preventing internet mail access for selected users
I have a group of users who are to have internal (intranet) mail access only, no mail to or from the internet. All of the users in question have UIDs of the format letter-letter-number-number-number-number-number-number, i.e. aa1234576, zw067302.
I think that I can accomplish this within the tcp_local channel. I am just wondering if anyone has done anything like this and can provide any guidance or examples.
By [tim-a] at [2007-11-26 9:22:12]

# 1
This isn't really something that the designers of our product had in mind.
What do you want to have happen to messages from the external world to these people? Silently drop? Return?
I think a sieve filter may be your best bet. One for each such user.
You can filter on the envelope from, and only allow locally-generated addresses to be sent to the store.
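Added example, not part of the original reply and not code from the product documentation: a per-user Sieve script (RFC 5228) that applies the envelope-from test suggested above. The domain `example.com` is a placeholder for the site's local mail domain, and keeping messages with an empty envelope sender is an assumed policy choice.

```sieve
# Added example: inbound filter for one intranet-only mailbox.
# "example.com" is a placeholder for the local mail domain (assumption).
require ["envelope"];

# Delivery status notifications arrive with an empty envelope sender
# (MAIL FROM:<>). Keeping them is an assumed policy choice so the user
# still sees non-delivery reports; remove this block to drop them too.
if envelope :all :is "from" "" {
    keep;
    stop;
}

# Drop anything whose envelope sender is outside the local domain.
# "discard" is silent: nothing is returned to the sender. Returning the
# message instead would need the "reject" extension and a reason string.
# Domain comparison is case-insensitive by default (i;ascii-casemap).
if not envelope :domain :is "from" "example.com" {
    discard;
    stop;
}

# Everything else falls through to the implicit keep and is delivered.
```

The envelope sender is whatever the submitting SMTP client supplied, so this test separates local-looking from external-looking mail but does not authenticate the sender; rejecting external connections that claim a local envelope address has to be enforced at the MTA boundary.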
# 2
Hi Jay, A silent drop would be sufficient, especially for inbound. If I understand sieve filtering correctly, it could not be used to prevent users from sending to the external addresses.
tima at 2007-7-6 23:55:14 >

# 3
I imagine you could do something with a global sieve for outbound, too, but, honestly, it might be easier if you could define your users by ip address. That would make filtering much easier.
# 4
It's an environment where everyone uses everyone's computer. Filtering has to be based upon user name.
The documentation on implementing sieve filters seems to hover someplace between incomplete and nonexistent. At one point I thought all you had to do was stick a sieve script in an ldap attribute to filter on a per user basis. Can you clarify that for me? Also, the head-of-household filtering options look useful to me but, again, are very poorly documented. Would you have any sort of an example that I could look at or can you give me a quick rundown on how that works?
Incidentally, I have no mail filtering option in Messaging Express. (New install out of the JES 2005Q04 pack.) Is this a bug or does something need to be installed separately these days? (I had intended to just add a filter via ME and then check out how it was formatted in LDAP to answer the above question.)
Thanks,
Tim

# 5
Documenting Sieve rules was considered out of place in our doc (not my decision). The Sieve language itself is reasonably well documented in the RFC.
There are several options for using filters, including a global file in the config directory, and individual filters in ldap.
The interface in ME is gone.
There is an interface in CE (also known as UWC), but it's less than perfect. You can create a filter there that you cannot see again, nor edit...
# 6
I don't have CE (Communications Express, I assume) in this environment.
You might want to flag a couple of documentation bugs on filters in ME as it is listed in the documentation and also explained in the "help" that is part of ME.
I'm not looking for documentation of the sieve language itself. I'm looking for documentation on how to implement it within Messaging Server.
This:
http://docs.sun.com/app/docs/doc/819-2650/6n4u4dtsg?q=sieve&a=view
Says only:
To Create User-level Filters
Per-user mail filters apply to messages destined for a particular user's mailbox. Per-user mail filters can only be created using Messenger Express.
Is there anything else useful, buried in the documentation someplace? I've spent half a day looking for this and found nothing.

# 7
> I don't have CE (Communications Express, I assume) in
> this environment.
You can certainly install it . . .
>
> You might want to flag a couple of documentation bugs
> on filters in ME as it is listed in the documentation
> and also explained in the "help" that is part of ME.
Believe me, we have flagged many doc bugs. Unfortunately, once a document is published, we can't change it. The changes show up in the next version.
>
> I'm not looking for documentation of the sieve
> language itself. I'm looking for documentation on how
> to implement it within Messaging Server.
>
> This:
> http://docs.sun.com/app/docs/doc/819-2650/6n4u4dtsg?q=sieve&a=view
> Says only:
> To Create User-level Filters
> Per-user mail filters apply to messages destined for
> a particular user's mailbox. Per-user mail filters
> can only be created using Messenger Express.
Yes. You can create sieve directly in ldap. They're base 64 encoded.
>
> Is there anything else useful, buried in the
> documentation someplace? I've spent half a day
> looking for this and found nothing.
# 8
Hi,
I don't suppose all the internal users also have a unique email domain (e.g. internal.domain.com)? If they did that would make life much easier as you should be able to write a mapping rule that would reject the emails in question based on that email domain.
e.g.
tcp_local|*|*|*@internal.domain.com $N$D30|Internal$ Address$ Only
Cheers,
Shane.
# 9
Hey Shane, No, they are not in a separate domain. They used to be but management has decided that that is no longer acceptable.

# 10
Hi,
You may want to check out the following thread:
http://lists.balius.com/pipermail/info-ims-archive/2005-July/022203.html
It should be possible to restrict email delivery using a combination of two mapping table rules which use an LDAP lookup for a special attribute. One rule would apply for the recipient address of incoming external emails (tcp_local) and the other would apply to outgoing sender addresses.
Cheers,
Shane.