Implement Access Control List With MailScanner???

Walt Wyndroski wdwrn at FRIENDLYCITY.NET
Fri Jul 2 13:28:12 IST 2004


Here is some more information on my setup:

1) Over 3000 users.
2) I allow relaying only for the 8 Class C networks which we use/serve.
3) I DO NOT allow relaying for my domain name.
4) Roaming users can use our web interface if they wish to send mail as
being from our domain.
5) I am blocking outbound and inbound port 25 for all of my network except
for my mail server obviously, my T-1 customers, and static IP customers. So
doing SMTP auth will not be a wise choice for me as some of our users who
connect to remote mail servers must relay through ours. This prevents
virus-infected email from being spewed out from our networks or at least
minimizes it.
6) Unfortunately, the security of my mail server and network must come
before the needs of any roaming users which I may or may not have. Security
is inversely proportional to convenience.

Walt Wyndroski

----- Original Message -----
From: "Alex Neuman" <alex at nkpanama.com>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Thursday, July 01, 2004 10:10 PM
Subject: Re: Implement Access Control List With MailScanner???


> This would break compatibility for roaming users.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> Of Walt Wyndroski
> Sent: Thursday, July 01, 2004 4:42 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Implement Access Control List With MailScanner???
>
> Actually, this thought just occurred to me: The rulesets in MailScanner are
> structured as From:, FromOrTo:, To:, FromAndTo:. If I could use FromAndFrom:
> then I could build a rule as follows:
>
> From: mydomain.com    From: <IP or Subnet>    Accept
> From: mydomain.com    From: 0.0.0.0/0              Deny
>
> OR:
>
> Can I use rulesets within rulesets? For instance, in the blacklist.rules
> could I put:
>
> From: mydomain.com    /etc/MailScanner/rules/mydomain.com.txt
>
> And inside "/etc/MailScanner/rules/mydomain.com.txt" I would put:
>
> From: <my subnet(s)>    NO
> From: default                  YES  or  From: /!(<my subnet(s)>)/    YES
>
> What do you all think?
>
> Walt Wyndroski
>
>
>
> ----- Original Message -----
> From: "Walt Wyndroski" <wdwrn at friendlycity.net>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Thursday, July 01, 2004 5:05 PM
> Subject: Implement Access Control List With MailScanner???
>
>
> > Hello all,
> >     I've been doing some serious googling over the past 2-3 days about how to
> > implement a type of ACL (access control list) for Sendmail which would help
> > in preventing the spoofing of my domain to my users. The only thing I can
> > find are rulesets which are inserted directly into the sendmail.cf, which is
> > something that I really want to avoid. I was hoping MailScanner would allow
> > me to do this. Here is my setup:
> >
> > Kernel Version    2.4.22-1.2194.nptlsmp
> > SendMail RPM Version    sendmail-8.12.10-1.1.1
> > Procmail RPM Version    procmail-3.22-11
> > MailScanner RPM Version    mailscanner-4.30.2-1
> >
> > If an email arrives at my mail server with the from header as user at mydomain,
> > I need to further look at the message to see if the message originated from
> > one of the subnets for which I relay. If it did, I'll accept it. If it
> > didn't, I'll discard it. If anyone knows of a Sendmail m4 rule for this,
> > please point me in the right direction and accept my apologies for being on
> > the wrong list. :) Otherwise, if MailScanner can already do this or if
> > someone has already written a custom function for this, please point me in
> > the right direction.
> >
> > Walt Wyndroski
> >
> > -------------------------- MailScanner list ----------------------
> > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > Before posting, please see the Most Asked Questions at
> > http://www.mailscanner.biz/maq/     and the archives at
> > http://www.jiscmail.ac.uk/lists/mailscanner.html




More information about the MailScanner mailing list
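
The accept/discard decision described in the thread, written out as an added example (not code from any poster, and not a MailScanner or Sendmail ruleset). LOCAL_DOMAIN, RELAY_NETS and the function names are assumptions; the subnets are documentation ranges standing in for the relay networks, and the sender address and connecting IP are assumed to be supplied by the MTA.

```python
import ipaddress
from email.utils import parseaddr

# Constructed values: "mydomain.com" is the thread's placeholder domain and
# the subnets are RFC 5737 documentation ranges, not real relay networks.
LOCAL_DOMAIN = "mydomain.com"
RELAY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def sender_domain(from_value):
    """Return the lower-cased domain of a From value, or None if unusable."""
    _, addr = parseaddr(from_value)
    if addr.count("@") != 1:
        return None  # null sender or malformed address
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def client_in_relay_nets(client_ip):
    """True only if the connecting IP parses and falls inside a relay subnet."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address is never treated as internal
    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in RELAY_NETS)


def decide(from_value, client_ip):
    """Apply the rule from the thread.

    Mail claiming to be from LOCAL_DOMAIN is accepted only when it comes
    from a relay subnet and is discarded otherwise. Mail from any other
    domain is not this rule's business, so it returns "pass". The domain
    match is exact; subdomains are not treated as local.
    """
    if sender_domain(from_value) != LOCAL_DOMAIN:
        return "pass"
    return "accept" if client_in_relay_nets(client_ip) else "discard"


if __name__ == "__main__":
    for sender, ip in [("user@mydomain.com", "192.0.2.17"),
                       ("user@mydomain.com", "203.0.113.9"),
                       ("someone@example.org", "203.0.113.9")]:
        print(sender, ip, decide(sender, ip))
```

As item 4 of the message above implies, this policy only works if roaming users never submit mail with the local domain from outside the relay subnets.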