PDL ACIs mailnodes and who is local


pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

PDL ACIs mailnodes and who is local

Postby pete » Fri Jan 13, 2006 2:03 pm

I am trying to establish an ACI on a PDL. I only want internal users to be able to access the PDL, so I use

omaddaci -l cn=testing -g default -c "-read"

to remove permissions from non-local users.

I would like all internal users to be able to use this PDL, but I have multiple mailnodes (on
different physical systems). The problem is that only users on the mailnode that the PDL is
defined on seem to be considered local - users from other mailnodes cannot access it.

Is there a way to allow all internal users access - that is to say all users defined in
the SYSTEM directory to have access?

P

ls-al
Scalix Star
Posts: 510
Joined: Tue Jun 29, 2004 8:28 am
Location: Leipzig, Germany

Postby ls-al » Fri Jan 13, 2006 2:29 pm

I don't know if there's a way to add all from SYSTEM, but depending on the number of mailnodes you should give a try to:

omaddaci -l pdlname -n /mailnode -c capability


HTH
Dirk

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Fri Jan 13, 2006 2:35 pm

Hey - that looks like it works! Thanks a bunch!!!

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Fri Jan 20, 2006 1:14 pm

One more thing on this - can I add a specific external system (or user on a system) to the
aci? For example, I want to allow a non-scalix server (call it system.domain.com) to
send to a PDL on (for example) mail.domain.com (which is running Scalix)? And one step
further, can I restrict the Scalix system to restrict access to only a specific external email
address?

Thanks

jg
Scalix
Posts: 81
Joined: Thu Mar 25, 2004 8:29 am

Postby jg » Mon Jan 23, 2006 10:23 am

I think this is possible, but you will have to do some config to get the incoming address of your "special" non-scalix to be "stamped" with mailnodes that you can then use to control access.

Typically when an external mail arrives onto a scalix server the address that Scalix passes around the system is something like:

S=JG/OU1=internet/INTERNET-ADDR=jg@foobar.com

OU1=internet is the mailnode of the default internet mail gateway, see:

omshowrt -q unix

So, what you could do is add a specific directory entry for your external user, e.g.

G=Special/S=User/CN=Display Name/OU1=InternetAllow/INTERNET-ADDR=jg@foobar.com

when jg@foobar.com sends mail to the Scalix server the From: address will be specified as above.

Now you have a way to differentiate this "external" user from others. You can now add specific ACIs for this mailnode (i.e. OU1=InternetAllow), which should then enable this external user to use the PDL.

One last step you will need is to add a route for the above mailnode to ensure that any replies from Scalix users are sent back to the internet, i.e.

omaddrt -m "InternetAllow" -q unix

If you have multiple users on the external mailserver that you wish to allow then things become a little more complicated. You could add directory entries for each of these users but this may be problematic. There are some "old" configuration files that can be used to map internet domains to mailnodes, but you are getting into deep water here and this type of configuration hasn't been tested for a while.

Hope that gives you some ideas to play with.
Cheers,
JG

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Mon Jan 23, 2006 1:28 pm

That may work, but looks kind of complicated. Do you think that this would work?

Add an aci like this:

omaddaci -l cn=maillinglist -n '/internet (rfc-822|user@external.com)' -c +read

/P

jg
Scalix
Posts: 81
Joined: Thu Mar 25, 2004 8:29 am

Postby jg » Tue Jan 24, 2006 6:52 am

Good solution!

I've just tried this and it appeared to work. I set up the ACI with the following:

# omshowaci -l "cn=post 1110"
/internet (RFC-822|user@external.com)        read

Scalix Administrators                    config modify read remove
Local Users                              modify read remove
Default                                  none

The thing I wanted to check was that the incoming address would contain a "surname" derived from the incoming internet address e.g. the address would look something like:
user / internet DDT1=RFC-822; DDV1=user@external.com

so I wasn't sure the address would be considered a match for the ACI.

I think this will generally work, but of course any variation in the incoming address that causes a mis-match on the ACI will end up being non-delivered.

Spoofing a mail via SMTP from user@external.com was successfully delivered to the PDL. Spoofing from another address (foobar@acme.com) resulted in a non-delivery report, stating:

Message could not be delivered to the following recipient:

        post 1110 / localmailnode/CN=post 1110

    because: 'Recipient name not found at destination'    [OM 9300]

Note: I had to remove the "Default: Read" permission for this to work, so if you wanted other external users, or users on other Scalix servers to use the PDL you would have to explicitly grant them permission.

Cheers,
JG

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Tue Jan 24, 2006 5:24 pm

This is all great stuff!! Now, how about only allowing mail from a specific domain (or host)?
Any ideas?

P

jg
Scalix
Posts: 81
Joined: Thu Mar 25, 2004 8:29 am

Postby jg » Wed Jan 25, 2006 6:35 am

So, you can map a domain to a set of mailnodes for an incoming message using a file called

unixmap.gw

This doesn't exist by default and needs to be created in ~scalix/sys readable by the user/group scalix/scalix

The format of this file is described in the Scalix Administration Guide.

As an example, if you create unixmap.gw that contains the lines:

foobar.com#OU$foobar.OU$internet.#
acme.com#OU$acme.OU$internet.#

Then for incoming messages the following will happen.

Domain: foobar.com will map to mailnodes "internet,foobar"
Domain: acme.com will map to mailnodes "internet,acme"

Any other domain will pick up the default mailnode of the internet gateway.

You'll need to restart the unix gateway for the change to take effect and also add routes for the above mailnodes to ensure that mail can be replied to.

The ACIs on the PDL should then just grant access based on the mailnodes above, as per my original response.

Hope that helps.

Cheers,
JG
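To make jg's three posts concrete (stamping an external sender with mailnodes via a directory entry or unixmap.gw, the "/internet (RFC-822|address)" ACI form, and the "Default: none" fallback that produced the non-delivery report), here is a small model written for this thread. It is not Scalix code: the unixmap.gw line format, the omshowaci output layout and the NDR text are taken from the posts above, while the matching rules (prefix match on mailnodes, Default used only when nothing else matches, nested mailnodes written as /OU1/OU2), the sample domains and the address special.user@partner.example are this model's own assumptions.

```python
"""Toy model, added for this thread and not Scalix code: how an incoming internet
sender is stamped with mailnodes (directory entry, unixmap.gw, or the gateway
default) and how a PDL's ACI list then decides delivery.  The unixmap.gw format,
the omshowaci layout and the NDR text come from the posts above; the matching
rules are this model's assumptions (see comments)."""
import re
from dataclasses import dataclass

CAPABILITIES = {"config", "modify", "read", "remove", "none"}
DEFAULT_GATEWAY_NODE = "internet"   # mailnode of the default internet gateway
NDR_REASON = "Recipient name not found at destination"

# Constructed unixmap.gw contents in the format jg shows above.
UNIXMAP_GW = "foobar.com#OU$foobar.OU$internet.#\nacme.com#OU$acme.OU$internet.#\n"

# Constructed directory entries after jg's first suggestion: address -> mailnodes.
DIRECTORY = {"special.user@partner.example": ("InternetAllow",)}


@dataclass(frozen=True)
class Sender:
    address: str            # RFC-822 address, lower-cased
    mailnodes: tuple        # (OU1, OU2, ...) as stamped by the gateway
    local: bool = False     # user exists in the SYSTEM directory
    groups: frozenset = frozenset()


def parse_unixmap(text):
    """domain -> mailnode tuple.  The file lists OU$ parts innermost first
    (OU$foobar.OU$internet. is "internet,foobar" in the thread), so reverse them."""
    mapping = {}
    for line in text.splitlines():
        domain, sep, rest = line.strip().partition("#")
        if sep:
            ous = [tok[3:] for tok in rest.split(".") if tok.startswith("OU$")]
            mapping[domain.lower()] = tuple(reversed(ous))
    return mapping


def stamp_sender(address, unixmap, directory=DIRECTORY):
    """Explicit directory entry first, then the domain mapping, then the default."""
    addr = address.lower()
    if addr in directory:
        return Sender(addr, directory[addr])
    return Sender(addr, unixmap.get(addr.rpartition("@")[2], (DEFAULT_GATEWAY_NODE,)))


def parse_omshowaci(text):
    """Parse omshowaci-style lines into (subject, capabilities) pairs; capabilities
    are peeled off the right, so a subject may contain spaces."""
    entries = []
    for tokens in (line.split() for line in text.splitlines()):
        if not tokens:
            continue
        caps = set()
        while tokens and tokens[-1].lower() in CAPABILITIES:
            caps.add(tokens.pop().lower())
        caps.discard("none")
        entries.append((" ".join(tokens), caps))
    return entries


# "/OU1/OU2" optionally followed by "(rfc-822|address)".  Nested mailnodes
# written with "/" separators is this model's convention, not shown in the thread.
_NODE_ENTRY = re.compile(r"^/(\S+?)(?:\s+\(rfc-822\|([^)]+)\))?$", re.IGNORECASE)


def entry_matches(subject, sender):
    if subject == "Default":
        return False                 # fallback, handled in effective_capabilities
    if subject == "Local Users":
        return sender.local
    m = _NODE_ENTRY.match(subject)
    if not m:
        return subject in sender.groups   # e.g. "Scalix Administrators"
    path = tuple(p.lower() for p in m.group(1).split("/"))
    # Assumption: a grant on a mailnode also covers mailnodes nested below it.
    if tuple(n.lower() for n in sender.mailnodes[:len(path)]) != path:
        return False
    return m.group(2) is None or m.group(2).lower() == sender.address


def effective_capabilities(entries, sender):
    """Union of every matching entry; Default applies only when nothing matched
    (assumption consistent with jg having to remove 'Default: read')."""
    matched = [caps for subject, caps in entries if entry_matches(subject, sender)]
    return set().union(*matched) if matched else set(dict(entries).get("Default", set()))


def deliver_to_pdl(entries, sender):
    """'delivered', or the NDR reason quoted in the thread."""
    return "delivered" if "read" in effective_capabilities(entries, sender) else NDR_REASON


UNIXMAP = parse_unixmap(UNIXMAP_GW)
# The ACI exactly as jg's omshowaci output shows it ...
THREAD_ACI = parse_omshowaci("""
/internet (RFC-822|user@external.com)        read
Scalix Administrators                    config modify read remove
Local Users                              modify read remove
Default                                  none
""")
# ... plus constructed per-mailnode grants for the mapped domain and the stamped sender.
EXTENDED_ACI = THREAD_ACI + parse_omshowaci("/internet/acme read\n/InternetAllow read")
```

With THREAD_ACI, `deliver_to_pdl` returns "delivered" for user@external.com and the thread's NDR reason for foobar@acme.com, which is the outcome of jg's spoofing test; with EXTENDED_ACI the acme.com sender is accepted because unixmap.gw stamped it with "internet,acme" and a grant exists for that mailnode. The point a defender should take from the model is the one jg makes: once Default is "none", every external sender not covered by an explicit mailnode or address entry is rejected, so the allow list is only as good as the gateway's address stamping.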

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Mon Jun 05, 2006 5:34 pm

I know that this thread is a little stale, but....

I have multiple servers and each server is an MX for our domain.
I assume that I have to map the required domains using unixmap.gw etc. on every server, correct?

/P

pbcadmin
Posts: 10
Joined: Tue Feb 28, 2006 6:30 pm

pdl aci for external users

Postby pbcadmin » Wed Aug 30, 2006 7:51 pm

I am trying to do the same thing for one of my pdls, but I can't get it to work.

The results of the command omshowaci are as follows:

omshowaci -l pdl
/internet (rfc-822|user@example.net) read

Scalix Administrators config modify read remove
Local Users modify read remove
Default none


The user@example.net is an external email address like a yahoo.com or gmail.com. user@example.com still can't send emails to the pdl. What am I missing, or where can I look?

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Wed Aug 30, 2006 7:54 pm

You specified user@example.com, then quoted user@example.net -
is that a typo or is that the problem?

pbcadmin
Posts: 10
Joined: Tue Feb 28, 2006 6:30 pm

Postby pbcadmin » Wed Aug 30, 2006 7:56 pm

Sorry, that was a typo. Both emails should be the same.

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Thu Aug 31, 2006 11:21 am

Are you getting any notices sent to your Error Manager account? This might at least narrow down what is going on. Also, are you getting a bounce back to the sender?

pbcadmin
Posts: 10
Joined: Tue Feb 28, 2006 6:30 pm

Postby pbcadmin » Thu Aug 31, 2006 12:03 pm

Yes, the sender does get a bounce back message.

This is the message that goes to the Error manager account:


Message could not be delivered to the following recipient:

pdl@pbc.org

because: Recipient name not found at destination
----- Inline Attachment Follows -----
----------------------------- TRACE REPORT -----------------------------

08/30/06 16:27:13 Passive Routing Record: ** Message Relayed
Node: scalix.pbc.local Address: scalix,pbc
08/30/06 16:27:13 Active Operation Record: ** Message Submission
08/30/06 16:27:13 Active Routing Record: ** Message Relayed
Node: scalix.pbc.local Address: scalix,pbc

-------------------------------------------------------------------------




----- Inline Message Follows -----
To: pdl
From: Zeid
Subject: tasfa

