Mailing List Archive: Qmail: users

per domain access control

nic.drew at slightlydifferent

May 6, 2008, 3:04 AM

Post #1 of 6
per domain access control

Hi All

We are running qmail 1.03 on a redhat box. Some of our clients use
third party spam/virus filtering services and others do not. For the
ones that do, we wish to restrict which IPs we accept incoming email
from. This would be easy to do if all our clients used the third party
service - but because that is not the case, we need the access control
to be per domain. Does anyone have any idea how we can go about this
via qmail...?


Many Thanks.


Nic

-- -- -- --

Slightly Different is the trading name of Slightly Different Ltd., a company registered in England and Wales with company number 4014634 and registered office at Waterside Court, Falmouth Road, Penryn, TR10 8AW. The Slightly Different VAT registration number is 760 2167 50.

-- -- -- --
This email has been scanned for viruses by Slightly Different Centurion
<http://www.slightlydifferent.co.uk/centurion/>


search-web-for-address at pyropus

May 6, 2008, 6:04 AM

Post #2 of 6
Re: per domain access control

Nic Drew <nic.drew[at]slightlydifferent.co.uk> wrote:
>
> We are running qmail 1.03 on a redhat box. Some of our clients use third
> party spam/virus filtering services and others do not. For the ones that do,
> we wish to restrict which IPs we accept incoming email from. This would be
> easy to do if all our clients used the third party service - but because
> that is not the case, we need the access control to be per domain. Does
> anyone have any idea how we can go about this via qmail...?

Assign multiple IP addresses to your server; put the clients that use the
3rd-party filtering service on a qmail-smtpd assigned to one address, which
you use tcprules-based filtering for, and the other clients on a qmail-smtpd
on the other address with no filtering.

Charles
--
--------------------------------------------------------------------------
Charles Cazabon
GPL'ed software available at: http://pyropus.ca/software/
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
--------------------------------------------------------------------------


kyle-qmail at memoryhole

May 6, 2008, 10:12 AM

Post #3 of 6
Re: per domain access control

On Tuesday, May 6 at 11:04 AM, quoth Nic Drew:
>Hi All
>
>We are running qmail 1.03 on a redhat box. Some of our clients use
>third party spam/virus filtering services and others do not. For the
>ones that do, we wish to restrict which IPs we accept incoming email
>from. This would be easy to do if all our clients used the third party
>service - but because that is not the case, we need the access control
>to be per domain. Does anyone have any idea how we can go about this
>via qmail...?

Charles' suggestion is the best way to go about it.

BUT... if you can't use multiple IPs for some reason, my suggestion
would be to either use a qmail-queue wrapper (at that point, you know
the recipients and you know the TCPREMOTEIP) or use something like Jay
Soffian's RCPTCHECK patch, which allows you to create a script that
can allow or deny an email based on the $RECIPIENT and $TCPREMOTEIP
variables.

~Kyle
--
Democracy must be something more than two wolves and a sheep voting on
what to have for dinner.
-- James Bovard


nic.drew at slightlydifferent

May 7, 2008, 1:59 AM

Post #4 of 6
RE: per domain access control

> -----Original Message-----
> From: Charles Cazabon [mailto:search-web-for-address[at]pyropus.ca]
> Sent: 06 May 2008 14:04
> To: qmail[at]list.cr.yp.to
> Subject: Re: per domain access control
>
> Nic Drew <nic.drew[at]slightlydifferent.co.uk> wrote:
> >
> > We are running qmail 1.03 on a redhat box. Some of our clients use third
> > party spam/virus filtering services and others do not. For the ones that do,
> > we wish to restrict which IPs we accept incoming email from. This would be
> > easy to do if all our clients used the third party service - but because
> > that is not the case, we need the access control to be per domain. Does
> > anyone have any idea how we can go about this via qmail...?
>
> Assign multiple IP addresses to your server; put the clients that use the
> 3rd-party filtering service on a qmail-smtpd assigned to one address, which
> you use tcprules-based filtering for, and the other clients on a qmail-smtpd
> on the other address with no filtering.
>
> Charles
> --



Many thanks Charles [and also Kyle]. We now have multiple qmail-smtpd's
assigned - and it seems to be working great.




All the best,
Nic


search-web-for-address at pyropus

May 7, 2008, 6:53 AM

Post #5 of 6
Re: per domain access control

Nic Drew <nic.drew[at]slightlydifferent.co.uk> wrote:
> >
> > Assign multiple IP addresses to your server; put the clients that use the
> > 3rd-party filtering service on a qmail-smtpd assigned to one address,
> > which you use tcprules-based filtering for, and the other clients on a
> > qmail-smtpd on the other address with no filtering.
>
> Many thanks Charles [and also Kyle]. We now have multiple qmail-smtpd's
> assigned - and it seems to be working great.

Note that if all you've done is configure an additional qmail-smtpd service,
malicious attackers can still get around your 3rd-party filtering service by
deliberately connecting to the other, open SMTP service. If there are no clues
in DNS to lead them to try this, you may be okay.

The "sure" fix for that is to actually have multiple qmail installations (so
that the two SMTP services have different lists of domains they'll accept mail
for -- i.e. control/rcpthosts). That way, the open SMTP service refuses to
accept mail for any of the domains that should only be coming from the
filtering service's outbound addresses.

Charles
--
--------------------------------------------------------------------------
Charles Cazabon
GPL'ed software available at: http://pyropus.ca/software/
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
--------------------------------------------------------------------------
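
An added example (not from any poster in this thread) of checking the separation Charles describes: it reports every domain listed in the filtered instance's rcpthosts that the open instance's rcpthosts would still accept. The file paths are supplied by the caller, the sample domains are constructed, and morercpthosts.cdb is not examined.

```shell
#!/bin/sh
# rcpthosts_accepts FILE DOMAIN -> 0 if a qmail-smtpd using FILE would accept
# mail for DOMAIN: an exact entry, or a ".suffix" wildcard entry that covers
# subdomains only (".example.org" does not match "example.org" itself).
rcpthosts_accepts() {
    file=$1
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -f "$file" ] || return 0    # no rcpthosts at all: qmail-smtpd accepts any domain
    while read -r entry; do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case $entry in
            '') continue ;;
            .*) case $domain in *"$entry") return 0 ;; esac ;;
            *)  [ "$domain" = "$entry" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# audit_open OPEN_RCPTHOSTS FILTERED_RCPTHOSTS
# Prints each filtered-only domain the open instance would accept; returns 1
# if any were found. Wildcard entries in the filtered list are skipped because
# they cannot be enumerated; review those by hand.
audit_open() {
    leak=0
    while read -r d; do
        case $d in ''|.*) continue ;; esac
        if rcpthosts_accepts "$1" "$d"; then echo "$d"; leak=1; fi
    done < "$2"
    return "$leak"
}

# Constructed sample: client2.example was left in the open instance by mistake.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' open.example client2.example .lists.open.example > "$dir/open"
    printf '%s\n' filtered.example client2.example > "$dir/filtered"
    rc=0
    audit_open "$dir/open" "$dir/filtered" || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Run `audit_open` against the two installations' control/rcpthosts files after every domain change; any output means the open service still accepts mail that should only arrive via the filtering service.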


kyle-qmail at memoryhole

May 7, 2008, 9:08 AM

Post #6 of 6
Re: per domain access control

On Wednesday, May 7 at 07:53 AM, quoth Charles Cazabon:
> The "sure" fix for that is to actually have multiple qmail
> installations (so that the two SMTP services have different lists of
> domains they'll accept mail for -- i.e. control/rcpthosts). That
> way, the open SMTP service refuses to accept mail for any of the
> domains that should only be coming from the filtering service's
> outbound addresses.

Good point! If necessary, this can be achieved with Soffian's
RCPTCHECK patch as well (but that can get more convoluted, and isn't
as "self-documenting" as simply having multiple qmail installations).

~Kyle
--
Human beings, who are almost unique in having the ability to learn
from the experience of others, are also remarkable for their apparent
disinclination to do so.
-- Douglas Adams
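
An added example, not part of the thread and not taken from the RCPTCHECK patch: the kind of allow/deny script Kyle describes in posts #3 and #6, keyed on $RECIPIENT and $TCPREMOTEIP. The policy table, its domains and addresses, and the use of exit code 100 to signal rejection are assumptions; check the patch's own documentation for the exit codes it expects.

```shell
#!/bin/sh
# Constructed policy table: "domain allowed-source [allowed-source ...]".
# Domains not listed are unrestricted. A source ending in "." is a prefix in
# the style of tcprules (198.51.100. covers 198.51.100.0-255); anything else
# must match the connecting address exactly.
POLICY='
filtered.example 192.0.2.10 192.0.2.11
client2.example 198.51.100.
'

# check_rcpt RECIPIENT REMOTEIP -> returns 0 (accept) or 100 (reject, assumed code)
check_rcpt() {
    rcpt=$1 ip=$2
    case $rcpt in
        *@*) domain=${rcpt##*@} ;;
        *)   return 0 ;;          # no domain part: leave it to qmail's own handling
    esac
    domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    [ -n "$ip" ] || ip=unknown    # missing TCPREMOTEIP never matches an allowed source
    while read -r pdomain sources; do
        [ -n "$pdomain" ] || continue
        [ "$pdomain" = "$domain" ] || continue
        for s in $sources; do
            case $s in
                *.) case $ip in "$s"*) return 0 ;; esac ;;
                *)  [ "$ip" = "$s" ] && return 0 ;;
            esac
        done
        return 100                # restricted domain, source not on its list
    done <<EOF
$POLICY
EOF
    return 0                      # domain carries no restriction
}

# When qmail-smtpd (with the patch) runs this script, RECIPIENT is set in the
# environment; TCPREMOTEIP comes from tcpserver.
if [ -n "${RECIPIENT:-}" ]; then
    check_rcpt "$RECIPIENT" "${TCPREMOTEIP:-}" || exit $?
    exit 0
fi
```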
