> Hi guys,
>
> As managers and directors of the companies are getting more acquainted
> with the Internet use (and abuse) inside their companies, they want to
> have more and more control over what employees can and cannot do on the
> Internet.
>
> Now, the director of one of the companies I give support to asked me to set a
> bunch of e-mail accounts as internal-only, i.e., they can send e-mail
> internally but cannot send or receive external e-mails.
>
> As I recognized that his need will probably also be desired by a lot of
> other companies, I think it's worth discussing here which would be the most
> appropriate manner to achieve this feature with Qmail-LDAP.
>
>
> THE IDEAL SCENE:
>
> The ideal scene for me would be if qmail-ldap could provide a means for
> doing this. To set the internal-only account I'd like every user account
> to have a property, like "internalOnly", that I could simply set to
> "yes" or "no":
>
> internalOnly: yes
>
> I have no idea of how this could be implemented by qmail-ldap. Can someone
> out there imagine something?
>
>
> IDEAS:
>
> Until now, the only thing that occurs to me in order to accomplish this is
> to edit (manually) the famous "tcp.smtp" file and laboriously
> add a bunch of IP addresses, one for each internal-only user, unsetting the
> RELAYCLIENT variable for each one of them. This would prevent the users
> from sending e-mails to external domains. But they could receive external
> e-mails (although they would not be able to answer the e-mails).
>
> Or, suddenly, I could set the IPs of all internal-only users' machines
> inside a specified IP range, and I would disable RELAYCLIENT just for this
> range. I should explain this change to my customer, and they should follow
> the IP range specification. Still, I would be relying on the tcp.smtp file to
> accomplish this.
>
>
> I see there is a LDAP_PROGRAM parameter where I could set a
> "deliveryProgramPath". Does someone know if this program could be a filter
> that would block internal<->external mail delivery?
>
>
> Further ideas?
>
> Regards,
> -------------------------------------------------
> Bruno Negrao - Support Analyst
> Engepel Teleinformática. 55-31-34812311
> Belo Horizonte, MG, Brazil
>
Bruno,

I have exactly the same problem. I worked a solution by:

1) Installing Postfix as my frontline smtpd, bound to eth0-ip-address:25

2) Creating an openldap schema with an attribute called mailClass, which can have values like:

   interNet = receives/sends only from/to Internet
   intraNet = receives/sends only from/to Internal mail
   all      = receives/sends from/to Internet and Internal mail

3) Installing qmail-ldap as backstage smtpd, same machine as Postfix, bound to 127.0.0.1:25

Configuration for Postfix looks at the recipient and retrieves attribute mailClass. Then, it looks at the sender and proceeds accordingly, relaying the email to qmail-ldap at 127.0.0.1 or returning a non-authorized email message to the sender. If authorized, qmail-ldap receives the email and proceeds to remote or local delivery.

Pros: Postfix can be very good at blocking SPAM, so I inserted anti-spam rules in it, besides the rules for filtering out non-authorized mails.

Cons: One more smtp service to maintain. Not that difficult, but it means using more resources, like memory, cpu and disks.

--
Bye,
Fernando Maciel Souto Maior
[EMAIL PROTECTED]
http://www.araujo.com.br
+55+31 3270-5886
LPIC/1 # 31908

DISCLAIMER--------------------------------------------------------
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on any information herein. If you have received this message in error, please advise the sender immediately by replying to this e-mail and delete this message. Thank you for your cooperation.
------------------------------------------------------------------
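Fernando's mailClass rule written out as a small access-policy decision in the style of a Postfix SMTPD policy server, as an added example that is not Fernando's Postfix configuration. It assumes a constructed in-memory directory standing in for the LDAP mailClass lookup and a constructed company domain, and it goes slightly beyond the description above by checking the class of both sender and recipient, so that an intraNet account can neither send to nor receive from the Internet, which is what Bruno asked for.

```python
# Added example: a mailClass policy check in the style of a Postfix SMTPD
# access-policy server. Not Fernando's Postfix configuration; the directory
# below is a constructed stand-in for the LDAP lookup of mailClass.
INTERNAL_DOMAINS = {"example.internal"}          # constructed company domain

DIRECTORY = {                                    # constructed: address -> mailClass
    "alice@example.internal": "intraNet",        # internal-only account
    "bob@example.internal": "all",               # unrestricted account
    "sales@example.internal": "interNet",        # Internet-only account
}

PERMITTED = {                                    # mailClass -> sides it may talk to
    "all": {"internal", "internet"},
    "intraNet": {"internal"},
    "interNet": {"internet"},
}

def is_internal(addr):
    """Internal if the domain is ours; the null sender (bounces) counts as internal."""
    if "@" not in addr:
        return True
    return addr.rsplit("@", 1)[1].lower() in INTERNAL_DOMAINS

def party_permits(party, other):
    """True if `party` has no mailClass (external/unknown) or its class allows `other`."""
    mail_class = DIRECTORY.get(party.lower())
    if mail_class is None:
        return True
    side = "internal" if is_internal(other) else "internet"
    # An unrecognised mailClass value permits nothing (fail closed).
    return side in PERMITTED.get(mail_class, set())

def decide(sender, recipient):
    """Return the Postfix policy action for one envelope: DUNNO or REJECT ..."""
    if not party_permits(sender, recipient):
        return "REJECT sender may not mail this destination"
    if not party_permits(recipient, sender):
        return "REJECT recipient does not accept mail from this origin"
    return "DUNNO"

def handle_policy_request(raw):
    """Parse one policy request (name=value lines ended by a blank line), answer it."""
    attrs = dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    return "action=%s\n\n" % decide(attrs.get("sender", ""), attrs.get("recipient", ""))
```

DUNNO hands the decision to the remaining Postfix restrictions (anti-spam rules and the final relay to qmail-ldap), while REJECT returns the non-authorized message to the sender before the mail ever reaches 127.0.0.1:25.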