Re: Email only accounts

Stephen Fisher (lithium@cia-g.com)
Thu, 31 Jul 1997 00:09:50 -0600 (MDT)

First of all, our normal method of giving accounts is that we add the
username to the Unix boxes and then in Radius allow a user to log in to
their shell account with that username or, using Prefix = "P", they can
log in to their PPP account.

All of the normal shell & PPP accounts are in a particular Unix group (from
/etc/group) and the e-mail only accounts are in a different group. I have
yet a third DEFAULT entry in the users file which is only used on e-mail
only accounts by using the Group = "mailonly" check-item:

DEFAULT Auth-Type = System, Prefix = "P", Group = "mailonly"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Filter-Id = "mailonly",
        Idle-Timeout = 1800

(There is another just like it for PAP logins actually). This further
allows e-mail only accounts to log in through a shell where their default
shell is a mail reader. They can also log in through PPP and they are
dynamically assigned the "mailonly" filter through ChoiceNet. I am using
some default filters from Livingston that came with ChoiceNet:

# mailonly.in - allows users to use their e-mail only accounts in PPP mode
# while restricting them to accessing DNS and the mail server.
#
# List approved mail servers in ../lists/mailbox, one per line
#
# Add this line to user's RADIUS 2.0 reply-items (without the leading #):
# Filter-Id = "mailonly"
#
permit tcp established
permit 0.0.0.0/0 =mailbox tcp dst eq 25
permit 0.0.0.0/0 =mailbox tcp dst eq 110
permit udp dst eq 53
permit tcp dst eq 53
permit icmp
deny notify

This filter allows DNS lookups using any nameserver and then POP3 and SMTP
only to the server(s) listed in /etc/choicenet/lists/mailbox. All other
traffic is denied.

This method works great for us.

On Wed, 30 Jul 1997, Robert Hiltibidal wrote:

> My boss wants to try a different approach for email only accounts. Right
> now for email only's we do not allow them to have dial in access. He
> wants to change that.
>
> We have a customer base of over 5000 with 12 different pop sites. We're
> running linux 2.0.29 with radius 2.01
>
> The users file is hashed by builddbm
>
> The goal is two fold:
>
> allow 15 minutes for the email-onlys
>
> have radius put a temporary filter in that limits the tcp/ip, icmp, udp et
> al protocols to just pop only. More: limit the pop requests to one
> particular email server.
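The following is an added example, not part of either message above and not Livingston's own code: a small evaluator that walks the "mailonly" filter rules quoted in Stephen's reply and decides, for a constructed packet, which rule fires first. It lets an operator check what an e-mail only PPP user can and cannot reach before the filter is pushed to the PortMaster. The reading of the rule syntax (source address, then "=listname" as the destination list, then protocol, "dst eq port", "established", and "notify" as a logging flag with an implicit deny at the end) is my interpretation of the lines shown, not the documented ChoiceNet grammar, and the mail server address standing in for ../lists/mailbox is a constructed sample value.

```python
# Added example: evaluate the "mailonly" ChoiceNet filter against sample packets.
# Rule syntax interpretation and all addresses are assumptions, not from the page.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, List

# Constructed stand-in for /etc/choicenet/lists/mailbox (one approved mail server).
LISTS = {"mailbox": ["192.0.2.25"]}

# The filter exactly as quoted in the message, minus its comment header.
FILTER_TEXT = """
permit tcp established
permit 0.0.0.0/0 =mailbox tcp dst eq 25
permit 0.0.0.0/0 =mailbox tcp dst eq 110
permit udp dst eq 53
permit tcp dst eq 53
permit icmp
deny notify
"""

PROTOCOL_WORDS = ("tcp", "udp", "icmp", "ip", "notify")


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP segment that belongs to an already open connection


@dataclass
class Rule:
    action: str
    proto: str                              # "ip" means any protocol
    src: Optional[ipaddress.IPv4Network]    # None means any source
    dst_hosts: Optional[Set[str]]           # None means any destination
    dport: Optional[int]                    # None means any destination port
    established: bool


def parse_rule(line: str) -> Rule:
    """Parse one filter line under the assumed syntax:
    action [src/mask] [=listname] protocol [dst eq port] [established] [notify]."""
    tokens = line.split()
    action = tokens.pop(0)
    src = None
    dst_hosts = None
    # Address fields precede the protocol keyword.
    while tokens and tokens[0] not in PROTOCOL_WORDS:
        tok = tokens.pop(0)
        if tok.startswith("="):
            dst_hosts = set(LISTS[tok[1:]])
        else:
            src = ipaddress.ip_network(tok, strict=False)
    proto = tokens.pop(0) if tokens else "ip"
    if proto == "notify":      # "deny notify": log the drop, match everything
        proto = "ip"
    dport = None
    established = False
    while tokens:
        tok = tokens.pop(0)
        if tok == "established":
            established = True
        elif tok == "dst":
            if tokens.pop(0) != "eq":
                raise ValueError("only 'dst eq <port>' is supported here")
            dport = int(tokens.pop(0))
        # "notify" trailing flag: logging only, no effect on matching
    return Rule(action, proto, src, dst_hosts, dport, established)


def parse_filter(text: str) -> List[Rule]:
    """Parse every non-blank, non-comment line of a filter file."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst_hosts is not None and pkt.dst not in rule.dst_hosts:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not pkt.established:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


RULES = parse_filter(FILTER_TEXT)


def decide(proto: str, src: str, dst: str, dport: int = 0, established: bool = False) -> str:
    return evaluate(RULES, Packet(proto, src, dst, dport, established))


if __name__ == "__main__":
    # 10.0.0.5 is a constructed dial-in address; 198.51.100.x are constructed outside hosts.
    print(decide("tcp", "10.0.0.5", "192.0.2.25", 110))        # POP3 to the listed server
    print(decide("tcp", "10.0.0.5", "198.51.100.7", 110))      # POP3 to any other server
    print(decide("tcp", "10.0.0.5", "198.51.100.80", 80))      # web browsing
```

Running it shows POP3 and SMTP to the listed mailbox host, DNS to any resolver and ICMP permitted, and everything else falling through to "deny notify". One thing worth checking with this kind of filter is the first line: "permit tcp established" is evaluated per packet on a device with no connection table, so it matches on TCP header flags rather than on a connection the user actually opened; a reviewer tightening the policy would want to confirm how the PortMaster defines "established" before relying on that line alone.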