iPlanet Messaging Server 5.0 Administrator's Guide

Chapter 9   Mail Filtering and Access Control

This chapter discusses how to control access to mail services and how to filter mail using mapping tables and server-side rules (SSR).

You might want to reject messages from (or to) certain users at the system level, or to institute more complex restrictions of message traffic between certain users, or to allow users to set up filters on their own incoming messages (including rejecting messages based on contents of the message headers).

If envelope-level controls are desired, you can use mapping tables to filter mail. If header-based controls are desired or if users wish to implement their own personalized controls, the more general mail filtering approach using server-side rules is likely appropriate.

This chapter is divided into two parts:




Part 1 contains the following sections:

Controlling Access with Mapping Tables

You can control access to your mail services by configuring mapping tables. Mapping tables allow you to control who can or cannot send mail, receive mail, or both. For general information on the format and usage of the mapping files, see the Messaging Server Reference Manual.

Table 9-1 lists the mapping tables described in this section.

Table 9-1 Mapping Tables

Mapping Table



Used to block incoming connections based on envelope From address, envelope To address, source and destination channels. The To address is checked after rewriting, alias expansion, and so on, have been performed



Used to block incoming connections based on envelope From address, envelope To address, source and destination channels. The To address is checked after rewriting but before alias expansion.



Used to block incoming connections based on combined information found in SEND_ACCESS and PORT_ACCESS tables: that is, the channel and address information found in SEND_ACCESS combined with the IP address and port number information found in PORT_ACCESS.

See MAIL_ACCESS and ORIG_MAIL_ACCESS Mapping Tables.  


Used to block incoming connections based on combined information found in ORIG_SEND_ACCESS and PORT_ACCESS tables: that is, the channel and address information found in ORIG_SEND_ACCESS combined with the IP address and port number information found in PORT_ACCESS.

See MAIL_ACCESS and ORIG_MAIL_ACCESS Mapping Tables.  


Used to filter mail based on envelope From addresses. Use this table if the To address is irrelevant.

See FROM_ACCESS Mapping Table  


Used to block incoming connections based on IP number.

See PORT_ACCESS Mapping Table.  

The MAIL_ACCESS and ORIG_MAIL_ACCESS mappings are the most general, having available not only the address and channel information available to SEND_ACCESS and ORIG_SEND_ACCESS, but also any information that would be available via the PORT_ACCESS mapping table, including IP address and port number information.


You can use the SEND_ACCESS and ORIG_SEND_ACCESS mapping tables to control who can or cannot send mail, receive mail, or both. The access checks have available a message's envelope From: address and envelope To: addresses, and knowledge of what channel the message came in, and what channel it would attempt to go out.

If a SEND_ACCESS or ORIG_SEND_ACCESS mapping table exists, then for each recipient of every message passing through the MTA, the MTA will scan the table with a string of the following form (note the use of the vertical bar character, |):


The src-channel is the channel queueing the message; from-address is the address of the message's originator; dst-channel is the channel to which the message will be queued; and to-address is the address to which the message is addressed. Use of an asterisk in any of these four fields causes that field to match any channel or address, as appropriate.

The addresses here are envelope addresses; that is, envelope From: address and envelope To: address. In the case of SEND_ACCESS, the envelope To: address is checked after rewriting, alias expansion, etc., have been performed; in the case of ORIG_SEND_ACCESS the originally specified envelope To: address is checked after rewriting, but before alias expansion.

If the search string matches a pattern (that is, the left-hand side of an entry in the table), then the resulting output of the mapping is checked. If the output contains the flags $Y or $y, then the enqueue for that particular To: address is permitted. If the output contains any of the flags $N, $n, $F, or $f, then the enqueue to that particular address is rejected. In the case of a rejection, optional rejection text may be supplied in the mapping output. This string will be included in the rejection error the MTA issues. If no string is output (other than the $N, $n, $F, or $f flag), then default rejection text will be used. For descriptions of additional flags, see Mapping Table Flags.

In the following example, mail sent from UNIX user agents such as mail, Pine, and so on, originates from the local, l, channel and messages to the Internet go out a TCP/IP channel of some sort. Suppose that local users, with the exception of the postmaster, are not allowed to send mail to the Internet but can receive mail from there. Then the SEND_ACCESS mapping table shown in Figure 9-1 is one possible way to enforce this restriction. In the mapping table, the local host name is assumed to be In the channel name "tcp_*", a wild card is used so as to match any possible TCP/IP channel name (for example, tcp_local).

In the rejection message, dollar signs are used to quote spaces in the message. Without those dollar signs, the rejection would be ended prematurely and only read "Internet" instead of "Internet postings are not permitted." Note that this example ignores other possible sources of "local" postings such as from PC-based mail systems or from POP or IMAP clients.

Figure 9-1    SEND_ACCESS Mapping Table


  *||*|*    $Y
  *|*|*|    $Y
  l|*|tcp_*|*         $NInternet$ postings$ are$ not$ \

Note The client attempting to send the message determines whether the MTA rejection error text is actually presented to the user who attempted to send the message. If SEND_ACCESS is used to reject an incoming SMTP message, the MTA merely issues an SMTP rejection code including the optional rejection text; it is up to the sending SMTP client to use that information to construct a bounce message to send back to the original sender.


