限制特定用户收发邮件的高级访问控制方法

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

一般邮件应用稍微有一电规模的企业,大多都会涉及到这样的应用需求:

某销售A只能收到来自163.com及sina.com的邮件某技术员B只能给内部用户发邮件,不允许向外网发邮件,但可以收到外网邮件某主管可以收发内、外网邮件......

如何实现呢?Postfix 1.x就已经可以通过配置实现这些功能了。

以下是邮件列表里Noel Jones 提出的解决方案:

Hello!

I have the same problem:

1. I need to permit some internal users (not all) to send mail to any

external user (Internet)

2. I need to permite any external user to send mail to some my internal

users (not all)

In fact, the problem is: just "some" of my internal users have permission to

receive mail from and send mail to the Internet.

How can I solve this?

寄件者:Noel Jones (njones@megan.vbhcs.org)

主旨:Re: RES: User Restriction.....

View this article only

新闻群组:mailing.postfix.users

日期:2002-12-04 15:18:04 PST

At 05:39 PM 12/4/02 -0200, raissa.medeiros@caixa.gov.br wrote:

1. I need to permit some internal users (not all) to send mail to any

external user (Internet)

2. I need to permite any external user to send mail to some my internal

users (not all)

In fact, the problem is: just "some" of my internal users have permission

to receive mail from and send mail to the Internet.

How can I solve this?

Thanks,

Raissa

Restricting also who can receive mail from the internet changes the example

I posted a few minutes ago.

In the example below, the same list of restricted_users is used for

controlling both who can send and who can receive internet mail. If you

don't require the local_plus feature, just leave that part out.

in main.cf: use restriction classes to make restricted_users file more readable.

smtpd_restriction_classes = local_only, local_plus local_only =

reject_unauth_destination

permit_mynetworks

reject

local_plus =

check_recipient_access hash:/etc/postfix/local_plus

check_sender_access hash:/etc/postfix/local_plus

reject_unauth_destination

permit_mynetworks

reject

this is the default setting, required for this setup.

smtpd_delay_reject = yes we'll do this in sender restrictions to avoid open relay problems.

smtpd_sender_restrictions =

check_sender_access hash:/etc/postfix/restricted_users

check_recipient_access hash:/etc/postfix/restricted_users and in /etc/postfix/restricted_users

# /etc/postfix/restricted_users

# this file contains a list of users only allowed to send and receive local

mail

# postmap this file after changes

# local users not listed here have no restrictions

user1@miodemi.com local_only

user2@miodemi.com local_plus

and in /etc/postfix/local_plus:

# /etc/postfix/local_plus

# this file contains allowed destinations and senders

# for users restricted to local_plus

# postmap this file after changes

miproveedor.com OK

Remember to "postmap local_plus" and "postmap restricted_users" after

making changes to them.

Remember to run "postfix reload" after changing main.cf

我自己常用的限制方法有几个方法:

1) smtpd_restriction_classes = local_only

设置一个限制类别叫local_only,然后参考access(5)的格式做一个访问控制:

local_only = check_recipient_access hash:/etc/postfix/maps/my_rcpt

文件my_rcpt内容:

163.com RELAY21cn.com RELAYhzqbbc.com RELAY

然后,设置:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/maps/mysender

mysender内容:

hzqbbc@local.hzqbbc.com local_only

这样凡是Mail from:的信只能RCPT TO: 到163.com, 21cn.com及 hzqbbc.com 三个地方了。其他的都发不出去。

按这个方法,还可以设置更多的类别,例如remote_only以及不限制的帐号等。但这些都只对from:限制。而且不管是否SASL后的。所以有一定缺陷。不过,已经达到目的了。

2)使用snapshot版的policy策略

根据某个hash表或配置文件,判断对应的sender和recipient是否匹配,匹配就返回OK或者DUNNO或者RELAY等(可能RELAY已经过时,这个是postfix 1.1.x的)如果不匹配就返回错误代码

按postfix所带的smtpd-policy.pl模式,修改一下就可以使用了。详细参考POLICY_README等。

3)使用APF for postfix

详细地址:http://apf.org.cn/addon/

其实和2)方法是基本一致的。同样利用postfix内置的policy功能。

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航