I need some ideas for implementing this uber-restrictive mailserver at my company.

Some background: CEO doesn't want to buy Exchange. We have basically 3 user groups: agents, their team leads, and corporate (execs, etc). The goal is: Execs don't want agents to e-mail each other or anyone outside the company. Agents are also prohibited from receiving e-mail from anyone outside the company. Agents can only e-mail people in the company who are not agents.

Summary: agents can only send mail to and receive from their leads or corporate.

Non-agents are on Google Apps (GA). We have 3 GA domains (ex: cc.com, dfs.com, acr.com), depending on which corporate identity the corporate employee uses. Agents are allowed to send to and receive from anyone on the GA domains; they just can't e-mail each other on their local Postfix server. Agents' e-mail will be on agents.cc.com.

I looked at Zimbra, which is built on Postfix, and would work great if it could be configured restrictively - then we could get rid of Outlook, too. Any tips?

I'm reading Postfix documentation to see if its directives can do this. There's only 60 agents and 35 non-agents, so having to manually maintain access lists isn't a huge deal, but if I could build it so that smtpd_recipient_restrictions and standard RELAY restrictions could control it, that'd be fabulous.

I'm currently on this page of the wiki, trying to understand how to apply it to this problem.

http://postfix.wiki.xs4all.nl/index.php?title=Client_sender_recipient_restrictions

    smtpd_client_restrictions = check_client_access hash:/etc/postfix/restricted_clients, permit_mynetworks, permit
    smtpd_restriction_classes = local_only
    local_only = check_recipient_access hash:/etc/postfix/local_domains_to, reject

    # /etc/postfix/restricted_clients
    # Add the list of IP addresses which cannot send emails to each other
    10.5            local_only
    # would this apply to the entire 10.5.x.x network?
    # or should I use
    10.5.10.11      local_only
    10.5.10.12      local_only

    # /etc/postfix/local_domains_to
    # Insert the list of domains that every user can send emails to
    cc.com          OK
    dfs.com         OK
    acr.com         OK
    # to deny e-mail from the agents to the agents
    agents.cc.com   REJECT

Any tips?

Thanks,
-Mike
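
As an added example (not part of the original post, and not Postfix code): a small Python model of the access(5) lookup order applied to the two tables in the post, showing that a `10.5` key matches by whole octets and that the more specific `agents.cc.com` entry is found before `cc.com`. The function names and sample addresses are constructed for illustration, and the model assumes the default `smtpd_delay_reject = yes`, so the recipient is known when the client restrictions run.

```python
# Added illustration: models how Postfix access(5) tables are searched.
# Table contents follow the post; the agent-to-agent entry uses the
# access(5) action REJECT. Function names here are hypothetical.
RESTRICTED_CLIENTS = {"10.5": "local_only"}
LOCAL_DOMAINS_TO = {
    "cc.com": "OK",
    "dfs.com": "OK",
    "acr.com": "OK",
    "agents.cc.com": "REJECT",
}


def client_lookup(table, ip):
    """Try a.b.c.d, then a.b.c, a.b, a: whole octets, never string prefixes."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def recipient_lookup(table, rcpt):
    """Try user@domain, the domain, its parent domains, then user@."""
    rcpt = rcpt.lower()
    user, _, domain = rcpt.rpartition("@")
    labels = domain.split(".")
    keys = [rcpt]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(user + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def decide(client_ip, rcpt):
    """Outcome of one RCPT TO under the restrictions shown in the post."""
    if client_lookup(RESTRICTED_CLIENTS, client_ip) == "local_only":
        # local_only = check_recipient_access ..., reject
        action = recipient_lookup(LOCAL_DOMAINS_TO, rcpt)
        return "permit" if action == "OK" else "reject"
    # Not a restricted client: falls through to permit_mynetworks, permit.
    return "permit"


if __name__ == "__main__":
    # Constructed sample clients and recipients.
    for ip, rcpt in [("10.5.10.11", "lead@cc.com"),
                     ("10.5.10.12", "bob@agents.cc.com"),
                     ("10.5.200.1", "someone@example.org")]:
        print(ip, rcpt, decide(ip, rcpt))
```

The model covers only what the two posted tables decide for mail submitted from the agent hosts; mail arriving for agents from outside is not governed by these tables.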