resrict account and alias to receive from specific senders only.

From: Manvendra Bhangui <mbhangui@...>
Subject: Re: resrict account and alias to receive from specific senders only.
To: "MOHAMED AHMED" <f_a_f12001@...>
Cc: qmail@...
Date: Thursday, October 15, 2009, 12:53 PM

On Thu, Oct 15, 2009 at 3:33 PM, MOHAMED AHMED <f_a_f12001@...> wrote:

Dear All, I want to restrict email account and also another alias to receive emails from specific  users only. Say I want email user@... to receive emails only from user2@... and to reject any other emails from any other body. Also I have alias .qmail-sales And I want user user1@somadonain only can send emails to this alias. How to do this using Qmail, Kindly advice?

IndiMail - http://www.indimail.org adds a feature to qmail-smtpd called accesslist. It is meant to do exactly what you require. You can either use IndiMail from

https://sourceforge.net/projects/indimail/files/Patches/qmail-1.03.patch.gz/download

or just pick up the accesslist code (in case you know how to patch and a bit of C programming) from

https://sourceforge.net/projects/indimail/files/Patches/qmail-1.03.patch.gz/download

accesslist

qmail-smtpd will apply access list to allow email transaction between sender and recipient. A line in accesslist is of the form

 type:sender:recipient

where type is either the word 'from' or 'rcpt' and sender and recipient can be the actual sender or recipients or wildcards. The environment variable QREGEX can be set to match sender, recipient using regular expressions.

 rcpt:ajit_a@...:indi_maa@...
 rcpt:george_z@...:indi_maa@...
 from:recruiter@...:hr@...

 - only ajit_a@... and george_z@...
   are permitted to send mails to indi_maa@...
 - recruiter@... is permitted to send mails to
   hr@... only

These restrictions do not apply when the from is "" or the recipient is postmaster or abuse.

--
Regards Manvendra - http://www.indimail.org
Sent from Chennai, TN, India

From: Kyle Wheeler <kyle-qmail@...>
Subject: Re: resrict account and alias to receive from specific senders only.
To: qmail@...
Date: Sunday, October 18, 2009, 4:17 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thursday, October 15 at 03:03 AM, quoth MOHAMED AHMED:
> I want to restrict email account and also another alias to receive
> emails from specific users only.

That's pretty easy, but the details depend on your specific setup.

Before we get into this, you have to be made aware of something. This
is going to sound stupid, but its something that is often forgotten by
beginning email administrators:

    PEOPLE SOMETIMES LIE.

Spammers (or whoever) can forge the sending address on email as easily
as they can forge a realistic-looking subject line. Any security or
restriction based on email sender is an illusion (unless you require
the sender to authenticate themselves somehow). I'm going to tell you
how to do what you ask, but I'm warning you: what you're attempting to
do is probably (at best) a way of stopping only the least-determined
of violators.

In essence, each email account or alias can (or must, in the case of
aliases) have a .qmail file that specifies delivery information. To
restrict things, simply add a restriction at the beginning. For
example:

    |test "$SENDER" != "allowed@..." && exit 100 || exit 0

That's a shell command that you're using to compare (using /bin/test)
the value of the $SENDER environment variable with the allowed value.
If the test is true (i.e. if the SENDER is not the allowed address),
this simple shell command exits with a code of 100, which tells qmail
that the delivery cannot be made. The message will be rejected. If the
test is false (i.e. if the SENDER *is* the allowed address), the
command exits with a code of 0, which tells qmail to continue
delivering the message according to any subsequent lines in the .qmail
file.

So, for example, if you have a user whose home directory is
/home/user/, then you can limit who can send to them by creating a
/home/user/.qmail file which reads:

    |test "$SENDER" != "allowed@..." && exit 100 || exit 0
    /home/user/Maildir/

Note that if the user has access to their home directory, they can
edit this file, so it's not a bulletproof restriction (to do that,
you'd have to do something slightly more complicated).

Make sense?

