Re: Email only accounts

John G. Thompson (jgt10@livingston.com)
Wed, 30 Jul 1997 16:04:10 -0700

At 01:20 PM 7/30/97 -0700, Dale E. Reed Jr. wrote:
>Robert Hiltibidal wrote:
>>
>> Howdy,
>>
>> My boss wants to try a different approach for email-only accounts. Right
>> now for email-only accounts we do not allow them to have dial-in access. He
>> wants to change that.
>>
>> The goal is two fold:
>>
>> allow 15 minutes for the email-only accounts
>>
>> have RADIUS put a temporary filter in that limits the TCP/IP, ICMP, UDP et
>> al. protocols to just POP only. More: limit the POP requests to one
>> particular email server.
>>
>> Any ideas on how to do this?
>
>It's actually fairly simple. In RadiusNT ODBC mode you build an
>AccountType (typically called Email or Email Only) and for the
>default attributes you associate:
>
>User-Service = Framed-User
>Framed-Protocol = PPP
>Framed-Filter = mailonly
>Session-Timeout = 900
>
>Then you create a filter in your Portmasters (or use choicenet)
>which only allows:
>
>1. DNS resolution to your DNS server
>2. SMTP and POP3 to your MAIL server

Careful here. You have to create the filters as mailonly.in and
mailonly.out in the Portmasters or ChoiceNet, as ComOS adds .in and .out
to the filter name and applies them to the inbound and outbound sides of the
network interface created. If the .out filter doesn't exist, that is okay, as
a non-existent filter permits all traffic, as does a filter with zero rules
in ComOS release 3.3.2 and later.

The mailonly.in filter MIGHT look something like the following:
(Substitute the address of your mail servers as appropriate.)

Command> add fil mailonly.in
Command> set fil mailonly.in 1 perm 0.0.0.0/0 10.1.1.1/32 tcp dst eq 25
Command> set fil mailonly.in 2 perm 0.0.0.0/0 10.1.1.1/32 tcp dst eq 110
Command> set fil mailonly.in 3 perm 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
Command> set fil mailonly.in 4 perm 0.0.0.0/0 10.1.1.1/32 tcp dst eq 220
Command> set fil mailonly.in 5 perm 0.0.0.0/0 10.1.1.1/32 udp dst eq 220

Rule 1 does SMTP, rule 2 does POP3, and rules 4 and 5 do IMAP version 3 to a
single host.
Rule 3 permits DNS lookups to any DNS server.

>With Livingston's RADIUS, you have to give the mailonly filter to each
>user you want to limit.

Not strictly true. A DEFAULT entry can be created with either a suffix or
group check item to do the job.

>With RadiusNT ODBC, you just make their
>AccountType the one with the filter. The nice thing about the latter
>is when you want to change the session-limit, or other features, you
>only change it once, not for each user. You could probably get away
>with something like suffix = ".mail" in Livingston's 2.0, though.

Actually, in 2.0.1 you can use the 'group' feature in both Unix and NT on a
DEFAULT entry. In that situation you have the same ability as Dale states
above to change the session timeout or whatever.

DEFAULT	Auth-Type = System, Group = "mail"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Filter-Id = "mailonly",
	Session-Timeout = 900

JGT
---------------------------------------------------------------------------
John G. Thompson        Livingston Enterprises Inc.   Phone: (800) 458-9966
JOAT(MON)               4464 Willow Road              Fax:   (510) 737-2110
support@livingston.com  Pleasanton, CA 94588          http://www.livingston.com/
---------------------------------------------------------------------------
******* The solution to any problem lies in its proper definition. *******
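As an added example (not part of John's or Dale's messages, and not ComOS or
Livingston RADIUS code): a short Python model of what the mailonly.in rules
above actually let through. It assumes the documented ComOS filter semantics
(first matching rule wins, and a filter with one or more rules ends in an
implicit deny) plus John's statement that a missing or empty filter permits
everything. 10.1.1.1 is the placeholder mail server address from the post;
the dial-in user address 192.0.2.10 and the packets are constructed for
illustration.

```python
"""
Model of ComOS filter semantics applied to the mailonly.in rules from the post.
Added example, not ComOS/Livingston code.  Assumptions: first matching rule
wins; a non-empty filter ends in an implicit deny; an absent or empty filter
permits everything (ComOS 3.3.2+, per the post).  10.1.1.1 is the placeholder
mail server from the post; the test packets below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The mailonly.in rules from the post, with the required `eq` comparator.
MAILONLY_IN = """
set fil mailonly.in 1 perm 0.0.0.0/0 10.1.1.1/32 tcp dst eq 25
set fil mailonly.in 2 perm 0.0.0.0/0 10.1.1.1/32 tcp dst eq 110
set fil mailonly.in 3 perm 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
set fil mailonly.in 4 perm 0.0.0.0/0 10.1.1.1/32 tcp dst eq 220
set fil mailonly.in 5 perm 0.0.0.0/0 10.1.1.1/32 udp dst eq 220
"""

# set filter NAME N permit|deny SRC/MASK DST/MASK [PROTO [src OP PORT] [dst OP PORT]]
# The `established` and `log` keywords are not modelled here.
RULE_RE = re.compile(
    r"set\s+fil(?:ter)?\s+(?P<name>\S+)\s+(?P<num>\d+)\s+(?P<action>perm(?:it)?|deny)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+(?P<proto>tcp|udp|icmp)"
    r"(?:\s+src\s+(?P<sop>eq|neq|lt|gt)\s+(?P<sport>\d+))?"
    r"(?:\s+dst\s+(?P<dop>eq|neq|lt|gt)\s+(?P<dport>\d+))?)?"
)

_CMP = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
        "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}


@dataclass(frozen=True)
class Rule:
    num: int
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]                  # None: any protocol
    sport: Optional[tuple[str, int]]      # (operator, port) or None
    dport: Optional[tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


def parse_filter(text: str) -> list[Rule]:
    """Parse `set filter` lines into Rule objects, ordered by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        port = lambda op, p: (m[op], int(m[p])) if m[op] else None
        rules.append(Rule(
            num=int(m["num"]),
            permit=m["action"].startswith("perm"),
            src=ipaddress.ip_network(m["src"]),
            dst=ipaddress.ip_network(m["dst"]),
            proto=m["proto"],
            sport=port("sop", "sport"),
            dport=port("dop", "dport"),
        ))
    return sorted(rules, key=lambda r: r.num)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    def port_ok(cond, port):
        return cond is None or _CMP[cond[0]](port, cond[1])
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.proto is None or rule.proto == pkt.proto)
            and port_ok(rule.sport, pkt.sport)
            and port_ok(rule.dport, pkt.dport))


def permitted(rules: list[Rule], pkt: Packet) -> bool:
    """Absent/empty filter permits all; otherwise first match wins, then implicit deny."""
    if not rules:
        return True
    for rule in rules:
        if matches(rule, pkt):
            return rule.permit
    return False


def demo() -> dict[str, bool]:
    """Traffic from a dial-in user at 192.0.2.10 (constructed) through mailonly.in."""
    rules = parse_filter(MAILONLY_IN)
    cases = {
        "POP3 to the mail server": Packet("192.0.2.10", "10.1.1.1", "tcp", 1025, 110),
        "POP3 to another host": Packet("192.0.2.10", "10.1.1.2", "tcp", 1025, 110),
        "DNS to any server": Packet("192.0.2.10", "198.51.100.53", "udp", 1025, 53),
        "DNS over TCP": Packet("192.0.2.10", "198.51.100.53", "tcp", 1025, 53),
        "HTTP to the mail server": Packet("192.0.2.10", "10.1.1.1", "tcp", 1025, 80),
        "ICMP echo to the mail server": Packet("192.0.2.10", "10.1.1.1", "icmp"),
    }
    return {name: permitted(rules, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'permit' if ok else 'deny  '}  {name}")
```

The .in side sees packets coming from the dial-in user, which is why POP3 to
any host other than 10.1.1.1, HTTP, TCP-based DNS and ICMP all fall through to
the implicit deny; replies from the mail server cross the absent mailonly.out
filter and are permitted, which is exactly the behaviour the post relies on.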