondering if there is a way to simulate this. For example, I could just create a new role “New contact”, make it the default at signup. Then create a trigger that sends a confirmation email to people with the role “Customer” but a reject message to people with the role “New contact”.

This would basically solve my issue but would require that I could select this new role in the trigger. I just tried that and even after creating a new role “New contact”, I can still only select between “Customer”, “Agent”, and “System” for the sender type.

What is “Sender” looking for if not the role, and do you think there is anything I can do with the default installation of Zammad to come close to fulfilling my requirements? Can I maybe use the VIP designation somehow to simulate this?

I’ll keep trying and investigating this but any hints you can give me are most welcome.


You could just have your MTA drop/reject all mails except from customers’ domains. :nerd_face:

The role part won’t work, as you have no possibility within Zammad to filter for exactly that.
What you however can use is e.g. the VIP state for single customers or, if your customers users are always living in organisations and (to help you) use domain based assignment, you could use a custom object on the organisation.

I’m afraid that you can’t drop the mail during fetching, but what you can do is to automatically close affected tickets. To reduce agent notifications, you could use a different group which nobody has access to. You can then clean up that group with the scheduler to remove these unwanted mails.

It’s by far perfect, but may help to reduce MTA administration.
The in my opinion relevant points for the above are:

You could even not just re route those mails but also inform the sender about that task, if you’d like.
If removal is a bit “too much”, you could also redirect it to a Sales group where you’re going on a hunt for customers - depending on how your business tries to operate. :man_shrugging:


Thank you again for your very valuable input, I’ll try this.

1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.