Implement Access Control List With MailScanner???

Walt Wyndroski wdwrn at FRIENDLYCITY.NET
Tue Jul 6 15:10:35 IST 2004


Simple semantics :) User is a shorter word. :) Actually they are customers.

I am going to look into SPF for my domain as suggested from a post a couple
of days ago. However, I would still like to see some type of ACL method in
MailScanner. I think it would be handy to have some type of ruleset as follows:

From:/To:/FromOrTo: <domain>    From: <cidr block or ip>    <deliver/delete/store/etc.>

That could give some really fine control over some situations.

Walt Wyndroski

----- Original Message -----
From: "Ken A" <ka at PACIFIC.NET>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Friday, July 02, 2004 11:10 AM
Subject: Re: Implement Access Control List With MailScanner???


> Walt Wyndroski wrote:
>
> > Here is some more information on my setup:
> >
> > 1) Over 3000 users.
> > 2) I allow relaying only for the 8 Class C networks which we use/serve.
> > 3) I DO NOT allow relaying for my domain name.
> > 4) Roaming users can use our web interface if they wish to send mail as
> > being from our domain.
> > 5) I am blocking outbound and inbound port 25 for all of my network except
> > for my mail server obviously, my T-1 customers, and static ip customers. So
> > doing SMTP auth will not be a wise choice for me as some of our users who
> > connect to remote mail servers must relay through ours. This prevents virus
> > infected email from being spewed out from our networks or at least minimizes
> > it.
> > 6) Unfortunately, the security of my mail server and network must come
> > before the needs of any roaming users which I may or may not have. Security
> > is inversely proportional to convenience.
>
> And convenience is directly proportional to customer satisfaction.. But
> I notice you call them 'users' not 'customers', so perhaps that's not an
> issue. :-)
> Ken
>
>
> > Walt Wyndroski
> >
> > ----- Original Message -----
> > From: "Alex Neuman" <alex at nkpanama.com>
> > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > Sent: Thursday, July 01, 2004 10:10 PM
> > Subject: Re: Implement Access Control List With MailScanner???
> >
> >
> >
> >>This would break compatibility for roaming users.
> >>
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Walt Wyndroski
> >>Sent: Thursday, July 01, 2004 4:42 PM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: Implement Access Control List With MailScanner???
> >>
> >>Actually, this thought just occurred to me: The rulesets in MailScanner are
> >>structured as From:, FromOrTo:, To:, FromAndTo:. If I could use FromAndFrom:
> >>then I could build a rule as follows:
> >>
> >>From: mydomain.com    From: <IP or Subnet>    Accept
> >>From: mydomain.com    From: 0.0.0.0/0              Deny
> >>
> >>OR:
> >>
> >>Can I use rulesets within rulesets? For instance, in the blacklist.rules
> >>could I put:
> >>
> >>From: mydomain.com    /etc/MailScanner/rules/mydomain.com.txt
> >>
> >>And inside "/etc/MailScanner/rules/mydomain.com.txt" I would put:
> >>
> >>From: <my subnet(s)>    NO
> >>From: default                  YES  or  From: /!(<my subnet(s)>)/    YES
> >>
> >>What do you all think?
> >>
> >>Walt Wyndroski
> >>
> >>
> >>
> >>----- Original Message -----
> >>From: "Walt Wyndroski" <wdwrn at friendlycity.net>
> >>To: <MAILSCANNER at JISCMAIL.AC.UK>
> >>Sent: Thursday, July 01, 2004 5:05 PM
> >>Subject: Implement Access Control List With MailScanner???
> >>
> >>
> >>
> >>>Hello all,
> >>>    I've been doing some serious googling over the last 2-3 days about how to
> >>>implement a type of ACL (access control list) for Sendmail which would help
> >>>in preventing the spoofing of my domain to my users. The only thing I can
> >>>find are rulesets which are inserted directly into the sendmail.cf, which is
> >>>something that I really want to avoid. I was hoping MailScanner would allow
> >>>me to do this. Here is my setup:
> >>>
> >>>Kernel Version    2.4.22-1.2194.nptlsmp
> >>>SendMail RPM Version    sendmail-8.12.10-1.1.1
> >>>Procmail RPM Version    procmail-3.22-11
> >>>MailScanner RPM Version    mailscanner-4.30.2-1
> >>>
> >>>If an email arrives at my mail server with the from header as user at mydomain,
> >>>I need to further look at the message to see if the message originated from
> >>>one of the subnets for which I relay. If it did, I'll accept it. If it
> >>>didn't, I'll discard it. If anyone knows of a Sendmail m4 rule for this,
> >>>please point me in the right direction and accept my apologies for being on
> >>>the wrong list. :) Otherwise, if MailScanner can already do this or if
> >>>someone has already written a custom function for this, please point me in
> >>>the right direction.
> >>>
> >>>Walt Wyndroski
> >>>
> >>>-------------------------- MailScanner list ----------------------
> >>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> >>>Before posting, please see the Most Asked Questions at
> >>>http://www.mailscanner.biz/maq/     and the archives at
> >>>http://www.jiscmail.ac.uk/lists/mailscanner.html
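
The first-match evaluation that the `From: <domain>    From: <IP or subnet>    <action>` rules proposed in this thread would need, sketched in Python as an added example; it is not part of the original thread and is not MailScanner code or syntax. The domain `mydomain.example`, the documentation-range networks and all function names are assumptions, and the caller is assumed to pass the sender address and the connecting client's IP as recorded by the local MTA.

```python
import ipaddress

# Constructed ruleset in the shape proposed in the thread:
#   From: <sender domain>    From: <IP or CIDR>    <Accept|Deny>
# The domain and networks are placeholders, not values from the thread.
RULES_TEXT = """
From: mydomain.example    From: 192.0.2.0/24       Accept
From: mydomain.example    From: 198.51.100.0/24    Accept
From: mydomain.example    From: 0.0.0.0/0          Deny
From: default             From: 0.0.0.0/0          Accept
"""

def parse_rules(text):
    """Parse rule lines into (domain, network, action) tuples, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) != 5 or fields[0] != "From:" or fields[2] != "From:":
            raise ValueError(f"line {lineno}: malformed rule: {raw!r}")
        action = fields[4].lower()
        if action not in ("accept", "deny"):
            raise ValueError(f"line {lineno}: unknown action {fields[4]!r}")
        network = ipaddress.ip_network(fields[3], strict=False)
        rules.append((fields[1].lower(), network, action))
    return rules

def sender_domain(address):
    """Domain part of a sender address; '' for the null sender '<>'."""
    return address.strip().strip("<>").rpartition("@")[2].lower()

def decide(rules, sender, client_ip):
    """Return the action of the first rule matching both domain and source IP."""
    domain = sender_domain(sender)
    ip = ipaddress.ip_address(client_ip)
    for rule_domain, network, action in rules:
        if rule_domain not in ("default", domain):
            continue
        if ip.version == network.version and ip in network:
            return action
    return "deny"  # no rule matched (e.g. IPv6 client, IPv4-only rules): fail closed

RULES = parse_rules(RULES_TEXT)
```

Rule order matters: the catch-all `0.0.0.0/0` Deny for the local domain has to come after the relay subnets, and the `default` line has to come last.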