Re: Email only accounts

Dale E. Reed Jr. (daler@iea.com)
Wed, 30 Jul 1997 13:20:59 -0700

Robert Hiltibidal wrote:
>
> Howdy,
>
> My boss wants to try a different approach for email only accounts. Right
> now for email only's we do not allow them to have dial in access. He wants
> to change that.
>
> The goal is twofold:
>
> allow 15 minutes for the email's only
>
> have radius put a temporary filter in that limits the tcp/ip,icmp,udp et
> al protocols to just pop only. More: limit the pop requests to one
> particular email server.
>
> Any ideas on how to do this?

It's actually fairly simple. In RadiusNT ODBC mode you build an
accounttype (typically called Email or Email only) and for the
default attributes you associate:

User-Service = Framed-User
Framed-Protocol = PPP
Framed-Filter = mailonly
Session-Timeout = 900

Then you create a filter in your Portmasters (or use choicenet)
which only allows:

1. DNS resolution to your DNS server
2. SMTP and POP3 to your MAIL server

With Livingston's RADIUS, you have to give the mailonly filter to each
user you want to limit. With RadiusNT ODBC, you just make their
AccountType the one with the filter. The nice thing about the latter
is when you want to change the session-limit, or other features you
only change it once, not for each user. You could probably get away
from something like suffix = ".mail" in Livingston's 2.0, though.

-- 
Dale E. Reed Jr.  (daler@iea.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |    http://www.emerald.iea.com
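
An added example, not part of the original message and not RadiusNT or PortMaster code: a Python model of the mailonly policy described above (DNS to the DNS server, SMTP and POP3 to the mail server, nothing else), with probes that check the rule set before it is deployed. The addresses, the rule format, the TCP 53 rule and the first-match, default-deny evaluation are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addresses (documentation ranges); substitute your own servers.
DNS_SERVER = "192.0.2.53"
MAIL_SERVER = "192.0.2.25"

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    dst: str              # destination network in CIDR form
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any port

# Hypothetical model of the "mailonly" filter, applied to traffic from the dial-in user.
MAILONLY = [
    Rule("permit", DNS_SERVER + "/32", "udp", 53),
    Rule("permit", DNS_SERVER + "/32", "tcp", 53),   # assumption: allow DNS over TCP too
    Rule("permit", MAIL_SERVER + "/32", "tcp", 25),
    Rule("permit", MAIL_SERVER + "/32", "tcp", 110),
]

def evaluate(rules, dst, proto, dport=None):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if addr not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"

def audit(rules, probes):
    """Return (probe, actual) pairs where the filter disagrees with the expected action."""
    results = [(p, evaluate(rules, p[0], p[1], p[2])) for p in probes]
    return [(p, got) for p, got in results if got != p[3]]

# Constructed probes: (dst, proto, dport, expected action)
PROBES = [
    (DNS_SERVER, "udp", 53, "permit"),
    (MAIL_SERVER, "tcp", 110, "permit"),
    (MAIL_SERVER, "tcp", 25, "permit"),
    (MAIL_SERVER, "tcp", 23, "deny"),       # telnet to the mail host
    ("198.51.100.7", "tcp", 110, "deny"),   # POP3 to some other server
    ("198.51.100.7", "tcp", 80, "deny"),    # web browsing
    (DNS_SERVER, "icmp", None, "deny"),     # ping
]

if __name__ == "__main__":
    print("mismatches:", audit(MAILONLY, PROBES))
```

An empty mismatch list means the rule set permits only the intended services; a rule that is too broad (for example POP3 to any destination) shows up as a failed deny probe.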