[EMAIL PROTECTED] wrote:
> 
> On Wed, Sep 27, 2000 at 03:15:14PM -0300, Daniel Augusto Fernandes wrote:
> > "Ihnen, David" wrote:
> > >
> > > > -----Original Message-----
> > > > From: Daniel Augusto Fernandes [mailto:[EMAIL PROTECTED]]
> > > >
> > > > Dave Sill wrote:
> > > > >
> > > > > "Gustavo Zambon Rozatti" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > >        I have more than 500 users in a qmail server, which are
> > > > > >        connected to Internet and to our Intranet, but not all of them
> > > > > >        can have Internet access. So how can I prevent some users
> > > > > >        from sending and receiving any mail to/from any host other
> > > > > >        than localhost?
> > > > >
> > > > > It's not easy. To do it right, you'd have to run all your mail
> > > > > through a general filter (see qmail.faqts.com or possibly modify
> > > > > a spam filter).
> > > >
> > > > What about a simple single firewall on that machine?
> > >
> > > How would that work?  What rules?
> > >
> >
> > Well, he could set up two smtp servers in his net. One for users who are
> > allowed to send extern mail and other for those who are not allowed. The
> > first one should use SMTP-AUTH as in:
> > http://members.elysium.pl/brush/qmail-smtpd-auth/
> >
> > So, if one annoying user changes his smtp server config in the MUA he
> > would have to authenticate.
> >
> > Then, he would have a firewall to deny port 25 packets from the second
> > smtp server to the internet and allow it from the first server.
> >
> > Is this all ok?
> 
> Well it depends a lot on his setup. First off, he didn't particularly say
> that all the users came in via smtp. Maybe they have shell access?

Even with shell access, one would have to connect to a port 25 on the
other side to send its msgs. This would not be possible with the
firewall. These users would have to use the first server as a relay if
they want to send msgs to the net.

> 
> Second. The address allocation may be via DHCP or somesuch that is
> not within his control.
> 

My suggestion has nothing to do with the client IP addresses. All the
machines in the local net should not have access to extern port 25 but
the only relay smtp server (the first one).

> Third. The users may use shared PCs.
> 

Again, the same reply above. And they would have to authenticate in the
smtp server.

> Fourth. He may not have the ability to put a firewall on his machine.
> 

Well, there are a lot of free firewall systems available in the net. He
could use an extra machine as a firewall or his own mailserver could
have two IP aliases for the smtp servers and the firewalling abilities.

> I think that's why Dave said it's difficult as each avenue of entry
> has to be addressed. That's not to say your idea won't work, but we need
> to know the full situation - which hasn't been stated.
> 
> Regards.

Ok... I was wrong saying it would be a 'simple single firewall'. But, I
think he would be able to do what he wants.

Regards
:o)

--------------------------------------------------------------------
Daniel Augusto Fernandes (DAF tm)               [EMAIL PROTECTED]
GCSNet                                    http://www.gcsnet.com.br/
--------------------------------------------------------------------
                     If you cannot find
                     the meaning of things,
                     it is because it is not
                     found, it is created.
                                   Antoine Saint-Exupéry
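
Added example, not part of the original message: the egress policy proposed in the thread, written as an nftables ruleset for a separate firewall machine sitting between the LAN and the Internet. The addresses, the interface name `wan0` and the choice of nftables are assumptions; the thread names no firewall product.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every address and interface name is a placeholder.
#   RELAY = first SMTP server (SMTP-AUTH, allowed to deliver to the Internet)
#   WAN   = the firewall's Internet-facing interface
# The second SMTP server, shell hosts, DHCP clients and shared PCs need no
# entry of their own: they are covered by the default deny for port 25.
define RELAY = 192.0.2.10
define WAN   = "wan0"

table inet smtp_egress {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only the authenticated relay may open SMTP connections outward.
        oifname $WAN ip saddr $RELAY tcp dport 25 counter accept

        # Any other source trying to reach port 25 on the outside is
        # logged (rate limited) and dropped. This also covers IPv6,
        # because the accept rule above matches IPv4 only.
        oifname $WAN tcp dport 25 limit rate 10/minute log prefix "smtp-egress-denied: "
        oifname $WAN tcp dport 25 counter drop
    }
}
```

The rules match on destination port and the relay's source address only, so the policy does not depend on how client addresses are assigned. The log prefix gives a ready signal for hosts that try to bypass the relay.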
