[Kolab-devel] Goal of kolab policy server

Fabio Pietrosanti lists at infosecurity.ch
Tue Dec 4 13:54:28 CET 2007


Alain Spineux wrote:
> On Dec 4, 2007 11:57 AM, Fabio Pietrosanti <lists at infosecurity.ch> wrote:
>   
>> Can someone briefly explain the goal of the kolab policy server?
>>
>> Which are the policies that it applies?
>>
>> I would like to evaluate if those "policy enforcement" can be done
>> directly with postfix's feature instead of using a policyserver.
>>     
>
> It checks if the authenticated user matches the sender of the email and if
> the user can send an email to some distribution list.
>   
Mmm, regarding the matching of authorized sender for a specific
authenticated user, we can use the standard postfix feature:

smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_sender_login_maps = (with an ldap lookup)

reject_sender_login_mismatch
Reject the request when $smtpd_sender_login_maps specifies an owner for
the MAIL FROM address, but the client is not (SASL) logged in as that
MAIL FROM address owner; or when the client is (SASL) logged in, but the
client login name doesn't own the MAIL FROM address according to
$smtpd_sender_login_maps.

smtpd_sender_login_maps
Optional lookup table with the SASL login names that own sender (MAIL
FROM) addresses.

Specify zero or more "type:table" lookup tables. With lookups from
indexed files such as DB or DBM, or from networked tables such as NIS,
LDAP or SQL, the following search operations are done with a sender
address of user@domain:

1) user@domain
This table lookup is always done and has the highest precedence.
2) user
This table lookup is done only when the domain part of the sender
address matches $myorigin, $mydestination, $inet_interfaces or
$proxy_interfaces.
3) @domain
This table lookup is done last and has the lowest precedence.



Which are the rules for the distribution list authorization or not?
We could use the smtpd_sender_restrictions to match this kind of condition.

I would be happy to provide all the configurations useful to use
built-in postfix features instead of custom code.

> And probably soon, if not already, limit the recipient's domains for some user.
>   
Any more info on that side?
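
Added example (not part of the original message, and not Postfix or Kolab code): a simplified Python model of the smtpd_sender_login_maps search order and the reject_sender_login_mismatch decision quoted above. The table contents, the LOCAL_DOMAINS set and the function names are constructed for illustration; splitting the lookup result on commas and whitespace follows the Postfix documentation for this parameter.

```python
# Added example: simplified model of the documented behaviour, not Postfix code.
# Constructed sample table: sender key -> SASL login names that own it.
LOGIN_MAP = {
    "alice@example.org": "alice",
    "sales@example.org": "alice, bob",   # several owners for one address
    "root": "admin",                     # bare "user" key
    "vip@example.net": "dave",
    "@example.net": "carol",             # catch-all for a domain
}
# Stand-in for $myorigin, $mydestination, $inet_interfaces, $proxy_interfaces.
LOCAL_DOMAINS = {"example.org"}


def find_owners(sender, login_map, local_domains):
    """Return the set of logins owning `sender`, or None for "not found"."""
    user, at, domain = sender.rpartition("@")
    keys = [sender]                       # 1) user@domain, highest precedence
    if at and domain in local_domains:
        keys.append(user)                 # 2) user, only for local domains
    if at:
        keys.append("@" + domain)         # 3) @domain, lowest precedence
    for key in keys:
        if key in login_map:              # first match wins
            return set(login_map[key].replace(",", " ").split())
    return None


def sender_login_mismatch(sender, sasl_login, login_map, local_domains):
    """True when reject_sender_login_mismatch would reject this MAIL FROM."""
    owners = find_owners(sender, login_map, local_domains)
    if sasl_login is None:
        # Not logged in: reject only if the address has an owner.
        return owners is not None
    # Logged in: reject unless this login owns the address.
    return owners is None or sasl_login not in owners


if __name__ == "__main__":
    for sender, login in [("alice@example.org", "alice"),
                          ("alice@example.org", "bob"),
                          ("alice@example.org", None),
                          ("root@example.org", "admin"),
                          ("vip@example.net", "carol"),
                          ("stranger@elsewhere.test", "alice")]:
        verdict = "REJECT" if sender_login_mismatch(
            sender, login, LOGIN_MAP, LOCAL_DOMAINS) else "ok"
        print(f"{sender:26} login={login!s:6} {verdict}")
```

In this model a logged-in client is rejected for any sender address the table does not list, so the table (an LDAP lookup in the proposal above) has to cover every address a user is allowed to send as.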