78 lines
2.9 KiB
Markdown
78 lines
2.9 KiB
Markdown
# SQL: Per-user inbound and outbound restrictions
|
|
|
|
> This tutorial is applicable to all SQL backends: MySQL, MariaDB, PostgreSQL.
|
|
|
|
> There's another way to achieve per-user inbound/outbound restriction, it's
|
|
> called per-user white/blacklists (stored in SQL table `amavisd.wblist`,
|
|
> implemented by iRedAPD plugin `amavisd_wblist`), but per-user white/blacklists
|
|
> are manageable by user themselves.
|
|
|
|
iRedAPD (a simple Postfix policy server developed by iRedMail team) provides
|
|
for per-user plugin `sql_user_restrictions` for per-user inbound/outbound
|
|
restrictions.
|
|
|
|
Please make sure plugin `sql_user_restrictions` is enabled in iRedAPD config
|
|
file `/opt/iredapd/settings.py` like below:
|
|
|
|
```
|
|
# Part of file: /opt/iredapd/settings.py
|
|
|
|
plugins = [..., 'sql_user_restrictions']
|
|
```
|
|
|
|
Restarting iRedAPD service is required if you modified `/opt/iredapd/settings.py`.
|
|
|
|
You can store allowed or disallowed senders in 4 SQL columns in `vmail` database:
|
|
|
|
* `mailbox.rejectedsenders`: disallowed to receive email from listed senders.
|
|
* `mailbox.allowedsenders`: allowed to receive email from listed senders.
|
|
* `mailbox.rejectedrecipients`: disallow user to send email to listed recipients.
|
|
* `mailbox.allowedrecipients`: allow user to send email to listed recipients.
|
|
|
|
Valid sender/recipient formats are:
|
|
|
|
* `@.`: all addresses (user, domain, sub-domain). Be careful: There's a dot after `@`.
|
|
* `@domain.com`: entire domain.
|
|
* `@.domain.com`: entire domain and all its sub-domains. Be careful: There's a dot after `@`.
|
|
* `user@domain.com`: single email address
|
|
* empty value means no restriction.
|
|
|
|
NOTES:
|
|
|
|
* Multiple senders/recipients must be separated by comma (`,`).
|
|
* `mailbox.allowedsenders` has higher priority than `mailbox.rejectedsenders`.
|
|
* `mailbox.allowedrecipients` has higher priority than `mailbox.rejectedrecipients`.
|
|
|
|
Sample usage:
|
|
|
|
* allow local mail user `user@example.com` to send to and receive from the same
|
|
domain (`example.com`) and `gmail.com`, but not others.
|
|
|
|
```
|
|
sql> USE vmail;
|
|
sql> UPDATE mailbox \
|
|
SET \
|
|
rejectedsenders='@.', \
|
|
allowedsenders='@example.com,@gmail.com', \
|
|
rejectedrecipients='' \
|
|
allowedrecipients='@example.com,@gmail.com', \
|
|
WHERE \
|
|
username='user@example.com';
|
|
```
|
|
|
|
## OpenLDAP backend special
|
|
|
|
OpenLDAP backend requires iRedAPD plugin `ldap_amavisd_block_blacklisted_senders`.
|
|
|
|
* If you have iRedAdmin-Pro, you can manage this restriction in user profile page.
|
|
|
|
* If you don't have iRedAdmin-Pro, you can manage it with phpLDAPadmin or other
|
|
LDAP management tools. Related LDAP attributes are:
|
|
|
|
* `mailWhitelistRecipient`: same as SQL `mailbox.allowedrecipients`
|
|
* `mailBlacklistRecipient`: same as `mailbox.rejectedrecipients`
|
|
* `amavisWhitelistSender`: same as `mailbox.allowedsenders`
|
|
* `amavisBlacklistSender`: same as `mailbox.rejectedsenders`
|
|
|
|
Values for these LDAP attributes use the same format as mentioned above.
|