limiting who can send to a group

Discuss Scalix Management Services ( formerly Scalix Admin Console )

Moderator: ScalixSupport

seancb
Posts: 13
Joined: Tue Mar 13, 2007 9:44 am

limiting who can send to a group

Postby seancb » Tue Mar 13, 2007 3:46 pm

Is there a way to restrict access to sending mail to specific groups? For instance, could I have a group called important_people where only members of important_people (or admins, or a single user etc) can send to that group? If we don't want unimportant_people or external email users to be able to send mass emails to this group, can we restrict that?

Thanks!

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Wed Mar 14, 2007 7:33 am

Have a look at the man pages for the om*aci commands (omaddaci, ommodaci, etc). They will do what you want, but it is a bit time-consuming to configure. Doable, though, if you need to.

seancb
Posts: 13
Joined: Tue Mar 13, 2007 9:44 am

Postby seancb » Wed Mar 14, 2007 8:46 am

Thanks! I actually stumbled across an earlier answer to a similar question here:
viewtopic.php?t=6336&highlight=groups

I have been looking into it and it looks like removing "read" access to a group for any given entity will disallow sending to that group. Still playing with it. I'll come back here once it's running (for the benefit of future forum searchers :-) )

seancb
Posts: 13
Joined: Tue Mar 13, 2007 9:44 am

Postby seancb » Wed Mar 14, 2007 10:26 am

We cannot get this to work. Here is the scenario we are working on:
We have a "group" set up called "handheld". This is a group as set up in SAC with several members (I suppose it is known as a PDL in the command line). We want to restrict users so that only members can send to the group.

Since we do not want anyone to send to this group unless authorized, we started by executing the following:


omdelaci -l handheld -g default

This seems to have successfully removed the ability of any non-admins to send to the group (either internal or external). So far so good.

Then we tried explicitly allowing a user to "read" the list:


omaddaci -l handheld -n "User Name" -c read

Which worked beautifully.

Now, let's say we want to allow only the people IN the handheld group to send to the handheld group. This is where it gets tricky!

Trying to add a group/pdl as a user:


omaddaci -l handheld -n "handheld" -c read

The system accepts this command, but you still cannot send from any users in "handheld". Upon further testing, we found that if we spoofed an email from an external source, and said it came from handheld@ourtestdomain.com, the email goes through. So it appears that by attempting to put a "group" in the ACI, it only allows read access to groupname@domain.com and there is no mechanism in place to cross-reference the actual sender against the PDL group member list.

Trying to add the group/pdl as a group:


omaddaci -l handheld -g "handheld" -c read

The system does not accept this command because handheld is not a recognized group. The term "group" is confusing because in the commandline sense, group refers to administrators versus default users whereas in the SAC, group refers to public distribution lists.

So far the only solution to automate this that we have come up with is to cron a script which uses omshowpdl to generate a list of members which would then be added to the ACI. However, how do we handle the case where someone is removed from the distribution list?

Is there any other way that we can set a distribution list up so that only the members of the said distribution list can send to it? Is there a way we can set up a true "Group" (akin to the administrators group) which could be called "power senders" who can send to every PDL? Basically we want to avoid having to micro-manage the sending permissions from the command line.

Also, is there a way to add an external email address to a PDL without creating them as a "user" on the system?

Thanks!

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Wed Mar 14, 2007 11:35 am

I don't think you can put a PDL into an ACI group at this time. ACIs are not something I've used in a while myself. This is something I think you should put in bugzilla.scalix.com as an enhancement request.

You can always run a cron job (5 minutes?) that checks the PDL memberships against the PDL ACIs and applies any changes to the ACI. That will take care of the removals, but I do agree with you, it's ugly.

The easiest way to add an external address to a PDL is to add it to the system as an "Internet User" (I think), and then hide the entry from the address book. It is possible to add it directly into the PDL, but not via SAC, and the syntax does look ugly.

seancb
Posts: 13
Joined: Tue Mar 13, 2007 9:44 am

Postby seancb » Wed Mar 14, 2007 12:49 pm

OK, we are going to play with some scripts and see if we can come up with something workable. I do think however that restricting send-access for a distribution list to only its members is a pretty basic mailing list function, and one that people would expect to be somewhere in the basic list settings, i.e.

Who can send to this list?
- Everyone
- Only list members
- Only list managers

Once my bugzilla account email comes through, I'll register a request there :-)

edit:
posted here http://bugzilla.scalix.com/show_bug.cgi?id=14950

tanclearas

Postby tanclearas » Fri Mar 16, 2007 3:20 pm

For the benefit of people looking for this in the future. Add this script to cron to have it limit PDL access to only those that are on the PDL. It will not change permissions for PDL managers.


#!/bin/sh
echo "Removing ACI privileges from PDL for local and default groups."
/opt/scalix/bin/omdelaci -l <pdlname> -g local
/opt/scalix/bin/omdelaci -l <pdlname> -g default

echo "Removing all non-manager ACI privileges from PDL."
/opt/scalix/bin/omshowaci -l cn=<pdlname> | /usr/bin/grep -v " modify" | /usr/bin/grep " read$" | sed -e '/\s*read$/s//;/' | awk -F';' '{system("/opt/scalix/bin/omdelaci -l cn=<pdlname> -n \"" $1 "\"")}'

echo "Adding read privileges for PDL members."
/opt/scalix/bin/omshowpdln -l cn=<pdlname> | awk -F'\n' '{system("/opt/scalix/bin/omaddaci -l cn=<pdlname> -n \"" $1 "\" -c +read")}'

echo "Done."


Hope that helps.

Edit: Following script will take PDL name from command line. Could use some cleaning up, but should be enough for people to work with.


#!/bin/sh

PDLNAME=$1

echo "Removing ACI privileges from PDL $PDLNAME for local and default groups."
/opt/scalix/bin/omdelaci -l cn="$PDLNAME" -g local
/opt/scalix/bin/omdelaci -l cn="$PDLNAME" -g default

echo "Removing ACI privileges from PDL (for members with only read privilege)."
/opt/scalix/bin/omshowaci -l cn="$PDLNAME" | /usr/bin/grep -v " modify" | /usr/bin/grep " read$" | sed -e '/\s*read$/s//;/' | awk -F';' '{system("/opt/scalix/bin/omdelaci -l cn=\"'"$PDLNAME"'\" -n \"" $1 "\"")}'

echo "Adding read privileges for PDL members."
/opt/scalix/bin/omshowpdln -l cn="$PDLNAME" | awk -F'\n' '{system("/opt/scalix/bin/omaddaci -l cn=\"'"$PDLNAME"'\" -n \"" $1 "\" -c +read")}'

echo "Done."
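As an added example (not the script above, and not anything shipped with Scalix), here is a reconciliation variant of the same cron-job idea that seancb and Valerion discussed: instead of stripping every read entry and re-adding the members, it diffs the current ACI against the current PDL membership and only issues the omaddaci/omdelaci calls needed, so departed members lose access and nobody else's entry is churned. It runs as a dry run over constructed sample data by default; the SCALIX_APPLY variable is invented for this example, /opt/scalix/bin is taken from the scripts above, the omshowaci line shape is taken from the listings posted later in this thread, and the omshowpdln output is assumed to be one member entry per line, as the script above also assumes.

```shell
#!/bin/sh
# Added example, not the thread's script: keep a PDL's ACI "read" entries in
# sync with its membership by computing a diff instead of deleting and
# re-adding everything. Default is a dry run over constructed sample data;
# SCALIX_APPLY=1 (an environment variable invented for this example) switches
# to the real om* commands, assumed to live in /opt/scalix/bin.

PDL="${PDL:-handheld}"
SCALIX_BIN="${SCALIX_BIN:-/opt/scalix/bin}"

# Constructed stand-in for "omshowaci -l cn=<pdl>" output, shaped like the
# listings posted in this thread: entity, optional address, privilege words.
SAMPLE_ACI='Derek /scalix/CN=Derek                   modify read
Jeffrey /scalix/CN=Jeffrey                 read
Old Hand /scalix/CN=Old Hand               read
Scalix Administrators                      config modify read remove
Local Users                                none
Default                                    none'

# Constructed stand-in for "omshowpdln -l cn=<pdl>" output; like the script
# above, this assumes one member entry per line.
SAMPLE_MEMBERS='Jeffrey /scalix/CN=Jeffrey
Julia /scalix/CN=Julia'

# Entities holding exactly "read" on the list: the ones the sync job owns.
# The built-in group rows and anyone with "modify" (a list manager) are skipped.
aci_read_only() {
    grep -v -e '^Scalix Administrators' -e '^Local Users' -e '^Default' \
        | grep -v '[[:space:]]modify' \
        | grep '[[:space:]]read$' \
        | sed -e 's/[[:space:]]*read$//'
}

# Member names, with trailing whitespace and blank lines dropped.
pdl_members() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print "add NAME" for members lacking read and "del NAME" for read-only
# entities no longer on the list. $1 = omshowaci text, $2 = omshowpdln text.
plan_changes() {
    have=$(mktemp) || return 1
    printf '%s\n' "$1" | aci_read_only | sort -u > "$have"
    printf '%s\n' "$2" | pdl_members | sort -u | comm -23 - "$have" | sed 's/^/add /'
    printf '%s\n' "$2" | pdl_members | sort -u | comm -13 - "$have" | sed 's/^/del /'
    rm -f "$have"
}

# Run a command, or just echo it when not applying for real.
run() {
    if [ "${SCALIX_APPLY:-0}" = 1 ]; then "$@"; else echo "DRY RUN: $*"; fi
}

# Translate plan lines from stdin into omaddaci / omdelaci calls. Names are
# passed as single arguments, so spaces in display names survive.
apply_plan() {
    while read -r action name; do
        case "$action" in
            add) run "$SCALIX_BIN/omaddaci" -l "cn=$PDL" -n "$name" -c +read ;;
            del) run "$SCALIX_BIN/omdelaci" -l "cn=$PDL" -n "$name" ;;
        esac
    done
}

if [ "${SCALIX_APPLY:-0}" = 1 ]; then
    aci=$("$SCALIX_BIN/omshowaci" -l "cn=$PDL")
    members=$("$SCALIX_BIN/omshowpdln" -l "cn=$PDL")
else
    aci=$SAMPLE_ACI
    members=$SAMPLE_MEMBERS
fi
plan_changes "$aci" "$members" | apply_plan
```

With the sample data the plan is "add Julia" and "del Old Hand"; Derek is left alone because his modify bit marks him as a manager, and Jeffrey is unchanged because he already has read. Run it from cron with PDL set and SCALIX_APPLY=1 once a dry run shows the expected plan; keeping the default/local group rows untouched here matches the earlier posts, where removing read from those is a one-off step rather than something to redo every few minutes.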

kluss0
Posts: 118
Joined: Sat Jan 07, 2006 1:40 pm

Postby kluss0 » Wed Aug 01, 2007 7:27 am

I know that this is a few months old, but I just came across the thread because I am having issues with something similar. I have two Scalix servers clustered, one in the US and one in India. All of the PDLs reside on the mail server in the US. However, if I limit access to the PDLs by removing read access for default, then people on the other mail node cannot send mail to that PDL. It would be nice if "Local" applied to all mail nodes in a cluster....

It would be even nicer to have "Mailing List" capabilities (think Mailman) for the PDLs, with more granular control in SAC.

pault

A related issue...

Postby pault » Wed Oct 01, 2008 10:28 am

I found this topic looking for a solution to a similar problem, and of the few that mention omaddaci, it is the most detailed, so I will reply here...

Scalix 11.4.1 Enterprise
scalix_connect_outlook 11.4.1
Myself and the co-workers mentioned below are all premium account users, if that makes a difference, but this needs to work for all (even pop/imap) users we have....

We just want to restrict emails to PDLs to local Scalix users. Say our PDL is Test and it's mapped to test@example.com. I was able to accomplish what I wanted (I thought) with this:

omdelaci -l cn=test -g default

This looked to work--I was able to send an email to the PDL's address from my internal email address, but not from my external webmail.

However, when my co-workers try to send from their internal email addresses to test@example.com, it kicks back a message like this:

----------------------------- ERROR REPORT -----------------------------
Message could not be delivered to the following recipient:

         / internet
                        DDT1=RFC-822; DDV1=test@example.com;

    because: 'Recipient name not found at destination'   [OM 9300]

Supplementary Information:

550 5.1.1 <test@example.com>... User unknown

    The message was forwarded to the local Error Manager:
            sxadmin / testserver/CN=sxadmin
------------------------------------------------------------------------


However, if they do the following in Outlook, it works:
Click the "To" button on a new email message
In the "Select Names" window, find the "Test" (bolded) PDL, select it
Send their email

So to summarize:
I can send either way, by manually typing test@example.com into the To field, or by selecting it from the list of contacts that Scalix populates

My co-workers can only send by selecting the PDL from Outlook's contact listing. If they type in the address manually, it bounces back, as above.

Ideas? What should we try next?

schmoe90
Scalix
Posts: 900
Joined: Mon May 07, 2007 11:51 am

Postby schmoe90 » Wed Oct 01, 2008 11:01 am

Check the ACI:


# omshowaci -l <pdl>
Scalix Administrators                    config modify read remove
Local Users                              modify read remove
Default                                  none

pault

Postby pault » Wed Oct 01, 2008 12:20 pm

schmoe90 wrote: Check the ACI:

# omshowaci -l <pdl>

<each user in group>                     modify read

Scalix Administrators                    config modify read remove
Local Users                              read
Default                                  none

schmoe90
Scalix
Posts: 900
Joined: Mon May 07, 2007 11:51 am

Postby schmoe90 » Wed Oct 01, 2008 6:22 pm

That's weird... I just tested here with Outlook, and it doesn't matter if I pull it from the directory or send it to the pdl@domain.com address, it works.

I can see why it's failing - it's sending it to the internet gateway, ie you're no longer a "local" user as it's going out and coming in again, but I don't know why it's sending it there.

If you shut down Local Delivery and the Internet Mail Gateway, and send a message to Test PDL and pdl@domain.com, they should both end up in the Local Delivery queue. Can you test that, plus make sure that test@example.com is absolutely the address for the PDL - I use omsearch -e s=pdl...

kabalah
Posts: 39
Joined: Tue May 02, 2006 8:10 pm

why is this so difficult?

Postby kabalah » Tue Dec 30, 2008 2:08 pm

Did this ever get resolved? I'm still having problems with this.

Here's what my output of omshowaci gives:

# omshowaci -l everyone
Derek /scalix/CN=Derek modify read
Jeffrey /scalix/CN=Jeffrey modify read
Michael /scalix/CN=Michael modify read
Julia /scalix/CN=Julia modify read
Melissa /scalix/CN=Melissa modify read
George /scalix/CN=George modify read

Scalix Administrators config modify read remove
Local Users none
Default none

So, the intent is to allow only those specific users to be able to send to the PDL everyone, but it seems that only Scalix administrators can use the PDL.... How should this be set up?

jim

schmoe90
Scalix
Posts: 900
Joined: Mon May 07, 2007 11:51 am

Postby schmoe90 » Tue Dec 30, 2008 2:37 pm

People sending to the PDL need read access, that's it. What client are you using?

kabalah
Posts: 39
Joined: Tue May 02, 2006 8:10 pm

omxxxaci commands

Postby kabalah » Tue Dec 30, 2008 3:45 pm

they are using outlook.
j

