Implement Access Control List With MailScanner???
Derek Winkler
dwinkler at ALGORITHMICS.COM
Tue Jul 6 16:46:11 IST 2004
You need to read README and EXAMPLES in the rules directory; you can do this
already.
A rule can contain an 'and' and two conditions.
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Walt Wyndroski
> Sent: Tuesday, July 06, 2004 10:11 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Implement Access Control List With MailScanner???
>
>
> Simple semantics :) User is a shorter word. :) Actually they are customers.
>
> I am going to look into SPF for my domain as suggested from a post a couple
> of days ago. However, I would still like to see some type of ACL method in
> MailScanner. I think it would be handy to have some type of ruleset as
> follows:
>
> From:/To:/FromOrTo: <domain> From: <cidr block or ip> <deliver/delete/store/etc.>
>
> That could give some really fine control over some situations.
>
> Walt Wyndroski
>
> ----- Original Message -----
> From: "Ken A" <ka at PACIFIC.NET>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Friday, July 02, 2004 11:10 AM
> Subject: Re: Implement Access Control List With MailScanner???
>
>
> > Walt Wyndroski wrote:
> >
> > > Here is some more information on my setup:
> > >
> > > 1) Over 3000 users.
> > > 2) I allow relaying only for the 8 Class C networks which we use/serve.
> > > 3) I DO NOT allow relaying for my domain name.
> > > 4) Roaming users can use our web interface if they wish to send mail as
> > > being from our domain.
> > > 5) I am blocking outbound and inbound port 25 for all of my network except
> > > for my mail server obviously, my T-1 customers, and static ip customers. So
> > > doing SMTP auth will not be a wise choice for me as some of our users who
> > > connect to remote mail servers must relay through ours. This prevents virus
> > > infected email from being spewed out from our networks or at least minimizes
> > > it.
> > > 6) Unfortunately, the security of my mail server and network must come
> > > before the needs of any roaming users which I may or may not have. Security
> > > is inversely proportional to convenience.
> >
> > And convenience is directly proportional to customer satisfaction.. But
> > I notice you call them 'users' not 'customers', so perhaps that's not an
> > issue. :-)
> > Ken
> >
> >
> > > Walt Wyndroski
> > >
> > > ----- Original Message -----
> > > From: "Alex Neuman" <alex at nkpanama.com>
> > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > Sent: Thursday, July 01, 2004 10:10 PM
> > > Subject: Re: Implement Access Control List With MailScanner???
> > >
> > >
> > >
> > >>This would break compatibility for roaming users.
> > >>
> > >>-----Original Message-----
> > >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> > >>Of Walt Wyndroski
> > >>Sent: Thursday, July 01, 2004 4:42 PM
> > >>To: MAILSCANNER at JISCMAIL.AC.UK
> > >>Subject: Re: Implement Access Control List With MailScanner???
> > >>
> > >>Actually, this thought just occurred to me: The rulesets in MailScanner are
> > >>structured as From:, FromOrTo:, To:, FromAndTo:. If I could use FromAndFrom:
> > >>then I could build a rule as follows:
> > >>
> > >>From: mydomain.com From: <IP or Subnet> Accept
> > >>From: mydomain.com From: 0.0.0.0/0 Deny
> > >>
> > >>OR:
> > >>
> > >>Can I use rulesets within rulesets? For instance, in the blacklist.rules
> > >>could I put:
> > >>
> > >>From: mydomain.com /etc/MailScanner/rules/mydomain.com.txt
> > >>
> > >>And inside "/etc/MailScanner/rules/mydomain.com.txt" I would put:
> > >>
> > >>From: <my subnet(s)> NO
> > >>From: default YES or From: /!(<my subnet(s)>)/ YES
> > >>
> > >>What do you all think?
> > >>
> > >>Walt Wyndroski
> > >>
> > >>
> > >>
> > >>----- Original Message -----
> > >>From: "Walt Wyndroski" <wdwrn at friendlycity.net>
> > >>To: <MAILSCANNER at JISCMAIL.AC.UK>
> > >>Sent: Thursday, July 01, 2004 5:05 PM
> > >>Subject: Implement Access Control List With MailScanner???
> > >>
> > >>
> > >>
> > >>>Hello all,
> > >>> I've been doing some serious googling over the 2-3 days about how to
> > >>>implement a type of ACL (access control list) for Sendmail which would help
> > >>>in preventing the spoofing of my domain to my users. The only thing I can
> > >>>find are rulesets which are inserted directly into the sendmail.cf, which is
> > >>>something that I really want to avoid. I was hoping MailScanner would allow
> > >>>me to do this. Here is my setup:
> > >>>
> > >>> Kernel Version 2.4.22-1.2194.nptlsmp
> > >>>SendMail RPM Version sendmail-8.12.10-1.1.1
> > >>>Procmail RPM Version procmail-3.22-11
> > >>>MailScanner RPM Version mailscanner-4.30.2-1
> > >>>
> > >>>If an email arrives at my mail server with the from header as user at mydomain,
> > >>>I need to further look at the message to see if the message originated from
> > >>>one of the subnets for which I relay. If it did, I'll accept it. If it
> > >>>didn't, I'll discard it. If anyone knows of a Sendmail m4 rule for this,
> > >>>please point me in the right direction and accept my apologies for being on
> > >>>the wrong list. :) Otherwise, if MailScanner can already do this or if
> > >>>someone has already written a custom function for this, please point me in
> > >>>the right direction.
> > >>>
> > >>>Walt Wyndroski
> > >>>
> > >>>-------------------------- MailScanner list ----------------------
> > >>>To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
> > >>>Before posting, please see the Most Asked Questions at
> > >>>http://www.mailscanner.biz/maq/ and the archives at
> > >>>http://www.jiscmail.ac.uk/lists/mailscanner.html
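The check this thread asks for (accept mail claiming a local-domain sender only when the connecting IP is in a relayed subnet), written out as an added Python example; it is not part of the original posts and is not MailScanner code. The rule notation is a simplified model of the two-condition 'and' form mentioned in the reply, and the domain and networks are constructed placeholders.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample policy (placeholder domain, documentation-range networks).
RULES = """
From: *@mydomain.example and From: 192.0.2.0/24     accept
From: *@mydomain.example and From: 198.51.100.0/24  accept
From: *@mydomain.example                            deny    # spoofed from outside
From: default                                       accept
"""

def _matches(cond, sender, client_ip):
    """Test one condition against the envelope sender or the SMTP client IP."""
    if cond == "default":
        return True
    try:
        net = ipaddress.ip_network(cond, strict=False)
    except ValueError:
        # Not a network: treat it as a case-insensitive sender glob.
        return fnmatchcase(sender.lower(), cond.lower())
    ip = ipaddress.ip_address(client_ip)
    return ip.version == net.version and ip in net

def parse_rules(text):
    """Return [(conditions, action)] from 'From: A [and From: B] action' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        *body, action = line.split()
        conds = [tok for tok in body if tok not in ("From:", "and")]
        if not conds:
            raise ValueError(f"rule has no condition: {line!r}")
        rules.append((conds, action.lower()))
    return rules

def decide(sender, client_ip, rules):
    """First matching rule wins; every condition in a rule must hold."""
    for conds, action in rules:
        if all(_matches(c, sender, client_ip) for c in conds):
            return action
    return "deny"  # fail closed if the ruleset has no default line

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for sender, ip in [("user@mydomain.example", "192.0.2.17"),
                       ("user@mydomain.example", "203.0.113.9"),
                       ("someone@other.example", "203.0.113.9")]:
        print(sender, ip, decide(sender, ip, rules))
```

Rule order matters here: the bare local-domain deny line must come after the subnet accept lines, otherwise legitimate relayed mail is rejected too.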