Hi folks, has anybody a simple solution for the following request? I have a group alias (all at company.com). (1) Only company.com accounts should be able to send an email to everybody in that company via all at company.com. (2) - rather optional: refine the restrictions, e.g. two groups, grp1 at company.com and grp2 at company.com. Grp1 members should be able to send mails to grp2 but not vice versa. What else than sieve would keep dealing with that demands as simple as possible? Thanks in advance and sorry for abusing this list for this kind of ?problem? which is not a bug. Regards, -M
Can the groups send and receive from outside the domain ? If so, it's going to be difficult to prevent groups from seeing each others emails because an email that originated from group A could be sent to some other domain (out on the internet), then get forwarded to a user in group B. Just a thought. On Wed, 2018-12-05 at 18:57 +0100, admin wrote:> Hi folks, > > has anybody a simple solution for the following request? > > I have a group alias (all at company.com). > (1) Only company.com accounts should be able to send an email to everybody in that company via all at company.com. > (2) - rather optional: refine the restrictions, e.g. two groups, grp1 at company.com and grp2 at company.com. Grp1 members should be able to send mails to grp2 but not vice versa. > > What else than sieve would keep dealing with that demands as simple as possible? > > Thanks in advance and sorry for abusing this list for this kind of ?problem? which is not a bug. > > Regards, > -M
Yes, all members are full accounts being able to send and receive inside and outside. Technically I need an account/alias that is only able to receive mails from a defined subset of users. Ideally there is an approach which saves me from caring for several lists of redudant data. Am Mittwoch, den 05.12.2018, 13:09 -0500 schrieb John Tulp:> Can the groups send and receive from outside the domain ? If so, > it's > going to be difficult to prevent groups from seeing each others > emails > because an email that originated from group A could be sent to some > other domain (out on the internet), then get forwarded to a user in > group B. Just a thought. > > On Wed, 2018-12-05 at 18:57 +0100, admin wrote: > > Hi folks, > > > > has anybody a simple solution for the following request? > > > > I have a group alias (all at company.com). > > (1) Only company.com accounts should be able to send an email to > > everybody in that company via all at company.com. > > (2) - rather optional: refine the restrictions, e.g. two groups, > > grp1 at company.com and grp2 at company.com. Grp1 members should be able > > to send mails to grp2 but not vice versa. > > > > What else than sieve would keep dealing with that demands as simple > > as possible? > > > > Thanks in advance and sorry for abusing this list for this kind of > > ?problem? which is not a bug. > > > > Regards, > > -M > >-- awib IT Solutions Manuel Knitza info at awib.it +49 (0) 7531 804 55 11
Am 05.12.2018 um 18:57 schrieb admin:> Hi folks, > > has anybody a simple solution for the following request? > > I have a group alias (all at company.com). > (1) Only company.com accounts should be able to send an email to everybody in that company via all at company.com. > (2) - rather optional: refine the restrictions, e.g. two groups, grp1 at company.com and grp2 at company.com. Grp1 members should be able to send mails to grp2 but not vice versa.Both to be setup on MTA side.> What else than sieve would keep dealing with that demands as simple as possible? > > Thanks in advance and sorry for abusing this list for this kind of ?problem? which is not a bug. > > Regards, > -MAlexander
On Wed, 5 Dec 2018, Alexander Dalloz wrote:>> I have a group alias (all at company.com). >> (1) Only company.com accounts should be able to send an email to everybody >> in that company via all at company.com. >> (2) - rather optional: refine the restrictions, e.g. two groups, >> grp1 at company.com and grp2 at company.com. Grp1 members should be able to send >> mails to grp2 but not vice versa. > > Both to be setup on MTA side.Agreed. You can manage your mailing lists with software (e.g. mailman), or hack in a filter between the (public) external and (secret) internal mailing list e.g. # Forwards to grp1-secret@ if sender is approved grp1: |/path/to/check-sender-filter grp1-secret: :include:/path/to/grp1.list If spoofing is a concern, you'll have to endow your filter with more intelligence. Joseph Tam <jtam.home at gmail.com>
On 12/05/2018 06:57 PM, admin (@awib.it) wrote:> I have a group alias (all at company.com). > (1) Only company.com accounts should be able to send an email to > everybody in that company via all at company.com.Do you have a means to identify "some suitable account was used" - as opposed to a trivially forged sender address - *other* than by watching the actual MUA-to-MSA login happen? (E.g., you might impose a requirement that such e-mails be cryptographically *signed* - per S/MIME, DKIM, or whatever method can be verified automatically later on. Or your MSA might not accept e-mail from outside the LAN and you can globally assign trust to all e-mails that come from it.) If not, then grabbing that info on the MSA and somehow forwarding it securely to all@'s final MTA / MDA to base the filtering on is the best you can do. (And ideally, your organization's MSA and MDA reside within one and the same MTA and you'll have a filtering config/API where you already can evaluate *both* parts of the input information - sending account and that it's to be delivered to all@ - at once.) Regards, -- Jochen Bern Systemingenieur www.binect.de www.facebook.de/binect -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4278 bytes Desc: S/MIME Cryptographic Signature URL: <https://dovecot.org/pipermail/dovecot/attachments/20181205/77313183/attachment.p7s>
Am Mittwoch, den 05.12.2018, 22:31 +0000 schrieb Jochen Bern:> On 12/05/2018 06:57 PM, admin (@awib.it) wrote: > > I have a group alias (all at company.com). > > (1) Only company.com accounts should be able to send an email to > > everybody in that company via all at company.com. > > Do you have a means to identify "some suitable account was used" - as > opposed to a trivially forged sender address - *other* than by > watching > the actual MUA-to-MSA login happen?Either way would suffice - the simpler the better. Restricting the sender to be on the same domain if mail is sent to the company group alias would be fine. All I try to achieve is to protect those in the group from unwanted "SPAM", so no one from outside the domain should be able to send to that alias (all at company.com is quite generic...). Optionally only chosen senders (whitelist) should be able to send to that alias. We do not want our mail system to become a craigslist or everbody being able to reach thousdands of people with only one email being sent. We are rather generous thinking of mail attachments (up to 100MB). I do not want to see an email like this copied over to thousands of accounts...> [...] > > Regards,Thanks four your thoughts! -M