18.8 Limiting Users' Mail Access

Some organizations grant different users different levels of access to email. In particular, some users are allowed to send mail outside the organization and some aren't. There are many ways to set this up, but one of the simplest is to create two parallel copies of qmail on the same host, one for restricted users and one for general users. Following the instructions in Chapter 17, create two instances of qmail: the regular one, for unrestricted users and incoming mail, in /var/qmail, and the restricted one in /var/rqmail. Create accounts for all of the users so that every user has a mailbox, and set up a POP (and IMAP if you want it) server.

Set up SMTP daemons for both instances on separate IP addresses, and set up the users' PCs so that the restricted users send their outgoing mail to the restricted server and the unrestricted users send theirs to the general server. To keep the restricted users from sending any mail through the general server, add their addresses to /var/qmail/control/badmailfrom. To keep them from sending external mail from the restricted server, put this line, which makes all remote deliveries fail, into /var/rqmail/control/smtproutes:

:[127.0.0.0]

(This is a deliberately bad address that will refuse all connections.)

Another approach that's a little harder to set up but easier to administer is to use a single copy of qmail but to check the mail as users send it. If you use the old-fashioned fixup scheme described at the beginning of Chapter 7 to handle injected mail, you can check whether a user is allowed to send external mail in the fixup script. Modify ~alias/.qmail-fixup-default to something like this:

| bouncesaying 'Permission denied' [ "@$HOST" != "@fixme" ]
| ./checkrestrict
| qmail-inject -f "$SENDER" -- "$DEFAULT"

Example 18-2 checks whether the sender is in a list of authorized users.

Example 18-2. checkrestrict script for .qmail-fixme
#!/bin/sh
# inherit $SENDER and $DEFAULT from the .qmail file

case "$DEFAULT" in
    *@example.com) # our domain, always permitted
        exit 0 ;;
    *@*) # external address
        # -F -x: compare $SENDER as a literal whole line, not as a regex
        if grep -F -x -q -e "$SENDER" authorized-users
        then
            exit 0
        else
            bouncesaying "You cannot send external mail."
        fi ;;
    *) # local mail, always permitted
        exit 0 ;;
esac

This script needs to be ruggedized a little, because mail from user fred might have a sender of fred or fred@example.com depending on how his mail program is set up, and a local recipient address might be mary@EXAMPLE.COM in uppercase, but the checking remains quite simple.

If you use ofmipd, you can't easily use the fixup trick, but assuming you've applied the QMAILQUEUE patch, you can run qmail-qfilter and use a similar script that checks $QMAILUSER and $QMAILRCPTS and returns an exit code of 31 to reject the mail or 0 to permit it. (Remember that if you accept the mail, you have to copy the message from stdin to stdout, too, or the message you accept will always be empty.) Call the checking program, which can most easily be written in Perl or Python, /var/qmail/bin/checkauth, then create a script called /var/qmail/bin/authfilter to run it, as shown in Example 18-3.

Example 18-3. Run injected mail through authorization checker
#!/bin/sh
# check incoming mail
exec /var/qmail/bin/qmail-qfilter \
    /var/qmail/bin/checkauth

Then set QMAILQUEUE to /var/qmail/bin/authfilter. If you provide web mail for your users, be sure to set QMAILQUEUE when running the web mail application so it also calls the filtering script to check whether a user is allowed to send mail.
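One way to write the checkauth program described above, as an added example that is not code from the book or from the qmail-qfilter project. It assumes qmail-qfilter passes the sender's user name in $QMAILUSER and one recipient per line in $QMAILRCPTS; the authorized-users path is hypothetical, and the matching also handles the fred versus fred@example.com and uppercase-domain cases mentioned earlier.

```python
#!/usr/bin/env python3
"""checkauth: qmail-qfilter filter that limits who may send external mail."""
import os
import shutil
import sys

LOCAL_DOMAIN = "example.com"  # the page's example domain
# Hypothetical location: one authorized sender per line, e.g. "fred"
AUTH_FILE = "/var/qmail/control/authorized-users"
REJECT, ACCEPT = 31, 0  # exit codes named on the page

def local_part(addr):
    """Reduce 'Fred' or 'fred@EXAMPLE.COM' to 'fred'; keep foreign domains."""
    addr = addr.strip().lower()
    user, at, domain = addr.rpartition("@")
    if not at:
        return addr            # bare user name
    return user if domain == LOCAL_DOMAIN else addr

def is_external(rcpt):
    """True when the recipient has a domain other than ours."""
    _, at, domain = rcpt.strip().lower().rpartition("@")
    return bool(at) and domain != LOCAL_DOMAIN

def decide(sender, rcpts, authorized):
    """Return ACCEPT or REJECT for one message envelope."""
    if not any(is_external(r) for r in rcpts):
        return ACCEPT          # local-only mail is always permitted
    # Literal set membership: no character in the sender acts as a pattern.
    allowed = {local_part(a) for a in authorized if a.strip()}
    return ACCEPT if local_part(sender) in allowed else REJECT

def main():
    sender = os.environ.get("QMAILUSER", "")
    rcpts = os.environ.get("QMAILRCPTS", "").splitlines()
    try:
        with open(AUTH_FILE) as fh:
            authorized = fh.read().splitlines()
    except OSError:
        authorized = []        # fail closed: no list, no external mail
    verdict = decide(sender, rcpts, authorized)
    if verdict == ACCEPT:
        # Copy the message through, or qmail queues an empty message.
        shutil.copyfileobj(sys.stdin.buffer, sys.stdout.buffer)
    return verdict

if __name__ == "__main__":
    sys.exit(main())
```

A message with even one external recipient is rejected as a whole when the sender is not on the list, and an unreadable list blocks external mail instead of allowing it.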



qmail
ISBN: 1565926285
Year: 2006
Pages: 152
