PMDF System Manager's Guide

The FROM_ACCESS mapping table can be used to control who can send mail, or to override purported From: addresses with authenticated addresses, or both.

The input probe string to the FROM_ACCESS mapping table is similar to that for a MAIL_ACCESS mapping table, minus the destination channel and address, and with the addition of authenticated sender information, if available. Thus if a FROM_ACCESS mapping table exists, then for each attempted message submission PMDF will probe the table with a probe string of the form (note the use of the vertical bar character, |)

port_access-probe-info|app-info|submit-type|src-channel|from-address|auth-from

Here port_access-probe-info consists of all the information usually included in a PORT_ACCESS mapping table probe in the case of incoming SMTP messages, or will be blank otherwise, and app-info will usually be SMTP in the case of messages submitted via SMTP, and blank otherwise. Note that if you are using TLS, that app-info contains the TLS information, for example SMTP/TLS-168-DES-CBC3-SHA, so we recommend you use SMTP*. submit-type can be one of MAIL, SEND, SAML, or SOML, corresponding to how the message was submitted into PMDF. Normally the value is MAIL, meaning it was submitted as a message; SEND, SAML, or SOML can occur in the case of broadcast requests (or combined broadcast/message requests) submitted to the SMTP server. src-channel is the channel originating the message (i.e., queueing the message); from-address is the address of the message's purported originator; and auth-from is the authenticated originator address, if such information is available, or blank if no authenticated information is available.

If the probe string matches a pattern (i.e., the left hand side of an entry in the table), then the resulting output of the mapping is checked. If the output contains the flags $Y or $y, then the enqueue for that particular To: address is permitted. If the mapping output contains any of the flags $N, $n, $F, or $f, then the enqueue to that particular address is rejected. In the case of a rejection, optional rejection text can be supplied in the mapping output. This string will be included in the rejection error PMDF issues.² If no string is output (other than the $N, $n, $F, or $f flag), then default rejection text will be used. See Table 16-1 for descriptions of additional flags.

Besides determining whether to allow a message to be submitted based on the originator, FROM_ACCESS can also be used to alter the envelope From: address via the $J flag, or to modify the effect of the authrewrite channel keyword (adding a Sender: header address on an accepted message) via the $K flag. For instance, this mapping table can be used to cause the original envelope From: address to simply be replaced by the authenticated address:

FROM_ACCESS *|SMTP*|*|tcp_local|*| $Y *|SMTP*|*|tcp_local|*|* $Y$J$4

When using the FROM_ACCESS mapping table to modify the effect on having authrewrite set to a nonzero value on some source channel, it is not necessary to use FROM_ACCESS if the authenticated address is going to be used verbatim. For instance, with authrewrite 2 set on the tcp_local channel, the following FROM_ACCESS mapping table would not be necessary:

FROM_ACCESS *|SMTP*|*|tcp_local|*| $Y *|SMTP*|*|tcp_local|*|* $Y$K$4

as authrewrite alone is sufficient to get this effect (adding the authenticated address verbatim). However, the real purpose of FROM_ACCESS is to permit more complex and subtle alterations. For instance, perhaps you want to force on a Sender: header only in cases where the authenticated address differs from the envelope From: address, with subaddresses not being considered to constitute a difference, as illustrated in the following table:

FROM_ACCESS ! If no authenticated address is available, do nothing *|SMTP*|*|tcp_local|*| $Y ! If authenticated address matches envelope From:, do nothing *|SMTP*|*|tcp_local|*|$3* $Y ! If authenticated address matches envelope From: sans subaddress, do nothing *|SMTP*|*|tcp_local|*+*@*|$3*@$5* $Y ! Fall though to... ! ...authenticated address present, but didn't match, so force Sender: header *|SMTP*|*|tcp_local|*|* $Y$ASender:$ $4