1 Topic by lakmal

  • lakmal
  • Member
  • Offline
  • Registered: 2011-09-11
  • Posts: 3

Topic: LDAP configuration for access restrctions

Hi,

I am using iRedmail free version. i want to enable some restrictions as given below.

assume there are 4 users call A,B,C & D @example.com

A can send emails to any domain, can receive emails from any domain
B can send emails only to given domains and its sub domains (eg. example.com, test.com), can receive emails from any domain.
C can send and receive emails only to & from given domains and its sub doamins (eg. example.com, test.com)
D can send and receive emails only to & from given email addresses. (eg. admin@example.com, user@test.com)

please help me to configure above given in LDAP directory.

thanks in advance.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: LDAP configuration for access restrctions

To be clear, we have only one edition of iRedMail, it's free and open source, that's what you're running.
The web-based admin panel, iRedAdmin, has two editions: open source edition (free) and Pro edition (commercial).

To enable restrictions:
1) Enable throttling in Policyd: http://iredmail.org/wiki/index.php?titl … Throttling
2) Manage throttling via MySQL command line manually: http://policyd.sf.net/readme.html

3 Reply by lakmal

  • lakmal
  • Member
  • Offline
  • Registered: 2011-09-11
  • Posts: 3

Re: LDAP configuration for access restrctions

Thank you for the clarification and support. I installed recommended services for this purpose as per the given instructions. those services are running perfectly. i have accessed MySQL database. that's also there. But i am struggling, how to configure my requirement. i do not know, how can i apply conditional blacklisting/white-listing. as per my requirement given earlier, user "B" can send emails to a few given domains, other domains should not be accessible. user "C" has restricted to send and receive emails only for a few given domains. To implement this controls, please let me know what tables should i update with what values?

thank you

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: LDAP configuration for access restrctions

lakmal wrote:

how can i apply conditional blacklisting/white-listing. as per my requirement given earlier, user "B" can send emails to a few given domains, other domains should not be accessible. user "C" has restricted to send and receive emails only for a few given domains. To implement this controls, please let me know what tables should i update with what values?

This is per-user black/whitelist.

*) Make sure you have iRedAPD enabled in Postfix. It's enabled by default since iRedMail-0.7.0.

smtpd_recipient_restrictions = ..., check_policy_server inet:127.0.0.1:7777, permit_mynetworks, ...

*) Make sure you have plugin 'block_amavisd_blacklisted_senders' enabled in /opt/iredapd/etc/iredapd.ini:

[ldap]
...
plugins = block_amavisd_blacklisted_senders, ...

It's now ready to configure per-user blacklist/whitelist.

lakmal wrote:

B can send emails only to given domains and its sub domains (eg. example.com, test.com), can receive emails from any domain.

Add below LDAP attributes/values in LDAP server for user B:

mailBlacklistRecipient: @.          # <-- Reject mails sent to all accounts.
mailWhitelistRecipient: @.example.com          # <-- Bypass mails sent to domain "example.com" and its sub-domains.
mailWhitelistRecipient: @.test.com
lakmal wrote:

C can send and receive emails only to & from given domains and its sub doamins (eg. example.com, test.com)

Add below LDAP attributes/values in LDAP server for user C:

amavisBlacklistSender: @.          # <-- Reject mails sent FROM all accounts.
amavisWhitelistSender: @.example.com   # <-- Bypass mails sent FROM domain 'example.com' and its sub-domains.
amavisWhitelistSender: @.test.com

mailBlacklistRecipient: @.          # <-- Reject mails sent to all accounts.
mailWhitelistRecipient: @.example.com          # <-- Bypass mails sent to domain "example.com" and its sub-domains.
mailWhitelistRecipient: @.test.com
lakmal wrote:

D can send and receive emails only to & from given email addresses. (eg. admin@example.com, user@test.com)

Add below LDAP attributes/values in LDAP server for user C:

amavisBlacklistSender: @.          # <-- Reject mails sent FROM all accounts.
amavisWhitelistSender: admin@example.com   # <-- Bypass mails sent FROM user 'admin@example.com'
amavisWhitelistSender: user@test.com

mailBlacklistRecipient: @.          # <-- Reject mails sent to all accounts.
mailWhitelistRecipient: admin@example.com          # <-- Bypass mails sent to user 'admin@example.com'
mailWhitelistRecipient: user@test.com

You can easily manage per-user whitelist/blacklist with iRedAdmin-Pro admin panel. Screenshot:
http://screenshots.iredmail.googlecode.com/hg/iredadmin/user_profile_restrictions.png

5 Reply by lakmal

  • lakmal
  • Member
  • Offline
  • Registered: 2011-09-11
  • Posts: 3

Re: LDAP configuration for access restrctions

Hi,

still no luck...i have done everything as per your instructions..but some confusions are there in my mind. appreciate if you could clarify those. I am not sure the role and the relationship of policyd, iredapd, iredapd-rr, amavis with regard to this postfix implementation. i tried to find a document, which explains how an email pass those services and their responsibility, but i could not..because different posts give different instructions and recommendations.  i have done fresh installations and followed your instructions, still mails are passing system without any halm, even though I applied "@." in amavisBlacklistSender and mailBlacklistRecipient attributes . I am giving you the output of "netstat -ant". Coz, i found some places, it says listener in 7778, where not in my one.. appreciate your help and support.

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4190          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9998          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10031         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10032         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          127.0.0.1:46911         ESTABLISHED
tcp        0      0 127.0.0.1:48388         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:143           127.0.0.1:38845         TIME_WAIT
tcp        0      0 127.0.0.1:46911         127.0.0.1:3306          ESTABLISHED
tcp        0      0 127.0.0.1:48496         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:46996         127.0.0.1:3306          ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:46801         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:46809         ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:48496         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:47075         TIME_WAIT
tcp        0      0 127.0.0.1:389           127.0.0.1:48388         ESTABLISHED
tcp        0      0 127.0.0.1:46809         127.0.0.1:3306          ESTABLISHED
tcp        0     96 192.168.137.97:22       192.168.137.1:53689     ESTABLISHED
tcp        0      0 127.0.0.1:48413         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:46801         127.0.0.1:3306          ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:48413         ESTABLISHED
tcp        0      0 127.0.0.1:46828         127.0.0.1:3306          ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:46828         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:46996         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: LDAP configuration for access restrctions

Could you please post output of command "postconf -n" here? Also, which version of iRedMail are you running (This is important)?

- Policyd is a postfix policy server, refer to this page for more detail: http://policyd.sourceforge.net/readme.html
- iRedAPD and iRedAPD-rr are addition postfix policy servers, they're developed by iRedMail project, used to implement some features which not achieved in Policyd.
- Amavisd is an interface between Postfix and SpamAssassin+ClamAV. Refer to its homepage for more detail: http://www.ijs.si/software/amavisd/