email config

Printable View

October 15th, 2002, 06:59 PM
souleman

email config

In our current situation we have 2 email servers. Internally, we have a Microsoft Mail server
that handles all our mail between employees. Every employee has an account on that server.
Externally, our ISP is hosting our SMTP server to handle our Internet mail. Only certain employees
have accounts with our ISP.

Here is the situation. We want to replace Microsoft Mail with a Linux solution. Sendmail, qmail, postfix,
etc. doesn't matter. Every employee will need an account on this server to handle the internal mail system.
We also want this machine to pull email in from our ISP's POP server. Here is the problem. Since this
machine will be running SMTP, how do we restrict which employees have the ability to send mail out of our
system? We don't want everyone sending messages to the Internet, but some people still have to. But everyone
still needs to be able to send internal messages.
October 15th, 2002, 08:17 PM
DjM

This is just a thought and may be more work than you planned on but I think you might be able to control it via a Firewall rule(s). My thought here would be to create a rule for those who allowed to send and receive Internet mail which would require the user to authenticate to the firewall (out-bound), once authenticated, those users would be allow to send & receive SMTP, all other users would be dropped at the firewall.
The downside is the 'authorized' users would have to be trained and remember to authenticate or their mail would be stopped, also, it would have a degree of administration associated to this solution.

Just a thought Souleman.

Cheers:
October 15th, 2002, 10:37 PM
slarty

Don't know exactly how you would do it - but presumably it would be possible to write some sort of filter which prevents relaying of messages to an external address if their return path isn't an authorised internal address.

This doesn't prevent forged messsages from getting out, but stops the users with internal access only from trivially sending messages out to the internet.

I suppose the next level up would be to insist that all messages relayed out to the internet are digitally signed by a key that has been certified - which makes it difficult to forge. This would also require some effort on the part of admin and users - however it might be desirable for messages to be signed anyway.

Users of other external mail systems that don't understand the signatures would be ok though they'd just see a bit of cruft along with the messages.
October 15th, 2002, 10:56 PM
Tedob1

make sure the people who need to send external mail have win2k. configure the smtp server on each mach to send, and point their client to loopback. Everyone else internelly can use the linux smtp server and everyone uses the pop server. You interal DNS machines should send internel mail from the 2k machines to the destinations on the linux box without passing you gateway.

your firewall would need to be set for any outgoing smtp or list all the allowed machines
October 16th, 2002, 06:38 AM
Tedob1

argosoft has a freeware version of their mail sever that would also work. you could also keep the ms server on the network just for outgoing mail, set a password to athentacate and set it in the clients.