PMDF System Manager's Guide

The MAIL_ACCESS mapping table is a superset of the SEND_ACCESS and PORT_ACCESS mapping tables; that is, it combines both the channel and address information of SEND_ACCESS, with the IP address and port number information of PORT_ACCESS. Similarly, the ORIG_MAIL_ACCESS mapping table is a superset of the ORIG_SEND_ACCESS and PORT_ACCESS mapping tables. The format for the probe string for MAIL_ACCESS is

port_access-probe-info|app-info|submit-type|send_access-probe-info

and similarly the format for the probe string for ORIG_MAIL_ACCESS is

port_access-probe-info|app-info|submit-type|orig_send_access-probe-info

Here port_access-probe-info consists of all the information usually included in a PORT_ACCESS mapping table probe in the case of incoming SMTP messages, or will be blank otherwise, and app-info will usually be SMTP in the case of messages submitted via SMTP, and blank otherwise. submit-type can be one of MAIL, SEND, SAML, or SOML, corresponding to how the message was submitted into PMDF. Normally the value is MAIL, meaning it was submitted as a message; SEND, SAML, or SOML can occur in the case of broadcast requests (or combined broadcast/message requests) submitted to the SMTP server. And for the MAIL_ACCESS mapping, send_access-probe-info consists of all the information usually included in a SEND_ACCESS mapping table probe. Similarly for the ORIG_MAIL_ACCESS mapping, orig_send_access-probe-info consists of all the information usually included in an ORIG_SEND_ACCESS mapping table probe.

Having the incoming TCP/IP connection information available in the same mapping table as the channel and address information makes it more convenient to impose certain sorts of controls, such as enforcing what envelope From: addresses are allowed to appear in messages from particular IP addresses. This can be desirable to limit cases of e-mail forgery, or to encourage users to configure their POP and IMAP clients' From: address appropriately. For instance, a site that wants to allow the envelope From: address vip@ourcorp.com to appear only on messages coming from the IP address 1.2.3.1 and 1.2.3.2, and to ensure that the envelope From: addresses on messages from any systems in the 1.2.0.0 subnet are from ourcorp.com, might use a MAIL_ACCESS mapping table along the lines shown in Example 16-2.

Example 16-2 Enforcing Use of Proper Source Addresses

MAIL_ACCESS ! Entries for vip's two systems ! TCP|*|25|1.2.3.1|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|* $Y TCP|*|25|1.2.3.2|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|* $Y ! ! Disallow attempts to use vip's From: address from other systems ! TCP|*|25|*|*|SMTP|MAIL|tcp_*|vip@ourcorp.com|*|* \ $N500$ Not$ authorized$ to$ use$ this$ From:$ address ! ! Allow sending from within our subnet with ourcorp.com From: addresses ! TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*@ourcorp.com|*|* $Y ! ! Allow notifications through ! TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*||*|* $Y ! ! Block sending from within our subnet with non-ourcorp.com addresses ! TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*|*|* \ $NOnly$ ourcorp.com$ From:$ addresses$ authorized