
Staff email group

Posted: Tue Mar 31, 2009 1:51 pm
by sgreen
How are others implementing a staff email list?
I would like to only allow certain users to email this. Mailman was our old approach but if we use it on the old machine pointing the mail to the new one the service router ends up with hundreds of messages and all mail delivery lags.

Re: Staff email group

Posted: Tue Mar 31, 2009 2:04 pm
by mikethebike
sgreen,

you can use a pdl, containing all the users (have a script that recreates the pdl every night, using the output from omshowu -m all), then have an acl on the pdl, only allowing certain users access to send to it.

Mick

Re: Staff email group

Posted: Tue Mar 31, 2009 2:09 pm
by sgreen
Not directly related, but is there any way to get more service router processes?

Re: Staff email group

Posted: Tue Mar 31, 2009 2:26 pm
by LeslieW
sgreen wrote: Not directly related, but is there any way to get more service router processes?

Check out the man page for "omsetsvc -x" and see if that's what you're looking for.

Re: Staff email group

Posted: Tue Mar 31, 2009 2:33 pm
by sgreen
Thanks Leslie, it looks like it will. The auxiliary processes are just more of the same, right? They process the queue in the same manner?

Re: Staff email group

Posted: Tue Mar 31, 2009 3:02 pm
by sgreen
omaddacl wants a type, what would I choose in this instance?

Or is there just a nice document on how to put an acl on a pdl or user? The omaddacl stuff seems to only do printers, requests and services.

Re: Staff email group

Posted: Tue Mar 31, 2009 3:39 pm
by LeslieW
sgreen, right, the auxiliary processes are just more of the same thing.
Do monitor your system after adding an auxiliary process, to make sure you're not going to run out of memory or bog down the CPU or similar. It is possible to try and speed things up by creating auxiliary processes... and bring the system to its knees as a result. :oops:

Mick had a good point about using a PDL but darned if I can put my finger on how to do that with a PDL at the moment. Here's another option. More convoluted, but it will work.

If you have all your staff on a mailnode by themselves, you can write a script as Mick suggested that does something like this (not tested):
omdelpdl
omaddpdl
omshowu -m 'staff' | while read u
do
    omaddpdln -l PDL -n "$u"
    ommodu -o "$u" -s <service-level>
done

service-level is just any number you make up other than zero.

If you're not keeping the members on their own mailnode, then when the PDL is built you can do something like this:

omshowpdln -l "staff/mailnode" | while read u
do
    ommodu -o "$u" -s <service-level>
done


Then you give the allowed senders their own service level, if they're not members of the Staff PDL (if they are, they already have a service-level we can use).

You can then use the service-levels in a Service Router rule. It would look something like this (not tested), assuming:
- the PDL members have a service-level of 1
- the PDL members are allowed to send to the PDL
- non-PDL members who are allowed to send to the PDL have a service-level of 2

RECIPIENT-SERVICE-LEVEL=1 SENDER-SERVICE-LEVEL=1 ACTION=ALLOW
RECIPIENT-SERVICE-LEVEL=1 SENDER-SERVICE-LEVEL=2 ACTION=ALLOW
RECIPIENT-SERVICE-LEVEL=1 ACTION=RETURN NOTIFY="You are not authorized to send emails to this list."

For information on how to create and implement a Service Router rule, see the Scalix Administration Guide; there is a section called "Setting Message Delivery Rules on the Router".

Re: Staff email group

Posted: Tue Mar 31, 2009 3:46 pm
by sgreen
I have about 20GB of free ram right now, so that should be fine.

I do not have staff on its own mailnode.

Are aci's still working?

Re: Staff email group

Posted: Tue Mar 31, 2009 4:01 pm
by mikethebike
Hi,

sorry, yes, I meant aci, not acl

Leslie has a good solution, but I would still use the aci.
rather than deleting the pdl each night, which would effectively lose the aci, modify the pdl by removing the members:

omshowpdln -l listname | while read line; do
    omdelpdln -l listname -n "$line"
done

may take a bit of time, depends how many members there are.

then

omshowu -m <mailnode> | while read name; do
    omaddpdln -l listname -n "$name"
done

that sort of thing.

or you could delete the pdl, then recreate, add the users, and apply the aci

either way, simple scripts, and like I say depends on how many users.

I used to just ommodent -e s=listname -n dl-members=
but I used the add users to pdls, using the -x option so as not to add the "parent-dl" attribute.

Mick
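
An added example, not code from any poster in this thread: the nightly member refresh described above, done as a difference instead of remove-all/add-all, so the PDL is never deleted or emptied and its ACI stays attached. It uses only the commands and options shown in the posts above and assumes that omshowu -m and omshowpdln -l print one name per line in the same format; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: sync PDL members by difference, so the PDL and its ACI stay in place.
# Assumption: "omshowu -m" and "omshowpdln -l" print one name per line in the
# same format, as the loops in the posts above also assume.

# plan_pdl_sync WANTED_FILE CURRENT_FILE
# Prints "del <name>" for stale members, then "add <name>" for missing ones.
plan_pdl_sync() {
    p_w=$(mktemp); p_c=$(mktemp)
    LC_ALL=C sort -u "$1" > "$p_w"
    LC_ALL=C sort -u "$2" > "$p_c"
    LC_ALL=C comm -13 "$p_w" "$p_c" | sed 's/^/del /'
    LC_ALL=C comm -23 "$p_w" "$p_c" | sed 's/^/add /'
    rm -f "$p_w" "$p_c"
}

# sync_pdl LISTNAME MAILNODE
sync_pdl() {
    list=$1; node=$2
    s_w=$(mktemp); s_c=$(mktemp)
    # An empty or failed user listing would strip every member: stop instead.
    if ! omshowu -m "$node" > "$s_w" || ! omshowpdln -l "$list" > "$s_c" \
        || [ ! -s "$s_w" ]; then
        echo "not syncing $list: listing failed or returned no users" >&2
        rm -f "$s_w" "$s_c"
        return 1
    fi
    plan_pdl_sync "$s_w" "$s_c" | while read -r op name; do
        [ -n "$name" ] || continue      # ignore blank lines in the listings
        case $op in
            # </dev/null keeps the commands from consuming the loop's input
            del) omdelpdln -l "$list" -n "$name" < /dev/null ;;
            add) omaddpdln -l "$list" -n "$name" < /dev/null ;;
        esac
    done
    rm -f "$s_w" "$s_c"
}

if [ "$#" -eq 2 ]; then sync_pdl "$1" "$2"; fi
```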

Re: Staff email group

Posted: Tue Mar 31, 2009 4:03 pm
by LeslieW
That's IT!!! I couldn't remember aci and I was stuck thinking about ACLs. :oops:

Yes, they should be working though I haven't tested them recently. Give it a try and if you encounter problems post them here.

Boy, I knew that Service Router rule was doing things the hard way. :lol: :roll:

Re: Staff email group

Posted: Tue Mar 31, 2009 4:19 pm
by sgreen
I have a pdl teststaff.
So I did a:
omdelaci -l teststaff -n default.
Now no one can mail it, which is correct.

Then I did a:
omaddaci -l teststaff -n "Steven Green /scalix/CN=Steven Green" -c "read"

omshowaci -l teststaff
Steven Green /scalix/CN=Steven Green read

Scalix Administrators config modify read remove
Local Users modify read remove
Default none



I still cannot email it. SWA gives an error:
Unable to send mail to:
teststaff <teststaff@domain.com>

Thoughts?

Re: Staff email group

Posted: Wed Apr 01, 2009 6:25 am
by mikethebike
maybe the syntax of your name is incorrect?

look in the audit log, for the router record of you sending to the pdl.
Use the "originator" name when adding yourself to the aci
just out of interest, what version of scalix are you using?

Mick

Re: Staff email group

Posted: Wed Apr 01, 2009 12:07 pm
by sgreen
I am running 11.4.2.
And the audit log does not seem to say anything about this.

Re: Staff email group

Posted: Wed Apr 01, 2009 12:08 pm
by sgreen
I attempted to add myself as steven.green@domain.com and it told me initials too long.

Re: Staff email group

Posted: Wed Apr 01, 2009 2:20 pm
by LeslieW
I just tested this and the audit log won't log anything if you don't have access to the PDL. Not only that, but when you are creating the message in SWA, if you scroll through the System Directory you won't see 'teststaff'; if you do a search for 'teststaff' in the system directory it will say "No Search Results Returned".

So ensure you have audit logging set to 9 or so on the router
# omshowaud
# omconfaud router 9

Then send a message to someone (not teststaff, because you can't see it yet) and /var/opt/scalix/??/s/logs/audit should show something like the following:

routing
time 1238609375 Wed Apr 1 14:09:35 2009 -240
type 0 message
priority 0 normal
sensitivity 0 normal
importance 0 normal
created-locally 1
hop-count 1
originator Leslie Ward / sxlab/CN=Leslie Ward <<<<<<<<<<<<<use this value <<<<<<<<<<<
ua-message-id H0000067000006d3.1238609375.sxlab.mydomain.net
mta-message-id H0000067000006d3.1238609375.sxlab.mydomain.net
recipient-to someone / sxlab
ack-req 0 none
queue LOCAL
message-size 795
delivered-count 1

Maybe you have an initial in your CN or something.
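
An added example, not from the posts above: it pulls the exact originator string (the value the posts say to use when adding yourself to the aci) out of the router audit log and counts, per sender, the messages routed to a given list name. It assumes a record starts with a line reading "routing" and that each field is "key value" as in the excerpt above; the recipient line for a PDL, the function names and the sample records are constructed for the example.

```shell
#!/bin/sh
# Added example: who got mail through to a list, according to the router audit log.
# Assumptions: a record starts with a line reading "routing"; fields are
# "key value" as in the excerpt above; any key starting "recipient-" names a
# recipient (only recipient-to appears in the thread).

# senders_to LOGFILE NAME -> "originator<TAB>message count", one line per sender
senders_to() {
    awk -v pat="$2" '
        function emit() {
            if (orig != "" && hit) seen[orig]++
            orig = ""; hit = 0
        }
        NF == 1 && $1 == "routing" { emit(); next }
        $1 == "originator" {
            sub(/^[ \t]*originator[ \t]+/, ""); sub(/[ \t]+$/, "")
            orig = $0; next
        }
        $1 ~ /^recipient-/ {
            # compare against the value only, case-insensitively
            r = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", r)
            if (index(tolower(r), tolower(pat))) hit = 1
        }
        END { emit(); for (o in seen) printf "%s\t%d\n", o, seen[o] }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample records (not real log data), trimmed to the fields used.
sample_audit() {
    cat <<'EOF'
routing
time 1238609375 Wed Apr 1 14:09:35 2009 -240
originator Leslie Ward / sxlab/CN=Leslie Ward
recipient-to teststaff / sxlab
routing
originator Ann Lee / sxlab/CN=Ann Lee
recipient-to someone / sxlab
routing
originator Leslie Ward / sxlab/CN=Leslie Ward
recipient-to someone / sxlab
recipient-to TestStaff / sxlab
EOF
}

if [ "$#" -eq 2 ]; then senders_to "$1" "$2"; fi
```

The first column is the string to pass to omaddaci -n; any sender listed for the PDL who is not on its aci is worth a second look.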