Implement Access Control List With MailScanner???

Ken A ka at PACIFIC.NET
Fri Jul 2 16:10:23 IST 2004


Walt Wyndroski wrote:

> Here is some more information on my setup:
>
> 1) Over 3000 users.
> 2) I allow relaying only for the 8 Class C networks which we use/serve.
> 3) I DO NOT allow relaying for my domain name.
> 4) Roaming users can use our web interface if they wish to send mail as
> being from our domain.
> 5) I am blocking outbound and inbound port 25 for all of my network except
> for my mail server obviously, my T-1 customers, and static IP customers. So
> doing SMTP auth will not be a wise choice for me as some of our users who
> connect to remote mail servers must relay through ours. This prevents virus
> infected email from being spewed out from our networks or at least minimizes
> it.
> 6) Unfortunately, the security of my mail server and network must come
> before the needs of any roaming users which I may or may not have. Security
> is inversely proportional to convenience.

And convenience is directly proportional to customer satisfaction.. But
I notice you call them 'users' not 'customers', so perhaps that's not an
issue. :-)
Ken


> Walt Wyndroski
>
> ----- Original Message -----
> From: "Alex Neuman" <alex at nkpanama.com>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Thursday, July 01, 2004 10:10 PM
> Subject: Re: Implement Access Control List With MailScanner???
>
>
>
>>This would break compatibility for roaming users.
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Walt Wyndroski
>>Sent: Thursday, July 01, 2004 4:42 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Implement Access Control List With MailScanner???
>>
>>Actually, this thought just occurred to me: The rulesets in MailScanner are
>>structured as From:, FromOrTo:, To:, FromAndTo:. If I could use FromAndFrom:
>>then I could build a rule as follows:
>>
>>From: mydomain.com    From: <IP or Subnet>    Accept
>>From: mydomain.com    From: 0.0.0.0/0              Deny
>>
>>OR:
>>
>>Can I use rulesets within rulesets? For instance, in the blacklist.rules
>>could I put:
>>
>>From: mydomain.com    /etc/MailScanner/rules/mydomain.com.txt
>>
>>And inside "/etc/MailScanner/rules/mydomain.com.txt" I would put:
>>
>>From: <my subnet(s)>    NO
>>From: default                  YES  or  From: /!(<my subnet(s)>)/    YES
>>
>>What do you all think?
>>
>>Walt Wyndroski
>>
>>
>>
>>----- Original Message -----
>>From: "Walt Wyndroski" <wdwrn at friendlycity.net>
>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>Sent: Thursday, July 01, 2004 5:05 PM
>>Subject: Implement Access Control List With MailScanner???
>>
>>
>>
>>>Hello all,
>>>    I've been doing some serious googling over the last 2-3 days about how to
>>>implement a type of ACL (access control list) for Sendmail which would help
>>>in preventing the spoofing of my domain to my users. The only thing I can
>>>find are rulesets which are inserted directly into the sendmail.cf, which is
>>>something that I really want to avoid. I was hoping MailScanner would allow
>>>me to do this. Here is my setup:
>>>
>>>Kernel Version    2.4.22-1.2194.nptlsmp
>>>SendMail RPM Version    sendmail-8.12.10-1.1.1
>>>Procmail RPM Version    procmail-3.22-11
>>>MailScanner RPM Version    mailscanner-4.30.2-1
>>>
>>>If an email arrives at my mail server with the from header as user at mydomain,
>>>I need to further look at the message to see if the message originated from
>>>one of the subnets for which I relay. If it did, I'll accept it. If it
>>>didn't, I'll discard it. If anyone knows of a Sendmail m4 rule for this,
>>>please point me in the right direction and accept my apologies for being on
>>>the wrong list. :) Otherwise, if MailScanner can already do this or if
>>>someone has already written a custom function for this, please point me in
>>>the right direction.
>>>
>>>Walt Wyndroski
>>>
>>>-------------------------- MailScanner list ----------------------
>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>>>Before posting, please see the Most Asked Questions at
>>>http://www.mailscanner.biz/maq/     and the archives at
>>>http://www.jiscmail.ac.uk/lists/mailscanner.html
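The accept/discard rule described in the thread (mail claiming the local domain is kept only when the connecting client is inside a relayed subnet), as an added example that is not part of the original messages and is not MailScanner or Sendmail configuration. The domain, the subnets, the subdomain matching and all function names are assumptions chosen for illustration.

```python
import ipaddress
from email.utils import parseaddr

# Assumptions, not values from the thread: placeholder domain and
# documentation-range subnets standing in for the relayed networks.
LOCAL_DOMAIN = "mydomain.com"
RELAY_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "198.51.100.0/24")]

def sender_domain(sender):
    """Lower-cased domain part of a sender address, or '' if there is none."""
    _, addr = parseaddr(sender)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def client_is_local(client_ip):
    """True when the connecting IP lies inside one of the relay networks."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable client address is never trusted
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack listeners.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net
               for net in RELAY_NETWORKS)

def decide(sender, client_ip):
    """Return 'accept' or 'discard' for one message."""
    dom = sender_domain(sender)
    # Treating subdomains as local is an assumption of this example.
    claims_local = dom == LOCAL_DOMAIN or dom.endswith("." + LOCAL_DOMAIN)
    if claims_local and not client_is_local(client_ip):
        return "discard"  # local domain claimed from an outside network
    return "accept"

# Constructed sample inputs: (sender, connecting client IP).
SAMPLES = [
    ("user@mydomain.com", "192.0.2.10"),
    ("user@mydomain.com", "203.0.113.5"),
    ("User <user@MyDomain.COM>", "::ffff:198.51.100.7"),
    ("someone@example.org", "203.0.113.5"),
]

if __name__ == "__main__":
    for sender, ip in SAMPLES:
        print(f"{decide(sender, ip):8} {sender} via {ip}")
```

A roaming user sending as the local domain from an outside address gets `discard` here, which is the compatibility concern raised in the thread.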