The MAIL_ACCESS mapping table is a superset of the SEND_ACCESS and PORT_ACCESS mapping tables. It combines both the channel and address information of SEND_ACCESS with the IP address and port number information of PORT_ACCESS. Similarly, the ORIG_MAIL_ACCESS mapping table is a superset of the ORIG_SEND_ACCESS and PORT_ACCESS mapping tables. The format for the probe string for MAIL_ACCESS is:


Similarly, the format for the probe string for ORIG_MAIL_ACCESS is:


Here port-access-probe-info consists of all the information usually included in a PORT_ACCESS mapping table probe in the case of incoming SMTP messages; otherwise, it is blank. app-info is usually SMTP in the case of messages submitted via SMTP; otherwise it is blank. submit-type may be one of MAIL, SEND, SAML, or SOML, corresponding to how the message was submitted into Messaging Server. Normally the value is MAIL, meaning it was submitted as a message; SEND, SAML, or SOML can occur in the case of broadcast requests (or combined broadcast/message requests) submitted to the SMTP server. And for the MAIL_ACCESS mapping, send-access-probe-info consists of all the information usually included in a SEND_ACCESS mapping table probe. Similarly for the ORIG_MAIL_ACCESS mapping, orig-send-access-probe-info consists of all the information usually included in an ORIG_SEND_ACCESS mapping table probe.

Having the incoming TCP/IP connection information available in the same mapping table as the channel and address information makes it more convenient to impose certain sorts of controls, such as enforcing what envelope From: addresses are allowed to appear in messages from particular IP addresses. This can be desirable to limit cases of email forgery, or to encourage users to configure their POP and IMAP clients' From: address appropriately. For example, a site that wishes to allow the envelope From: address to appear only on messages coming from the IP address and, and to ensure that the envelope From: addresses on messages from any systems in the subnet are from, might use a MAIL_ACCESS mapping table as shown in Figure 9-2.

Figure 9-2    MAIL_ACCESS Mapping Table


  ! Entries for vip's two systems
  TCP|*|25||*|SMTP|MAIL|tcp_*||*|* $Y
  TCP|*|25||*|SMTP|MAIL|tcp_*||*|* $Y
  ! Disallow attempts to use vip's From: address from other
  ! systems
  TCP|*|25|*|*|SMTP|MAIL|tcp_*||*|* \
      $N500$ Not$ authorized$ to$ use$ this$ From:$ address
  ! Allow sending from within our subnet with From:
  ! addresses
  TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*|*|* $Y
  ! Allow notifications through
  TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*||*|* $Y
  ! Block sending from within our subnet with
  ! addresses
  TCP|*|25|1.2.*.*|*|SMTP|MAIL|tcp_*|*|*|* \
      $NOnly$$ From:$ addresses$ authorized

FROM_ACCESS Mapping Table

The FROM_ACCESS mapping table may be used to control who can send mail, or to override purported From: addresses with authenticated addresses, or both.

The input probe string to the FROM_ACCESS mapping table is similar to that for a MAIL_ACCESS mapping table, minus the destination channel and address, and with the addition of authenticated sender information, if available. Thus, if a FROM_ACCESS mapping table exists, then for each attempted message submission, Messaging Server will search the table with a string of the form (note the use of the vertical bar character, |):


Here port-access-probe-info consists of all the information usually included in a PORT_ACCESS mapping table probe in the case of incoming SMTP messages; otherwise, it is blank. app-info is usually SMTP in the case of messages submitted via SMTP; otherwise, it is blank. submit-type may be one of MAIL, SEND, SAML, or SOML, corresponding to how the message was submitted into the MTA. Normally the value is MAIL, meaning it was submitted as a message; SEND, SAML, or SOML can occur in the case of broadcast requests (or combined broadcast/message requests) submitted to the SMTP server. src-channel is the channel originating the message (i.e., queueing the message); from-address is the address of the message's purported originator; and auth-from is the authenticated originator address, if such information is available, or blank if no authenticated information is available.

If the probe string matches a pattern (that is, the left-hand side of an entry in the table), the resulting output of the mapping is checked. If the output contains the flags $Y or $y, then the enqueue for that particular To: address is permitted. If the output contains any of the flags $N, $n, $F, or $f, then the enqueue to that particular address is rejected. In the case of a rejection, optional rejection text may be supplied in the mapping output. This string will be included in the rejection error Messaging Server issues. If no string is output (other than the $N, $n, $F, or $f flag), then default rejection text will be used. For descriptions of additional flags, seeMapping Table Flags.

Besides determining whether to allow a message to be submitted based on the originator, FROM_ACCESS can also be used to alter the envelope From: address via the $J flag, or to modify the effect of the authrewrite channel keyword (adding a Sender: header address on an accepted message) via the $K flag. For instance, this mapping table can be used to cause the original envelope From: address to simply be replaced by the authenticated address:


  *|SMTP|*|tcp_local|*|       $Y
  *|SMTP|*|tcp_local|*|*      $Y$J$3

When using the FROM_ACCESS mapping table to modify the effect on having authrewrite set to a nonzero value on some source channel, it is not necessary to use FROM_ACCESS if the authenticated address is going to be used verbatim.

