On 4-Sep-08, at 3:00 PM, Christos Zoulas wrote:
In article <48C023EB.4050104%christiantena.net@localhost>, Philip <subs%christiantena.net@localhost> wrote:I have three small children who would like an email account to email their friends. I have my own domain which points to a netbsd 3.1 mail server running postfix, postgrey and dovecot.What I would like to do is set up email accounts on the server for thechildren which will only receive email from a white list of From: addresses, but which will not affect other users normal accounts.I guess I don't need a whitelist per child if that makes any difference.I can't figure out how to do this, does anyone here know how to?One way to do this is using procmail.
Perhaps, but why would one ever want to use procmail? :-)Seriously I think procmail is one of those things that should probably be lost, buried, and forgotten at the bottom of the toolchest.
I think a better way this could be done would be using Sieve scripts, though perhaps not with the most ideal level/manner of error reporting (depending on what you want to do with rejected e-mail). Doing so may pre-suppose that you switch to using Cyrus IMAPd as your local mail store though, unless perhaps there's a good Sieve implementation for dovecot. (I think switching to Cyrus IMAPd is a good idea too)
One could also use some form of a content_filter, or better yet an smtp_proxy_filter in Postfix. This would be a little more complicated to implement (Sieve scripts are very easy to write), but it would also offer the proper error reporting (through bounce messages generated and returned by Postfix itself for content_filters, and even better through SMTP-level responses sent directly to the sender for smtp_proxy_filters -- you don't ever want to generate bounce messages if you can possibly avoid it). See the Postfix FILTER_README and SMTPD_PROXY_README documents.
Note of course that there are several security considerations with all of this. One is that with such a filtering scheme you're trusting the "from:" header which is network data. The only truly right way to do this is with some form of end-to-end cryptographic security, such as PGP (only accept mail for controlled access accounts if the message has a valid signature by a known sender -- one could even implement the signature verification as a postfix filter, though that won't work securely for PGP encrypted mail, just for signed messages). Another issue may be who you trust to be able to control the filtering -- some sieve implementations might allow the account owner to change the filter, but with a content filter inside the MTA then the admin controls the filtering and who has access to change the filters.
-- Greg A. Woods; Planix, Inc. <woods%planix.ca@localhost>
Description: This is a digitally signed message part