
Block users from sending to ALL addresses except for specific addresses

  • linuxknight
    Message 1 of 3 , Jun 20, 2013
      Greetings, I am attempting to limit specific local users from sending mail to ALL addresses except members of my management team.

      Basically I want our sales agents to be able to receive important emails/bulletins from management, but only be able to reply to and send email to the members of management.

      Initially I figured I would just block their ability to send altogether with /etc/postfix/access but then decided it would be nice to give them the ability to email management if necessary. If there are no other solutions, I will probably just defer to the latter.

      I have Postfix set up so they can't send to or receive email from the outside world, I just want to limit WHO they can send email TO within the company. Unfortunately many of my staff would abuse the privilege if I allowed them to email anyone internally.

      Thank you in advance for your suggestions.
    • /dev/rob0
      Message 2 of 3 , Jun 20, 2013
        On Thu, Jun 20, 2013 at 12:23:19PM -0400, linuxknight wrote:
        > Greetings, I am attempting to limit specific local users from
        > sending mail to ALL addresses except members of my management team.
        >
        > Basically I want our sales agents to be able to receive important
        > emails/bulletins from management, but only be able to reply to and
        > send email to the members of management.

        IMO, this sounds like you're trying to solve a political problem
        using technical means.

        > Initially I figured I would just block their ability to send
        > altogether with /etc/postfix/access

        What is /etc/postfix/access? It has no magical, universal meaning
        across all of Postfixland. There are many different types of
        access(5) lookups which can be done. If you don't understand this,
        your chances of solving this problem are poor. This might be a
        starting point:

        http://www.postfix.org/SMTPD_ACCESS_README.html

        > but then decided it would be nice to give them the
        > ability to email management if necessary. If there are no other
        > solutions, I will probably just defer to the latter.
        >
        > I have Postfix set up so they can't send to or receive email from
        > the outside world, I just want to limit WHO they can send email
        > TO within the company. Unfortunately many of my staff would abuse
        > the privilege if I allowed them to email anyone internally.

        You probably already have these untrustworthy staff (!) on an
        isolated and restricted subnet, right? (If not, there may be other
        political problems you need to address.) It would be simple to
        present clients from that subnet (via a check_client_access lookup)
        with a check_recipient_access lookup.

        Another idea using sender addresses is here:

        http://www.postfix.org/RESTRICTION_CLASS_README.html#external

        But in that case you will also need to force authentication and
        maintain smtpd_sender_login_maps. This might be more work than you
        will wish to commit to for an untrustworthy staff, which probably
        also means high turnover rates.

        RESTRICTION_CLASS_README.html has the basics you need in either case.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
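
The subnet-based approach suggested in the reply above (a check_client_access lookup that hands clients from the restricted subnet a check_recipient_access lookup), sketched as an added example; it is not part of the original thread or either poster's configuration. The subnet 192.0.2.0/24, the example.com addresses, the class name mgmt_only and the map file names are assumptions.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# Declare a restriction class. Clients assigned to it may send only to
# recipients listed in mgmt_recipients; every other RCPT TO is rejected.
smtpd_restriction_classes = mgmt_only
mgmt_only =
    check_recipient_access hash:/etc/postfix/mgmt_recipients,
    reject

# The client lookup must come BEFORE permit_mynetworks. If the sales
# subnet is part of $mynetworks and permit_mynetworks is evaluated first,
# the restriction class is never consulted.
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/sales_clients.cidr,
    permit_mynetworks,
    reject_unauth_destination

# ---- /etc/postfix/sales_clients.cidr ----
# Assumed address range of the restricted sales subnet. The right-hand
# side names the restriction class to apply to matching clients.
# cidr: tables are read directly; no postmap step is needed.
192.0.2.0/24    mgmt_only

# ---- /etc/postfix/mgmt_recipients ----
# Assumed management addresses. OK permits the recipient; anything not
# listed falls through to the "reject" that ends the mgmt_only class.
# Rebuild the lookup table after each edit:
#   postmap /etc/postfix/mgmt_recipients
ceo@example.com         OK
sales-mgr@example.com   OK
```

Each RCPT TO is checked separately, so a message addressed to one manager and one other colleague has only the second recipient refused. These restrictions cover mail arriving over SMTP; mail submitted locally on the server with the sendmail command does not pass through smtpd and is not affected.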
      • linuxknight
        Message 3 of 3 , Jun 20, 2013
          Thanks rob0, no need to beat me down with the access comment - I simply meant using REJECT within the access file. I have gone over the restriction class readme as well but didn't find an implementation, I am a somewhat new Postfix user but able to learn.

          Yes, my users are untrustworthy and on their own subnet. I'll keep reading and searching for a method.

          Appreciations.

