Access mapping tables

From Messaging Server Technical Reference Wiki
Jump to: navigation, search

There are several MTA mapping tables that may be used to control who may or may not connect to the SMTP/SMTP SUBMIT/LMTP servers, what destination hosts and IP addresses may be sent to, what connections may use certain SMTP commands, who may send mail, who may receive mail, or control who may post to mailing lists. For general information on the format and usage of MTA mapping tables, see Mapping table format.

The PORT_ACCESS mapping table is used by the Dispatcher to control blocking of connections from particular IP addresses or IP address ranges, and to control use of different authentication mechanisms for different sorts of connections. The PORT_ACCESS mapping table in particular is relevant for certain techniques falling under the general category of see defending against denial of service attacks. Although the PORT_ACCESS mapping table does not have access to message address information and hence does not permit the fine level granularity of, for instance, the ORIG_MAIL_ACCESS mapping table, and although it only applies to incoming SMTP/SMTP SUBMIT/LMTP over TCP/IP messages, note that for what it does do it is a very efficient approach (more efficient than using one of the later, address-based access mapping tables) since it rejects a disallowed host's connection attempt at the TCP level, before the channel dialogue (the SMTP/SMTP SUBMIT/LMTP transaction) has even begun.

The FROM_ACCESS mapping table is probed at the point of attempted message submission where the envelope From address has been provided; in SMTP terms, at the stage of the MAIL FROM: command. In particular, this is after the PORT_ACCESS probe (that decides whether to allow an SMTP/SMTP SUBMIT/LMTP connection) but before the recipient address mapping tables probes (that decide whether to allow particular recipient addresses). Another feature of the FROM_ACCESS mapping table is that it also has access to the authenticated sender information (SMTP AUTH information in particular).

The four recipient access mapping tables, ORIG_SEND_ACCESS, SEND_ACCESS, ORIG_MAIL_ACCESS, and MAIL_ACCESS, can make use of envelope address information (as well as, in some cases, all the IP information available to the PORT_ACCESS mapping table). The nature of these mapping tables is very general, and allows per channel granularity, that is, channel-specific controls.

Of the recipient access control mapping tables applied at the SMTP RCPT TO command stage, the MAIL_ACCESS and ORIG_MAIL_ACCESS mapping tables are the most general, having available not only the address and channel information available to SEND_ACCESS and ORIG_SEND_ACCESS, but also any information that would be available via the PORT_ACCESS mapping table, including IP address and port number information. But when IP address information is not relevant to the desired controls, then use of SEND_ACCESS or ORIG_SEND_ACCESS may be simpler. And for some purposes, combining use of two or more of these tables may be convenient; see When access mapping table controls are applied for a discussion of the timing and ordering of when access mapping table controls are applied.

The AUTH_REWRITE mapping table is checked after the SMTP DATA is received, so that it has access not only to SMTP envelope fields but also to the header fields in the message itself. Thus while it is not usually the primary tool for checking sender access, as its check occurs later and thus is less efficient for outright blocking certain undesired senders, it can be very useful for enforcing site policy requirements regarding use of proper (perhaps authenticated) From: addresses, by rejecting messages that do not conform to policy.

See also: