Sun Java System Messaging Server 6.3 Administration Guide

18.2 Controlling Access with Mapping Tables

You can control access to your mail services by configuring certain mapping tables. These mapping tables let you control who can send mail, who can receive mail, or both. Table 18–1 lists the mapping tables described in this section. The application information string supplied to the FROM_ACCESS, MAIL_ACCESS, and ORIG_MAIL_ACCESS mappings includes the system name claimed in the HELO/EHLO SMTP command. This name appears at the end of the string and is separated from the rest of the string (normally “SMTP*”) by a slash. The claimed system name can be useful in blocking some worms and viruses, which often present a distinctive or malformed HELO name. Because the name is supplied by the connecting client and is not verified by the MTA, it can be forged freely; match on it to block known-bad clients, but do not treat it as proof of who is connecting.

18.2.1 Access Control Mapping Tables—Operation

Access control mapping tables use the same general format as all other mapping tables (see 10.3 Mappings File): a mapping table name, followed by a line break, followed by one or more mapping entries. Each entry consists of a search pattern on the left side and a template on the right side. The search pattern selects the messages the entry applies to, and the template specifies the action to take on them. For example:

SEND_ACCESS

 *|Elvis1@sesta.com|*|*      $Y
 *|Nelson7@sesta.com|*|*     $Y
 *|AkiraK@sesta.com|*|*      $Y
 *|*@sesta.com|*|*           $NMail$ Blocked

In this example, mail whose envelope From address is in the domain sesta.com is blocked unless the sender is Elvis1, Nelson7, or AkiraK. Entries are tested in order and the first match is used, so the three $Y entries must precede the catch-all $N entry; if the catch-all were listed first, it would match every sesta.com address and the three exceptions would never be consulted. The $N template rejects the message and returns the text “Mail Blocked” (in a template, a $ followed by a space stands for a literal space, since unquoted whitespace separates the pattern from the template).

The search pattern for an access control mapping entry consists of a number of search criteria separated by vertical bars (|). The order of the search criteria depends on the access mapping table and is described in subsequent sections. As an example, the SEND_ACCESS mapping table has the following search form:

src-channel|from-address|dst-channel|to-address

where src-channel is the channel queueing the message; from-address is the address of the message's originator; dst-channel is the channel to which the message will be queued; and to-address is the address to which the message is addressed. Use of an asterisk in any of these four fields causes that field to match any channel or address, as appropriate.
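The following Python simulator is an added example, not code from Messaging Server, that shows how the probe string and first-match-wins semantics described above interact. It reads the page's SEND_ACCESS example, builds probe strings of the form src-channel|from-address|dst-channel|to-address, and reports the decision; a second, misordered copy of the table shows why the $Y exceptions must come before the catch-all. It also splits the claimed HELO/EHLO name off an application-information string. Assumptions made here and not stated on the page: the channel names tcp_local and l and all addresses in the probes are made up for the demonstration; matching is treated as case-insensitive; only the $Y and $N template prefixes and the * and % wildcards are modelled.

```python
import re

# Constructed sample, copied from the SEND_ACCESS example on this page.
SAMPLE_TABLE = """
SEND_ACCESS

  *|Elvis1@sesta.com|*|*      $Y
  *|Nelson7@sesta.com|*|*     $Y
  *|AkiraK@sesta.com|*|*      $Y
  *|*@sesta.com|*|*           $NMail$ Blocked
"""

# Constructed variant with the catch-all first: demonstrates why order matters.
MISORDERED_TABLE = """
SEND_ACCESS

  *|*@sesta.com|*|*           $NMail$ Blocked
  *|Elvis1@sesta.com|*|*      $Y
  *|Nelson7@sesta.com|*|*     $Y
  *|AkiraK@sesta.com|*|*      $Y
"""


def parse_mapping_table(text):
    """Return (table_name, [(pattern, template), ...]) for one table.

    The first non-blank line is the table name; each later line is a
    pattern, whitespace, and a template. Lines starting with '!' are
    skipped as comments (the mappings-file comment character).
    """
    name, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if name is None:
            name = line
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return name, entries


def pattern_to_regex(pattern):
    """Translate a mapping pattern to a regex: '*' matches any run of
    characters (including '|', so it can span fields), '%' matches one
    character, everything else is literal. Case-insensitive (assumption)."""
    pieces = []
    for ch in pattern:
        pieces.append(".*" if ch == "*" else "." if ch == "%" else re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def apply_template(template):
    """Interpret a $Y (accept) or $N (reject) template. '$ ' stands for a
    literal space, which is why the page writes the reason as 'Mail$ Blocked'."""
    text = template.replace("$ ", " ")
    if text.startswith("$Y"):
        return "accept", text[2:].strip()
    if text.startswith("$N"):
        return "reject", text[2:].strip()
    return "unknown", text


def decide(entries, probe):
    """Try entries in order; the first matching pattern wins. When nothing
    matches, the table takes no action, reported here as 'no-match'."""
    for pattern, template in entries:
        if pattern_to_regex(pattern).match(probe):
            return apply_template(template)
    return "no-match", ""


def send_access_probe(src_channel, from_address, dst_channel, to_address):
    """Build the SEND_ACCESS probe: src-channel|from-address|dst-channel|to-address."""
    return "|".join((src_channel, from_address, dst_channel, to_address))


def claimed_helo_name(app_info):
    """Return the HELO/EHLO name that follows the last '/' in an
    application-information string such as 'SMTP*/mail.example.com'.
    The value is chosen by the connecting client and is not authenticated."""
    _head, sep, tail = app_info.rpartition("/")
    return tail if sep else ""


if __name__ == "__main__":
    _, entries = parse_mapping_table(SAMPLE_TABLE)
    for sender in ("Elvis1@sesta.com", "mallory@sesta.com", "alice@example.net"):
        probe = send_access_probe("tcp_local", sender, "l", "bob@example.com")
        print(probe, "->", decide(entries, probe))
    _, misordered = parse_mapping_table(MISORDERED_TABLE)
    probe = send_access_probe("tcp_local", "Elvis1@sesta.com", "l", "bob@example.com")
    print("misordered table:", decide(misordered, probe))
```

Run as a script, the sample table accepts Elvis1, rejects mallory with "Mail Blocked", and takes no action on a sender outside sesta.com; the misordered table rejects Elvis1 as well, because the catch-all is reached first. Note that a bare * in a pattern can match across the | separators, so a pattern intended for one field can match text in another; keep the non-wildcard parts of a pattern anchored on the surrounding separators, as the page's examples do.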


Note –

Whenever the mappings file is modified, you must recompile the configuration (see 10.1 Compiling the MTA Configuration).


Table 18–1 Access Control Mapping Tables

Mapping Table / Description

SEND_ACCESS (see 18.3.1 SEND_ACCESS and ORIG_SEND_ACCESS Tables)
    Used to block mail based on envelope From address, envelope To address, and source and destination channels. The To address is checked after rewriting, alias expansion, and so on have been performed.

ORIG_SEND_ACCESS (see 18.3.1 SEND_ACCESS and ORIG_SEND_ACCESS Tables)
    Used to block mail based on envelope From address, envelope To address, and source and destination channels. The To address is checked after rewriting but before alias expansion.

MAIL_ACCESS (see 18.3.2 MAIL_ACCESS and ORIG_MAIL_ACCESS Mapping Tables)
    Used to block mail based on the combined information found in the SEND_ACCESS and PORT_ACCESS tables: that is, the channel and address information of SEND_ACCESS together with the IP address and port number information of PORT_ACCESS.

ORIG_MAIL_ACCESS (see 18.3.2 MAIL_ACCESS and ORIG_MAIL_ACCESS Mapping Tables)
    Used to block mail based on the combined information found in the ORIG_SEND_ACCESS and PORT_ACCESS tables: that is, the channel and address information of ORIG_SEND_ACCESS together with the IP address and port number information of PORT_ACCESS.

FROM_ACCESS (see 18.3.3 FROM_ACCESS Mapping Table)
    Used to filter mail based on the envelope From address. Use this table when the decision does not depend on the To address.

PORT_ACCESS (see 18.3.4 PORT_ACCESS Mapping Table)
    Used to block incoming connections based on IP address and port number.

IP_ACCESS (see 18.3.5 IP_ACCESS Mapping Table)
    Used to control connections to a remote server based on the source channel, the number of IP addresses the remote server has, and the index of the IP address currently being tried.

The MAIL_ACCESS and ORIG_MAIL_ACCESS mappings are the most general, having available not only the address and channel information available to SEND_ACCESS and ORIG_SEND_ACCESS, but also any information that would be available via the PORT_ACCESS mapping table, including IP address and port number information.