Initial situation:
LFT is to be used on the SEPPmail Secure E-Mail Gateway. The preconditions for this purpose (valid licence/additional storage) have already been created, and the configuration has been implemented (see Large File Transfer). However, the use of this feature is to be restricted according to specific criteria (e.g. AD group affiliation, specific email addresses, sending email addresses).
Solution
The authorised persons should be grouped together in a Microsoft Active Directory (AD) group. The sender's membership of that group can be checked via an LDAP query against AD. LFT delivery is carried out only if the sender is entitled to use it; otherwise an action to be defined (delivery as a "normal" email/bounce) is executed.
Configuration suggestion:
Query of a specific AD group affiliation of a sender
•Navigate to Mail Processing > Ruleset generator > Custom commands > Custom Macros And Commands For All Emails BEFORE Processing
•Activate the option and insert the following code into the input field below:
| Line | Code |
|---|---|
| 01 | `# Begin: Custom macros and commands for all e-mails BEFORE processing` |
| 02 | `log(1,'Begin: Custom macros and commands for all e-mails BEFORE processing');` |
| 03 | `# Begin: Check if e-mail is LFT and user is allowed to send LFT` |
| 04 | `log(1,'Begin: Check if e-mail is LFT and user is allowed to send LFT');` |
| 05 | `if(!incoming()) {` |
| 06 | `if (!internal()) {` |
| 07 | `if (compareattr('use_lfm','equal','1')) {` |
| 08 | `log(1,'Mail is LFT, check if user is allowed to use');` |
| 09 | `if (ldap_compare('192.168.10.10;CN=Peter Mueller,OU=Users,OU=MyBusiness,DC=Firma,DC=local;mypassword;OU=Users,OU=MyBusiness,DC=Firma,DC=local;(mail=$sender)','memberOF','LFT-Benutzer')) {` |
| 10 | `log(1,'User is allowed to send large files, proceeding');` |
| 11 | `} else {` |
| 12 | `log(1,'User is not allowed to send large files, e-mail will be dropped');` |
| 13 | `drop('500','User is not allowed to send large files');` |
| 14 | `}` |
| 15 | `}` |
| 16 | `}` |
| 17 | `}` |
| 18 | `log(1,'End: Check if e-mail is LFT and user is allowed to send LFT');` |
| 19 | `# End: Check if e-mail is LFT and user is allowed to send LFT` |
| 20 | `log(1,'End: Custom macros and commands for all e-mails BEFORE processing');` |
| 21 | `# End: Custom macros and commands for all e-mails BEFORE processing` |
Description
In this example, it is first checked whether the email is an outgoing "LFT" email (lines 05 - 07). If this is the case, an LDAP query (here against AD) checks whether the sender belongs to the authorised group (line 09). If the sender is authorised, this is logged and processing continues with the ruleset (line 10). Otherwise this is logged (line 12) and the email is discarded (line 13).
Variations
Instead of the LDAP comparison with ldap_compare() in line 09, compare() or compareattr() can also be used, for example to check the recipient address or the connecting IP address:
| Line | Code |
|---|---|
| 09 | `if (compare('to','match','mail@address')) {` |

| Line | Code |
|---|---|
| 09 | `if (compareattr('connect_from','equal','192.168.139.1')) {` |
Instead of the command drop() in line 13, the email can be rejected via the command bounce() using a corresponding template (here bounce_LFT).
| Line | Code |
|---|---|
| 12 | `log(1,'User is not allowed to send large files, e-mail will be bounced');` |
| 13 | `bounce('bounce_LFT');` |
If sending as an LFT message is simply to be suppressed, the email flagged as LFT can, instead of being discarded with drop(), be converted back to a "normal" SMTP email:
| Line | Code |
|---|---|
| 12 | `log(1,'User is not allowed to send large files, e-mail will be sent as "normal" SMTP-mail');` |
| 13 | `flag('nolfm', true);` |
| 13a | `flag('x-smlfm', false);` |
| 13b | `setheader('X-ESWmail-LFM','NO');` |
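The decision logic of the ruleset above, together with the three deny variants (drop, bounce, convert back to plain SMTP), modelled as a stand-alone Python example. This is added example code, not SEPPmail's ruleset language or any SEPPmail API: the directory entries are constructed stand-ins for the AD lookup that ldap_compare() performs, the `Mail` class and the `check_lft()` function are hypothetical, and the way memberOf values are matched against the bare group name is an assumption. The example also shows why the sender address should be escaped per RFC 4515 before it is placed into an LDAP filter such as `(mail=$sender)`: an unescaped `*` turns the lookup into a wildcard that matches every entry.

```python
"""Model of the LFT sender check: outgoing, non-internal LFT mails proceed only
when the sender's AD entry lists the LFT group in memberOf; everything else is
dropped, bounced or converted back to a plain SMTP mail.
Added example; DIRECTORY is a constructed in-memory stand-in for AD."""

import re
from dataclasses import dataclass, field

LFT_GROUP = "LFT-Benutzer"
BASE_DN = "OU=Users,OU=MyBusiness,DC=Firma,DC=local"   # base DN from the ruleset

# Constructed entries; memberOf carries full group DNs as AD returns them.
DIRECTORY = [
    {"mail": "anna@firma.local",
     "memberOf": [f"CN={LFT_GROUP},OU=Groups,{BASE_DN}", f"CN=Domain Users,{BASE_DN}"]},
    {"mail": "bob@firma.local",
     "memberOf": [f"CN=Domain Users,{BASE_DN}"]},
]


@dataclass
class Mail:
    sender: str
    incoming: bool = False            # incoming() in the ruleset
    internal: bool = False            # internal() in the ruleset
    use_lfm: bool = False             # compareattr('use_lfm','equal','1')
    flags: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def ldap_escape(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def filter_value_matches(raw: str, candidate: str) -> bool:
    """Evaluate a filter value the way a server does: an unescaped '*' is a
    wildcard, the escaped form '\\2a' is a literal asterisk."""
    parts = re.split(r"(?<!\\)\*", raw)
    pattern = ".*".join(re.escape(_unescape(p)) for p in parts)
    return re.fullmatch(pattern, candidate, flags=re.DOTALL) is not None


def ldap_compare(search_filter: str, attr: str, wanted: str) -> bool:
    """Stand-in for ldap_compare(): find the single entry matching the
    filter and test whether `wanted` is among its `attr` values."""
    m = re.fullmatch(r"\(mail=(.*)\)", search_filter, flags=re.DOTALL)
    if not m:
        raise ValueError("only (mail=...) filters are modelled")
    hits = [e for e in DIRECTORY if filter_value_matches(m.group(1), e["mail"])]
    if len(hits) != 1:          # unknown sender or ambiguous match: deny
        return False
    # LDAP attribute names are case-insensitive ('memberOF' in the ruleset).
    values = {k.lower(): v for k, v in hits[0].items()}.get(attr.lower(), [])
    # memberOf holds DNs while the ruleset compares the bare group name, so a
    # match on the leading CN= component is accepted (assumption about
    # ldap_compare() semantics; an exact DN match is accepted as well).
    return any(v == wanted or v.split(",", 1)[0] == f"CN={wanted}" for v in values)


def check_lft(mail: Mail, deny_action: str = "drop") -> str:
    """Return 'skip' (not an outgoing LFT mail, lines 05-07), 'allow' (line 10),
    or the deny action taken: 'drop' (line 13), 'bounce' (bounce_LFT variant)
    or 'convert' (flag/setheader variant)."""
    if mail.incoming or mail.internal or not mail.use_lfm:
        return "skip"
    # Escape the sender before substituting it into the (mail=$sender) filter.
    if ldap_compare(f"(mail={ldap_escape(mail.sender)})", "memberOf", LFT_GROUP):
        return "allow"
    if deny_action == "convert":
        mail.flags["nolfm"] = True            # flag('nolfm', true)
        mail.flags["x-smlfm"] = False         # flag('x-smlfm', false)
        mail.headers["X-ESWmail-LFM"] = "NO"  # setheader('X-ESWmail-LFM','NO')
    return deny_action


if __name__ == "__main__":
    print(check_lft(Mail("anna@firma.local", use_lfm=True)))            # allow
    print(check_lft(Mail("bob@firma.local", use_lfm=True), "convert"))  # convert
    print(check_lft(Mail("*", use_lfm=True)))                           # drop
```

Unknown senders and ambiguous lookups deny by default, which is the safe direction for an allow-list check. The bind credentials from line 09 of the ruleset are deliberately not modelled here; only the filter construction and the membership decision are.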
Used commands