Hi, I'm sure that this has been solved, but I can't find the answers and I'm having trouble crafting a solution.
Running exim4 4.8+ (with split setup) / dovecot 1:2.1+ -- with system user auth and virtual users with exim4.

Each system user login can use ANY email address for "sender and/or reply-to" for domains that the server is the mail exchanger for; that is, they are not restricted to their /own/ authorized set of email addresses. The system user aaa can send email as [email protected] as well as [email protected] -- they do need to "auth" to send, but what should happen is that the user needs to be restricted to sending as [email protected] and/or perhaps additional other email address(es) such as [email protected], but not as bbb@.

The system user "aaa" may receive emails for, say, the following: sales@ info@ accounts@ aaa@

Whilst system user "bbb" may receive emails for, say, the following: sales@ info@ bbb@ [not accounts@ for instance]

This can be multiplied by adding similar domains such as: example.com example.net.au example.com.au

Each of the additional domains may have their own set of authorized emails for the system user; either aaa or bbb system user in this example.

The point is, I need to restrict users (even ones logged in and authenticated, which includes every user) to be able to send emails ONLY for address(es) to which they are specifically authorized to do so. The users have their own distinct system logins (not shared), they each have a set of email addresses that they are allowed to be the sender for -- but they need to be limited to only those address(es). In the above example, aaa may be allowed to send as accounts@ but bbb should not be allowed to send as accounts@. Both users aaa and bbb might be allowed to send as info@ as well.

There are other domain names that the server is also the mail exchanger for, but they are otherwise completely unrelated to the ones above; those other domains will have their own system users and set of authorized address(es) that they can send from.
The users securely log in to send email via dovecot with TLS over port 465, or perhaps using a webmail (SquirrelMail) interface, which in turn will also use dovecot via localhost.

I would like for there to be a simple and secured text file for each system login that contains ALL of the authorized email addresses that the system user is authorized to send email as -- sending should fail if the authenticated user tries to send as some address that is not authorized for them to use. An alert to admin or root would be good too for mis-use. The idea is that system users shouldn't be able to improperly use any email address that they are otherwise not authorized to use.

What is the best way to enforce these restrictions?

Kind Regards
AndrewM
_______________________________________________ Dng mailing list [email protected] https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
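One way to enforce the restriction described in the post, as an added example that is not part of the original message or of Debian's shipped exim4 configuration. It assumes Debian's split config (conf.d/main for the macro, and that acl_check_mail and acl_check_data already exist in conf.d/acl/ and are wired to acl_smtp_mail and acl_smtp_data), that the dovecot authenticator sets `server_set_id` so `$authenticated_id` holds the system login, and that the lookup file path, its contents and the example.com addresses are constructed placeholders. The envelope sender is checked at MAIL FROM and the From:/Reply-To: headers at DATA, so a user cannot bypass the envelope check by forging headers; the `logwrite` to the panic log gives root the "alert on misuse" the post asks for.

```exim
# --- conf.d/main/000_localmacros (assumed file name) ---------------------
# Per-login allow list: key is the system login ($authenticated_id), value
# is a colon-separated list of addresses that login may send as.
# Constructed sample contents of the file (root:Debian-exim, mode 640):
#   aaa: aaa@example.com : accounts@example.com : info@example.com : sales@example.com
#   bbb: bbb@example.com : info@example.com : sales@example.com
AUTHORIZED_SENDERS = /etc/exim4/authorized_senders

# Expands to that login's list, or to an empty list (matches nothing) when
# the login is absent from the file, so unknown logins are denied outright.
ALLOWED_FOR_USER = ${lookup{$authenticated_id}lsearch{AUTHORIZED_SENDERS}{$value}{}}

# --- conf.d/acl/30_exim4-config_check_mail (merge into existing ACL) -----
acl_check_mail:
  # Envelope sender must be on the authenticated login's allow list.
  deny
    authenticated = *
    !senders      = ALLOWED_FOR_USER
    message       = $authenticated_id is not permitted to send as $sender_address
    log_message   = sender not authorized: user=$authenticated_id envelope=$sender_address
    logwrite      = :panic: sender not authorized: user=$authenticated_id envelope=$sender_address

  accept

# --- conf.d/acl/40_exim4-config_check_data (merge into existing ACL) -----
acl_check_data:
  # Header From: must also be on the allow list (only when the header exists).
  deny
    authenticated = *
    condition     = ${if def:h_from:}
    !condition    = ${if match_address{${address:$h_from:}}{ALLOWED_FOR_USER}}
    message       = From: header address not permitted for $authenticated_id
    logwrite      = :panic: From: not authorized: user=$authenticated_id from=${address:$h_from:}

  # Same rule for Reply-To:, which the post also wants restricted.
  deny
    authenticated = *
    condition     = ${if def:h_reply-to:}
    !condition    = ${if match_address{${address:$h_reply-to:}}{ALLOWED_FOR_USER}}
    message       = Reply-To: header address not permitted for $authenticated_id
    logwrite      = :panic: Reply-To: not authorized: user=$authenticated_id reply_to=${address:$h_reply-to:}

  accept
```

After editing, run `update-exim4.conf` and `exim4 -bV` to check the generated configuration parses, then test with `exim4 -bh` or by sending through an authenticated client as each user. Because the panic log is what most Debian installs watch for operator alerts, the `logwrite = :panic:` lines are what turns a rejected attempt into something root sees; drop them if that log is too noisy for your site.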
