TCP wrappers

Access control for clients connecting to Message Store servers (or MMP or proxies) is implemented using the TCP wrapper concept. A TCP wrapper is a program that listens at the same port as the TCP daemon it serves. It uses access filters to verify client identity, and it gives the client access to the daemon if the client passes the filtering process. The design of the Messaging Server TCP wrapper is based on the Unix Tcpd access-control facility (created by Wietse Venema).

As part of its processing, the Messaging Server TCP client access-control system performs (when necessary) the following analyses of the socket end-point addresses:

 * Reverse DNS lookups of both end points (to perform name-based access control)
 * Forward DNS lookups of both end points (to detect DNS spoofing)

The system compares this information against access-control statements called filters to decide whether to grant or deny access. For each service, separate sets of Allow filters and Deny filters control access. Allow filters explicitly grant access. Deny filters explicitly forbid access.

When a client requests access to a service, the access-control system compares the client's address or name information to each of that service's filters, in order, by using these criteria:

 * The search stops at the first match. Because Allow filters are processed before Deny filters, Allow filters take precedence.
 * Access is granted if the client information matches an Allow filter for that service.
 * Access is denied if the client information matches a Deny filter for that service.
 * If no match with any Allow or Deny filter occurs, access is granted, except in the case where there are Allow filters but no Deny filters, in which case lack of a match means that access is denied.

The filter syntax described here is flexible enough that you should be able to implement many different kinds of access-control policies in a simple and straightforward manner. You can use both Allow filters and Deny filters in any combination, even though you can probably implement most policies by using almost exclusively Allows or almost exclusively Denies.
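
The evaluation order above and the forward/reverse DNS cross-check, worked through as an added example (this is illustrative code, not part of Messaging Server). It assumes a filter is simply a predicate over the client's address and verified hostname; the product's actual filter syntax is documented on the TCP wrapper filter syntax page. The DNS tables and addresses are constructed sample data.

```python
from typing import Callable, Dict, List

# Assumption: a filter is modelled as a predicate over (ip, hostname);
# the real filter syntax is on the "TCP wrapper filter syntax" page.
Filter = Callable[[str, str], bool]

def ip_prefix(prefix: str) -> Filter:
    """Match clients whose dotted address starts with the given prefix."""
    return lambda ip, _host: ip.startswith(prefix)

def host_suffix(suffix: str) -> Filter:
    """Match clients whose verified hostname ends with the given domain."""
    return lambda _ip, host: host != "" and host.endswith(suffix)

def decide(allow: List[Filter], deny: List[Filter], ip: str, host: str) -> bool:
    """Apply the documented rules: Allow filters first, first match wins,
    then Deny filters; with no match, grant access unless only Allow
    filters are configured, in which case no match means access is denied."""
    for f in allow:
        if f(ip, host):
            return True
    for f in deny:
        if f(ip, host):
            return False
    if allow and not deny:
        return False
    return True

def verified_hostname(ip: str, reverse: Dict[str, str],
                      forward: Dict[str, List[str]]) -> str:
    """Reverse-resolve ip, then forward-resolve the name. If the forward
    answer does not include ip, the PTR record is not trustworthy (possible
    DNS spoofing), so return '' and let only address-based filters apply."""
    name = reverse.get(ip, "")
    if not name or ip not in forward.get(name, []):
        return ""
    return name

# Constructed sample DNS data (not real hosts): mail2's PTR record points
# at a name whose A record does not map back to the same address.
REVERSE = {"10.1.2.3": "mail1.example.com", "198.51.100.7": "mail2.example.com"}
FORWARD = {"mail1.example.com": ["10.1.2.3"], "mail2.example.com": ["203.0.113.9"]}

def check(ip: str, allow: List[Filter], deny: List[Filter]) -> bool:
    """Full decision for one connecting client: verify the name, then filter."""
    return decide(allow, deny, ip, verified_hostname(ip, REVERSE, FORWARD))
```

Note that a client whose reverse and forward lookups disagree can still be admitted by an address-based Allow filter or by the default-grant rule; a name-based Allow filter alone never matches it.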

See TCP wrapper filter syntax for a discussion of TCP wrapper filter syntax. Note that MMP and the proxies use a general   option to set any combination of Allow and Deny filters, whereas the  IMAP and POP servers, the ENS server, and the eval_ldapd server, instead use a   option and a   option to set, respectively, Allow and Deny filters.

There are also LDAP attributes at the user level,, and domain level,  , that are available to specify  per-user or per-domain TCP wrapper access filters. (Note that the MMP and its proxies permit revectoring of exactly what LDAP attribute is used at the user level, via their  option.)  See the   option for a discussion of the caching of domain level LDAP attributes such as.

See also:
 * Client access to Message Store servers
 * TCP wrapper filter syntax
 * TCP wrapper filter examples
 * TCP wrapper filter creation
 * Component domainallowed and domainnotallowed options
 * MMP and IMAP Proxy and POP Proxy and vdomain options
 * IMAP options
 * POP options
 * ENS options
 * eval_ldapd options
 * tcpaccess Option
 * domainallowed Option
 * domainnotallowed Option
 * tcpaccessattr Option
 * ldap_domain_timeout Option
 * Configuration syntax