PMDF System Manager's Guide



16.1.2 The MAIL_ACCESS and ORIG_MAIL_ACCESS Mappings

The MAIL_ACCESS mapping table is a superset of the SEND_ACCESS and PORT_ACCESS mapping tables; that is, it combines the channel and address information of SEND_ACCESS with the IP address and port number information of PORT_ACCESS. Similarly, the ORIG_MAIL_ACCESS mapping table is a superset of the ORIG_SEND_ACCESS and PORT_ACCESS mapping tables. The format for the probe string for MAIL_ACCESS is


port_access-probe-info|app-info|submit-type|send_access-probe-info

and similarly the format for the probe string for ORIG_MAIL_ACCESS is


port_access-probe-info|app-info|submit-type|orig_send_access-probe-info

Here port_access-probe-info consists of all the information usually included in a PORT_ACCESS mapping table probe in the case of incoming SMTP messages, and is blank otherwise; app-info is usually SMTP in the case of messages submitted via SMTP, and blank otherwise. submit-type can be one of MAIL, SEND, SAML, or SOML, corresponding to how the message was submitted into PMDF. Normally the value is MAIL, meaning it was submitted as a message; SEND, SAML, or SOML can occur in the case of broadcast requests (or combined broadcast/message requests) submitted to the SMTP server. For the MAIL_ACCESS mapping, send_access-probe-info consists of all the information usually included in a SEND_ACCESS mapping table probe. Similarly, for the ORIG_MAIL_ACCESS mapping, orig_send_access-probe-info consists of all the information usually included in an ORIG_SEND_ACCESS mapping table probe.

Having the incoming TCP/IP connection information available in the same mapping table as the channel and address information makes it more convenient to impose certain sorts of controls, such as enforcing what envelope From: addresses are allowed to appear in messages from particular IP addresses. This can be desirable to limit cases of e-mail forgery, or to encourage users to configure the From: address in their POP and IMAP clients appropriately. For instance, a site that wants to allow the envelope From: address vip@ourcorp.com to appear only on messages coming from the IP addresses 1.2.3.1 and 1.2.3.2, and to ensure that the envelope From: addresses on messages from any systems in the 1.2.0.0 subnet are from ourcorp.com, might use a MAIL_ACCESS mapping table along the lines shown in Example 16-2.

Example 16-2 Enforcing Use of Proper Source Addresses

MAIL_ACCESS 
 
! Entries for vip's two systems 
! 
  TCP|*|25|1.2.3.1|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|*  $Y 
  TCP|*|25|1.2.3.2|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|*  $Y 
! 
! Disallow attempts to use vip's From: address from other systems 
! 
  TCP|*|25|*|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|*  \
          $N500$ Not$ authorized$ to$ use$ this$ From:$ address 
! 
! Allow sending from within our subnet with ourcorp.com From: addresses 
! 
  TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*@ourcorp.com|*|*  $Y 
! 
! Allow notifications through 
! 
  TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*||*|*  $Y 
! 
! Block sending from within our subnet with non-ourcorp.com addresses 
! 
  TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*|*|*  \
          $NOnly$ ourcorp.com$ From:$ addresses$ authorized 
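
To check how the entries of Example 16-2 interact before deploying such a table, the following added sketch (not part of the PMDF guide and not PMDF code) walks constructed probes through the entries in table order and reports the first one that matches. It assumes a simplified matcher (only the * wildcard, case-insensitive, first match decides); the function names, the field order read off the example patterns, and all default probe values are assumptions of this sketch.

```python
import re

# Entries from Example 16-2, in table order: (pattern, template).
MAIL_ACCESS = [
    ("TCP|*|25|1.2.3.1|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|*", "$Y"),
    ("TCP|*|25|1.2.3.2|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|*", "$Y"),
    ("TCP|*|25|*|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|*",
     "$N500$ Not$ authorized$ to$ use$ this$ From:$ address"),
    ("TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*@ourcorp.com|*|*", "$Y"),
    ("TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*||*|*", "$Y"),
    ("TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*|*|*",
     "$NOnly$ ourcorp.com$ From:$ addresses$ authorized"),
]


def to_regex(pattern):
    # Simplified model (assumption): '*' matches any run of characters,
    # case-insensitively; every other character is literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I | re.S)


def build_probe(client_ip, env_from, server_ip="10.0.0.5", client_port="40000",
                src_chan="tcp_local", dst_chan="l", rcpt="user@example.org"):
    # Field order read off the Example 16-2 patterns; default values are constructed.
    return "|".join(["TCP", server_ip, "25", client_ip, client_port,
                     "SMTP", "MAIL", src_chan, env_from, dst_chan, rcpt])


def evaluate(client_ip, env_from):
    """Return (entry_number, template) of the first matching entry, else None."""
    probe = build_probe(client_ip, env_from)
    for number, (pattern, template) in enumerate(MAIL_ACCESS, start=1):
        if to_regex(pattern).fullmatch(probe):
            return number, template
    return None  # no entry matched; this sketch makes no decision for that case


def verdict(client_ip, env_from):
    hit = evaluate(client_ip, env_from)
    if hit is None:
        return "no-match"
    return "allow" if hit[1].startswith("$Y") else "reject"


if __name__ == "__main__":
    # Constructed test senders: vip's system, subnet hosts, an outside host.
    for ip, sender in [("1.2.3.1", "vip@ourcorp.com"), ("1.2.9.9", "vip@ourcorp.com"),
                       ("1.2.9.9", "bob@ourcorp.com"), ("1.2.9.9", ""),
                       ("1.2.9.9", "bob@example.net"), ("8.8.4.4", "bob@example.net")]:
        print(f"{ip:10} {sender!r:20} -> {verdict(ip, sender)} {evaluate(ip, sender)}")
```

In this model, the two vip entries must stay above the general vip rejection, and the empty-From entry must stay above the final catch-all, or vip's own systems and notifications from the subnet would be rejected.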
 

