On Thu, 1 Jun 2006, kerneloverdrive wrote:
>
> Is it possible to set policies per account? for example user1@??? can
> only send and receive from @domain.com and user2@??? can send to
> @domain.com and @otherdomains.com?
> If this is possible, how?

If you want to restrict who can send to a particular address, use the
senders precondition on the router that handles the address. If there are
multiple routers (e.g. in the default configuration there is the
userforward router and the localuser router) it's probably easier to put a
router like this before them:

    restricted_recipients:
      driver = redirect
      domains = +local_domains
      local_parts = +restricted_users
      # run this router (and so fail the address) only when the
      # sender is outside the local domains
      senders = ! *@+local_domains
      data = :fail: $local_part@$domain may not receive email from you
      allow_fail

If you want to restrict who a particular user can send email to, add a
recipients condition to the appropriate place in your ACLs. You'll have to
guard it with a condition which checks for the relevant senders, which
might be a senders condition, or you might prefer to use the authenticated
user ID or even the sending host as the key. Something like:

    deny
      authenticated = *
      condition = ${if and{{ match_domain{$sender_address_domain}{+local_domains} } \
                      { match_local_part{$sender_address_local_part}{+restricted_users} }} }
      ! domains = +local_domains

The reason for doing one in the routers and one in the ACLs is that the
former is a restriction on the recipient email address, and addresses are
things that routers deal with, whereas the latter is a restriction on the
SMTP client, and clients are things that ACLs deal with.

You could take a slightly different view and say that only non-restricted
users may email remote addresses, which sounds more like an address-based
restriction. So instead of the checks in the ACL, you could have the
following modified dnslookup router:

    dnslookup:
      driver = dnslookup
      domains = ! +local_domains
      # skip this router when the sender is a restricted local user
      condition = ${if !and{{ match_domain{$sender_address_domain}{+local_domains} } \
                      { match_local_part{$sender_address_local_part}{+restricted_users} }} }
      transport = remote_smtp
      ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
      no_more

It's largely a matter of taste.

(Hmm, this really shows up Exim's strangely non-uniform sender and
recipient address handling...)

Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
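
Added example (not part of Tony's message): the ACL check keyed on the authenticated user ID, which the reply mentions as an alternative to matching the sender address. The envelope sender is chosen by the SMTP client, whereas $authenticated_id is set by the server's authenticator. The list contents, the message text and the form of $authenticated_id are assumptions.

```exim
# Added example; list contents are constructed sample values.

# Main configuration section (before the first "begin" line).
domainlist    local_domains    = domain.com
localpartlist restricted_users = user1

# In the ACL named by acl_smtp_rcpt (acl_check_rcpt in the default
# configuration), ahead of the statement that accepts authenticated
# clients. Assumes the authenticators set $authenticated_id to the
# bare local part (for example "user1"); adjust the match if yours
# store user@domain instead.
deny
  message       = $authenticated_id may only send to local addresses
  authenticated = *
  condition     = ${if match_local_part{$authenticated_id}{+restricted_users}}
  ! domains     = +local_domains
```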