For example, with authrewrite 2 set on the tcp_local channel, the following FROM_ACCESS mapping table would not be necessary because authrewrite alone is sufficient to get this effect (adding the authenticated address verbatim):


  *|SMTP|*|tcp_local|*|     $Y
  *|SMTP|*|tcp_local|*|*    $Y$K$3

However, the real purpose of FROM_ACCESS is to permit more complex and subtle alterations, as shown in Figure 9-3. The authrewrite keyword alone is appropriate if you want to add a Sender: header line (showing the SMTP AUTH authenticated submitter address) to incoming messages. However, suppose you want to force the addition of such a Sender: header line to incoming messages only if the SMTP AUTH authenticated submitter address differs from the envelope From: address (that is, not bother to add a Sender: header line if the addresses match), and suppose further that you wish the SMTP AUTH and envelope From: addresses will not be considered to differ merely because the envelope From: includes optional subaddress information.

Figure 9-3    FROM_ACCESS Mapping Table


  ! If no authenticated address is available, do nothing
  *|SMTP|*|tcp_local|*| $Y
  ! If authenticated address matches envelope From:, do nothing
  *|SMTP|*|tcp_local|*|$2* $Y
  ! If authenticated address matches envelope From: sans
  ! subaddress, do nothing
  *|SMTP|*|tcp_local|*+*@*|$2*@$4* $Y
  ! Fall though to...
  ! ...authenticated address present, but didn't match, so force
  ! Sender: header
  *|SMTP|*|tcp_local|*|* $Y$K$3

PORT_ACCESS Mapping Table

The Dispatcher is able to selectively accept or reject incoming connections based on IP address and port number. At Dispatcher startup time, the Dispatcher will look for a mapping table named PORT_ACCESS. If present, the Dispatcher will format connection information in the following form:


The Dispatcher tries to match against all PORT_ACCESS mapping entries. If the result of the mapping contains $N or $F, the connection will be immediately closed. Any other result of the mapping indicates that the connection is to be accepted. $N or $F may optionally be followed by a rejection message. If present, the message will be sent back down the connection just prior to closure. Note that a CRLF terminator will be appended to the string before it is sent back down the connection.

The flag $< followed by an optional string causes Messaging Server to send the string to syslog (UNIX) or to the event log (NT) if the mapping probe matches. The flag $> followed by an optional string causes Messaging Server to send the string as to syslog (UNIX) or to the event log (NT) if access is rejected. If bit 1 of the LOG_CONNECTION MTA option is set and the $N flag is set so that the connection is rejected, then also specifying the $T flag will cause a "T" entry to be written to the connection log. If bit 4 of the LOG_CONNECTION MTA option is set, then site-supplied text may be provided in the PORT_ACCESS entry to include in the "C" connection log entries. To specify such text, include two vertical bar characters in the right-hand side of the entry, followed by the desired text. Table 9-2 lists the available flags.

Table 9-2 PORT_ACCESS Mapping Flags




Allow access.  

Flags with arguments, in argument reading order+

$< string  

Send string to syslog (UNIX) or to the event log (NT) if probe matches.  

$> string  

Send string to syslog (UNIX) or to the event log (NT) if access is rejected.  

$N string  

Reject access with the optional error text string  

$F string  

Synonym for $N string; that is, reject access with the optional error text string  

$T text  

If bit 1 of the LOG_CONNECTION MTA option is set and the $N flag is set so that the connection is rejected, then $T causes a "T" entry to be written to the connection log; the optional text (which must appear subsequent to two vertical bar characters) may be included in the connection log entry.  

+To use multiple flags with arguments, separate the arguments with the vertical bar character, |, placing the arguments in the order listed in this table.

For example, the following mapping will only accept SMTP connections (to port 25, the normal SMTP port) from a single network, except for a particular host singled out for rejection without explanatory text:


  TCP|*|25||*  $N500
  TCP|*|25|192.123.10.*|*   $Y
  TCP|*|25|*|*              $N500$ Bzzzt$ thank$ you$ for$ \

Note that you will need to restart the Dispatcher after making any changes to the PORT_ACCESS mapping table so that the Dispatcher will see the changes. (If you are using a compiled MTA configuration, you will first need to recompile your configuration to get the change incorporated into the compiled configuration.)

The PORT_ACCESS mapping table is specifically intended for performing IP-based rejections. For more general control at the email address level, the SEND_ACCESS or MAIL_ACCESS mapping table, might be more appropriate.

When Access Controls Are Applied

Messaging Server checks access control mappings as early as possible. Exactly when this happens depends upon the email protocol in use—when the information that must be checked becomes available.

For the SMTP protocol, a FROM_ACCESS rejection occurs in response to the MAIL FROM: command, before the sending side can send the recipient information or the message data. A SEND_ACCESS or MAIL_ACCESS rejection occurs in response to the RCPT TO: command, before the sending side gets to send the message data. If an SMTP message is rejected, Messaging Server never accepts or sees the message data, thus minimizing the overhead of performing such rejections.

