|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
(no subject)
991688_szb
21cn.net
Date: Fri Sep 12 2003 - 08:47:49 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello: all
At http://www.postfix.org/faq.html#relay_restrict, there have the list:
Restricting what users can send mail to off-site destinations
How can I configure Postfix in a way that some users can send mail to the internet and other users not. The users with no access should receive a generic bounce message. Please don't discuss whether such access restrictions are necessary, it was not my decision.
Postfix has support for per-user restrictions. The restrictions are implemented by the SMTP server. Thus, users that violate the policy have their mail rejected by the SMTP server. Like this:
554 <userremote>: Access denied
The implementation uses two lookup tables. One table defines what users are restricted in where they can send mail, and the other table defines what destinations are local. It is left as an exercise for the reader to change this into a scheme where only some users have permission to send mail to off-site destinations, and where most users are restricted.
The example assumes DB/DBM files, but this could also be done with LDAP or SQL.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders
...other stuff...
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
/etc/postfix/restricted_senders:
foodomain local_only
bardomain local_only
/etc/postfix/local_domains:
this.domain OK matches this.domain and subdomains
that.domain OK matches that.domain and subdomains
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what map types Postfix supports, use the command postconf -m.
The smtpd_restriction_classes verbiage exists so that Postfix can open /etc/postfix/local_domains.db before entering a chroot jail, so it is only an artefact of implementation.
This scheme does not authenticate the user, therefore it can be bypassed in several ways:
By sending mail as someone else who does have permission to send mail to off-site destinations.
By sending mail as yourself via a less restrictive mail relay host.
I according the FAQ, and can restrict the senders. But I found that my restricted users can sender mails to off-site by change the "E-mail address" at outlook, so how can I do?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]