Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: [courier-users] Restricting Outbound ESMTP Access

1 view
Skip to first unread message

Sam Varshavchik

unread,
Nov 6, 2009, 7:04:05 AM11/6/09
to
Alexander Erameh writes:

> Hi,
>
> Is there a way to restrict some local users to sending local Mails only?
> That is they cannot send external Mails.
>
> From the Courier Server of course.

Nope.

Alessandro Vesely

unread,
Nov 8, 2009, 10:24:42 AM11/8/09
to
Gordon Messmer wrote:

> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>> Is there a way to restrict some local users to sending local Mails
>> only? That is they cannot send external Mails.
>
> You could always write your own policy by using the courierfilter
> interface.

Besides implementation concerns, how practical would it be to use
SMTP AUTH for delivering? For example, rather than SPF-whitelist a
number of forwarders, it is possible to give them userid/pass with a
very restrictive policy, for better control. Has anybody tried?

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
courier-users mailing list
courie...@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Bijan Soleymani

unread,
Nov 8, 2009, 3:37:17 PM11/8/09
to
Alessandro Vesely wrote:
> Gordon Messmer wrote:
>> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>> Is there a way to restrict some local users to sending local Mails
>>> only? That is they cannot send external Mails.
>> You could always write your own policy by using the courierfilter
>> interface.
>
> Besides implementation concerns, how practical would it be to use
> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
> number of forwarders, it is possible to give them userid/pass with a
> very restrictive policy, for better control. Has anybody tried?

This is a good point. If courier supports PAM (which I think it does)
then you could use a module to check if the user that is trying to send
mail is in a "sendmail" group and only allow access for those users.

Bijan

Bijan Soleymani

unread,
Nov 8, 2009, 3:41:33 PM11/8/09
to
Bijan Soleymani wrote:
> Alessandro Vesely wrote:
>> Gordon Messmer wrote:
>>> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>>> Is there a way to restrict some local users to sending local Mails
>>>> only? That is they cannot send external Mails.
>>> You could always write your own policy by using the courierfilter
>>> interface.
>> Besides implementation concerns, how practical would it be to use
>> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
>> number of forwarders, it is possible to give them userid/pass with a
>> very restrictive policy, for better control. Has anybody tried?
>
> This is a good point. If courier supports PAM (which I think it does)
> then you could use a module to check if the user that is trying to send
> mail is in a "sendmail" group and only allow access for those users.

Actually I guess that wouldn't work unless courier had some local
program to send mail. Since you can't really determine the user's uid,
if he is connecting to courier on port 25 or whatever.

I guess you could write a program to send mail (using SMTP auth) and
only allow users from a certain group to access it, but that wouldn't be
that secure.

So I guess you're left with giving a username and password to each user
that needs to send mail.

Alessandro Vesely

unread,
Nov 9, 2009, 2:46:34 AM11/9/09
to
Bijan Soleymani wrote:
> Bijan Soleymani wrote:
>> Alessandro Vesely wrote:
>>> Gordon Messmer wrote:
>>>> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>>>> Is there a way to restrict some local users to sending local Mails
>>>>> only? That is they cannot send external Mails.
>>>> You could always write your own policy by using the courierfilter
>>>> interface.

>>> Besides implementation concerns, how practical would it be to use
>>> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
>>> number of forwarders, it is possible to give them userid/pass with a
>>> very restrictive policy, for better control. Has anybody tried?
>> This is a good point. If courier supports PAM (which I think it does)
>> then you could use a module to check if the user that is trying to send
>> mail is in a "sendmail" group and only allow access for those users.

It's easier with virtual users, as one can add attributes at will
for the purpose of describing local policies.

> Actually I guess that wouldn't work unless courier had some local
> program to send mail. Since you can't really determine the user's uid,
> if he is connecting to courier on port 25 or whatever.

Virtual users share the same uid. Senders who don't authenticate get
standard filtering and no relaying privileges. External senders who
wish to be whitelisted from filtering would have to register in
order to obtain that. (Automating such registrations implies further
implementation concerns, that I still leave aside.) In this
scenario, the policy may be even more restrictive than that for
anonymous port-25 senders, as it should only allow the subset of
local recipients that are interested in that particular whitelisted
forwarding.

> I guess you could write a program to send mail (using SMTP auth) and
> only allow users from a certain group to access it, but that wouldn't be
> that secure.

Users with terminal access can always telnet to external hosts using
whatever program they like.

Gordon Messmer

unread,
Nov 13, 2009, 4:50:43 PM11/13/09
to
On 11/08/2009 07:24 AM, Alessandro Vesely wrote:
> On 11/06/2009 02:50 AM, Alexander Erameh wrote:
>>> Is there a way to restrict some local users to sending local Mails
>>> only? That is they cannot send external Mails.
>>>
> Besides implementation concerns, how practical would it be to use
> SMTP AUTH for delivering? For example, rather than SPF-whitelist a
> number of forwarders, it is possible to give them userid/pass with a
> very restrictive policy, for better control. Has anybody tried?
>

I don't think you ever defined what you meant by "local". Courier will
always relay mail for users of the local host, where they can use
"sendmail".

Network users, including those in "local" networks, can easily be
controlled with AUTH. Just remove the RELAYCLIENT setting from
/etc/courier/smtpaccess/default and "makesmtpaccess". Thereafter, only
clients who have a username and password which the server can
authenticate will be able to relay.

0 new messages