If multiple access control mapping tables exist, Messaging Server checks them all. That is, a FROM_ACCESS, a SEND_ACCESS, an ORIG_SEND_ACCESS, a MAIL_ACCESS, and ORIG_MAIL_ACCESS mapping tables may all be in effect.

Testing Access Control Mappings

The imsimta test -rewrite utility—particularly with the -from, -source_channel, and -destination_channel options—can be useful in testing access control mappings. For example, Figure 9-4 shows a sample SEND_ACCESS mapping table and the resulting probe.

Figure 9-4    Sample SEND_ACCESS Mapping Table and Probe


  tcp_local||l|     $Y
  tcp_local||l|  $NGo$ away!


_$ /SOURCE=tcp_local/DESTINATION=l
Submitted address list:
    User (SESTA.COM) *NOTIFY FAILURES* *NOTIFY DELAYS* Submitted notifications list:

_$ /SOURCE=tcp_local/DESTINATION=l
Submitted address list:
Address list error -- 5.7.1 Go away!

Submitted notifications list:

Configuring SMTP Relay Blocking

You can use access control mappings to prevent people from relaying SMTP mail through your Messaging Server system. For example, you can prevent people from using your mail system to relay junk mail to hundreds or thousands of Internet mailboxes.

By default, Messaging Server prevents all SMTP relaying activity, including relaying by local POP and IMAP users.

Blocking unauthorized relaying while allowing it for legitimate local users requires configuring Messaging Server to know how to distinguish between the two classes of users. For example, local users using POP or IMAP depend upon Messaging Server to act as an SMTP relay.

To prevent SMTP relay, you must be able to:

To enable SMTP relay by internal hosts and clients, you must add your "internal" IP addresses or subnets to the INTERVAL_IP mapping table.

Differentiate Between Internal and External Mail

In order to block mail relaying activities, you must first be able to differentiate between internal mail originated at your site and external mail originated out on the Internet and passing through your system back out to the Internet. The former class of mail you want to permit; the latter class you want to block. This differentiation is achieved using the switchchannel keyword on your inbound SMTP channel, usually the tcp_local channel.

The switchchannel keyword works by causing the SMTP server to look at the actual IP address associated with the incoming SMTP connection. Messaging Server uses that IP address, in conjunction with your rewrite rules, to differentiate between an SMTP connection originated within your domain and a connection from outside of your domain. This information can then be used to segregate the message traffic between internal and external traffic.

The following steps describe how to change your MTA configuration so that the server can differentiate between your internal and external message traffic.

  1. In your configuration file, locate your local store channel. Immediately before the local channel, add a defaults channel with the noswitchchannel keyword, as shown in the following example:

    ! final rewrite rules
    defaults noswitchchannel
    ! Local store
    ims-ms ...

    If you already have a defaults channel at this point in your configuration file, then simply add the noswitchchannel keyword to it.

  2. Modify your incoming TCP/IP channel to specify the switchchannel and remotehost keywords; for example:

    tcp_local smtp single_sys mx switchchannel remotehost

  3. After your incoming TCP/IP channel definition, add a similar new channel but with a different name; for example:

    tcp_internal smtp single_sys mx allowswitchchannel routelocal

    The routelocal channel keyword is used to cause short-circuited rewriting of source routed addresses through this channel, thereby blocking possible attempts to relay by means of looping through internal SMTP hosts via explicitly source routed addresses.

  4. Add rewrite rules to route hosts and IP addresses in your domain to the tcp_internal channel. For instance, if your domain name is and your domain's IP numbers are in the [a.b.subnet] range, then add to the top of your configuration file the following rewrite rules      $U%$H$D@TCP-INTERNAL
    [a.b.]           $U%[a.b.$L]@TCP-INTERNAL$E$R

With the above configuration changes, SMTP mail generated within your domain will come in via the tcp_internal channel. All other SMTP mail will come in via the tcp_local channel. You can therefore distinguish between internal and external mail based upon which channel it comes in on.

How does the above work? The key is the switchchannel keyword. In Step 2, the keyword is applied to the tcp_local channel. When a message comes in your SMTP server, that keyword causes the server to look at the source IP address associated with the incoming connection. The server attempts a reverse-pointing envelope rewrite of the literal IP address of the incoming connection, looking for an associated channel. If that rewrite matches a local host of yours, then the rewrite rules added in Step 4 cause the address to rewrite to the tcp_internal channel added in Step 3.

Since the tcp_internal channel is marked with the allowswitchchannel keyword, the message is switched to the tcp_internal channel and comes in on that channel. If the message comes in from an external source, the IP address will not correspond to an internal source. In that case the reverse-pointing envelope rewrite will either rewrite to the tcp_local channel or to some other channel. However, it will not rewrite to the tcp_internal channel and since all other channels were marked noswitchchannel in Step 1, the message will not switch to another channel and will remain with the tcp_local channel.

Note Note that any mapping table or conversion file entries which use the string "tcp_local" may need to be changed to either "tcp_*" or "tcp_internal" depending upon the usage.

