> From:  Bruno Negrão <[EMAIL PROTECTED]>
> Date:  Mon, 13 Jun 2005 17:11:07 -0300
>
> Hi guys,
> 
> As managers and directors of the companies are getting more acquainted
> with the Internet use (and abuse) inside their companies, they want to
> have more and more control over what employees can and cannot do on the
> Internet.
> 
> Now, the director of one of the companies I give support to asked me to set a
> bunch of e-mail accounts as internal-only, i.e., they can send e-mail
> internally but cannot send or receive external e-mails.
> 
> As I recognized that his need probably will also be desired for a lot of
> other companies, I think it's worth discussing here which would be the most
> appropriate manner to achieve this feature with Qmail-LDAP.
> 
> 
> THE IDEAL SCENE:
> 
> The ideal scene for me would be if qmail-ldap could provide a means for
> doing this. To set the internal-only account I'd like that every user
> account could have a property, like "internalOnly", that I could simply
> set to "yes" or "no":
> 
>     internalOnly: yes
> 
> I have no idea of how this could be implemented by qmail-ldap. Can someone
> out there imagine something?

Because you're trying to stop abuse, you need to make sure that you design 
things so that they can't be easily gotten around.  The first question to ask 
is do you want to determine good users by IP address or by user id.  IMHO, IP 
addresses are easier to implement, but harder to manage.  To implement an 
"internalOnly" flag on the user objects as you describe you'd first have to 
make sure that people are validated to send as the user in the from line.  
This would mean implementing OFMIP (Old-Fashioned Mail Injection Protocol) 
which is basically SMTP on another port that requires validation.  Your OFMIP 
daemon would then simply check the LDAP database and not allow mail to be sent 
externally if it's turned on.  This can be done without touching any of the 
qmail-ldap code at all.  You might try hacking the TMDA OFMIPD code.  I'm sure 
there are other OFMIPD implementations out there as well, some of which might 
be trivial to hack in this way.

Chris

-- 
Chris Garrigues                         Trinsic Solutions
President                               1611-B West 6th Street
                                        Austin, TX  78703-5074

512-322-0180                            http://www.trinsics.com

                 Would you rather proactively pay for
                uptime or reactively pay for downtime?

                          Trinsic Solutions
                 Your Proactive IT Management Partner
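
The check described in the reply above, as an added example that is not part of the original message or of TMDA's code: the per-recipient decision an authenticated submission daemon could make. The dict stands in for the LDAP lookup; the `internalOnly` attribute values, the domain list, the function names and the fail-closed default are assumptions.

```python
# Added example: constructed stand-in for the LDAP directory. A real daemon
# would query LDAP for the authenticated user's entry instead.
DIRECTORY = {
    "alice": {"mail": "alice@example.com", "internalOnly": "yes"},
    "bob": {"mail": "bob@example.com", "internalOnly": "no"},
    "carol": {"mail": "carol@example.com"},  # attribute missing
}
LOCAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed internal domains


def domain_of(address):
    """Return the normalized domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


def check_rcpt(auth_user, mail_from, rcpt_to, directory=DIRECTORY):
    """Decide one RCPT TO for an authenticated session: (allowed, reason)."""
    entry = directory.get(auth_user)
    if entry is None:
        return False, "unknown authenticated user"
    # The flag only means something if the sender cannot borrow another
    # identity, so the envelope sender must match the authenticated account.
    if mail_from.strip().lower() != entry["mail"].lower():
        return False, "sender does not match authenticated user"
    rcpt_domain = domain_of(rcpt_to)
    if rcpt_domain is None:
        return False, "malformed recipient"
    if rcpt_domain in LOCAL_DOMAINS:  # exact match, not a suffix test
        return True, "internal recipient"
    # Assumption: fail closed, so only an explicit "no" permits external mail.
    if entry.get("internalOnly", "yes").strip().lower() != "no":
        return False, "account is internal-only"
    return True, "external recipient permitted"
```

This covers only the authenticated submission path; any other route that accepts mail from these users without authentication bypasses the check.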
