Skip to Content.
Sympa Menu

en - RE: [sympa-users] Help with scenari

Subject: The mailing list for listmasters using Sympa

List archive

RE: [sympa-users] Help with scenari

Chronological Thread  
    < Chronological >       < Thread >
  • From: Steve Shipway <address@concealed>
  • To: Pat Allen <address@concealed>, "address@concealed" <address@concealed>
  • Subject: RE: [sympa-users] Help with scenari
  • Date: Mon, 28 Sep 2015 22:36:53 +0000

The verify_netmask rule only checks REMOTE_ADDR, so it never works with SMTP.  Even if it did, you’d only be able to check the last hop which would likely be your mail gateway or Exchange server.

 

The way we do it is to add a custom header using our mail gateway – when a message arrives, we test the source IP and set a ‘X-External’ header to Y or N depending on the previous hop.  Then, we can test for this header in a rule and behave appropriately for messages not originating on our network.  As all messages go via the gateway, we can be sure that any externally-originating message will have this header.  Of course, we could make it add the whole IP address if we prefer and match against that, but in practice we’re only interested in internal/external.

 

equal([msg_header->X-External],'YES') smtp,md5  -> editorkey

 

Note that with the regexp match, you should put the end anchor to prevent people from using email addresses like address@concealed to get through it

 

match([sender],/@mbari\.org$/)        

 

Steve

 

Steve Shipway

T: +64 9 3737 599 ext 86487

E: address@concealed

(GNU Terry Pratchett)

 

From: address@concealed [mailto:address@concealed] On Behalf Of Pat Allen
Sent: Tuesday, 29 September 2015 5:16 a.m.
To: address@concealed
Subject: [sympa-users] Help with scenari

 

Hi everyone,

 

I need to tighten up the security on our server and restrict the sending of messages on some (but not all) lists based on IP address. It seems that I would really like to replace the

 

match([sender],/mbari\.org/)         smtp,smime,md5    -> do_it

 

in the send.intranetorprivate scenari with something that will match our class B network. Can I use the verify_netmask rule in the scenari to test the where the mail message is being sent from? I can't figure out from the documentation if this only works with the web interface.

 

Or does anybody have a better way of accomplishing this? Suggestions are certainly welcome.

 

Thanks!

Pat

Attachment: smime.p7s
Description: S/MIME cryptographic signature


Archive powered by MHonArc 2.6.19+.

Top of Page