Differentiate Authenticated Users' Mail

Your site might have "local" client users who are not part of your physical network. When these users submit mail, the message submissions come in from an external IP address—for instance, arbitrary Internet Service Providers. If your users use mail clients that can perform SASL authentication, then their authenticated connections can be distinguished from arbitrary other external connections. The authenticated submissions you can then permit, while denying non-authenticated relay submission attempts. Differentiating between authenticated and non-authenticated connections is achieved using the saslswitchchannel keyword on your inbound SMTP channel, usually the tcp_local channel.

The saslswitchchannel keyword takes an argument specifying the channel to switch to; if an SMTP sender succeeds in authenticating, then their submitted messages are considered to come in the specified switched to channel.

To add distinguishing authenticated submissions:

  1. In your configuration file, add a new TCP/IP channel definition with a distinct name; for example:

    tcp_auth smtp single_sys mx mustsaslserver noswitchchannel

    This channel should not allow regular channel switching (that is, it should have noswitchchannel on it either explicitly or implied by a prior defaults line). This channel should have mustsaslserver on it.

  2. Modify your tcp_local channel by adding maysaslserver and saslswitchchannel tcp_auth, as shown in the following example:

    tcp_local smtp mx single_sys maysaslserver saslswitchchannel tcp_auth \

With this configuration, SMTP mail sent by users who can authenticate with a local password will now come in the tcp_auth channel. Unauthenticated SMTP mail sent from internal hosts will still come in tcp_internal. All other SMTP mail will come in tcp_local.

Prevent Mail Relay

Now to the point of this example: preventing unauthorized people from relaying SMTP mail through your system. First, keep in mind that you want to allow local users to relay SMTP mail. For instance, POP and IMAP users rely upon using Messaging Server to send their mail. Note that local users may either be physically local, in which case their messages come in from an internal IP address, or may be physically remote but able to authenticate themselves as local users.

You want to prevent random people out on the Internet from using your server as a relay. With the configuration described in the following sections, you can differentiate between these classes of users and block the correct class. Specifically, you want to block mail from coming in your tcp_local channel and going back out that same channel. To that end, an ORIG_SEND_ACCESS mapping table is used.

An ORIG_SEND_ACCESS mapping table may be used to block traffic based upon the source and destination channel. In this case, traffic from and back to the tcp_local channel is to be blocked. This is realized with the following ORIG_SEND_ACCESS mapping table:


   tcp_local|*|tcp_local|*        $NRelaying$ not$ permitted

In this example, the entry states that messages cannot come in the tcp_local channel and go right back out it. That is, this entry disallows external mail from coming in your SMTP server and being relayed right back out to the Internet.

An ORIG_SEND_ACCESS mapping table is used rather than a SEND_ACCESS mapping table so that the blocking will not apply to addresses that originally match the ims-ms channel (but which may expand via an alias or mailing list definition back to an external address). With a SEND_ACCESS mapping table one would have to go to extra lengths to allow outsiders to send to mailing lists that expand back out to external users, or to send to users who forward their messages back out to external addresses.

Allowing localhost Submissions to the SMTP Port

This section discusses a further refinement of the SMTP relay blocking approach described above.

Some sites might want to disallow submissions to the SMTP port from clients running on the system itself; for instance, if no legitimate applications are expected to attempt this, then blocking such submissions closes one avenue by which users can spoof (forge) email.

Other sites, however, might have legitimate applications that perform message submission by making a TCP/IP connection to the SMTP port of their own system. For instance, some third party mailing list expansion applications (though not Messaging Server's own mailing list expansion) operate in this way.

Further, to simplify their configuration such applications may connect using a loopback name or address, such as LOCALHOST or [], rather than using the system's domain name. Depending on the underlying TCP/IP package, this may result in the incoming connection also appearing to come from LOCALHOST or [], rather than coming from the system's specific domain name or IP address.

Using merely the internal versus external differentiation as described previously would result in treating SMTP submissions from clients on the host system itself as coming in the tcp_local channel. Thus if tcp_local to tcp_local message traffic is prevented, then any users or applications attempting to submit messages in such a way would not be allowed to submit messages to external addressees.

If you wish to treat such submissions as "internal" submissions, for instance, in order to allow third party mailing list applications to operate even if SMTP relay blocking has been implemented, then an additional configuration step should be performed.

At the top of the MTA configuration file, add rewrite rules for the local host name (or LOCALHOST or [], depending on from where the underlying TCP/IP package sees the connection as having originated) of the following form:

localhostname           $E$R$U%localhostname@TCP-INTERNAL
[localhostipnumber]     $E$R$U%localhostname@TCP-INTERNAL
LOCALHOST               $E$R$U%localhostname@TCP-INTERNAL
[]             $E$R$U%localhostname@TCP-INTERNAL

where localhostname is the official host name on the ims-ms channel.

The $E and $R control sequences on these rewrite rules, which limit their effect to envelope From: address rewriting, mean that normal rewriting will still apply to addresses addressed to the local system. Yet switchchannel rewriting will use these rules also, and hence will see message submissions from the system to its own SMTP port as internal submissions.

