- Path: sparky!uunet!wupost!zaphod.mps.ohio-state.edu!hobbes.physics.uiowa.edu!news.iastate.edu!bvc.edu!kraftjoel
- From: kraftjoel@bvc.edu
- Newsgroups: vmsnet.mail.pmdf
- Subject: RE: Limiting access to outgoing mail.
- Message-ID: <1992Sep10.220644.1914@bvc.edu>
- Date: 10 Sep 92 22:06:44 CDT
- References: <01GOKRXC7ASI9TCNH3@INNOSOFT.COM>
- Organization: Buena Vista College, Storm Lake, IA
- Lines: 51
-
- In article <01GOKRXC7ASI9TCNH3@INNOSOFT.COM>, dan@innosoft.com (Daniel C. Newman) writes:
- >> I'd like to be able to limit access to non-local (off-node) email.
- >> I'm thinking that I can define a rights id, say 'NO_OUTMAIL' for example,
- >> and set the appropriate image with an ACL such that anyone holding that id
- >> cannot send internet mail messages. My questions are simple: Will this
- >> work? and, which image(s) should be set this way?
- >
- > This won't work since the users only run VMS MAIL or DECWindows MAIL. They
- > don't run the actual images which send outbound mail. Instead, you probably
- > want to associate this rightslist identifier with, say, your TCP/IP channel.
- > You do this by merely specifying the rightslist id as a channel keyword; e.g.,
- >
- > mtcp_local single smtp mx no_outmail
- >
- > Then, only processes with the no_outmail rightslist id can queue mail to
- > the mtcp_local channel. Be sure to grant this rightslist id to whatever
- > accounts PMDF may run under!
-
- We have the exact same situation here on our campus, and I think that the
- solution is just a bit impractical. On our campus, there are over 1000
- accounts that *should* be able to use mail, but only about 50 that should
- not. Our system would be a rightslist nightmare if we tried this.
-
- What we do isn't extremely graceful, but it certainly works. Try putting an
- ACL on the PMDF_MAILSHR image. You can put this in your startup file or do it
- anytime that PMDF is not installed:
-
- $ SET ACL/ACL=(ID=DISINMAIL,ACCESS=NONE) PMDF_MAILSHR
-
- Then we grant the DISINMAIL identifier to the users that should not be able to
- send mail. They can still receive it, but they wouldn't be able to subscribe
- to any lists so the volume here is minimal. Whenever these users try to use
- the IN% transport, they get the following message:
-
- MAIL> send
- To: in%postmaster
- %MAIL-E-ERRACTRNS, error activating transport IN
- %LIB-E-ACTIMAGE, error activating image $1$DUA0:[PMDF.][EXE]IN_MAILSHR_V5.EXE;
- -RMS-F-NOPRIV, no privilege for attempted operation
-
-
- If these class accounts don't need NETMBX privilege for anything, you could
- also try using the 'netmbx' option on the channel (if I am remembering this
- correctly) and then anyone without that priv will not be able to queue mail to
- the channel.
-
- --------------------------------------------------------------------------
- Joel D. Kraft | It's not quite the middle of nowhere...
- System Manager | but you can see it from here...
- Buena Vista College | I think it's called NEBRASKA!
- --------------------------------------------------------------------------
-
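An added example, not part of the original post or of PMDF: a simplified Python model of first-match ACL evaluation, showing why the `ACCESS=NONE` ACE blocks only holders of DISINMAIL and how an earlier matching ACE would shadow it. The account names and the STUDENTS and FACULTY identifiers are constructed, and privilege overrides and the system/owner protection fields are left out of the model.

```python
# Simplified model of VMS ACL evaluation: ACEs are checked in order and the
# first ACE whose identifier the process holds decides the outcome.
# Assumption: privilege overrides and the system/owner protection fields are
# not modelled; "uic_allows" stands in for the UIC-based protection check.

def image_access(acl, held_ids, uic_allows=True):
    """Return True if a process holding held_ids may activate the image."""
    for identifier, access in acl:
        if identifier in held_ids:
            return access != "NONE"   # first match wins, later ACEs are ignored
    return uic_allows                 # no ACE matched: fall back to UIC protection

# The ACL from the post: one deny ACE for holders of DISINMAIL.
DENY_ACL = [("DISINMAIL", "NONE")]

# Constructed pitfall: an earlier ACE grants access through an identifier
# that the restricted accounts also hold, so the deny ACE is never reached.
SHADOWED_ACL = [("STUDENTS", "READ+EXECUTE"), ("DISINMAIL", "NONE")]

# Constructed accounts and the identifiers each one holds.
RIGHTS = {
    "FACULTY1": {"FACULTY"},
    "CLASS01": {"STUDENTS", "DISINMAIL"},
    "CLASS02": {"STUDENTS"},
}

def blocked_users(acl, rights=RIGHTS):
    """Accounts that cannot activate the image under this ACL."""
    return sorted(u for u, ids in rights.items() if not image_access(acl, ids))

def audit_shadowed_denies(acl, rights=RIGHTS):
    """Accounts holding a deny identifier that still get access."""
    deny_ids = {ident for ident, access in acl if access == "NONE"}
    return sorted(u for u, ids in rights.items()
                  if ids & deny_ids and image_access(acl, ids))

if __name__ == "__main__":
    print("blocked with deny-only ACL:", blocked_users(DENY_ACL))
    print("blocked with shadowed ACL: ", blocked_users(SHADOWED_ACL))
    print("deny ACE shadowed for:     ", audit_shadowed_denies(SHADOWED_ACL))
```

The audit function is the check worth running against a real rights database export: any account it returns holds the deny identifier but is let through by an ACE placed ahead of it.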