Koozali.org: home of the SME Server

Restrict a set of users to local domain only

Offline pizzaco

Restrict a set of users to local domain only
« on: March 18, 2008, 09:31:59 PM »
Hi All,
I have group of email users that I want to restrict so that they can only send / receive emails to / from our local domain. In other words, they should not be able to send emails to external addresses or receive emails from external addresses. These users are at remote restaurant locations and connect through the external interface on the server. Here’s what I’ve tried so far:

1. Have the users connect on port 25 - This prevents them from sending to external domains, but doesn't stop external mail from coming in.

2. Set Visibility=internal for each user and connect on 25 - This works except that restricted users cannot send email to other restricted users.

3. Set Visibility=internal and connect on port 465 using SSL - This solves the problem in #2 but it doesn’t stop emails from going to outside domains.

I searched the forums and haven't found anything that seems workable. If anyone could point me in the right direction, I would greatly appreciate it.

Offline raem

...

Offline pizzaco

Re: Restrict a set of users to local domain only
« Reply #2 on: March 19, 2008, 04:04:32 PM »
Thanks! I'll give it a try.

Offline pizzaco

Re: Restrict a set of users to local domain only
« Reply #3 on: April 01, 2008, 11:05:47 PM »
I did these two things:

# db accounts setprop username Visible internal

To block outbound mail add the user's e-mail address into /var/qmail/control/badmailfrom. This is a templated file so create a templates-custom fragment.


Setting up badmailfrom resulted in my test user not being able to send email at all. I'm trying to find a way to allow the group of restricted users to send email to other internal users but not to external domains.

Offline pizzaco

Re: Restrict a set of users to local domain only
« Reply #4 on: April 15, 2008, 07:05:45 PM »
Here's a method I put together but would like some feedback before I actually use it on a production server:

1. Created a template fragment and named it /etc/e-smith/templates-user-custom/.qmail/09AllowOnlyFrom:
{
    # vim: ft=perl:
    # Bounce mail whose envelope sender matches none of the patterns stored in
    # the user's EmailAllowOnlyFrom property (comma-separated, e.g. @foo.com,@mydomain.com).
    die "USERNAME not set." unless defined ($USERNAME);
    use esmith::AccountsDB;
    my $adb = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB";
    my $allow_from = $adb->get_prop($USERNAME, 'EmailAllowOnlyFrom') || 'notset';
    # $OUT is left unset here so that this comment is what the fragment expands to.
    return "# EmailAllowOnlyFrom is not set for this user"
        unless ($allow_from ne 'notset');
    # Turn the comma-separated list into a GNU grep alternation: @foo.com\|@mydomain.com
    $allow_from =~ s/,/\\|/g;
    # grep -v prints $SENDER only when no pattern matches; a non-empty result makes
    # test succeed, and bouncesaying then rejects the message with a 550.
    $OUT = "|bouncesaying \"550 mail to \$RECIPIENT not accepted here (#5.1.1)\" test \"\`echo \$SENDER | grep -i -v -e \"" . $allow_from . "\"\`\" != \"\"";
}

2. Ran these commands:

db accounts setprop speedlinelab EmailAllowOnlyFrom @foo.com,@mydomain.com

signal-event email-update

3. This results in the following dot-qmail file in /home/e-smith/file/users/speedlinelab:

#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------

|bouncesaying "550 mail to $RECIPIENT not accepted here (#5.1.1)" test "`echo $SENDER | grep -i -v -e "@foo.com\|@mydomain.com"`" != ""

# sortspam disabled
# Forward not set
./Maildir/


It seems to perform properly and blocks emails from senders that are not in the allow list. I know this method isn't foolproof because senders can spoof the from address.

Does anyone have any thoughts or suggestions on this? Perhaps a better way of doing it, security concerns, or potential problems?
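The bouncesaying line above makes its decision with a shell pipeline over $SENDER at delivery time. The script below is an added example, not part of pizzaco's post or of SME Server (both function names are mine): sender_allowed_original reproduces that pipeline (same grep -i -v -e invocation) so the allow list can be exercised against constructed sender addresses before the template goes live, and sender_allowed_anchored shows the same test with the dots escaped and the patterns anchored to the end of the address, which is the change a reviewer would ask for, since the unanchored form matches the domain anywhere in the address and treats '.' as a wildcard.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the allow-list test that
# the 09AllowOnlyFrom fragment puts into the user's .qmail file, offline, with
# constructed sender addresses instead of a live $SENDER.

# The check exactly as the template emits it: grep -i -v prints the sender when
# no pattern matches, so a non-empty result means bouncesaying would fire.
# $1 = envelope sender, $2 = the alternation the template builds from the
# EmailAllowOnlyFrom property, e.g. '@foo.com\|@mydomain.com' (GNU BRE).
sender_allowed_original() {
    if test "`echo "$1" | grep -i -v -e "$2"`" != ""; then
        return 1   # no pattern matched: message would be bounced
    fi
    return 0       # a pattern matched: message would be delivered
}

# Same check with each pattern's dots escaped and the alternation anchored to
# the end of the address, so only the literal domain suffix counts as a match.
# $2 = the property value as stored in the db, e.g. '@foo.com,@mydomain.com'.
sender_allowed_anchored() {
    # '@foo.com,@mydomain.com' becomes '(@foo\.com|@mydomain\.com)$'
    pattern="($(printf '%s' "$2" | sed -e 's/\./\\./g' -e 's/,/|/g'))\$"
    printf '%s\n' "$1" | grep -i -E -q -e "$pattern"
}

# Constructed sample senders; the two columns differ only for the last address.
for s in bob@mydomain.com Alice@FOO.COM eve@other.example eve@mydomain.com.other.example; do
    sender_allowed_original "$s" '@foo.com\|@mydomain.com' && o=deliver || o=bounce
    sender_allowed_anchored "$s" '@foo.com,@mydomain.com' && a=deliver || a=bounce
    printf '%-34s original=%-7s anchored=%s\n' "$s" "$o" "$a"
done
```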


Offline janet

Re: Restrict a set of users to local domain only
« Reply #5 on: April 19, 2008, 01:58:46 AM »
pizzaco

You need to add the users (for each domain) to /var/qmail/control/badrcptto
That is done using
db accounts setprop username Visible internal
followed by
signal-event email-update

check with
db accounts show username

I have tried this on my sme 7.3 server (fully updated) with two user accounts on my server, test2 and test3, and they behave as you require.
They can send locally to other users on sme, but they cannot send externally to outside domain addresses.
Here's the error message:
*******************************************************
Hi. This is the qmail-send program at mydomain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<name@externaldomain.com>:
xxx.xx.xxx.xx does not like recipient.
Remote host said: 550 5.7.1 <name@externaldomain.com>... recipient denied, because MX 0 'mail.mydomain.com.' [yy.yyy.yyy.yyy] for <test3@mydomain.com> rejected address saying: mail to test3@mydomain.com not accepted here (#5.1.1)
Giving up on xxx.xx.xxx.xx.
*******************************************************


If I try to send a message to either of those addresses from an external email account (behind a sme server) I get an undeliverable message from mailer-daemon.
Here's the error message:
*******************************************
Hi. This is the qmail-send program at externaldomain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<test3@mydomain.com>:
yy.yyy.yyy.yyy does not like recipient.
Remote host said: 550 mail to test3@mydomain.com not accepted here (#5.1.1)
Giving up on yy.yyy.yyy.yyy.
************************************************


From a yahoo or similar online free email account, when I try to send to test3@mydomain.com I get this error
*****************************************************
Sorry, we were unable to deliver your message to the following address.

<test3@mydomain.com>:
Remote host said: 550 mail to test3@mydomain.com not accepted here (#5.1.1) [RCPT_TO]
*****************************************************

If I disable the setting with
db accounts delprop test3 Visible
signal-event email-update

I can then send from the test3 address (on a local network) to external email addresses, and also send to test3 address from external addresses.


I'm not sure what else (that I have installed) that could be affecting this, if at all, but I do have a variety of contribs installed.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline pizzaco

Re: Restrict a set of users to local domain only
« Reply #6 on: April 21, 2008, 06:13:47 PM »
Thanks for the suggestion. For whatever reason, Visible=internal only seems to block incoming emails to my box. Emails sent to external domains are not blocked. It might be because I'm still on 7.1 (an upgrade is in the works).

Offline CharlieBrady

Re: Restrict a set of users to local domain only
« Reply #7 on: April 21, 2008, 07:55:05 PM »
Thanks for the suggestion. For whatever reason, Visible=internal only seems to block incoming emails to my box.

Correct, that's all it's intended to do.

Offline janet

Re: Restrict a set of users to local domain only
« Reply #8 on: April 21, 2008, 09:46:41 PM »
Charlie

Quote
Correct, that's all it's intended to do.

That's what I thought it was only supposed to do too, from my reading & your earlier advice on the subject, but my server definitely behaves as advised in my earlier post.
Could you possibly suggest what other mechanism is causing the additional behaviour? As mentioned there are a few additional contribs installed, but I cannot deduce which, if any, are responsible or whether some other configuration I made in the past is responsible. I suppose it has something to do with this message:

<name@externaldomain.com>:
xxx.xx.xxx.xx does not like recipient.
Remote host said: 550 5.7.1 <name@externaldomain.com>... recipient denied, because MX 0 'mail.mydomain.com.' [yy.yyy.yyy.yyy] for <test3@mydomain.com> rejected address saying: mail to test3@mydomain.com not accepted here (#5.1.1)
Giving up on xxx.xx.xxx.xx.

Offline CharlieBrady

Re: Restrict a set of users to local domain only
« Reply #9 on: April 21, 2008, 09:52:18 PM »
Charlie

That's what I thought it was only supposed to do too, from my reading & your earlier advice on the subject, but my server definitely behaves as advised in my earlier post.
Could you possibly suggest what other mechanism is causing the additional behaviour? As mentioned there are a few additional contribs installed, but I cannot deduce which, if any, are responsible or whether some other configuration I made in the past is responsible. I suppose it has something to do with this message:

<name@externaldomain.com>:
xxx.xx.xxx.xx does not like recipient.
Remote host said: 550 5.7.1 <name@externaldomain.com>... recipient denied, because MX 0 'mail.mydomain.com.' [yy.yyy.yyy.yyy] for <test3@mydomain.com> rejected address saying: mail to test3@mydomain.com not accepted here (#5.1.1)
Giving up on xxx.xx.xxx.xx.


The server at "externaldomain.com" is refusing to accept mail from test3@mydomain.com because such messages cannot be replied to.

Note that there is nothing that you can do to affect the choice of anti-spam rules applied by externaldomain.com. Accounts with 'Visible' set to 'internal' should not be sending outbound email - or at least, not if they want to receive replies and/or bounces.

Perhaps SME server shouldn't allow 'relay' privileges for such accounts.

« Last Edit: April 21, 2008, 09:55:36 PM by CharlieBrady »

Offline janet

Re: Restrict a set of users to local domain only
« Reply #10 on: April 21, 2008, 10:18:49 PM »
Charlie

Thanks for your feedback

Quote
The server at "externaldomain.com" is refusing to accept mail from test3@mydomain.com because such messages cannot be replied to.

This behaviour therefore adds to the overall effect for users with "Visible internal" set, to only be able to send and receive local messages, behaviour that quite a few people seem desirous of having.


Quote
Note that there is nothing that you can do to affect the choice of anti-spam rules applied by externaldomain.com.

I'm sure though that the same effect happens when sending to other external domains, so I don't think it is the recipient server (although that's a guess), but I'm wondering is it my ISP? My server sends mail via the ISP's smtp server and I do have Reverse DNS records for my domain configured by the ISP.

Based on this part of the message:
"because MX 0 'mail.mydomain.com.' [yy.yyy.yyy.yyy] for <test3@mydomain.com> rejected address"

Is this behaviour due to the ISP's mail server rejecting messages from accounts on my server that cannot receive?

Offline CharlieBrady

Re: Restrict a set of users to local domain only
« Reply #11 on: April 21, 2008, 10:32:12 PM »
Based on this part of the message:
"because MX 0 'mail.mydomain.com.' [yy.yyy.yyy.yyy] for <test3@mydomain.com> rejected address"

Is this behaviour due to the ISP's mail server rejecting messages from accounts on my server that cannot receive?

Yes.

Offline janet

Re: Restrict a set of users to local domain only
« Reply #12 on: April 21, 2008, 10:58:37 PM »
Charlie

Thank you for your confirmation and pointing me in the right direction to work out why this behaviour is happening.

Other users who want to avail of this additional behavioural characteristic should then also ensure appropriate external records/settings are in place.

Offline kryptos

Re: Restrict a set of users to local domain only
« Reply #13 on: June 07, 2008, 08:20:30 AM »
Hi all,

Quote
You need to add the users (for each domain) to  /var/qmail/control/badrcptto
That is done using
db accounts setprop username Visible internal
followed by
signal-event email-update

If I use this (db accounts setprop groupname Visible internal) will this mean that it affects all users belonging to that group? And how do I add this to /var/qmail/control/badrcptto? Is it templated? I want to restrict local users from sending or receiving to other domains; I want them only to send/receive internally.

Regards,
Rocel

Offline CharlieBrady

Re: Restrict a set of users to local domain only
« Reply #14 on: June 07, 2008, 03:47:43 PM »
If I use this (db accounts setprop groupname Visible internal) will this mean that it affects all users belonging to that group?

No, it only applies to the group email address.

Quote
and how do I add this to /var/qmail/control/badrcptto?

Add what?

Quote
Is it templated?

Are you too lazy to look?

Quote
I want to restrict local users from sending or receiving to other domains; I want them only to send/receive internally.

All local users? You can do that by using a custom template to set qpsmtpd and sqpsmtpd up to have no local networks. You might be able to do that by setting the access property in the configuration db to 'localhost' rather than 'private' (if so, you wouldn't need a custom template).