LinuxQuestions.org
Red Hat This forum is for the discussion of Red Hat Linux.

Old 08-18-2004, 10:16 PM   #1
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Rep: Reputation: 15
Qn: How to restrict in/out emails within a domain name/internal organisation only?

Hi,

I have searched high and low for a solution to my problem but couldn't find any. I really need help on this one.

I have a server that runs RedHat Linux 9.0. For one of the domain names, I wish to restrict email communications within that domain name only. That is, tom@domain.com could only send/receive to/from jenny@domain.com and vice-versa. If you like, I am trying to implement a closed email system for communication within an internal organisation only.

Does anyone know how to achieve this?

Many thanks in advance.

R
 
Old 08-19-2004, 03:25 PM   #2
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
You didn't say what you were using as the MTA. Is this PC acting as a mail server? If so, what application are you using? If you are using Sendmail there is indeed a way to do this. I am not sure about Postfix. Dig up those answers and repost.
 
Old 08-21-2004, 10:51 AM   #3
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by ScooterB
You didn't say what you were using as the MTA. Is this PC acting as a mail server? If so, what application are you using? If you are using Sendmail there is indeed a way to do this. I am not sure about Postfix. Dig up those answers and repost.
Hi ScooterB,

Thanks for your response. I am using Sendmail although I am thinking of switching to Postfix, and yes, the server is used as a web server and a mail server. I use POP and SMTP. Is there anything else you need to know?

R

Last edited by rebel; 08-21-2004 at 11:04 AM.
 
Old 08-23-2004, 07:34 AM   #4
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
There is a database located at /etc/mail called "access" (quotation marks mine). It is accessible via your text editor. I use vi. If you open the file simply called access in your editor, you can restrict by sender name, address, or ip number. Since you want to restrict by a domain, use the ip address of that domain (i.e., 123.456.789 or whatever describes your network where the domain is located). You can even address just the domain if you want to. Leave host addresses off and simply address the domain. Then you can do whatever you want with other addresses. You basically have five choices for resolution by Sendmail; OK, RELAY, REJECT, DISCARD, SKIP. They each have a different reaction and result. You can get more info about each at either the man pages, Sendmail's website (www.sendmail.org) or from the O'Reilly manual "Sendmail". Look some of these over to be able to fine tune your list. After you get it the way you want it, you will have to remake the database by using the hash command:
# cd /etc/mail
# makemap hash access < access
This will rebuild it using the new rules you put in, then you can test it and tweak as necessary. If you have any other questions or need more help repost and I'll try to assist. Good luck and have fun!
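As an added illustration (not code from this thread or from sendmail itself), here is a Python model of the lookup sendmail performs against the access database described above. The map contents are constructed; the lookup order (full address, then the domain and its parent domains, then user@, with client IP addresses shortened one octet at a time) follows sendmail's access_db behaviour for untagged keys like the ones in the post. Every key names one party only (a sender, a recipient or a connecting host) and is looked up on its own, which is why the access map by itself cannot express a pairing such as "abc.com may only talk to abc.com".

```python
"""Model of how sendmail walks /etc/mail/access for a sender address or a
client IP address. Added example; the map contents below are constructed."""

ACCESS_SRC = """\
# constructed sample of /etc/mail/access (untagged keys, as in the post)
spammer@spam.example        REJECT
spam.example                REJECT
friend@partner.example      OK
partner.example             RELAY
192.168                     RELAY
192.168.99.7                REJECT
10                          DISCARD
"""


def parse_access(text):
    """Parse the text form that 'makemap hash access < access' reads: one
    'key action' pair per line, '#' comments and blank lines ignored.
    makemap folds keys to lower case unless -f is given, so do the same.
    Only the five plain actions (OK, RELAY, REJECT, DISCARD, SKIP) are modelled."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


ACCESS = parse_access(ACCESS_SRC)


def candidate_keys(item):
    """Keys sendmail tries for one item, most specific first."""
    item = item.lower()
    parts = item.split(".")
    if parts and all(p.isdigit() for p in parts):        # dotted-quad client address
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    local, at, domain = item.partition("@")
    keys = [item] if at else []                           # user@host.domain
    labels = (domain if at else local).split(".")
    keys += [".".join(labels[i:]) for i in range(len(labels))]   # host.domain, domain, ...
    if at:
        keys.append(local + "@")                          # user@ : that user at any domain
    return keys


def access_lookup(item, table=ACCESS):
    """Return (matching key, action), or (None, None) when no entry applies.
    SKIP ends the search without a decision, as it does in sendmail."""
    for key in candidate_keys(item):
        if key in table:
            action = table[key]
            return (None, None) if action == "SKIP" else (key, action)
    return None, None


if __name__ == "__main__":
    for probe in ("anyone@spam.example", "other@mail.partner.example",
                  "192.168.1.5", "10.0.0.1", "someone@def.com"):
        print(probe, "->", access_lookup(probe))
```

Each probe returns the first key that matches on the way from the most specific form to the least specific one, which is the same order in which sendmail's check_mail and check_relay rulesets consult the map.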
 
Old 08-23-2004, 12:42 PM   #5
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks very much for your help, ScooterB. I am very grateful.

I am hosting several domain names on my server but would like to restrict emails for one of the domain names only.

Wouldn't the rules in /etc/mail/access apply to ALL the domain names, instead of only one?

For example, if I have these domain names:

abc.com
def.com
ghi.com

and I only want to restrict email addresses on abc.com (e.g. serene@abc.com) to be able to send/receive to/from email addresses from abc.com (e.g. constance@abc.com).

For def.com and ghi.com, they don't have any restrictions on receipt and sending of emails.

I can't quite figure out how to set a rule to achieve that?
 
Old 08-23-2004, 01:21 PM   #6
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
I see what you mean now. You can address the domains separately easily enough, but I am not sure how you will be able to set up allowing the one domain to only email someone else in the same domain. I have several of these running but I have never tried to do that. Is this server local to the domain or is it remote? If it's local it would be a lot easier; if it's remote that would make it tough. This might be a good question for the gurus out there. You might even try the sendmail site and their discussion forums. I'll dig through my manual as soon as I get a chance and see if I can come up with something. Keep on trying and don't give up. I can guarantee that you aren't the only person who has tried to do this; it will just be a matter of finding the one who did before you and finding out how they did it.
 
Old 08-23-2004, 09:38 PM   #7
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks ScooterB. I searched the sendmail.org site that you posted, and found the link below. It looks promising, but as I am no expert in Sendmail, I have to look a bit more closely to understand what has been said.


http://www.sendmail.org/~ca/email/protected.html

Protecting internal aliases against E-Mail from external addresses.

Last Update 2002-05-02

--------------------------------------------------------------------------------
This example ruleset protects internal aliases against mail from external senders. It uses class w to detect local senders/recipients. Attention: this protection is only based on the address information given in the envelope of the e-mail which can be easily forged.
List those aliases (which are local) in a file:

LOCAL_CONFIG
F{Internal}/etc/mail/intern.only

Then the rules work like this:
LOCAL_RULESETS
SLocal_check_rcpt
# if the recipient isn't internal, they get the mail
R$+	$: <@> $>3 $1
R<@> $={Internal}<@$=w.>	$: <$1@$2>
R<@> $={Internal}	$: <$1@$j>
# no internal alias
R<@>$+	$@ OK
# check to see if the sender is local
R$*	$: $>3 $&f
R$+<@$=w.>	$@ OK
# empty sender: accept (RFC 1123)
R<@>	$@ OK
R$+	$#error $: 551 $&f not allowed to send to recipient

Before 8.9, you have to use Scheck_rcpt instead of SLocal_check_rcpt.

The ruleset works like this:

is the recipient a local alias (listed in the file)?
if no: OK
if yes: the sender must be local too
if it isn't: error
A more sophisticated ruleset has been posted to comp.mail.sendmail .

A slightly better solution is to check the relaying host instead of the sender address, however, this requires that you don't have other servers "in front" of the one that performs these checks.

LOCAL_RULESETS
SLocal_check_rcpt
...
# check to see if the sender is local
R$*	$: $&{client_name}
# or some other class instead of m
R$*$=m	$@ OKSOFAR
R$*	$#error $: 551 $&f not allowed to send to recipient

You can also use $&{client_name}; or you can lookup the name/address in the access map.
A much better solution is possible in sendmail 8.10 using SMTP AUTH. It requires that the sender is authenticated, for example:

LOCAL_RULESETS
SLocal_check_rcpt
...
# check to see if the sender is local
R$*	$: $&{auth_type}
R$+	$@ OKSOFAR
R$*	$#error $: 551 $&f not allowed to send to recipient

Of course you can use also other AUTH macros such as {auth_authen} or {auth_author} to provide even finer access control.
Combining Rulesets
If you want to use several rulesets SLocal_check_rcpt you should turn them into subroutines and call them, e.g.,
LOCAL_RULESETS
SLocal_check_rcpt
R$*	$: $1 $| $>"Protect" $1
R$* $| $#$*	$#$2
R$* $| $*	$: $1 $| $>"Restrict" $1
R$* $| $#$*	$#$2

and rename the other rulesets:
LOCAL_RULESETS
SProtect
...
SRestrict
...
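To make the decisions of the quoted rulesets concrete, here is an added Python model of their logic. It is not code from the sendmail.org page or from this thread, and the host names, alias names and addresses in it are constructed: LOCAL_HOSTS stands in for class w, RELAY_DOMAINS for class m, and INTERNAL_ALIASES for the F{Internal} file. The closed_domain function goes beyond the page: it is a constructed two-way version of the same check for the original question (abc.com users may only exchange mail with abc.com), and it believes a sender claim in that domain only when SMTP AUTH or a connection from the site's own relay backs it, for the reason the page itself gives: the envelope sender is easily forged.

```python
"""Decision logic of the Local_check_rcpt rulesets quoted above, modelled in
Python as an added example. Hosts, aliases and addresses are constructed."""
from dataclasses import dataclass


@dataclass
class Envelope:
    sender: str              # envelope MAIL FROM ($&f); "" for the null reverse-path
    recipient: str           # envelope RCPT TO
    client_name: str = ""    # ${client_name}: name of the connecting host
    auth_type: str = ""      # ${auth_type}: set only after a successful SMTP AUTH


# Stand-ins for the sendmail classes and file the rulesets consult (all constructed).
LOCAL_HOSTS = {"domain.com", "mail.domain.com"}    # class w ($=w) and $j
INTERNAL_ALIASES = {"staff", "everyone"}          # F{Internal}/etc/mail/intern.only
RELAY_DOMAINS = {"domain.com"}                    # class m ($=m) for the relay variant
CLOSED_DOMAINS = {"abc.com"}                      # the poster's internal-only domain


def split_addr(addr):
    """Lower-cased (localpart, domain); domain is '' for a bare local name."""
    local, _, domain = addr.strip().strip("<>").lower().partition("@")
    return local, domain.rstrip(".")


def host_in(host, domains):
    """True if host is one of the domains or a host inside one (what R$*$=m tests)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_is_trusted(env, mode):
    """The three ways the quoted rulesets decide that a sender is 'local'."""
    if mode == "sender":     # R$+<@$=w.>   $@ OK      (envelope sender, forgeable)
        return split_addr(env.sender)[1] in LOCAL_HOSTS
    if mode == "relay":      # R$*$=m       $@ OKSOFAR (on ${client_name})
        return host_in(env.client_name, RELAY_DOMAINS)
    if mode == "auth":       # R$+          $@ OKSOFAR (on ${auth_type})
        return env.auth_type != ""
    raise ValueError("unknown mode: %s" % mode)


def protect_internal(env, mode="sender"):
    """Reject mail to an internal alias unless the sender is local."""
    local, domain = split_addr(env.recipient)
    if domain and domain not in LOCAL_HOSTS:
        return "OK"                       # R<@>$+  $@ OK: not addressed to one of our hosts
    if local not in INTERNAL_ALIASES:
        return "OK"                       # no internal alias
    if mode == "sender" and env.sender == "":
        return "OK"                       # empty sender: accept (RFC 1123)
    if sender_is_trusted(env, mode):
        return "OK"
    return "551 %s not allowed to send to recipient" % (env.sender or "<>")


def closed_domain(env):
    """Constructed two-way version for the poster's case: a closed domain may
    only exchange mail with itself. A sender claim in that domain is believed
    only when backed by SMTP AUTH or a connection from our own relay, because
    the envelope sender is easily forged (the page's own warning)."""
    s_dom = split_addr(env.sender)[1]
    r_dom = split_addr(env.recipient)[1]
    trusted = sender_is_trusted(env, "auth") or sender_is_trusted(env, "relay")
    if r_dom in CLOSED_DOMAINS and env.sender == "":
        # bounces carry a null reverse-path: accept them only from our own relay
        return "OK" if trusted else "551 external bounce refused for %s" % env.recipient
    if s_dom in CLOSED_DOMAINS and not trusted:
        return "551 %s not authenticated" % env.sender
    if r_dom in CLOSED_DOMAINS and s_dom != r_dom:
        return "551 %s accepts internal mail only" % env.recipient
    if s_dom in CLOSED_DOMAINS and r_dom != s_dom:
        return "551 %s may send internal mail only" % env.sender
    return "OK"


if __name__ == "__main__":
    print(protect_internal(Envelope("mallory@evil.example", "staff@domain.com")))
    print(protect_internal(Envelope("x@domain.com", "staff@domain.com"), mode="auth"))
    print(closed_domain(Envelope("serene@abc.com", "bob@def.com", auth_type="PLAIN")))
```

The real rulesets are exercised the same way with sendmail's -bt test mode, by defining the f, {client_name} and {auth_type} macros before calling Local_check_rcpt with a recipient address; the "auth" mode of the model is the only one whose decision cannot be changed by forging the envelope.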
 
Old 08-23-2004, 09:56 PM   #8
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Original Poster
Rep: Reputation: 15
Another tip.


http://www.sendmail.org/~ca/email/ex...l.aliases.html

Internal.aliases
Last Update 2000-12-22
Notice: I changed the ruleset name down below. However, there's no guarantee it will work...


From: juan@physics.mcgill.ca (Juan Gallego)
Newsgroups: comp.mail.sendmail
Subject: Re: Internal aliases only
Date: 28 Oct 1997 14:26:43 GMT
Message-ID: <634sn3$856@sifon.cc.mcgill.ca>

[ posted and mailed ]

In article <6332ah$9sq$1@power42t.hkbu.edu.hk>
posted to comp.mail.sendmail on 27 Oct 1997 21:50:08 GMT,
Mr. Chow Wing Siu (wschow@Comp.HKBU.Edu.HK) wrote:

: In sendmail, how to prevent external (outside domain users) persons
: to access the aliases? I have included many mailing lists in terms
: of /etc/aliases but those mailing lists may have the potential to
: be spammed by outsiders. How to do in cf level to reject those
: mails from OUTSIDE domains but to accept from the organizations
: or selected sites?

I implemented the following hack exactly for that purpose when our
internal distribution lists got hit by spam. I'm sure it could be
easily adapted to meet your needs.

Add the following to your m4 master configuration file:

#
LOCAL_CONFIG
Kprivate hash -o /etc/private
Kprivateok hash -o /etc/privateok
#
LOCAL_RULE_0
#
SLocal_check_rcpt
# check recipient. Let it through unless it's a private address
# (possibly with host or local domain attached to it)
R$*	$: $>3 $1
R$-	$: $(private $1 $: OK $)
ROK	$@ OK non-private @ local
R$* < @ $* $=m . > $*	$: $(private $1 $: OK $)
R$* < @ $* > $*	$@ OK someone @ somewhere
ROK	$@ OK non-private @ here
# if private, check the sender (f macro). If the sender is local, let it
# through. The <@> and << >> hack is ugly, but I couldn't come up with a
# better way to treat user.something as a single token (any suggestions?)
RPRIVATE	$: $>3 $(dequote "" $&f $)
R$*	$: $1 <@>
R$* < @ $+ > $* < @ >	$: $1 << @ $2 >> $3
R$+ < @ >	$@ OK sender @ here
R$* << @ $* >> $*	$: $1 < @ $2 > $3
R$* < @ $* $=m . > $*	$@ OK address @ domain
# not a local sender. Get the relay (client_name)...
R$* < @ $+ . > $*	$: $1@$2 $| $>3 @ $(dequote "" $&{client_name} $)
# a particular sender through a valid relay is ok
R$+ $| $* < @ $+ . > $*	$: $(privateok $3:$1 $: $1 $) $| $3
ROK $| $*	$@ OK relay: user@host
# anyone from a given host/domain from a valid relay is also ok
R$-@$+ $| $+	$: $2 $| $3
R$+ $| $+	$: $(privateok $2:@$1 $: notOK $)
ROK $*	$@ OK relay: @host
# the rest can go to hell
R$*	$#error $@ 5.7.1 $: "571 private address."

The private map's keys are the list of private addresses with value PRIVATE:

list1 PRIVATE
list2 PRIVATE

The privateok keys are of the form relay:sender or relay:@host with values
OK:

relay.at.some.where:someone@some.where.else OK
relay.at.some.where:@its.ok.too OK

You can test the rules by invoking the test mode and predefining the
client_name and f macros with different combinations and then calling
the check_rcpt rule with the recipient's address.

Hope this helps,
--
Juan Gallego
Little ({sys,net}-{admin,hacker}) Boss
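As an added example (not Juan's code and not from this thread), here is a Python model of the recipient and sender checks in the rules quoted above. The two maps hold what the makemap source lines in the post would produce, with keys folded to lower case; the local domain used for class m is a constructed value. The rule order is kept: the recipient is classified first, then the sender, then the two privateok lookups keyed by the relaying host.

```python
"""Model of the private/privateok check from the quoted post, as an added
example. Map contents are the post's sample entries; the local domain that
stands in for class m is constructed."""

LOCAL_DOMAINS = {"physics.mcgill.ca"}          # class m ($=m), constructed value

# /etc/private:   list1 PRIVATE / list2 PRIVATE
PRIVATE = {"list1": "PRIVATE", "list2": "PRIVATE"}
# /etc/privateok: relay:sender OK / relay:@host OK
PRIVATEOK = {
    "relay.at.some.where:someone@some.where.else": "OK",
    "relay.at.some.where:@its.ok.too": "OK",
}


def split_addr(addr):
    """Lower-cased (localpart, domain); domain is '' for a bare local name."""
    local, _, domain = addr.strip().strip("<>").lower().partition("@")
    return local, domain.rstrip(".")


def in_local_domain(host):
    """What the LHS fragment '< @ $* $=m . >' matches: a host in a local domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LOCAL_DOMAINS)


def check_rcpt(recipient, sender, client_name):
    """Return the RHS the rules would produce, following their order:
    recipient first, then the sender, then the relay lookups."""
    r_local, r_dom = split_addr(recipient)
    if not r_dom:                                    # R$-  (bare name)
        if PRIVATE.get(r_local) != "PRIVATE":
            return "OK non-private @ local"
    elif in_local_domain(r_dom):                     # R$* < @ $* $=m . > $*
        if PRIVATE.get(r_local) != "PRIVATE":
            return "OK non-private @ here"
    else:
        return "OK someone @ somewhere"              # R$* < @ $* > $*
    # recipient is PRIVATE: look at the sender (f macro)
    s_local, s_dom = split_addr(sender)
    if not s_local and not s_dom:
        return "571 private address."                # null reverse-path matches no OK rule
    if not s_dom:
        return "OK sender @ here"                    # R$+ < @ >
    if in_local_domain(s_dom):
        return "OK address @ domain"                 # R$* < @ $* $=m . > $*
    # not a local sender: consult privateok with the relay (client_name) as prefix
    relay = client_name.lower().rstrip(".")
    if PRIVATEOK.get("%s:%s@%s" % (relay, s_local, s_dom)) == "OK":
        return "OK relay: user@host"                 # particular sender via a valid relay
    if PRIVATEOK.get("%s:@%s" % (relay, s_dom)) == "OK":
        return "OK relay: @host"                     # anyone at that host via a valid relay
    return "571 private address."


if __name__ == "__main__":
    print(check_rcpt("list1", "spammer@spam.example", "open.relay.example"))
    print(check_rcpt("list2", "anyone@its.ok.too", "relay.at.some.where"))
```

Because the allow entries are keyed by the relaying host as well as the sender, a forged envelope sender alone is not enough to reach a private list; the forger would also have to hand the message to one of the listed relays.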
 
Old 08-23-2004, 09:59 PM   #9
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Original Poster
Rep: Reputation: 15
FEATUREs for check_* in sendmail 8.9

http://www.sendmail.org/~ca/email/chk-89f.html



Using check_* in sendmail 8.8

http://www.sendmail.org/~ca/email/check.html
 
Old 08-23-2004, 10:52 PM   #10
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Original Poster
Rep: Reputation: 15
Restricting local users from sending external mail
Last Update 2002-07-24

http://www.sendmail.org/~ca/email/restrict.html
 
Old 08-23-2004, 10:54 PM   #11
rebel
LQ Newbie
 
Registered: Aug 2003
Distribution: CentOS
Posts: 24

Original Poster
Rep: Reputation: 15
http://www.sendmail.org/~ca/email/doc8.9/op-sh-6.html

Restricting Use of Email

If it is necessary to restrict mail through a relay, the checkcompat routine can be modified. This routine is called for every recipient address. It returns an exit status indicating the status of the message. The status EX_OK accepts the address, EX_TEMPFAIL queues the message for a later try, and other values (commonly EX_UNAVAILABLE) reject the message. It is up to checkcompat to print an error message (using usrerr) if the message is rejected. For example, checkcompat could read:


int
checkcompat(to, e)
    register ADDRESS *to;
    register ENVELOPE *e;
{
    register STAB *s;

    s = stab("private", ST_MAILER, ST_FIND);
    if (s != NULL && e->e_from.q_mailer != LocalMailer &&
        to->q_mailer == s->s_mailer)
    {
        usrerr("No private net mail allowed through this machine");
        return (EX_UNAVAILABLE);
    }
    if (MsgSize > 50000 && bitnset(M_LOCALMAILER, to->q_mailer))
    {
        usrerr("Message too large for non-local delivery");
        e->e_flags |= EF_NORETURN;
        return (EX_UNAVAILABLE);
    }
    return (EX_OK);
}


This would reject messages greater than 50000 bytes unless they were local. The EF_NORETURN flag can be set in e->e_flags to suppress the return of the actual body of the message in the error return. The actual use of this routine is highly dependent on the implementation, and use should be limited.
 
Old 08-24-2004, 07:25 AM   #12
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
WOW! It looks like you hit pay dirt. That is a lot of info; more than I have ever had to do. But your circumstances are different. It appears that most of it has to do with the sendmail.cf file, which is your configuration file. I would make a backup of your current one (which is working) and then you can play with the other one all you want. If it doesn't work correctly you simply rename the other file and go back to the original. That way you won't be down and can recover easily. I wish you luck and repost if everything works out for you. I would be interested. Thanks for replying.
 
  