If you have an alias, such as is defined by
/var/qmail/alias/.qmail-user1, you can do something similar, by
modifying the alias file to insert the test command at the beginning,
like so:

    |test "$SENDER" != "allowed@..." && exit 100 || exit 0
    &user2@...

>Also I have alias .qmail-sales And I want user user1@somadonain only
>can send emails to this alias.

This one is a bit trickier. The *easiest* way to do it (IMHO) is to
use qmail-qfilter, and create a filter to restrict things. But again,
it depends on your setup, and once again, because people can so easily
lie about their return address, it is trivial to circumvent such
restrictions.

~Kyle
- --
Man has the right to act in conscience and in freedom so as personally
to make moral decisions. "He must not be forced to act contrary to his
conscience. Nor must he be prevented from acting according to his
conscience, especially in religious matters."
                                            -- Catholic Catechism 1782
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!

iQIVAwUBStp6xyuveozR/AWeAQhELA/9HI+2oN6Jyzf689VP15WfZMlv6zg6MZAL
B0O5xE6FR/BXNTnzI6moKIS/VZfP3zMK5osp0Jjju0f1jo+X4bVTa1g7WA/YMy0R
ZiQ8n5mUXazTO5HSrD1JmQwyi/tq/ef2gjaNuBvUlCqJTE+0Xk8XeuwMTA6ySxO9
xy1ow4ka3smvxrx+gQcfhwXTV61wF9aXRTSykiDnM66zbi0fXFBPLkSC4pb4Oyrc
vxHu8+eA1CktZHcmhDqG30CHOFtKJH8717oH3kZaU8ntJMWqW7zz3gJ2I4AiWA6Y
6z0eq6Coa87WB0jL9Af+JCZUJCoNaVnxfja02o4xpO1brW7JgfsMqChvQSpI/lkR
ZgKKPQocvBzUlOp4cNOJboYnVDTa948HS8FVYf1AiXrCHk548il8Muqb7q+hIJam
FqGsIpSIneQfrXsNRSV76YmUE6QeZTIYcKYVQ8rmVAlaq/qpQDywXHL9r6e0TiNg
v14qNPPj8vQpa+zkgpnO6yYiDfbV2a++fKXCp6KjQxz93fBivhhMrs7lJVoBVfEs
H/+ET04sPfXIYrjxuLg01wp9I9F5sPNCn48nNRlQ/sb2VK0zHRFvWqCS73Uyo1AX
VTbOz6oQk0KwEpOwRxwaoI/8YIo0lLLTMgBfHnZweIJW0NAhPl4v8d6OhJL1Y+tt
apPu05khjzs=
=FcKi
-----END PGP SIGNATURE-----

From: Markus Stumpf <lists-qmail@...>
Subject: Re: resrict account and alias to receive from specific senders only.
To: "MOHAMED AHMED" <f_a_f12001@...>
Cc: qmail@..., "Kyle Wheeler" <kyle-qmail@...>
Date: Tuesday, October 20, 2009, 9:04 PM

On Tue, Oct 20, 2009 at 06:49:43AM -0700, MOHAMED AHMED wrote:
> But who can tell the spammers about the only 1 or 2 emails that can send
> to this alias,

This happens easily and fast by malware (viruses, worms) collecting
addresses from user address books.
Just think of the famous ILOVEYOU worm back in 2000.
(see e.g. <http://news.zdnet.com/2100-9595_22-107344.html>)


"Security through obscurity" works much less than people think. :-)

> For example this also will benifit me on another situation, As I configured
> before an email so I can redirct spam emails to and the system learn from
> it through the a crontab entry,

Reminds me when I had the idea to use positive virus identification to
feed a (temporary) IP address based block list. Within minutes I had
some *really* large mailservers on the list that didn't do egress
virus filtering of their customers. FAIL. (we both, they for not filtering, me
for not thinking of that).
If a legit user sends an email to your filtered account and does that from
the wrong email address it will be fed to the spam filter as a (false)
positive.

Your setup may work and probably will do fine, but what (me and) Kyle IMHO
wanted to outline is that you should be prepared for it to fail sometimes.

    \Maex

--
Markus Stumpf