Access mapping tables
There are several MTA mapping tables that may be used to control who may or may not connect to the SMTP/SMTP SUBMIT/LMTP servers, what destination hosts and IP addresses may be sent to, what connections may use certain SMTP commands, who may send mail, who may receive mail, or control who may post to mailing lists. For general information on the format and usage of MTA mapping tables, see Mapping table format.
PORT_ACCESS mapping table is used by the Dispatcher to control blocking of connections from particular IP addresses or IP address ranges, and to control use of different authentication mechanisms for different sorts of connections. The
PORT_ACCESS mapping table in particular is relevant for certain techniques falling under the general category of see defending against denial of service attacks. Although the
PORT_ACCESS mapping table does not have access to message address information and hence does not permit the fine level granularity of, for instance, the
ORIG_MAIL_ACCESS mapping table, and although it only applies to incoming SMTP/SMTP SUBMIT/LMTP over TCP/IP messages, note that for what it does do it is a very efficient approach (more efficient than using one of the later, address-based access mapping tables) since it rejects a disallowed host's connection attempt at the TCP level, before the channel dialogue (the SMTP/SMTP SUBMIT/LMTP transaction) has even begun.
FROM_ACCESS mapping table is probed at the point of attempted message submission where the envelope From address has been provided; in SMTP terms, at the stage of the MAIL FROM: command. In particular, this is after the
PORT_ACCESS probe (that decides whether to allow an SMTP/SMTP SUBMIT/LMTP connection) but before the recipient address mapping tables probes (that decide whether to allow particular recipient addresses). Another feature of the
FROM_ACCESS mapping table is that it also has access to the authenticated sender information (SMTP AUTH information in particular).
The four recipient access mapping tables,
MAIL_ACCESS, can make use of envelope address information (as well as, in some cases, all the IP information available to the
PORT_ACCESS mapping table). The nature of these mapping tables is very general, and allows per channel granularity, that is, channel-specific controls.
Of the recipient access control mapping tables applied at the SMTP RCPT TO command stage, the
ORIG_MAIL_ACCESS mapping tables are the most general, having available not only the address and channel information available to
ORIG_SEND_ACCESS, but also any information that would be available via the
PORT_ACCESS mapping table, including IP address and port number information. But when IP address information is not relevant to the desired controls, then use of
ORIG_SEND_ACCESS may be simpler. And for some purposes, combining use of two or more of these tables may be convenient; see When access mapping table controls are applied for a discussion of the timing and ordering of when access mapping table controls are applied.
AUTH_REWRITE mapping table is checked after the SMTP DATA is received, so that it has access not only to SMTP envelope fields but also to the header fields in the message itself. Thus while it is not usually the primary tool for checking sender access, as its check occurs later and thus is less efficient for outright blocking certain undesired senders, it can be very useful for enforcing site policy requirements regarding use of proper (perhaps authenticated) From: addresses, by rejecting messages that do not conform to policy.
- PORT_ACCESS mapping table
- Recipient access mapping tables
- FROM_ACCESS mapping table
- AUTH_REWRITE mapping table
- ETRN_ACCESS mapping table
- BURL_ACCESS mapping table
- SASL_ACCESS mapping table
- TLS_ACCESS mapping table
- DEQUEUE_ACCESS mapping table
- AUTH_ACCESS mapping table
- IP_ACCESS mapping table
- When access mapping table controls are applied
- Defending against denial of service attacks
- Handling large numbers of mapping table entries
- Mail filtering and access control
- Mapping table format
- Mapping tables
- Access mapping table MTA options