bill - nice work with the gateway matcherpairs btw - i set up a variation of it last night ...
but it seems that the original inquiry was to ensure beyond doubt that a particular sender is authorized to send mail. although your gateway more or less can ensure that the mail originated from a network, it can't really ensure that the sender actually has the authority to send. this goes towards role based certs and whatnot, but a simple acl can be used in conjunction with a custom MatcherPair to validate the mails going out ...

> i believe there may be a solution to this by adding the
> concept of 'direction' to the mail flow analysis. this
> only works if your mail server is in a protected area
> where IP spoofing is not possible (you cannot trust your
> ISP to check for spoofing, but a well configured firewall
> or router does this quite reliably). it works like this:
>
> 1. you define those ip addresses that are considered
> 'internal'. in my world that is the company mailserver,
> since james is acting as an intelligent filtering mx (yes,
> i still owe the list some docs on this, i haven't
> forgotten! :o)
>
> 2. you extend your "RecipientIS" mailet to consider the ip
> address of the sender: anything that matches the subnet
> of the 'internal' address becomes 'outgoing' mail,
> anything that doesn't becomes 'incoming' mail.
>
> 3. you only allow 'outgoing' mail that matches the naming
> scheme you currently have defined in "RecipientIS" to be
> delivered.
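
The direction check from the quoted steps combined with the sender acl suggested in the reply, as an added example that is not part of the original thread and is not James Matcher code. The networks, addresses and the acl layout (envelope sender mapped to the internal networks allowed to submit as that sender) are constructed assumptions.

```python
import ipaddress

# Constructed sample policy (assumptions, not values from the thread).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # hosts treated as 'internal'
SENDER_ACL = {  # envelope sender -> internal networks allowed to submit as that sender
    "alice@example.com": [ipaddress.ip_network("192.0.2.10/32")],
    "billing@example.com": [ipaddress.ip_network("192.0.2.0/28")],
}


def parse_remote(remote_addr):
    """Parse the connecting IP; unwrap IPv4-mapped IPv6 so ::ffff:a.b.c.d matches IPv4 nets."""
    ip = ipaddress.ip_address(remote_addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def direction(ip):
    """Step 2 of the quoted scheme: internal source is 'outgoing', anything else 'incoming'."""
    return "outgoing" if any(ip in net for net in INTERNAL_NETS) else "incoming"


def decide(remote_addr, sender):
    """Return (verdict, reason) for one message, keyed on source IP and envelope sender."""
    try:
        ip = parse_remote(remote_addr)
    except ValueError:
        return ("reject", "unparseable remote address")
    if direction(ip) == "incoming":
        return ("inbound", "external source: hand to normal inbound filtering")
    # Outgoing: network origin alone does not prove authority, so consult the acl.
    allowed = SENDER_ACL.get((sender or "").strip().lower())
    if allowed is None:
        return ("reject", "sender not in ACL")
    if not any(ip in net for net in allowed):
        return ("reject", "host not authorized for this sender")
    return ("accept", "internal source and sender authorized")


if __name__ == "__main__":
    # Constructed test messages: (remote address, envelope sender).
    for msg in [("192.0.2.10", "alice@example.com"), ("192.0.2.11", "alice@example.com"),
                ("::ffff:192.0.2.5", "Billing@Example.com"), ("192.0.2.5", "mallory@example.com"),
                ("198.51.100.7", "alice@example.com")]:
        print(msg, "->", decide(*msg))
```

The second sample message is the case the reply is about: it comes from an internal address, so the direction test alone would pass it, and only the acl lookup rejects it.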