Handling Large Numbers of Access Entries

Sites that use very large numbers of entries in mapping tables should consider organizing their mapping tables to have a few general wildcarded entries that call out to the general database for the specific lookups. It is much more efficient to have a few mapping table entries calling out to the general database for specific lookups than to have huge numbers of entries directly in the mapping table.

One case in particular is that some sites like to have per user controls on who can send and receive Internet email. Such controls are conveniently implemented using an access mapping table such as ORIG_SEND_ACCESS. For such uses, efficiency and performance can be greatly improved by storing the bulk of the specific information (e.g., specific addresses) in the general database with mapping table entries structured to call out appropriately to the general database.

For example, consider the mapping table shown in Figure 9-5.

Figure 9-5    ORIG_SEND_ACCESS Mapping Table


  ! Users allowed to send to Internet
  *||*|tcp_local $Y
  *||*|tcp_local $Y
  ! ...etc...
  ! Users not allowed to send to Internet
  *||*|tcp_local $NInternet$ access$ not$
  *||*|tcp_local $NInternet$ access$ not$
  ! ...etc...
  ! Users allowed to receive from the Internet
  tcp_*|*|*| $Y
  tcp_*|*|*| $Y
  ! ...etc...
  ! Users not allowed to receive from the Internet
  tcp_*|*|*| $NInternet$ e-mail$ not$
  tcp_*|*|*| $NInternet$ e-mail$ not$
  ! ...etc...

Rather than using such a mapping table with each user individually entered into the table, a more efficient setup (much more efficient if hundreds or thousands of user entries are involved) is shown in Figure 9-6, which shows sample general database entries and a sample ORIG_SEND_ACCESS mapping table.

Figure 9-6    Sample Database Entries and Mapping Table


! ...etc...
SEND| $NInternet$ access$ not$ permitted
SEND| $NInternet$ access$ not$ permitted
! ...etc...
! ...etc...
RECV| $NInternet$ e-mail$ not$ accepted
RECV| $NInternet$ e-mail$ not$ accepted



  ! Check if may send to Internet
  *|*|*|tcp_local $C${SEND|$1}$E
  ! Check if may receive from Internet
  tcp_*|*|*|* $C${RECV|$3}$E

In this example, the use of the arbitrary strings SEND| and RECV| in the general database left-hand sides (and hence in the general database probes generated by the mapping table) provides a way to distinguish between the two sorts of probes being made. The wrapping of the general database probes with the $C and $E flags, as shown, is typical of mapping table callouts to the general database.

The above example showed a case of simple mapping table probes getting checked against general database entries. Mapping tables with much more complex probes can also benefit from use of the general database.

Mapping Table Flags

Table 9-3 shows the access mapping flags relevant for the SEND_ACCESS, ORIG_SEND_ACCESS, MAIL_ACCESS, ORIG_MAIL_ACCESS, and FROM_ACCESS mapping tables. Note that the PORT_ACCESS mapping table, supports a somewhat different set of flags (see Table 9-2).

Table 9-3 Access Mapping Flags




Redirect the message to the bitbucket.  


Hold the message as a .HELD file.  


Allow access.  

Flags with Arguments, in Argument Reading Order+


Replace original envelope From: address with specified address.*  


Replace original Sender: address with specified address.* ++  


Check specified user for groupid.  


Send string to syslog (UNIX) or to the event log (NT) if probe matches.+++  


Send string to syslog (UNIX) or to the event log (NT) if access is rejected. +++  


Delay response for an interval of delay hundredths of seconds; a positive value causes the delay to be imposed on each command in the transaction; a negative value causes the delay to be imposed only on the address handover (SMTP MAIL FROM: command for the FROM_ACCESS table; SMTP RCPT TO: command for the other tables).  


Prefix with tag.  


Add the header line header to the message.  


Issue the specified error-code extended SMTP error code if rejecting the message.  


Reject access with the optional error text string.  


Synonym for $N string; that is, reject access with the optional error text string.  

* Available for FROM_ACCESS table only.

+ To use multiple flags with arguments, separate the arguments with the vertical bar character, |, placing the arguments in the order listed in this table.

++ For the $K flag to take effect in the FROM_ACCESS mapping table, the source channel must include the authrewrite keyword.

+++ It is a good idea to use the $D flag when dealing with problem senders, to prevent a denial of service attack. In particular, it is a good idea to use $D in any $> entry or $< entry rejecting access.


This part contains the following sections:


A filter consists of one or more conditional actions to apply to a mail message. Messaging Server filters are stored on the server and evaluated by the server. Hence, they are sometimes called server-side rules (SSR). Messaging Server filters are based on the Sieve filtering language, Draft 9 of the Sieve Internet Draft.

As an administrator, you can create channel-level filters and MTA-wide filters to prevent delivery of unwanted mail. You can also create filter templates and make them available to end users via the Delegated Administrator for Messaging interface. End users use the templates to build personal mailbox filters to prevent delivery of unwanted mail messages to their mailboxes.

The server applies filters in the following priority:

  1. Per-user filters

    If a personal mailbox filter explicitly accepts or rejects a message, then filter processing for that message finishes. But if the recipient user had no mailbox filter—or if the user's mailbox filter did not explicitly apply to the message in question—Messaging Server next applies the channel-level filter.

