Re: [exim] User Restrictions

Author: Tony Finch
Date:
To: kerneloverdrive
CC: exim-users
Subject: Re: [exim] User Restrictions
On Thu, 1 Jun 2006, kerneloverdrive wrote:
>
> Is it possible to set policies per account? For example, user1@??? can
> only send and receive from @domain.com and user2@??? can send to
> @domain.com and @otherdomains.com?
> If this is possible, how?


If you want to restrict who can send to a particular address, use the
senders precondition on the router that handles the address. If there are
multiple routers (e.g. in the default configuration there is the
userforward router and the localuser router) it's probably easier to put a
router like this before them:

  restricted_recipients:
    driver = redirect
    domains = +local_domains
    local_parts = +restricted_users
    # skip this router when the sender is local, so that such mail falls
    # through to the normal delivery routers; any other sender is refused
    senders = ! *@+local_domains
    data = :fail: $local_part@$domain may not receive email from you
    allow_fail


If you want to restrict who a particular user can send email to, add a
recipients condition to the appropriate place in your ACLs. You'll have to
guard it with a condition which checks for the relevant senders, which
might be a senders condition, or you might prefer to use the authenticated
user ID or even the sending host as the key. Something like:

  # deny when an authenticated, restricted local sender addresses a
  # recipient outside the local domains
  deny
    authenticated = *
    condition = ${if and{{ match_domain{$sender_address_domain}{+local_domains} } \
                         { match_local_part{$sender_address_local_part}{+restricted_users} }} }
    ! domains = +local_domains


The reason for doing one in the routers and one in the ACLs is that the
former is a restriction on the recipient email address, and addresses are
things that routers deal with, whereas the latter is a restriction on the
SMTP client, and clients are things that ACLs deal with.

You could take a slightly different view and say that only non-restricted
users may email remote addresses, which sounds more like an address-based
restriction. So instead of the checks in the ACL, you could have the
following modified dnslookup router:

  dnslookup:
    driver = dnslookup
    domains = ! +local_domains
    # only run this router for senders who are NOT restricted local users;
    # for a restricted sender it is skipped and, because of no_more, the
    # remote address is left unrouteable
    condition = ${if !and{{ match_domain{$sender_address_domain}{+local_domains} } \
                          { match_local_part{$sender_address_local_part}{+restricted_users} }} }
    transport = remote_smtp
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
    no_more


It's largely a matter of taste.

(Hmm, this really shows up Exim's strangely non-uniform sender and
recipient address handling...)

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
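The ACL check from the message above, shown in the context of a RCPT ACL together with the named-list definitions that +local_domains and +restricted_users require (this is an added example, not part of Tony's mail; example.com, user1 and user2 are placeholders, and the surrounding accept/deny rules follow the shape of Exim's default configuration). The restricted_recipients router from the message uses the same two named lists.

```exim
# Named lists that +local_domains and +restricted_users refer to.
# example.com, user1 and user2 are placeholders for your own values.
domainlist    local_domains    = example.com
localpartlist restricted_users = user1 : user2

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Restricted local senders may only address local recipients.
  # This deny must come before the "accept authenticated = *" relay
  # rule below: once that accept matches, the ACL ends and the check
  # is never reached. Note that Exim comments must start a line; a "#"
  # after an option value is treated as part of the value.
  deny
    authenticated = *
    condition = ${if and{{ match_domain{$sender_address_domain}{+local_domains} } \
                         { match_local_part{$sender_address_local_part}{+restricted_users} }} }
    ! domains = +local_domains
    message = $sender_address may not send to remote addresses

  # Normal relay rules, as in the default configuration
  accept
    authenticated = *

  accept
    domains = +local_domains
    endpass
    verify = recipient

  deny
    message = relay not permitted

# Syntax-check the whole file before putting it live:
#   exim -bV -C /path/to/exim.conf
```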