PMDF System Manager's Guide

16.1.1 The SEND_ACCESS and ORIG_SEND_ACCESS Mappings

The SEND_ACCESS and ORIG_SEND_ACCESS mapping tables can be used to control who can or can not send mail, receive mail, or both. The access checks have available by default:

a message's envelope From: address
a message's envelope To: address
what channel the message came in on
what channel the message would attempt to go out on

If the ACCESS_ORCPT option is specified as 1 in the PMDF option file, then a fifth piece of information is added to the probe: the original recipient information (the value of the ORCPT option in the SMTP protocol exchange).

Note that when the To: addresses are irrelevant and only the From: address matters, then use of the FROM_ACCESS mapping table, described below in Section 16.1.3, can be more convenient and efficient.

If a SEND_ACCESS or ORIG_SEND_ACCESS mapping table exists, then for each recipient of every message passing through PMDF, PMDF will probe the table by default with a probe string of the form (note the use of the vertical bar character, |):

src-channel|from-address|dst-channel|to-address

If the ACCESS_ORCPT option is set to 1, then the probe string form is:

src-channel|from-address|dst-channel|to-address|orcpt-address

where

src-channel is the channel originating the message (i.e., queueing the message);
from-address is the address of the message's originator;
dst-channel is the channel to which the message will be queued;
to-address is the address to which the message is addressed;
orcpt-address is the original recipient address (ORCPT).

The use of an asterisk in any of these fields causes that field to match any channel or address, as appropriate.

The addresses here are envelope addresses, that is, envelope From: address and envelope To: address. In the case of SEND_ACCESS, the envelope To: address is checked after rewriting, alias expansion, etc., have been performed; in the case of ORIG_SEND_ACCESS the originally specified envelope To: address is checked after rewriting, but before alias expansion.

If the probe string matches a pattern (i.e., the left hand side of an entry in the table), then the resulting output of the mapping is checked. If the output contains the flags $Y or $y, then the enqueue for that particular To: address is permitted. If the mapping output contains any of the flags $N, $n, $F, or $f, then the enqueue to that particular address is rejected. In the case of a rejection, optional rejection text can be supplied in the mapping output. This string will be included in the rejection error PMDF issues.¹ If no string is output (other than the $N, $n, $F, or $f flag), then default rejection text will be used. See Table 16-1 for descriptions of additional flags.

In the following example, note that mail sent from OpenVMS user agents such as VMS MAIL, PMDF MAIL, etc., or from UNIX user agents such as mail, Pine, etc., originates from the local, l, channel and messages to the Internet go out a TCP/IP channel of some sort. Now, suppose that local users, with the exception of the postmaster, are not allowed to send mail to the Internet but can receive mail from there. Then the SEND_ACCESS mapping table shown in Example 16-1 is one possible way to enforce this restriction. In that example, the local host name is assumed to be example.com. In the channel name "tcp_*", a wild card is used so as to match any possible TCP/IP channel name (e.g., tcp_local, tcp_gateway, etc.). In the rejection message, dollar signs are used to quote spaces in the message. Without those dollar signs, the rejection would be ended prematurely and only read "Internet" instead of "Internet postings are not permitted". Note that this example ignores other possible sources of "local" postings such as from PC based mail systems or POP or IMAP clients.

Example 16-1 Restricting Internet Mail Access

SEND_ACCESS *|postmaster@example.com|*|* $Y *|*|*|postmaster@example.com $Y l|*@example.com|tcp_*|* $NInternet$ postings$ are$ not$ permitted

Table 16-1 Access Mapping Flags®
Flag Description

$B Redirect the message to the bitbucket

$H Hold the message as a .HELD file

$Y Allow access

Flags with arguments, in argument reading order+

$J address Replace original envelope From: address with specified address §

$K address Replace original Sender: address with specified address §

$I user| identifier Check specified user for specified identifier (OpenVMS) or groupid (UNIX)

$ < string Send string as an OPCOM broadcast (OpenVMS) or to syslog (UNIX) or to the event log (NT) if probe matches++

$> string Send string as an OPCOM broadcast (OpenVMS) or to syslog (UNIX) or to the event log (NT) if access is rejected ++

$D delay Delay response for an interval of delay hundredths of seconds; a positive value causes the delay to be imposed on each command in the transaction; a negative value causes the delay to be imposed only on the address handover (SMTP MAIL FROM: command for the FROM_ACCESS table; SMTP RCPT TO: command for the other tables)

$T tag Prefix with tag tag

$A header Add the header line header to the message

$X error-code Issue the specified error-code extended SMTP error code if rejecting the message

$N string Reject access with the optional error text string

$F string Synonym for $N string , i.e., reject access with the optional error text string

**Table 16-1 Access Mapping Flags®**
Flag	Description
`$B`	Redirect the message to the bitbucket
`$H`	Hold the message as a `.HELD` file
`$Y`	Allow access
	Flags with arguments, in argument reading order+
`$J address`	Replace original envelope From: address with specified `address` §
`$K address`	Replace original Sender: address with specified `address` §
`$I user\| identifier`	Check specified user for specified identifier (OpenVMS) or groupid (UNIX)
`$ < string`	Send `string` as an OPCOM broadcast (OpenVMS) or to syslog (UNIX) or to the event log (NT) if probe matches++
`$> string`	Send `string` as an OPCOM broadcast (OpenVMS) or to syslog (UNIX) or to the event log (NT) if access is rejected ++
`$D delay`	Delay response for an interval of `delay` hundredths of seconds; a positive value causes the delay to be imposed on each command in the transaction; a negative value causes the delay to be imposed only on the address handover (SMTP MAIL FROM: command for the FROM_ACCESS table; SMTP RCPT TO: command for the other tables)
`$T tag`	Prefix with tag `tag`
`$A header`	Add the header line `header` to the message
`$X error-code`	Issue the specified `error-code` extended SMTP error code if rejecting the message
`$N string`	Reject access with the optional error text `string`
`$F string`	Synonym for `$N string` , i.e., reject access with the optional error text `string`

®These flags are relevant for the SEND_ACCESS, ORIG_SEND_ACCESS, MAIL_ACCESS, ORIG_MAIL_ACCESS, and FROM_ACCESS mapping table. Note that the PORT_ACCESS mapping table, discussed in Section 11.5, supports a somewhat different set of flags.
§Available for FROM_ACCESS table only
+To use multiple flags with arguments, separate the arguments with the vertical bar character, |, placing the arguments in the order listed in this table.
++It is a good idea to use the $D flag when dealing with problem senders, to prevent a denial of service attack. In particular, it is a good idea to use $D in any $> entry or $< entry rejecting access.

Note

¹ Note that it is up to whatever is attempting to send the message whether the PMDF rejection error text is actually presented to the user who attempted to send the message. In particular, in the case when SEND_ACCESS is used to reject an incoming SMTP message, PMDF merely issues an SMTP rejection code including the optional rejection text; it is up to the sending SMTP client to use that information to construct a bounce message to send back to the original sender.

Contents

Index