
Sendmail ACL ability (like squid ACL's)


ask...@gmail.com

Aug 7, 2007, 6:05:53 AM
Hi All!

I have spent 2 weeks googling for ACL ability for sendmail, but haven't
found anything for my needs. Maybe, and most likely, I use the "wrong
words" for this; anyway, here is a description of the ability that I need:

I need to control all incoming/outgoing mail for my corporate users,
using ACLs. It should look like this - there are 2 large groups of
users: 1 - users who are under control of ACLs and 2 - all other users
(they are allowed to send and receive any email). Users from the 1st
group need to be controlled in these ways:
- Allowed incoming mails
- Denied incoming mails
- Allowed outgoing mails
- Denied outgoing mails
How it should look:
I plan to create 4 files - to.allow, to.deny, from.allow and from.deny -
with the following syntax:
user1 <TAB> LIST
Where "user1" is a username from the 1st group and "LIST" is a list of valid
domain/email addresses. For example:

to.allow:
#User name(looks like T on the scheme*) <tab> LIST
user1 <tab> a...@a.com
user2 <tab> @b.com c...@c.com

to.deny:
#User name(looks like T on the scheme*) <tab> LIST
user2 <tab> b...@b.com
user3 <tab> @c.com

from.allow:
#User name(looks like F on the scheme*) <tab> LIST
user1 <tab> a...@a.com

from.deny:
#User name(looks like F on the scheme*) <tab> LIST
user3 <tab> @spam.com z...@z.com

*scheme - it is a graphical file that explains the logic of the ACL checks
that should be applied. It can be found at -
http://photos.streamphoto.ru/5/e/0/86e9958dc43d76bba6783f8b850ba0e5.jpg
T and F on this scheme mean usernames in the to.* and from.* files.
T@ and F@ on this scheme mean email address LISTs in the to.* and
from.* files.

Small explanation:
to.allow - this file will consist of "To:" addresses to which "user" is
allowed to send emails; all other addresses for this "user" will be
denied. So if "user" exists in to.allow, it is ONLY allowed to send mail
to its lists; all others are denied.
to.deny - this file will consist of "To:" addresses to which "user" is
denied to send emails; all other addresses for this "user" will be allowed.
So if "user" exists in to.deny, it is ONLY denied to send mail to its
lists; all others are allowed.
If "user" exists in both to.allow and to.deny, to.allow should be
used, except in cases when "LIST" in one of the lists contains only the domain
part - @a.com - and the other "LIST" contains a full email address - a...@a.com

from.allow - this file will consist of "From:" addresses from which
"user" is allowed to receive emails; all other addresses for this "user"
will be denied. So if "user" exists in from.allow, it can ONLY receive
mail from the allowed addresses; all others are denied.
from.deny - this file will consist of "From:" addresses from which
"user" is NOT allowed to receive emails; all other addresses for this
"user" will be allowed. So if "user" exists in from.deny, it can
receive all mail except from those listed in this file.
If "user" exists in both from.allow and from.deny, from.allow should
be used, except in cases when "LIST" in one of the lists contains only the domain
part - @a.com - and the other "LIST" contains a full email address - a...@a.com

How it should work, for my example files:
1. user1 can send and receive email ONLY to/from a...@a.com; all others
are DENIED for this user.
2. user2 can send emails ONLY to @b.com and c...@c.com addresses, except
b...@b.com. user2 can receive all emails.
3. user3 can send emails anywhere and receive all emails, but not from
@spam.com and z...@z.com
4. All other users are not limited by ACLs.

Any ideas? Maybe there already exists some sendmail milter that
can be used for this after a simple modification? Or maybe one of the
sendmail gurus is ready to write rules for this ability?

Thx.
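The decision logic described in this post, written out as an added Python example (not code from the thread, sendmail, or any milter) so the allow/deny and domain-vs-full-address precedence can be checked before wiring it into a milter. The sample files mirror the post's layout; the addresses (alice@a.com, carol@c.com, and so on) are constructed placeholders, and the function names are this example's own.

```python
# Constructed sample ACL files in the post's 'user <TAB> LIST' layout.
# The addresses are placeholders, not values taken from the thread.
TO_ALLOW = "#User name <tab> LIST\nuser1\talice@a.com\nuser2\t@b.com carol@c.com\n"
TO_DENY = "user2\tbob@b.com\nuser3\t@c.com\n"
FROM_ALLOW = "user1\talice@a.com\n"
FROM_DENY = "user3\t@spam.com zed@z.com\n"

def parse_acl(text):
    """Parse 'user <TAB> addr addr ...' lines into {user: [entries]}, lower-cased."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        user, _, rest = line.partition("\t")
        acl.setdefault(user.strip().lower(), []).extend(e.lower() for e in rest.split())
    return acl

def match_rank(address, entries):
    """0 = no match, 1 = a bare '@domain' entry matches, 2 = exact address match."""
    address = address.lower()
    domain = "@" + address.rpartition("@")[2]
    rank = 0
    for entry in entries:
        if entry == address:
            return 2
        if entry.startswith("@") and entry == domain:
            rank = 1
    return rank

def acl_permits(user, address, allow, deny):
    """Post's rules: users in neither file are unrestricted; allow-listed users may
    only use listed addresses; deny-listed users may use anything but listed ones;
    when both apply, allow wins unless the deny entry is more specific."""
    user = user.lower()
    if user not in allow and user not in deny:
        return True
    deny_rank = match_rank(address, deny.get(user, []))
    if user not in allow:
        return deny_rank == 0
    allow_rank = match_rank(address, allow[user])
    return allow_rank > 0 and allow_rank >= deny_rank

_TO_ALLOW, _TO_DENY = parse_acl(TO_ALLOW), parse_acl(TO_DENY)
_FROM_ALLOW, _FROM_DENY = parse_acl(FROM_ALLOW), parse_acl(FROM_DENY)

def may_send(user, recipient):  # outgoing mail: envelope recipient check
    return acl_permits(user, recipient, _TO_ALLOW, _TO_DENY)

def may_receive(user, sender):  # incoming mail: envelope sender check for a local user
    return acl_permits(user, sender, _FROM_ALLOW, _FROM_DENY)
```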

ask...@gmail.com

Aug 8, 2007, 9:31:36 AM
Nobody knows? Really???? OK, I'll ask my question from the other
side:
Is it possible to use lists from an external file for the Compat: option?

The user-to-user option works fine:

Compat: us...@myhost.com<@>al...@otherhost.com ERROR:"550 not allowed"

But what should I do to prevent sending from us...@myhost.com to any
user at @otherhost.com? May I use something like ":include:" in
aliases for the list of recipients?
Is it possible to use compat_check rules at the check_rcpt phase?

ska

Aug 9, 2007, 3:47:13 AM
You need to use a Milter for this sort of control.
A general Milter, like MIMEDefang (http://www.mimedefang.org/), can do
anything with a transmission.
ska