  2. Channel-level filter

    If the channel-level filter explicitly accepts or rejects a message, then filter processing for that message finishes. Otherwise, Messaging Server next applies the MTA-wide filter, if there is one.

  3. MTA-wide filter

By default, each user has no mailbox filter. When a user uses the Delegated Administrator interface to create one or more filters, then their filters are stored in the Directory and retrieved by the MTA during the directory synchronization process.

Creating Per-User Filters

Per-user filters apply to messages destined for a particular user's mailbox. As an administrator, you can create filter templates and make them available to end users via the Delegated Administrator for Messaging interface. End users use the templates to build personal server filters to manipulate the delivery of mail messages to their mailboxes; that is, to reject unwanted messages, redirect mail, filter messages into mailbox folders, and so on.

A filter template generalizes a Sieve script by replacing "hard-coded" elements of the Sieve script with prompts and input fields. A Java servlet is used to parse the sieve templates and generate the UI pages in the browser. When an end user supplies values in the input fields, the servlet takes those values and saves them in a sieve script in the user's directory profile entry. The prompts and input fields are presented to the end user through the Delegated Administrator interface.

A set of sample templates is provided and installed with Delegated Administrator. The template files are located in the following directory:


You can modify these filter templates or create new ones using the Sieve language. If you create new filter templates, you must save the filter template in a text file in the ssr directory described above. You must ensure that the file is word readable and you must add an LDAP entry for the filter template, as shown in the following example:

dn: cn=Subject Discard,cn=ssrconf,cn=en,
objectclass: top
objectclass: nsValueItem
cn: Subject Discard
nsvaluetype: nsValueCIS
nsvaluecis: ../templates/enduser/ssr/subject-discard.txt

Figure 9-7 shows a sample template.

Figure 9-7    Sample Sieve Template

     #RULE: $Template="File To Folder"
require "fileinto";
if header :contains # Q1
# Q2
fileinto # Q3

#PRE: "This rule files messages into a folder."
#PRE: "Choose the header line to search on"
#PRE: "And specify the phrase you wish to search for"
#Q1: header "If the header line"
#Q2: value "Contains the phrase"
#Q3: folder "Then file into the folder"

In the above example, Q1, Q2, and Q3 serve as place holders for input values, where the UI can locate the position to substitute the value. Each token will map to a question and a data type for the input value.

The data type and associated question are defined in the comment lines for each token. They are defined as the form token : data-type-variable, and followed by a quoted string which contains the actual question. In the above example, header value, and folder are all data types that will either present a drop-down list, edit box, or otherwise. These data type variables tell the UI what type of information to get from the user.

When the template is parsed a dialog is generated and presented to the end user as shown in Figure 9-8. In the example, brackets indicate a drop-down list.

Figure 9-8    Sample Template Output

| Template: File To Folder Name: _________________             |
|           This rule files messages to a folder               |
|           Choose the header line to search on                |
|       And specify the phrase you wish to search for          |
|                                                              |
|   If the header line: [From       ]                          |
|   Contains the phrase: _____________________________         |
|   Then file into the folder: _________________               |

After the user enters the data, the rule is stored in the user's mailSieveRuleSource attribute.

The syntax of the template has the following restrictions:

  • The #RULE line needs to appear before any other line, with $Template specified.

  • Any comment line starting with #PRE is displayed before the input fields in the GUI page.

    #PRE statements need to be enclosed in double quote strings.

  • Any comment line starting with #POST is displayed at the end of the GUI page.

    #POST statements mus be enclosed in double quote strings.

  • Other comment lines are not be displayed in the GUI page.

  • Tokens are ASCII strings and are case-insensitive; tokens cannot contain white spaces.

  • Data-type variables follow the token string in the comment lines; these are also case insensitive.

  • The actual question is defined in a comment line right after a data-type variable, and is enclosed by double quotes.

The following data-type variables are supported in the Sieve templates:

  • header - When represented in GUI, a list box is used, and the following values are available: Subject, To, From.

    When the sieve rule is saved to the user entry, the Subject value is expanded to Subject, Comments, Keywords; the From value is expanded to From, Sender, Resent-from, Resent-sender, Return-path; and the To value is expanded to To, Cc, Bcc, Resent-to, Resent-cc, Reset-bcc.

  • value - A text field is used to represent this.

  • address - A text field is used to represent this. Addresses' syntax will be checked against RFC 822 mail addresses format.

  • folder - A text field is used to represent this.

  • size - Users can choose from Kilobyte, Megabyte, or specify any number.

  • message - A text area is used to represent this.

Creating Channel-Level Filters

Channel-level filters apply to each message enqueued to a channel. A typical use for this type of filter is to block messages going through a specific channel.

To create a channel-level filter:

  1. Write the filter using Sieve.

  2. Store the filter in a file in the following directory:


    The file must be world readable and owned by the MTA's uid.

  3. Include the following in the channel configuration:

    destinationfilter file:IMTA_TABLE:file.filter

  4. Recompile the configuration and restart the Dispatcher.

    Note that changes to the filter file do not require a recompile or restart of the Dispatcher.

