Sun Java System Messaging Server 6.3 Administration Guide

18.3.4 PORT_ACCESS Mapping Table

The Dispatcher is able to selectively accept or reject incoming connections based on IP address and port number. At Dispatcher startup time, the Dispatcher will look for a mapping table named PORT_ACCESS. If present, the Dispatcher will format connection information in the following form:

TCP|server-address|server-port|client-address|client-port

The Dispatcher tries to match against all PORT_ACCESS mapping entries. If the result of the mapping contains $N or $F, the connection will be immediately closed. Any other result of the mapping indicates that the connection is to be accepted. $N or $F may optionally be followed by a rejection message. If present, the message will be sent back down the connection just prior to closure. Note that a CRLF terminator will be appended to the string before it is sent back down the connection.


Note –

The MMP does not make use of the PORT_ACCESS mapping table. If you wish to reject SMTP connections from certain IP addresses and you are using the MMP, you must use the TCPAccess option; see 7.5.1 To Configure Mail Access with MMP. To control SMTP connections using mapping tables, use the INTERNAL_IP mapping table (see 18.6.1 Allowing SMTP Relaying for External Sites).


The flag $< followed by an optional string causes Messaging Server to send the string to syslog (UNIX) or to the event log (NT) if the mapping probe matches. The flag $> followed by an optional string causes Messaging Server to send the string to syslog (UNIX) or to the event log (NT) if access is rejected. If bit 1 (value 2) of the LOG_CONNECTION MTA option is set and the $N flag is set so that the connection is rejected, then also specifying the $T flag causes a “T” entry to be written to the connection log. If bit 4 (value 16) of the LOG_CONNECTION MTA option is set, site-supplied text may be provided in the PORT_ACCESS entry for inclusion in the “C” connection log entries; to specify such text, include two vertical bar characters in the right-hand side of the entry, followed by the desired text. Table 18–3 lists the available flags.

In earlier versions of Messaging Server (6.2 and before) the PORT_ACCESS mapping was only reevaluated by the SMTP server (as opposed to the dispatcher) when bit 4 (value 16) of the LOG_CONNECTION MTA option was set, SMTP auth was enabled, or both. Additionally, evaluation only occurred when an AUTH, EHLO, or HELO command was issued. This has now been changed; PORT_ACCESS is now evaluated unconditionally as soon as the SMTP server thread starts, before the banner is sent.

Table 18–3 PORT_ACCESS Mapping Flags

Flag                Description

$Y                  Allow access.

$U                  Selectively enable channel level debugging.

Flags with arguments, in argument reading order+

$< string           Send string to syslog (UNIX) or to the event log (NT) if the probe matches.

$> string           Send string to syslog (UNIX) or to the event log (NT) if access is rejected.

$N string           Reject access with the optional error text string.

$F string           Synonym for $N string; that is, reject access with the optional error text string.

Ruleset             Not used, but you must enter an empty value (double bar with no space, “||”) if you want to use any of the flags below.

Realm               Not used, but you must enter an empty value (double bar with no space, “||”) if you want to use any of the flags below.

Application Info    If bit 4 (value 16) of the LOG_CONNECTION MTA option is set, PORT_ACCESS is allowed to add text to the application information string, and this is where that text is specified. If it is not used, you must enter an empty value (double bar with no space, “||”) if you want to use any of the flags below.

$D                  Causes an additional argument to be read from the template result after the mandatory SMTP auth ruleset and realm, and the optional application information addition. This value must be an integer with the same semantics as the BANNER_PURGE_DELAY value; that is, it specifies the number of centiseconds to delay before purging and sending the banner. A value of 0 disables both the delay and the purge. Note that any PORT_ACCESS mapping setting overrides the BANNER_PURGE_DELAY SMTP channel option. See 14.10.1 Anti-Spam Technique: Delay Sending the SMTP Banner for details on using this anti-spam feature.

$T text             If bit 1 (value 2) of the LOG_CONNECTION MTA option is set and the $N flag is set so that the connection is rejected, then $T outputs the entire right-hand-side text in a “T” record. The T log entry includes the entire mapping result string ($N and its string). In contrast, bit 4 of LOG_CONNECTION has a different effect: it causes material after two vertical bars to be included in normal “C” (connection close) records.

+To use multiple flags with arguments, separate the arguments with the vertical bar character, |, placing the arguments in the order listed in this table.

For example, the following mapping accepts SMTP connections (to port 25, the normal SMTP port) only from a single network, except for one host on that network that is singled out for rejection without explanatory text. Entries are tried in order and the first match wins, so the host-specific $N entry must come before the network-wide $Y entry. A space inside rejection text must be written as a dollar sign followed by a space ($ ), because an unquoted space would end the template:


PORT_ACCESS

  TCP|*|25|192.123.10.70|*  $N500
  TCP|*|25|192.123.10.*|*   $Y
  TCP|*|25|*|*              $N500$ Bzzzt$ thank$ you$ for$ playing.
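To check a PORT_ACCESS table offline before restarting the Dispatcher, the following simulator (an added example, not Messaging Server code) builds the probe string described above, scans the entries in order, and interprets $Y, $N, $F, $< and $> according to this section. It assumes that a * wildcard stays within one |-delimited field, that a probe matching no entry is accepted, and that only the three argument-taking flags $<, $> and $N/$F are modelled; the port 587 entry in the sample table is constructed here to exercise those arguments and is not part of the original example.

```python
"""Offline simulator of the Dispatcher's PORT_ACCESS evaluation.

Added example, not Messaging Server code.  It models only what the
section documents: the TCP|server|port|client|port probe, scanning the
table in order, '*' as a wildcard (assumed here to stay within one
'|'-delimited field), '$ ' as a quoted space in the template, $Y/$N/$F,
the optional rejection text (sent with CRLF appended), and the $< / $>
log strings as '|'-separated arguments in table order.
"""
import re

# Constructed sample table: the three entries from the text plus a fourth
# (port 587) that exercises $< and $> alongside $N.
SAMPLE_TABLE = """
PORT_ACCESS

  TCP|*|25|192.123.10.70|*  $N500
  TCP|*|25|192.123.10.*|*   $Y
  TCP|*|587|*|*             $<submission$ probe$ matched|$>submission$ rejected|$N500$ Use$ port$ 25
  TCP|*|25|*|*              $N500$ Bzzzt$ thank$ you$ for$ playing.
"""

FLAG_CHARS = set("YUNF<>DT")


def build_probe(server_addr, server_port, client_addr, client_port):
    """Format the connection exactly as the Dispatcher does before matching."""
    return f"TCP|{server_addr}|{server_port}|{client_addr}|{client_port}"


def parse_table(text):
    """Return (pattern, template) pairs in file order; order is significant."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "PORT_ACCESS":
            continue
        pattern, template = re.split(r"\s+", line, maxsplit=1)
        entries.append((pattern, template))
    return entries


def pattern_matches(pattern, probe):
    """'*' matches any run of characters inside one field; all else is literal."""
    regex = "".join("[^|]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, probe) is not None


def apply_template(template):
    """Interpret a matched template into a decision plus log/reply strings."""
    result = {"accept": True, "message": None, "log_match": None, "log_reject": None}
    for field in template.split("|"):
        flags = set()
        # Leading '$X' pairs are flags; whatever follows is that field's argument.
        while len(field) >= 2 and field[0] == "$" and field[1] in FLAG_CHARS:
            flags.add(field[1])
            field = field[2:]
        text = field.replace("$ ", " ")  # '$ ' quotes a literal space
        if "<" in flags:
            result["log_match"] = text
        if ">" in flags:
            result["log_reject"] = text
        if "N" in flags or "F" in flags:
            result["accept"] = False
            result["message"] = text
    return result


def decide(table_text, server_addr, server_port, client_addr, client_port):
    """First matching entry wins; no match is treated as accept (assumption)."""
    probe = build_probe(server_addr, server_port, client_addr, client_port)
    for pattern, template in parse_table(table_text):
        if pattern_matches(pattern, probe):
            result = apply_template(template)
            result["matched"] = pattern
            rejected_with_text = not result["accept"] and result["message"]
            # Rejection text goes back down the connection with CRLF appended.
            result["wire_reply"] = result["message"] + "\r\n" if rejected_with_text else None
            return result
    return {"accept": True, "matched": None, "message": None,
            "log_match": None, "log_reject": None, "wire_reply": None}


if __name__ == "__main__":
    for client, port in (("192.123.10.70", 25), ("192.123.10.71", 25),
                         ("198.51.100.9", 25), ("192.123.10.71", 587)):
        print(client, port, decide(SAMPLE_TABLE, "10.0.0.5", port, client, 40001))
```

Running it shows the ordering point from the text: 192.123.10.70 hits the host-specific $N500 entry before the network-wide $Y entry, any other 192.123.10.* host is accepted, and everything else on port 25 falls through to the final rejection with its text.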

Note that you will need to restart the Dispatcher after making any changes to the PORT_ACCESS mapping table so that the Dispatcher will see the changes. (If you are using a compiled MTA configuration, you will first need to recompile your configuration to get the change incorporated into the compiled configuration.)

The PORT_ACCESS mapping table is specifically intended for performing IP-based rejections. For more general control at the email address level, the SEND_ACCESS or MAIL_ACCESS mapping table might be more appropriate.