Restricting Outbound ESMTP Access


Restricting Outbound ESMTP Access

by Alexander Erameh

Hi,

Is there a way to restrict some local users to sending local mail only? That is, they cannot send external mail.

From the Courier server, of course.

Alexander


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
courier-users mailing list
courier-users@...
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: Restricting Outbound ESMTP Access

by Sam Varshavchik

Alexander Erameh writes:

> Hi,
>
> Is there a way to restrict some local users to sending local Mails only?
> That is they cannot send external Mails.
>
> From the Courier Server of course.

Nope.




Re: Restricting Outbound ESMTP Access

by Gordon Messmer

On 11/06/2009 02:50 AM, Alexander Erameh wrote:

> Is there a way to restrict some local users to sending local Mails only? That is they cannot send external Mails.

You could always write your own policy by using the courierfilter interface. You can start with pythonfilter or Courier::Filter if you're comfortable with Python or Perl.


Re: Restricting Outbound ESMTP Access

by Alexander Erameh

I have tried using Courier Filter but ran into problems because I am a novice in Perl.

I want to use this medium to suggest to the developers of Courier to consider including these restrictions in their next upgrade.

Having used a lot of Microsoft Windows Mail Servers, I make bold to say that Courier is in a class of its own; it is simply remarkable. However the addition of these kinds of restrictions will actually make it more attractive.

Thanks

Alexander

From: Gordon Messmer [mailto:yinyang@...]
Sent: Friday, November 06, 2009 6:54 PM
To: 'Courier-Users'
Subject: Re: [courier-users] Restricting Outbound ESMTP Access

 

On 11/06/2009 02:50 AM, Alexander Erameh wrote:

> Is there a way to restrict some local users to sending local Mails only? That is they cannot send external Mails.

You could always write your own policy by using the courierfilter interface.  You can start with pythonfilter or Courier::Filter if you're comfortable with python or perl.



Re: Restricting Outbound ESMTP Access

by Ale2008

Gordon Messmer wrote:
> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>> Is there a way to restrict some local users to sending local Mails
>> only? That is they cannot send external Mails.
>
> You could always write your own policy by using the courierfilter
> interface.

Besides implementation concerns, how practical would it be to use
SMTP AUTH for delivering? For example, rather than SPF-whitelist a
number of forwarders, it is possible to give them userid/pass with a
very restrictive policy, for better control. Has anybody tried?

Re: Restricting Outbound ESMTP Access

by Bijan Soleymani

Alessandro Vesely wrote:

> Gordon Messmer wrote:
>> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>> Is there a way to restrict some local users to sending local Mails
>>> only? That is they cannot send external Mails.
>> You could always write your own policy by using the courierfilter
>> interface.
>
> Besides implementation concerns, how practical would it be to use
> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
> number of forwarders, it is possible to give them userid/pass with a
> very restrictive policy, for better control. Has anybody tried?

This is a good point. If courier supports PAM (which I think it does)
then you could use a module to check if the user that is trying to send
mail is in a "sendmail" group and only allow access for those users.

Bijan


Re: Restricting Outbound ESMTP Access

by Bijan Soleymani

Bijan Soleymani wrote:

> Alessandro Vesely wrote:
>> Gordon Messmer wrote:
>>> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>>> Is there a way to restrict some local users to sending local Mails
>>>> only? That is they cannot send external Mails.
>>> You could always write your own policy by using the courierfilter
>>> interface.
>> Besides implementation concerns, how practical would it be to use
>> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
>> number of forwarders, it is possible to give them userid/pass with a
>> very restrictive policy, for better control. Has anybody tried?
>
> This is a good point. If courier supports PAM (which I think it does)
> then you could use a module to check if the user that is trying to send
> mail is in a "sendmail" group and only allow access for those users.

Actually I guess that wouldn't work unless courier had some local
program to send mail. Since you can't really determine the user's uid,
if he is connecting to courier on port 25 or whatever.

I guess you could write a program to send mail (using SMTP auth) and
only allow users from a certain group to access it, but that wouldn't be
that secure.

So I guess you're left with giving a username and password to each user
that needs to send mail.


Re: Restricting Outbound ESMTP Access

by Ale2008

Bijan Soleymani wrote:
> Bijan Soleymani wrote:
>> Alessandro Vesely wrote:
>>> Gordon Messmer wrote:
>>>> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>>>> Is there a way to restrict some local users to sending local Mails
>>>>> only? That is they cannot send external Mails.
>>>> You could always write your own policy by using the courierfilter
>>>> interface.

>>> Besides implementation concerns, how practical would it be to use
>>> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
>>> number of forwarders, it is possible to give them userid/pass with a
>>> very restrictive policy, for better control. Has anybody tried?
>> This is a good point. If courier supports PAM (which I think it does)
>> then you could use a module to check if the user that is trying to send
>> mail is in a "sendmail" group and only allow access for those users.

It's easier with virtual users, as one can add attributes at will
for the purpose of describing local policies.

> Actually I guess that wouldn't work unless courier had some local
> program to send mail. Since you can't really determine the user's uid,
> if he is connecting to courier on port 25 or whatever.

Virtual users share the same uid. Senders who don't authenticate get
standard filtering and no relaying privileges. External senders who
wish to be whitelisted from filtering would have to register in
order to obtain that. (Automating such registrations implies further
implementation concerns, that I still leave aside.) In this
scenario, the policy may be even more restrictive than that for
anonymous port-25 senders, as it should only allow the subset of
local recipients that are interested in that particular whitelisted
forwarding.

> I guess you could write a program to send mail (using SMTP auth) and
> only allow users from a certain group to access it, but that wouldn't be
> that secure.

Users with terminal access can always telnet to external hosts using
whatever program they like.





Re: Restricting Outbound ESMTP Access

by Gordon Messmer

On 11/08/2009 07:24 AM, Alessandro Vesely wrote:
> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>> Is there a way to restrict some local users to sending local Mails
>>> only? That is they cannot send external Mails.
>>>        
> Besides implementation concerns, how practical would it be to use
> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
> number of forwarders, it is possible to give them userid/pass with a
> very restrictive policy, for better control. Has anybody tried?
>    

I don't think you ever defined what you meant by "local".  Courier will
always relay mail for users of the local host, where they can use
"sendmail".

Network users, including those in "local" networks, can easily be
controlled with AUTH.  Just remove the RELAYCLIENT setting from
/etc/courier/smtpaccess/default and "makesmtpaccess".  Thereafter, only
clients who have a username and password which the server can
authenticate will be able to relay.


Policy for SMTP access (was: Restricting Outbound ESMTP Access)

by Ale2008

Gordon Messmer wrote:

> On 11/08/2009 07:24 AM, Alessandro Vesely wrote:
>> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>>> Is there a way to restrict some local users to sending local Mails
>>>> only? That is they cannot send external Mails.
>>>>        
>> Besides implementation concerns, how practical would it be to use
>> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
>> number of forwarders, it is possible to give them userid/pass with a
>> very restrictive policy, for better control. Has anybody tried?
>
> Network users, including those in "local" networks, can easily be
> controlled with AUTH.  Just remove the RELAYCLIENT setting from
> /etc/courier/smtpaccess/default and "makesmtpaccess".  Thereafter, only
> clients who have a username and password which the server can
> authenticate will be able to relay.

That still stalls at RELAYCLIENT being a yes/no value. Tying it to a
policy might result in some additional features; I can recap three:

* restrict some local users, as in Alexander's quote above;

* whitelist forwarders, as in my quote above; and

* protect internal addresses: For example, as an alternative to
Courier's outbox, a user may configure her client to store sent mail
by adding a bcc:user-Sent@.... Then the problem is to
enforce the policy so that only user@... can send mail to
her Sent folder. More use cases may come to mind, e.g. guard
children's mailboxes, limit a vip's direct reachability, et cetera.

Fancy that?

Re: Policy for SMTP access

by Gordon Messmer

On 11/18/2009 12:10 AM, Alessandro Vesely wrote:
> That still stalls at RELAYCLIENT being a yes/no value. Tying it to a
> policy might result in some additional features; I can recap three:
>
> * restrict some local users, as in Alexander's quote above;
>    

Yeah... by not setting RELAYCLIENT.

> * whitelist forwarders, as in my quote above; and
>    

I'm not even really sure what you were suggesting.  You can use
RELAYCLIENT to allow forwarding without authentication, or rely on
authentication to control forwarding.  This seems to be much more
complicated in your mind than you are communicating.  Could you
enlighten us what kind of "restrictive policy" you had in mind?

> * protect internal addresses: For example, as an alternative to
> Courier's outbox, a user may configure her client to store sent mail
> by adding a bcc:user-Sent@.... Then the problem is to
> enforce the policy so that only user@...  can send mail to
> her Sent folder. More use cases may come to mind, e.g. guard
> children's mailboxes, limit a vip's direct reachability, et cetera.
>    

Now you're talking about accepting mail to local addresses, which is
completely unrelated to controlling relaying mail.  A policy mechanism
exists for that already.  It's documented as "localmailfilter".


Re: Policy for SMTP access

by Ale2008

Gordon Messmer wrote:
>> * whitelist forwarders, as in my quote above; and
>
> I'm not even really sure what you were suggesting.  You can use
> RELAYCLIENT to allow forwarding without authentication, or rely on
> authentication to control forwarding.  This seems to be much more
> complicated in your mind than you are communicating.  Could you
> enlighten us what kind of "restrictive policy" you had in mind?

I'm thinking of an external forwarder; mildly trusted, in the sense
that it may blindly forward messages to one (or some) of our local
users, but we would never grant it relaying.

The forwarder is whitelisted after it authenticates, but then it can
only send those forwarded messages that we gave it a userid for. It
could be a single local address, and only that. Or, if it forwards for
more users at ours, perhaps we could get away with a single userid for
targeting any of them, rather than giving the same sender a different
userid for each forwarding recipe it has: The granularity of the
restriction has to match the forwarder's esmtpauthclient granularity.

>> * protect internal addresses: For example, as an alternative to
>> Courier's outbox, a user may configure her client to store sent mail
>> by adding a bcc:user-Sent@.... Then the problem is to
>> enforce the policy so that only user@...  can send mail to
>> her Sent folder. More use cases may come to mind, e.g. guard
>> children's mailboxes, limit a vip's direct reachability, et cetera.
>
> Now you're talking about accepting mail to local addresses, which is
> completely unrelated to controlling relaying mail.  A policy mechanism
> exists for that already.  It's documented as "localmailfilter".

Yup, that's correct. However, a policy that says how to do depending
on the authenticated (or anonymous) sender and the target recipient,
overlaps with localmailfilters quite "naturally". Maybe. It may be
more or less convenient to configure.

Just thinking freely. To control forwarders that way requires some
other extra-SMTP implements (applying for and granting those userids,
e.g.) That might then result in a policy affecting both incoming and
outgoing messages. The question is, would such a policy be useful in
general --that is, beyond controlling forwarders?
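
The recipient policy discussed across this thread (local users limited to local mail, forwarder accounts tied to specific recipients, internal addresses only their owner may write to), as an added example that is not code from any poster or from Courier. The account names, addresses and the `check` function are hypothetical, and returning an empty string for "accept" is an assumption; the glue that obtains the authenticated user and envelope recipients from a courierfilter (for instance via pythonfilter) is not shown.

```python
"""Recipient policy keyed on the authenticated SMTP user (added example)."""
from dataclasses import dataclass

# Constructed sample data; every name and address below is hypothetical.
LOCAL_DOMAINS = {"example.org"}


@dataclass(frozen=True)
class Rule:
    local_only: bool = False                # refuse recipients outside LOCAL_DOMAINS
    allowed_rcpts: frozenset = frozenset()  # if non-empty, the only recipients allowed


ANONYMOUS = Rule(local_only=True)           # no AUTH: local delivery only, no relaying
ACCOUNTS = {
    "intern": Rule(local_only=True),        # local user limited to local mail
    "fwd-lists": Rule(allowed_rcpts=frozenset({"bob@example.org"})),  # forwarder
}
# Internal addresses that only the named authenticated users may send to.
PROTECTED = {"alice-sent@example.org": {"alice"}}


def normalize(addr):
    """Return (address, domain), lower-cased, without <> or a trailing dot."""
    addr = addr.strip().strip("<>").lower().rstrip(".")
    _, sep, domain = addr.rpartition("@")
    return addr, (domain if sep else "")    # no "@": treated as a local address


def check(auth_user, recipients):
    """Return "" to accept, or an SMTP 550 reply for the first refused recipient."""
    if auth_user is None:
        rule = ANONYMOUS
    else:
        # Authenticated accounts without an entry may relay, as in the thread.
        rule = ACCOUNTS.get(auth_user, Rule())
    for rcpt in recipients:
        addr, domain = normalize(rcpt)
        is_local = domain == "" or domain in LOCAL_DOMAINS
        owners = PROTECTED.get(addr)
        if owners is not None and auth_user not in owners:
            return f"550 5.7.1 <{addr}>: restricted recipient"
        if rule.allowed_rcpts and addr not in rule.allowed_rcpts:
            return f"550 5.7.1 <{addr}>: not permitted for this account"
        if rule.local_only and not is_local:
            return f"550 5.7.1 <{addr}>: external recipients not permitted"
    return ""


if __name__ == "__main__":
    for user, rcpts in [("intern", ["bob@example.org", "x@example.net"]),
                        ("fwd-lists", ["carol@example.org"]),
                        (None, ["alice-sent@example.org"]),
                        ("alice", ["alice-sent@example.org"])]:
        print(user, rcpts, "->", check(user, rcpts) or "accept")
```

The whole message is refused as soon as one recipient fails, so a restricted sender cannot slip an external address in among local ones.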