The destinationfilter channel keyword enables message filtering on messages enqueued to the channel to which it is applied. The sourcefilter channel keyword enables message filtering on messages enqueued by (from) the channel to which it is applied. These keywords each have one required parameter which specifies the path to the corresponding channel filter file associated with the channel.

The syntax for the destinationfilter channel keyword is:

destinationfilter URL-pattern

The syntax for the sourcefilter channel keyword is:

sourcefilter URL-pattern

where URL-pattern is a URL specifying the path to the filter file for the channel in question. In the following example, channel-name is the name of the channel.

destinationfilter file:///imta/config/channel-name.filter

The filter channel keyword enables message filtering on the channels to which it is applied. The keyword has one required parameter which specifies the path to the filter files associated with each envelope recipient who receives mail via the channel.

The syntax for the filter channel keyword is

filter URL-pattern

URL-pattern is a URL that, after processing special substitution sequences, yields the path to the filter file for a given recipient address. URL-pattern can contain special substitution sequences that, when encountered, are replaced with strings derived from the recipient address, local-part@host.domain in question. These substitution sequences are shown in Table 9-4.

The fileinto keyword specifies how to alter an address when a mailbox filter fileinto operator is applied. The following example specifies that the folder name should be inserted as a subaddress into the original address, replacing any originally present subaddress:

fileinto $U+$S@$D

Table 9-4 Substitution Sequences


Substitution String


Substitute in the $ character  

$A, $a  

Substitute in the address, local-part@ host.domain  

$D, $d  

Substitute in host.domain  

$H, $h  

Substitute in host  

$L, $l  

Substitute in local-part  

$U, $u  

Substitute in local-part less any underscore or tilde prefixes and less any subaddress postfix  


Substitute in the file path for the home directory associated with the local part of the address  

Creating MTA-Wide Filters

MTA-wide filters apply to all messages enqueued to the MTA. A typical use for this type of filter is to block unsolicited bulk email or other unwanted messages regardless of the messages' destinations. To create an MTA-wide filter:

  1. Write the filter using Sieve

  2. Store the filter in the following file:


    This filter file must be world readable. It is used automatically, if it exists.

  3. Recompile the configuration and restart the Dispatcher

When using a compiled configuration, the MTA-wide filter file is incorporated into the compiled configuration.

Routing Discarded Messages out The FILTER_DISCARD Channel

By default, messages discarded via a mailbox filter are immediately discarded (deleted) from the system. However, when users are first setting up mailbox filters (and perhaps making mistakes), or for debugging purposes, it can be useful to have the deletion operation delayed for a period.

To have mailbox filter discarded messages temporarily retained on the system for later deletion, first add a filter_discard channel to your MTA configuration with the notices channel keyword specifying the length of time (normally number of days) to retain the messages before deleting them, as shown in the following example:

filter_discard notices 7

Then set the option FILTER_DISCARD=2 in the MTA option file. Messages in the filter_discard queue area should be considered to be in an extension of users' personal wastebasket folders. As such, note that warning messages are never sent for messages in the filter_discard queue area, nor are such messages returned to their senders when a bounce or return is requested. Rather, the only action taken for such messages is to eventually silently delete them, either when the final notices value expires, or if a manual bounce is requested using a utility such as imsimta return.

Debugging User Filters

The following information will help you if you are having problems with the user filters on your system.

The dirsync process updates the MTA's SSR database with information about the users' filters. Short filters are stored in the database. For long filters, the database stores an LDAP dn. Note that the MTA doesn't see changes to a user's filters until the dirsync process has updated the database.

To facilitate debugging problems with filters, follow these steps:

  • In the file imta.cnf, make sure that the ims-ms channel is marked as follows:

    filter ssrd:$a fileinto $u+$s@$d

  • Ensure that the dirsync process knows to synchronize filter information by using the configutil command as follows:

    configutil -l -o service.imta.ssrenabled -v true

    OK SET

    configutil | fgrep ssr

    service.imta.ssrenabled = true

  • To test filters, use the imsimta test command as follow:

    imsimta test -rewrite -debug -filter user@domain

    In the output, look for the following:

    mmc_open_url called to open ssrd:user@ims-ms
       URL with quotes stripped: ssrd:user@ims-ms
    Determined to be an SSRD URL.
       Identifier: user@ims-ms-daemon
    Filter successfully obtained.

  • If there's a syntax problem with the filter, look for the following:

    Error parsing filter expression:...

  • If the filter is good, the test command displays the filter at the end of the output.

  • If there are problems with the filter, the test command displays the following at the end of the output:

    Address list error -- 4.7.1 Filter syntax error:

    Also, the SMTP RCPT TO command will return a temporary error response code, such as:

    RCPT TO:<>
    452 4.7.1 Filter syntax error

  • If you know the final rewritten form of the user's address, you can use the imsimta test -url command to see what the MTA is using as filters for the user:

    imsimta test -url ssrd:user@ims-ms-daemon

    You can use the imsimta test -rewrite command to find the final rewritten form of the user's address.

