Re: [vchkpw] Request for new feature: Internal-only accounts
On Tuesday 14 June 2005 19:53, Bruno Negrão wrote:
> Wouldn't the string NOQUOTA be exactly in the place where there is a 60MB in my example above?

Yes, sorry. I'm blind!

> But this feature is still useful

I'm not sure how...what is the use you see? How on earth do you really intend to stop these people from sending mail? You have to force them to use your SMTP server, and block nearly all of their access to the internet to ensure they can't send E-mail, and you better hope they don't go home and send mail from their work account from there.

If it's an attempt to increase productivity, it won't work. At every corporation I've been at that has network restrictions, the majority of people spend more time trying to get their work done around them than anything else. The last one I worked at had only ports 80 and 443 open, which made everything really difficult to do. You'd hear people talking on the phone complaining about "the d*** firewall" and related problems all day long. Those of us who were more technical set up SSH servers on port 80 and tunneled everything anyways. You can do that even on a Windows machine without local administrative rights, which I later just took home and formatted out of frustration (after that I worked much more efficiently ;-) ).

> there are commercial mail servers providing it

There are commercial mail servers providing lots of things that are bad ideas. And most mail servers have at least one oddball feature that you won't find in any other package. One of my favorite quotes is "It is better not to do something than to do it poorly." (from Andreas Hanssen, author of BincIMAP). This is one of those things that cannot be done well because of how the SMTP mail infrastructure works. If it only works 90% of the time, that's what I call "broken", or a flawed idea.

> so I want to be able to do this with qmail and vpopmail (or other add-on software that can do this in place of vpopmail)

Well it's certainly possible to create something...likely you won't want to accept these at the SMTP level at all, so the best solution I can think of would be to write a custom SMTP server like rblsmtpd that instead of checking RBLs, checked a local database for an allowed recipient domains list for the account trying to send, or simply a boolean external value as you propose.

Cheers,
--
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM & Yahoo: SomeLinuxGuy | ICQ: 1494523
SeattleServer.com, Inc. | http://www.seattleserver.com
Re: [vchkpw] Request for new feature: Internal-only accounts
Bruno Negrão wrote:
> Hi Casey,
>
>>> patrick:$1$oza9XaY.qO8uXhlaR701:1:0:patrick is internal only:/var/vpopmail/domains/exampledom.com.br/patrick:60MB:textpasswd:INTERNAL
>>
>> You'd at least need an extra colon before INTERNAL, because there's already the optional NOQUOTA property.
>
> Wouldn't the string NOQUOTA be exactly in the place where there is a 60MB in my example above?
>
> I understand your point. Makes sense. But this feature is still useful, and there are commercial mail servers providing it, so I want to be able to do this with qmail and vpopmail (or other add-on software that can do this in place of vpopmail)
>
> I will try with vpopmail more. The vpopmail developers didn't show up until now to give their opinion, maybe they're too busy. Let's wait.

Hi,

While not a developer per se, I do help with a lot of testing etc and I think the preferred place to put a flag like that is in the gid field with all of the other flags.

While the idea does have merit, most of the development occurs to fix bugs or if one of the developers has a particular itch to scratch. I don't think we'll be seeing this in vpopmail until a C programmer needs it or someone is willing to pay for it.

I'll poke around in the code and see if I can guesstimate how much work it would be to add it.

You are correct about the NOQUOTA location though, it does go where the 60MB in your example is.

HTH,
Rick
Re: [vchkpw] Request for new feature: Internal-only accounts
Hi Casey,

>> patrick:$1$oza9XaY.qO8uXhlaR701:1:0:patrick is internal only:/var/vpopmail/domains/exampledom.com.br/patrick:60MB:textpasswd:INTERNAL
>
> You'd at least need an extra colon before INTERNAL, because there's already the optional NOQUOTA property.

Wouldn't the string NOQUOTA be exactly in the place where there is a 60MB in my example above?

> I don't work for a large corporation anymore (thank the gods) and I know their opinions on things differ greatly from mine and often what is logical in anyone's mind, but my gut feeling on this is that if you can't trust an employee enough to allow them to send email out, then you shouldn't give that employee a half-arsed E-mail account at all.

I understand your point. Makes sense. But this feature is still useful, and there are commercial mail servers providing it, so I want to be able to do this with qmail and vpopmail (or other add-on software that can do this in place of vpopmail)

I will try with vpopmail more. The vpopmail developers didn't show up until now to give their opinion, maybe they're too busy. Let's wait.

regards,
- Bruno Negrão - Network Manager
Engepel Teleinformática. 55-31-34812311
Belo Horizonte, MG, Brazil
Re: [vchkpw] Request for new feature: Internal-only accounts
On Tuesday 14 June 2005 12:58, Bruno Negrão wrote:
> If vpopmail starts supporting a new user property, "INTERNAL", inside vpasswd file, like the prototype below:
>
> patrick:$1$oza9XaY.qO8uXhlaR701:1:0:patrick is internal only:/var/vpopmail/domains/exampledom.com.br/patrick:60MB:textpasswd:INTERNAL

You'd at least need an extra colon before INTERNAL, because there's already the optional NOQUOTA property.

I don't work for a large corporation anymore (thank the gods) and I know their opinions on things differ greatly from mine and often what is logical in anyone's mind, but my gut feeling on this is that if you can't trust an employee enough to allow them to send email out, then you shouldn't give that employee a half-arsed E-mail account at all.

Sometimes the client needs to be told when their idea is just plain stupid (in the nicest manner possible of course ;-) ).

Cheers,
--
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM & Yahoo: SomeLinuxGuy | ICQ: 1494523
SeattleServer.com, Inc. | http://www.seattleserver.com
Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
> This could also be done with a flag in the vadduser/vmoduser programs?

Yes, perfect!

KBO (or some vpopmail developer), are you reading this thread?

Regards,
bnegrao
RE: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
> If vpopmail starts supporting a new user property, "INTERNAL", inside vpasswd file, like the prototype below:
>
> patrick:$1$oza9XaY.qO8uXhlaR701:1:0:patrick is internal only:/var/vpopmail/domains/exampledom.com.br/patrick:60MB:textpasswd:INTERNAL

The only qualm I see with that is how upgrades would be handled for mysql backend users. If users didn't read the docs carefully, they would end up with column not found errors when the internal flag was checked. Of course, if people don't read the upgrade docs, is it really a developer problem?

> And added a tool like 'vsetinternaluser' to set this parameter inside vpasswd file,
> And provided this program to be added by QMAILQUEUE variable, which would look for the INTERNAL property inside each vpasswd file,

This could also be done with a flag in the vadduser/vmoduser programs?

Regards,
Andrew Preece
Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
Guys,

With the QMAILQUEUE patch it's possible to add a program that scans the passing messages (local and remote) and blocks some of them, based on certain criteria. Correct? (that's how inter7's simscan software works)

With this, I could add a program to filter the passing messages to block the internal<-to->external messages only for the internal-only accounts. The program would get the internal-only accounts list from a text file with the list of internal-only accounts.

What do you think of this idea?

Going on with this idea I see a possibility for vpopmail.

If vpopmail starts supporting a new user property, "INTERNAL", inside vpasswd file, like the prototype below:

patrick:$1$oza9XaY.qO8uXhlaR701:1:0:patrick is internal only:/var/vpopmail/domains/exampledom.com.br/patrick:60MB:textpasswd:INTERNAL

And added a tool like 'vsetinternaluser' to set this parameter inside vpasswd file,

And provided this program to be added by QMAILQUEUE variable, which would look for the INTERNAL property inside each vpasswd file,

Then we would have this feature fully implemented.

Someone agree?

Regards,
- Bruno Negrão - Network Manager
Engepel Teleinformática. 55-31-34812311
Belo Horizonte, MG, Brazil
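The QMAILQUEUE filter proposed in the message above, written out as an added example; it is not code from the thread, from qmail or from vpopmail. It reads the qmail-queue envelope from fd 1, applies the internal-only rule in both directions, and hands accepted mail to the real qmail-queue. The `internalonly` control file is hypothetical, and using `rcpthosts` (exact domain names only) as the list of local domains is an assumption.

```python
# Added example, not code from the thread: policy wrapper run via QMAILQUEUE.
import os, subprocess, sys

REAL_QUEUE = "/var/qmail/bin/qmail-queue"          # stock qmail location
INTERNAL_LIST = "/var/qmail/control/internalonly"  # hypothetical: one address per line
LOCAL_DOMAINS = "/var/qmail/control/rcpthosts"     # assumed: exact domain names only

def parse_envelope(raw):
    """Envelope read from fd 1: b'F<sender>\\0', b'T<rcpt>\\0' per recipient, final b'\\0'."""
    head, _, rest = raw.partition(b"\0")
    fields = rest[:-2].split(b"\0")
    if not (head.startswith(b"F") and rest.endswith(b"\0\0")
            and all(f.startswith(b"T") for f in fields)):
        raise ValueError("malformed envelope")
    addr = lambda field: field[1:].decode("latin-1").lower()
    return addr(head), [addr(f) for f in fields]

def allowed(sender, rcpts, internal, local_domains):
    """False if the message crosses the boundary for any internal-only account."""
    is_local = lambda a: a.rpartition("@")[2] in local_domains  # null sender: external
    for rcpt in rcpts:
        if sender in internal and not is_local(rcpt):
            return False  # internal-only account sending to an outside domain
        if rcpt in internal and not is_local(sender):
            return False  # outside sender (or bounce) reaching an internal-only account
    return True

def load(path):
    with open(path) as fh:
        return {ln.strip().lower() for ln in fh if ln.strip() and not ln.startswith("#")}

def main():
    raw = os.fdopen(1, "rb", closefd=False).read()
    try:
        sender, rcpts = parse_envelope(raw)
    except ValueError:
        return 91  # qmail-queue exit code: envelope format error
    if not allowed(sender, rcpts, load(INTERNAL_LIST), load(LOCAL_DOMAINS)):
        return 31  # qmail-queue interface: permanent rejection
    r, w = os.pipe()
    child = subprocess.Popen([REAL_QUEUE], stdout=r)  # message is still unread on fd 0
    os.close(r)
    with os.fdopen(w, "wb") as out:
        out.write(raw)  # replay the envelope on the child's fd 1
    return child.wait()

if __name__ == "__main__":
    sys.exit(main())
```

The envelope sender is whatever the client gave in MAIL FROM, so the sender-side check only means something if the SMTP server ties that address to the authenticated account. The filter also sees only mail that passes through this server.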
Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
Bruno Negrão wrote:
> Thanks Tom, but this is not what I'm looking for. I want that, in the same domain and network, some users can send-receive external emails and some users are internal-only.
>
> regards,
> bruno

place a second, relay-only server, and block there. the main server will be used from the clients, then the mail will be relayed to the second server if needed.

anyway, it would be a nice feature. but, imho, will be too complicated to implement, in qmail+vpopmail.

wwell edi
Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
Thanks Tom, but this is not what I'm looking for. I want that, in the same domain and network, some users can send-receive external emails and some users are internal-only.

regards,
bruno

- Original Message -
From: "Tom Collins" <[EMAIL PROTECTED]>
To:
Sent: Monday, June 13, 2005 6:12 PM
Subject: Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS

On Jun 13, 2005, at 12:22 PM, Bruno Negrão wrote:
> Now, the director of one of the companies I give support asked me to set a bunch of e-mail accounts as internal-only, i.e., they can send e-mail internally but cannot send or receive external e-mails.

It would have to take place entirely in qmail-smtpd, I would think. If it's a single, dedicated server, it should be a simple patch to qmail-smtpd to make sure that both the sender's domain and the recipient's domain are in /var/qmail/control/locals.

You could probably accomplish this if you don't publish an MX record for the domain -- only mail submitted directly to the server will be delivered, and that would only be messages sent by these clients. Disable qmail-remote on the server and it will be impossible for it to send mail to remote servers.

Keep in mind that you will need to have the users' email clients use your smtp server for outbound email. If they point to their ISP's server, you can't prevent them from sending to external addresses.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
just run another mail server. on a different machine or port. better on a different machine - if you want to have really "internal" mail, you must have "internal" server - meaning security.

wwell edi

Bruno Negrão wrote:
> Hi guys,
>
> As managers and directors of the companies are getting more acquainted about the Internet use (and abuse) inside their companies, they want to have more and more control over what employees can and cannot do on the Internet.
>
> Now, the director of one of the companies I give support asked me to set a bunch of e-mail accounts as internal-only, i.e., they can send e-mail internally but cannot send or receive external e-mails.
>
> As I recognized that his need probably will also be desired for a lot of other companies, I think it's worth to discuss here which would be the most appropriate manner to achieve this feature with Qmail and Vpopmail.
>
> THE IDEAL SCENE:
> The ideal scene for me would be if vpopmail could provide a means for doing this. To set the internal-only account I'd like to end up going to Qmailadmin, editing the properties of some user account, and just checking the new check-box: "( ) Internal-only account";
>
> I have no idea of how this could be implemented by vpopmail. Can someone out there imagine something?
>
> IDEAS:
> Until now, the only thing that occurs to me in order to accomplish this, is to edit (manually) the famous /var/vpopmail/tcp.smtp file and laboriously add a bunch of IP addresses, of each internal-only user, unsetting the RELAYCLIENT variable for each one of them. This would prevent the users from sending e-mails to external domains. But they could receive external e-mails (although they would not be able to answer the e-mails).
>
> Or, suddenly, I could set the IPs of all internal-only user's machines inside a specified IP range, and I would disable RELAYCLIENT just for this range. I should explain this change to my customer, and they should follow the IP range specification.
>
> Still, I would be relying on tcp.smtp file to accomplish this.
>
> Further ideas?
>
> Regards,
> - Bruno Negrão - Support Analyst
> Engepel Teleinformática. 55-31-34812311
> Belo Horizonte, MG, Brazil
Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
On Jun 13, 2005, at 12:22 PM, Bruno Negrão wrote:
> Now, the director of one of the companies I give support asked me to set a bunch of e-mail accounts as internal-only, i.e., they can send e-mail internally but cannot send or receive external e-mails.

It would have to take place entirely in qmail-smtpd, I would think. If it's a single, dedicated server, it should be a simple patch to qmail-smtpd to make sure that both the sender's domain and the recipient's domain are in /var/qmail/control/locals.

You could probably accomplish this if you don't publish an MX record for the domain -- only mail submitted directly to the server will be delivered, and that would only be messages sent by these clients. Disable qmail-remote on the server and it will be impossible for it to send mail to remote servers.

Keep in mind that you will need to have the users' email clients use your smtp server for outbound email. If they point to their ISP's server, you can't prevent them from sending to external addresses.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
Hi Nick,

> Sounds not terribly difficult, and does actually sound pretty useful. Similar functionality exists in commercial servers like Exchange and Domino, so obviously other folks find it useful.

Good to know that other mailservers already implement this feature. Maybe this helps to motivate the developers to run for a solution. Also, now I know what servers I can install if that director crazily wants this feature NOW!!

Regards,
- Bruno Negrão - Network Manager
Engepel Teleinformática. 55-31-34812311
Belo Horizonte, MG, Brazil
RE: [vchkpw] REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
> The ideal scene for me would be if vpopmail could provide a means for doing this. To set the internal-only account I'd like to end up going to Qmailadmin, editing the properties of some user account, and just checking the new check-box: "( ) Internal-only account";

Look at how vpopmail implements things like disabling inbound mail and disabling smtp auth functionality. What you're looking for would require qmail integration, or integration with the chkuser patches. Then you could add flags for disable external relay, and disable external inbound mail.

> I have no idea of how this could be implemented by vpopmail. Can someone out there imagine something?

Sounds not terribly difficult, and does actually sound pretty useful. Similar functionality exists in commercial servers like Exchange and Domino, so obviously other folks find it useful.

Hope that helps,
Nick