Implement Access Control List With MailScanner???

Trever Furnish TGFurnish at HERFFJONES.COM
Fri Jul 2 15:35:28 IST 2004


Um, what you're looking for is called SPF.

http://spf.pobox.com

Since you're using Sendmail, that means your process would be like this:
1. Publish an SPF record for your domain(s).
2. Install the Sendmail SPF milter from spf.pobox.com.

There's a wizard on the spf site above that will walk you through creating
an initial "SPF record" for your domains - it's just a text record with a
specific format.  The contents of the record list the allowed sender
addresses for mail claiming to be from your domain.  Anything you don't list
will not be allowed to deliver mail claiming to be from your domain to any
servers that honor the SPF record you publish.

If you have users who currently send mail claiming to be from your domain
using other SMTP servers, you have additional issues to work out, and you
have some options:
- Designate the ISPs your people use as valid senders for your domain.
        - That may open you up too much though.

- Use authenticated SMTP to allow your users to relay through your own
server from outside your network.
        - Many "home user" ISPs now block connections to port 25 though.
(I.e. Comcast has started doing that.)

- Use a VPN for your users - if they want to send mail from your domain,
this allows them to come from your trusted network.

I want to stress that not everyone has to support remote users - if you
don't, then you ought to have no major problem with SPF.

--
Trever

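As an added illustration (not part of Trever's message, the SPF site or the Sendmail milter), here is a minimal evaluator for the ip4/ip6/all mechanisms of an SPF record, which is the check a receiving server performs to decide whether the connecting IP may send mail for the domain. The record, the networks and the sender IPs are constructed examples; mechanisms that need DNS (a, mx, include, ptr, exists) are deliberately out of scope.

```python
import ipaddress

# Constructed example: the kind of TXT record the SPF wizard produces for a
# domain whose only legitimate senders are two /24 networks. "-all" tells
# receivers that anything not listed is to be rejected ("fail").
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_record(networks, default="-all"):
    """Build a v=spf1 record listing the given CIDR networks as valid senders."""
    mechanisms = []
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)  # ValueError on bad input
        mechanisms.append(f"ip{net.version}:{net.with_prefixlen}")
    return " ".join(["v=spf1", *mechanisms, default])


def evaluate_spf(record, sender_ip):
    """Evaluate a record containing only ip4/ip6/all mechanisms against the
    connecting SMTP client's IP. Returns pass, fail, softfail, neutral,
    none (not an SPF record) or permerror (malformed ip4/ip6 argument).
    Mechanisms that need DNS (a, mx, include, ptr, exists) raise
    NotImplementedError because this offline example performs no lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+"
        if term[0] in QUALIFIER_RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIER_RESULTS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULTS[qualifier]
            continue  # no match: try the next mechanism
        raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
    return "neutral"  # nothing matched and there is no "all" term
```

A receiver that honours the record would reject the message on "fail" and typically tag or score it on "softfail", which is the behaviour that stops mail spoofing the domain from outside the listed networks.
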
> -----Original Message-----
> From: Walt Wyndroski [mailto:wdwrn at FRIENDLYCITY.NET]
> Sent: Friday, July 02, 2004 7:28 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Implement Access Control List With MailScanner???
>
>
> Here is some more information on my setup:
>
> 1) Over 3000 users.
> 2) I allow relaying only for the 8 Class C networks which we use/serve.
> 3) I DO NOT allow relaying for my domain name.
> 4) Roaming users can use our web interface if they wish to send mail as
> being from our domain.
> 5) I am blocking outbound and inbound port 25 for all of my network except
> for my mail server obviously, my T-1 customers, and static IP customers. So
> doing SMTP auth will not be a wise choice for me as some of our users who
> connect to remote mail servers must relay through ours. This prevents virus
> infected email from being spewed out from our networks or at least
> minimizes it.
> 6) Unfortunately, the security of my mail server and network must come
> before the needs of any roaming users which I may or may not have. Security
> is inversely proportional to convenience.
>
> Walt Wyndroski
>
> ----- Original Message -----
> From: "Alex Neuman" <alex at nkpanama.com>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Thursday, July 01, 2004 10:10 PM
> Subject: Re: Implement Access Control List With MailScanner???
>
>
> > This would break compatibility for roaming users.
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > Behalf Of Walt Wyndroski
> > Sent: Thursday, July 01, 2004 4:42 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Implement Access Control List With MailScanner???
> >
> > Actually, this thought just occurred to me: The rulesets in MailScanner
> > are structured as From:, FromOrTo:, To:, FromAndTo:. If I could use
> > FromAndFrom: then I could build a rule as follows:
> >
> > From: mydomain.com    From: <IP or Subnet>    Accept
> > From: mydomain.com    From: 0.0.0.0/0         Deny
> >
> > OR:
> >
> > Can I use rulesets within rulesets? For instance, in the
> > blacklist.rules could I put:
> >
> > From: mydomain.com    /etc/MailScanner/rules/mydomain.com.txt
> >
> > And inside "/etc/MailScanner/rules/mydomain.com.txt" I would put:
> >
> > From: <my subnet(s)>    NO
> > From: default           YES  or  From: /!(<my subnet(s)>)/    YES
> >
> > What do you all think?
> >
> > Walt Wyndroski
> >
> >
> >
> > ----- Original Message -----
> > From: "Walt Wyndroski" <wdwrn at friendlycity.net>
> > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > Sent: Thursday, July 01, 2004 5:05 PM
> > Subject: Implement Access Control List With MailScanner???
> >
> >
> > > Hello all,
> > >     I've been doing some serious googling over the 2-3 days about
> > > how to implement a type of ACL (access control list) for Sendmail
> > > which would help in preventing the spoofing of my domain to my
> > > users. The only thing I can find are rulesets which are inserted
> > > directly into the sendmail.cf, which is something that I really
> > > want to avoid. I was hoping MailScanner would allow me to do this.
> > > Here is my setup:
> > >
> > > Kernel Version           2.4.22-1.2194.nptlsmp
> > > SendMail RPM Version     sendmail-8.12.10-1.1.1
> > > Procmail RPM Version     procmail-3.22-11
> > > MailScanner RPM Version  mailscanner-4.30.2-1
> > >
> > > If an email arrives at my mail server with the from header as
> > > user at mydomain, I need to further look at the message to see if
> > > the message originated from one of the subnets for which I relay.
> > > If it did, I'll accept it. If it didn't, I'll discard it. If anyone
> > > knows of a Sendmail m4 rule for this, please point me in the right
> > > direction and accept my apologies for being on the wrong list. :)
> > > Otherwise, if MailScanner can already do this or if someone has
> > > already written a custom function for this, please point me in the
> > > right direction.
> > >
> > > Walt Wyndroski
> > >
> > > -------------------------- MailScanner list ----------------------
> > > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > > Before posting, please see the Most Asked Questions at
> > > http://www.mailscanner.biz/maq/     and the archives at
> > > http://www.jiscmail.ac.uk/lists/mailscanner.html
