Author Topic: Block email access?  (Read 1932 times)

kingcu

Block email access?
« on: March 22, 2012, 06:43:59 pm »
Greetings! Just wondering how one would block email access for a LAN with Zentyal configured as a gateway. For example, block mail.yahoo.com, but leave the access to news.yahoo.com available.

christian

  • Guest
Re: Block email access?
« Reply #1 on: March 22, 2012, 07:09:53 pm »
What do you mean exactly?
Blocking outgoing mails or incoming mails? Or both?  ;D
And what is your point with mail.yahoo.com vs. news.yahoo.com? This is not clear to me.

In any case, you have to be sure (if I understand well) that "pop transparent proxy" is not enabled because this will permit users to use an external POP server where they may receive "uncontrolled" mails.

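Then, assuming you do want to apply such control (please think twice), you can easily customize the postfix conf (I never saw such an option in the Zentyal interface) so that main.cf contains these lines:
Code:
# Look up the envelope sender in the table of blocked domains
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/mycontrol
# Look up the recipient in the same table, then keep the stock relay protection
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/mycontrol, permit_mynetworks, reject_unauth_destination
"mycontrol" being the hash storing the domains you want to block.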
Have a look there:
http://www.postfix.org/postconf.5.html

And think again: once you have implemented such a filter, the next question could be: "Nice but what if I want this applied for some users only?"  ;)

jjmontes

  • Zentyal Staff
Re: Block email access?
« Reply #2 on: March 23, 2012, 02:24:36 am »
Depending on what you mean:

You can block email access (to POP3, SMTP, IMAP..) using firewall rules. You can even transparently POP3 traffic.

If what you want to do is to filter access to some webmail providers (Yahoo! Webmail, Google Mail, etc...), then you can use the HTTP Proxy module to filter the domains of your choice (check http://doc.zentyal.org/en/proxy.html ).


kingcu

Re: Block email access?
« Reply #3 on: March 23, 2012, 04:44:13 am »
Sorry for not being clear in my original post. And thanks for the responses.

What I am trying to do is actually two things:

1. Block mail protocols (POP3, SMTP, etc) to external servers, which means an internal user can't access his gmail/yahoo mail account through an email client (outlook/thunderbird) installed on his PC.

2. Block access to all the webmail providers (Yahoo, Google, Hotmail, etc), but only block the webmail part, and leave everything else open. So an internal user can't access mail.yahoo.com, but can still access news.yahoo.com, maps.yahoo.com, etc.

So, for #1, since there are only a few mail protocols, it can be done through firewall rules, as jjmontes suggested. BTW, what do you mean by:
Quote
You can even transparently POP3 traffic.

For #2, is there any shortcut for me to block access to all the webmail providers? Or do I have to list them one by one? And I doubt I can enumerate every one of them.

One last question, can the above access restrictions be applied to only certain IPs within the domain?

christian

  • Guest
Re: Block email access?
« Reply #4 on: March 23, 2012, 08:37:56 am »
Much clearer now  ;)

Regarding mail-related protocols, this is pretty easy: be sure that the firewall doesn't permit internal users to access external mail servers using either POP or IMAP (these protocols are used to read mail from a mail client). Be sure that the POP proxy is NOT activated (the POP proxy intercepts POP requests at Zentyal level to apply anti-spam and anti-virus clean-up. Enabling it would work around the FW rules).

Regarding the webmail feature, the basic answer is that you can't  :( except if you deny web access  ;D
Let me explain:
- you will have to maintain a list of webmail servers to be denied (and a keyword like webmail.domain.com will not work very well)
- even if you maintain such a list, it is very difficult to prevent the use of an external HTTP "proxy" (or anonymizer) that will relay requests to the webmail server.

So you can try to make it as painful as possible for your users until they give up but you can't ensure 100% access to webmail will be blocked.

kingcu

Re: Block email access?
« Reply #5 on: March 23, 2012, 08:51:33 am »
Thanks. As you said, I also realized that maintaining a complete list of all webmail sites is very difficult, if not impossible. Plus if a user uses a proxy, it'll bypass the URL restriction. So, instead of maintaining a black list, I am thinking the other way around - maintain a "white list". In other words, I'll maintain a list of allowed websites and deny everything else. Should there be an access need for a new website, that website can be added into the white list.

christian

  • Guest
Re: Block email access?
« Reply #6 on: March 23, 2012, 08:55:48 am »
This works  ;D
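
The default-deny "white list" from reply #5, sketched as an added example (not code from any poster or from Zentyal). It shows why entries must name the allowed host rather than the whole provider domain. The entry syntax (a leading dot meaning "this domain and all subdomains") is an assumption modelled on Squid's dstdomain convention, and the sample lists are constructed.

```python
# Added example: default-deny host allowlist check.
# Assumed entry syntax (Squid dstdomain style):
#   "news.yahoo.com" -> that exact host only
#   ".zentyal.org"   -> zentyal.org and every subdomain

def normalize(host):
    """Lower-case the host and strip any port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):      # bracketed IPv6 literal: not a name, deny
        return ""
    host = host.split(":", 1)[0]  # drop ":443" style port suffix
    return host.rstrip(".")       # "mail.yahoo.com." == "mail.yahoo.com"

def is_allowed(host, allowlist):
    """Return True only if the host matches an allowlist entry."""
    host = normalize(host)
    if not host:
        return False
    for entry in allowlist:
        entry = entry.strip().lower()
        if entry.startswith("."):
            base = entry[1:]
            # Match on a label boundary so "notzentyal.org" does not pass.
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False                  # default deny: anything unlisted is blocked

def audit(hosts, allowlist):
    """Map each requested host to its allow/deny decision."""
    return {h: is_allowed(h, allowlist) for h in hosts}

# Constructed sample policies.
ALLOWLIST = ["news.yahoo.com", "maps.yahoo.com", ".zentyal.org"]
TOO_BROAD = [".yahoo.com"]        # would re-open mail.yahoo.com

if __name__ == "__main__":
    sample = ["news.yahoo.com", "mail.yahoo.com", "MAIL.Yahoo.com.",
              "doc.zentyal.org", "notzentyal.org",
              "news.yahoo.com.proxy.example"]
    for host, ok in audit(sample, ALLOWLIST).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {host}")
    print("too-broad entry allows webmail:",
          is_allowed("mail.yahoo.com", TOO_BROAD))
```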