Hi,
... sorry in advance if this has been covered before - I tried to
"search" the archives on the website, but since there's no real search
functionality, it's pretty tedious, and I didn't come up with
anything... So if this has been discussed before, please just point me
in the right direction.
I'm wondering if something like this is possible using policyd. My setup
is as follows:
- Mixture of both physical and virtual users. All of them are
authenticated via SASL - physical users use their real username only
(e.g. "christoph" in my case), while virtual users use their full
address ("[email protected]").
- I already have a basic setup running, which restricts users from
sending more than 100 messages per hour to external domains. In other
words, I'm somewhat familiar with how policyd works, but far from being
an expert and understanding all of it.
Now, what I want to achieve is this:
1. Almost all users only need one sender identity: [email protected].
2. Some do use address extensions ([email protected]). Only
physical users though, for virtual ones this isn't supported anyway.
3. Some do use alternate identities (e.g. role accounts
<[email protected]>, or completely "unrelated" ones like
<[email protected]>). Address extensions aren't required in that
case.
With the current setup, anybody can send mail as anyone - if somebody
feels like impersonating [email protected], they can.
In short, I'd like to restrict case 3 to a whitelist of known identities
per user. So something like SASLUsername "christoph" is allowed to send
mail as "[email protected]" and as "[email protected]"... etc.
Ideally, after initial setup, I would only want to administer the
exceptions (i.e., case 3), without having to touch the generic rules (1
and 2). In other words: if I add a new user to the system, he can
immediately send mail as in 1) and 2). If he needs to be able to use an
alias or a specific external address, I'll need to add that rule.
From a logical point of view, this would roughly be the "algorithm" in
pseudo-perl:
if ($SASLUsername =~ /@/) {
    # virtual user: the login already is the full address
    $senderPattern = $SASLUsername;
} else {
    # physical user: bare login, optional +extension, local domain
    $senderPattern = $SASLUsername.'(\\+[^@]*)[email protected]';
}
if ($fromAddress =~ /$senderPattern/i) {
    # allow mail
} else {
    # check that $fromAddress is in "allowed list" for $SASLUsername
    # allow if contained, reject "You are not allowed to send mail as
    # $fromAddress" otherwise
}
Can something like this be done (I'm pretty confident that it can), and
if so, how?
Thank you very much for your help!
Cheers,
Chris
PS: And sorry about the weird subject, it seems that the list doesn't
like me:
host lists.policyd.org[46.37.180.38] said: 554 5.7.1
Mail (id-37373-06214) appears to be unsolicited, please resend with the
code da5e4uvu appended to email subject and ask to have your sender email
whitelisted (the code da5e4uvu changes each 24 hours). (in reply to end of
DATA command)
_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
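The decision logic sketched in the post, written out as an added example in Python; this is not code from the post or from policyd. It assumes a placeholder local domain (example.org), a constructed per-user whitelist, and the Postfix policy-delegation request format (attribute=value lines terminated by a blank line) that policyd-style daemons read. Two choices go beyond the pseudo-perl: the +extension is optional rather than required, and the pattern is anchored at both ends so that a login such as "chris" cannot match "xchris@example.org" or "chris@example.org.attacker.example" as a substring. Requests without a SASL username (inbound mail) and with the null sender are passed through as DUNNO so other rules decide them.

```python
import re

# Constructed sample data: placeholder local domain and per-user whitelist
# of extra identities (case 3 of the post: role accounts, external addresses).
LOCAL_DOMAIN = "example.org"
ALLOWED_IDENTITIES = {
    "christoph": {"postmaster@example.org", "chris@other.example"},
}


def sender_pattern(sasl_username, local_domain=LOCAL_DOMAIN):
    """Anchored, case-insensitive regex for the sender addresses a SASL login
    may use without any per-user rule (cases 1 and 2 of the post)."""
    if "@" in sasl_username:
        # Virtual user: the login is the full address; no extensions.
        return re.compile(r"^" + re.escape(sasl_username) + r"$", re.IGNORECASE)
    # Physical user: bare login, optional +extension, local domain only.
    return re.compile(
        r"^" + re.escape(sasl_username) + r"(\+[^@]*)?@" + re.escape(local_domain) + r"$",
        re.IGNORECASE,
    )


def decide(sasl_username, sender, whitelist=ALLOWED_IDENTITIES, local_domain=LOCAL_DOMAIN):
    """Return the policy action for one (login, envelope sender) pair."""
    if not sasl_username or not sender:
        # Not an authenticated submission, or the null sender: leave it to other rules.
        return "DUNNO"
    if sender_pattern(sasl_username, local_domain).match(sender):
        return "DUNNO"
    allowed = {a.lower() for a in whitelist.get(sasl_username, ())}
    if sender.lower() in allowed:
        return "DUNNO"
    return "REJECT You are not allowed to send mail as %s" % sender


def parse_policy_request(raw):
    """Parse a Postfix policy request: attribute=value lines, blank line ends it."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def handle_request(raw, **kw):
    """Turn one raw request into the response text Postfix expects."""
    attrs = parse_policy_request(raw)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = decide(attrs.get("sasl_username", ""), attrs.get("sender", ""), **kw)
    return "action=%s\n\n" % action


if __name__ == "__main__":
    # Constructed request as a submission server would send it.
    sample = "request=smtpd_access_policy\nsasl_username=christoph\nsender=ceo@example.org\n\n"
    print(handle_request(sample), end="")
```

Adding a new user needs no change here: cases 1 and 2 follow from the login alone, and only entries in ALLOWED_IDENTITIES have to be administered. Wiring this into Postfix (a socket loop for check_policy_service) is deliberately left out; the decision function is what the post asks about.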