Preventing a user from mailing outside the domain?
Philip Rhoades
*nix forums beginner


Joined: 07 Feb 2005
Posts: 9

Posted: Fri Jul 14, 2006 6:41 am    Post subject: Preventing a user from mailing outside the domain?

People,

I have been asked by one of the managers to prevent a particular
employee from being able to mail outside the organisation (we can stop
incoming mail easily from a NetBox gateway) - is it possible to do this?

Thanks,

Phil.
--
Philip Rhoades

Pricom Pty Limited (ACN 003 252 275 ABN 91 003 252 275)
GPO Box 3411
Sydney NSW 2001
Australia
Mobile: +61:0411-185-652
Fax: +61:2:8923-5363
E-mail: phil@chu.com.au
Kyle Wheeler
*nix forums Guru Wannabe


Joined: 07 Jan 2005
Posts: 208

Posted: Sun Jul 16, 2006 6:54 am    Post subject: Re: Preventing a user from mailing outside the domain?

On Friday, July 14 at 04:41 PM, quoth Philip Rhoades:
Quote:
I have been asked by one of the managers to prevent a particular
employee from being able to mail outside the organisation (we can stop
incoming mail easily from a NetBox gateway) - is it possible to do this?

Strictly speaking? No.

In one sense, you can put up all kinds of filters, and you can
manipulate your mail routing in all sorts of ways to stop a sender.
BUT a determined employee can find a way around just about any block
you put up: for example, by sending with a return address of someone
else, and/or by sending from a different machine, and/or by sending to
a different machine, and/or by using another email system (gmail?),
and the list goes on and on.

The real problem your company seems to have is in the hiring of people
they do not trust, and giving them internet access.

Probably the best you can do is tell the employee that they’re not
allowed to send mail outside the company. Then, set up a message tap
(search the archives) such that if they try, you will receive a copy
of what they send. (This way they will be less likely to use evasion
techniques.) Then, treat sending email despite being told not to as a
firing offense.

This has actually been asked several times on the list, and there have
been far more eloquent explanations of why it’s not only a bad idea
but nearly impossible to do thoroughly (as well as what minimal steps
you can take and what’s wrong with them). Search the archives and you
will find plenty.

~Kyle
--
It is a dogma of faith that the demons can produce wind, storms, and
rain of fire from heaven.
-- St. Thomas Aquinas
Chris Berry
*nix forums addict


Joined: 08 Jan 2005
Posts: 81

Posted: Mon Jul 17, 2006 8:18 pm    Post subject: Re: Preventing a user from mailing outside the domain?

Kyle Wheeler wrote:

Quote:
On Friday, July 14 at 04:41 PM, quoth Philip Rhoades:

I have been asked by one of the managers to prevent a particular
employee from being able to mail outside the organisation (we can stop
incoming mail easily from a NetBox gateway) - is it possible to do this?


Strictly speaking? No.

In one sense, you can put up all kinds of filters, and you can
manipulate your mail routing in all sorts of ways to stop a sender. BUT
a determined employee can find a way around just about any block you put
up: for example, by sending with a return address of someone else,
and/or by sending from a different machine, and/or by sending to a
different machine, and/or by using another email system (gmail?), and
the list goes on and on.

The real problem your company seems to have is in the hiring of people
they do not trust, and giving them internet access.

Probably the best you can do is tell the employee that they’re not
allowed to send mail outside the company. Then, set up a message tap
(search the archives) such that if they try, you will receive a copy of
what they send. (This way they will be less likely to use evasion
techniques.) Then, treat sending email despite being told not to as a
firing offense.

This has actually been asked several times on the list, and there have
been far more eloquent explanations of why it’s not only a bad idea but
nearly impossible to do thoroughly (as well as what minimal steps you
can take and what’s wrong with them). Search the archives and you will
find plenty.

~Kyle

Although I agree with most of what Kyle had to say, I feel that imposing
some minimal safeguards is worth the effort. By using an authenticating
firewall and two separate qmail listeners it's fairly easy to set up a
situation where only certain people are allowed to email outside the
company. Obviously this is contingent on your having web restrictions
as well, but since many companies do this already, it will prevent most
forms of problems. In addition, since this takes a fair amount of
effort to bypass, it's very difficult for people to make excuses that
they did it by accident, thus easing the burden on HR.

--
Chris Berry
chris_berry@jm-associates.com
Information Advisory Manager
JM Associates

"If we don't believe in freedom of expression for people we despise, we
don't believe in it at all." --Noam Chomsky
Philip Rhoades
*nix forums beginner


Joined: 07 Feb 2005
Posts: 9

Posted: Tue Jul 18, 2006 3:44 am    Post subject: Re: Preventing a user from mailing outside the domain?

Chris,

See inline comments:


On Mon, 2006-07-17 at 13:18 -0700, Chris Berry wrote:
Quote:
Kyle Wheeler wrote:

On Friday, July 14 at 04:41 PM, quoth Philip Rhoades:

I have been asked by one of the managers to prevent a particular
employee from being able to mail outside the organisation (we can stop
incoming mail easily from a NetBox gateway) - is it possible to do this?


Strictly speaking? No.

In one sense, you can put up all kinds of filters, and you can
manipulate your mail routing in all sorts of ways to stop a sender. BUT
a determined employee can find a way around just about any block you put
up: for example, by sending with a return address of someone else,
and/or by sending from a different machine, and/or by sending to a
different machine, and/or by using another email system (gmail?), and
the list goes on and on.

The real problem your company seems to have is in the hiring of people
they do not trust, and giving them internet access.


This person has been warned not to abuse this resource on five occasions
apparently - next time is a firing offence . .


Quote:
Probably the best you can do is tell the employee that they’re not
allowed to send mail outside the company. Then, set up a message tap
(search the archives) such that if they try, you will receive a copy of
what they send. (This way they will be less likely to use evasion
techniques.) Then, treat sending email despite being told not to as a
firing offense.

This has actually been asked several times on the list, and there have
been far more eloquent explanations of why it’s not only a bad idea but
nearly impossible to do thoroughly (as well as what minimal steps you
can take and what’s wrong with them). Search the archives and you will
find plenty.

~Kyle

Although I agree with most of what Kyle had to say, I feel that imposing
some minimal safeguards is worth the effort. By using an authenticating
firewall and two separate qmail listeners it's fairly easy to set up a
situation where only certain people are allowed to email outside the
company. Obviously this is contingent on your having web restrictions
as well, but since many companies do this already, it will prevent most
forms of problems. In addition, since this takes a fair amount of
effort to bypass, it's very difficult for people to make excuses that
they did it by accident, thus easing the burden on HR.


Do you have URL pointers for that suggestion?

Thanks,

Phil.
--
Philip Rhoades

Pricom Pty Limited (ACN 003 252 275 ABN 91 003 252 275)
GPO Box 3411
Sydney NSW 2001
Australia
Mobile: +61:0411-185-652
Fax: +61:2:8923-5363
E-mail: phil@chu.com.au
Chris Berry
*nix forums addict


Joined: 08 Jan 2005
Posts: 81

Posted: Tue Jul 18, 2006 5:52 pm    Post subject: Re: Preventing a user from mailing outside the domain?

Philip Rhoades wrote:
Quote:
Although I agree with most of what Kyle had to say, I feel that imposing
some minimal safeguards is worth the effort. By using an authenticating
firewall and two separate qmail listeners it's fairly easy to set up a
situation where only certain people are allowed to email outside the
company. Obviously this is contingent on your having web restrictions
as well, but since many companies do this already, it will prevent most
forms of problems. In addition, since this takes a fair amount of
effort to bypass, it's very difficult for people to make excuses that
they did it by accident, thus easing the burden on HR.

Do you have URL pointers for that suggestion?

Thanks,

Phil.

Sure, see FAQ-6.0 here:

http://www.jm-associates.com/admin/qmail_list_faq.html

--
Chris Berry
chris_berry@jm-associates.com
Information Advisory Manager
JM Associates

"If we don't believe in freedom of expression for people we despise, we
don't believe in it at all." --Noam Chomsky
Philip Rhoades
*nix forums beginner


Joined: 07 Feb 2005
Posts: 9

Posted: Wed Jul 19, 2006 8:54 am    Post subject: Re: Preventing a user from mailing outside the domain?

Chris,


On Tue, 2006-07-18 at 10:52 -0700, Chris Berry wrote:
Quote:
Philip Rhoades wrote:
Although I agree with most of what Kyle had to say, I feel that imposing
some minimal safeguards is worth the effort. By using an authenticating
firewall and two separate qmail listeners it's fairly easy to set up a
situation where only certain people are allowed to email outside the
company. Obviously this is contingent on your having web restrictions
as well, but since many companies do this already, it will prevent most
forms of problems. In addition, since this takes a fair amount of
effort to bypass, it's very difficult for people to make excuses that
they did it by accident, thus easing the burden on HR.

Do you have URL pointers for that suggestion?

Thanks,

Phil.

Sure, see FAQ-6.0 here:

http://www.jm-associates.com/admin/qmail_list_faq.html


There is a comment at the end:

"Then all you have to do is set up the email clients for restricted
users to point to port 26 instead of 25 for sending mail, and block
those users from accessing port 25."

I presume you mean blocking by IP address (not by user) in iptables?

Thanks,

Phil.
--
Philip Rhoades

Pricom Pty Limited (ACN 003 252 275 ABN 91 003 252 275)
GPO Box 3411
Sydney NSW 2001
Australia
Mobile: +61:0411-185-652
Fax: +61:2:8923-5363
E-mail: phil@chu.com.au
Chris Berry
*nix forums addict


Joined: 08 Jan 2005
Posts: 81

Posted: Wed Jul 19, 2006 7:22 pm    Post subject: Re: Preventing a user from mailing outside the domain?

Philip Rhoades wrote:

Quote:
Chris,


On Tue, 2006-07-18 at 10:52 -0700, Chris Berry wrote:

Philip Rhoades wrote:

Although I agree with most of what Kyle had to say, I feel that imposing
some minimal safeguards is worth the effort. By using an authenticating
firewall and two separate qmail listeners it's fairly easy to set up a
situation where only certain people are allowed to email outside the
company. Obviously this is contingent on your having web restrictions
as well, but since many companies do this already, it will prevent most
forms of problems. In addition, since this takes a fair amount of
effort to bypass, it's very difficult for people to make excuses that
they did it by accident, thus easing the burden on HR.

Do you have URL pointers for that suggestion?

Thanks,

Phil.

Sure, see FAQ-6.0 here:

http://www.jm-associates.com/admin/qmail_list_faq.html



There is a comment at the end:

"Then all you have to do is set up the email clients for restricted
users to point to port 26 instead of 25 for sending mail, and block
those users from accessing port 25."

I presume you mean blocking by IP address (not by user) in iptables?

Thanks,

Phil.

If you have a 1:1 mapping of users and IP addresses at your location
that would work.

--
Chris Berry
chris_berry@jm-associates.com
Information Advisory Manager
JM Associates

"If we don't believe in freedom of expression for people we despise, we
don't believe in it at all." --Noam Chomsky
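
The two-listener layout discussed in the last posts, sketched as an added example (not part of any post and not taken from the linked FAQ): it prints, without applying, the iptables rules that keep restricted workstations off port 25 and the tcprules entries for each listener. It assumes tcpserver/tcprules in front of qmail-smtpd, a port 26 listener that never sets RELAYCLIENT, a 1:1 user-to-IP mapping, and constructed 192.0.2.x addresses; the per-IP deny on port 25 is an extra safeguard added here.

```shell
#!/bin/sh
# Added example: prints rules for review; it applies nothing.
# All addresses are constructed documentation values (192.0.2.0/24).

valid_ip() {
    # Accept only a single dotted quad with octets 0-255, so nothing else
    # can end up inside a generated rule.
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

firewall_rules() {
    # For each restricted workstation: log, then reject, SMTP to port 25.
    # Port 26 stays reachable, so the restricted listener is the only way in.
    for ip in "$@"; do
        valid_ip "$ip" || { echo "bad address: $ip" >&2; return 1; }
        echo "iptables -A INPUT -p tcp -s $ip --dport 25 -j LOG --log-prefix 'smtp25-restricted: '"
        echo "iptables -A INPUT -p tcp -s $ip --dport 25 -j REJECT --reject-with tcp-reset"
    done
}

tcprules_port25() {
    # $1 = LAN prefix in tcprules form (e.g. "192.0.2."), rest = restricted IPs.
    lan=$1; shift
    for ip in "$@"; do
        valid_ip "$ip" || return 1
        echo "$ip:deny"                   # exact-address rules beat the prefix rule
    done
    echo "$lan:allow,RELAYCLIENT=\"\""    # RELAYCLIENT set: qmail-smtpd relays anywhere
    echo ":allow"                         # everyone else: rcpthosts domains only
}

tcprules_port26() {
    # No RELAYCLIENT on this listener, so qmail-smtpd accepts mail only for
    # domains listed in control/rcpthosts (the organisation's own).
    echo "$1:allow"
    echo ":deny"
}

# Demo with two constructed restricted workstations.
firewall_rules 192.0.2.10 192.0.2.11
tcprules_port25 192.0.2. 192.0.2.10 192.0.2.11
tcprules_port26 192.0.2.
```

The LOG rule ahead of the REJECT leaves a kernel log entry for every attempt to reach port 25 from a restricted address, which gives a record of attempts to go around the restriction.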