[Mimedefang] Limiting delivery by *nix group

Jeff Rife mimedefang at nabs.net
Fri Oct 1 01:09:59 EDT 2004


On 30 Sep 2004 at 16:27, Jason Gurtz wrote:

> Are you getting your users via LDAP?

No.

On 30 Sep 2004 at 13:51, Matthew.van.Eerde at hbinc.com wrote:

> We do something similar.  Instead of checking from MIMEDefang, we
> have a cron.hourly job query the AD server using LDAP, and build a
> sendmail /etc/mail/access file (and hash it as well.) 

We query the Active Directory live using winbind integrated into 
/etc/nsswitch.conf:

passwd:     files winbind
group:      files winbind

This makes checks by sendmail that think they only look at /etc/passwd 
for user info actually have "ghost" entries created on the fly by 
winbind.

This works well for SMTP AUTH, because I merely add to 
/etc/pam.d/smtp.sendmail:

auth        requisite     pam_succeed_if.so user ingroup smtp-users

I can create any number of groups and restrict logins using PAM and 
this same technique to have "ftp-users", "pop3-users", 
"www-private-users", etc.  There isn't any way like this that makes the 
actual account invisible to sendmail, though.

I guess I was just asking if there was an already written Perl function 
that does something like is_user_in_group()?


--
Jeff Rife        | "When I first heard that Marge was joining the 
SPAM bait:       |  police academy, I thought it would be fun and 
AskDOJ at usdoj.gov |  zany, like that movie: Spaceballs.  But instead 
spam at ftc.gov     |  it was dark and disturbing, like that movie: 
                 |  Police Academy." 
                 |         -- Homer Simpson 
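
One way to write the is_user_in_group() asked about above, as an added example that is not part of the original post and not code from MIMEDefang. It relies on Perl's built-in getpwnam/getgrnam, which resolve through NSS and so see the winbind entries. The "mail-users" group, the mapping of the recipient's local part to an account name, and the use of filter_recipient are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Returns 1 if $user is in $group, 0 if not (or the user is unknown),
# and undef if the group itself cannot be resolved. getpwnam/getgrnam
# use the C library's NSS lookups, so they follow /etc/nsswitch.conf.
sub is_user_in_group {
    my ($user, $group) = @_;
    return unless defined $user && defined $group;

    my @gr = getgrnam($group) or return;     # group lookup failed
    my @pw = getpwnam($user)  or return 0;   # no such account

    # Primary group: held as the gid in the passwd entry and normally
    # not repeated in the group's member list.
    return 1 if $pw[3] == $gr[2];

    # Supplementary members arrive as one space-separated string.
    # Compare against the canonical name NSS returned for the account.
    for my $member (split ' ', $gr[3]) {
        return 1 if $member eq $pw[0];
    }
    return 0;
}

# Assumed usage in a MIMEDefang filter: gate delivery on membership of
# a hypothetical "mail-users" group, and tempfail rather than reject
# when the group cannot be resolved (for example winbind is down).
sub filter_recipient {
    my ($recipient) = @_;
    my ($local) = $recipient =~ /^<?([^@>]+)/ or
        return ('REJECT', 'Malformed recipient');
    my $ok = is_user_in_group($local, 'mail-users');
    return ('TEMPFAIL', 'Directory lookup failed') unless defined $ok;
    return $ok ? ('CONTINUE', 'ok') : ('REJECT', 'User unknown');
}

# Stand-alone check: the invoking user against its own primary group.
unless (caller) {
    my @me  = getpwuid($<);
    my $grp = getgrgid($me[3]);
    print "$me[0] in $grp: ", is_user_in_group($me[0], $grp), "\n";
}
```

Checking only the group's member list would miss users whose membership comes from their primary gid, which is why both comparisons are made.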



