HOW TO: Allow or block some accounts sending external email

This section contains scripts that hMailServer has contributed with. hMailServer 5 is needed to use these.
jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

Post by jimimaseye » 2015-04-05 16:33

How to block some accounts from sending email to external accounts

It may be that you have a requirement to allow some users to send emails to external addresses whilst restricting other users (permitting only internal mails).

The scripts operate by referring to a specific DISTRIBUTION LIST against your domain containing the member addresses of the users that you wish to allow/block (depending on the script chosen). They work on the proviso that senders AUTHENTICATE to send emails and that you authenticate using the full 'user@domain.com' format.

Either of the following scripts should be used depending on your chosen scenario:

a, "ALLOWEDSENDERS" : the MAJORITY of users are RESTRICTED from sending external emails by default, and so it is easier to maintain a list of users that are allowed (for example, maybe only managers of a company are allowed, and all others are restricted)

b, "NONSENDERS" : this should be used where MAJORITY are ALLOWED by default, yet you want to restrict a minority of users from sending to external addresses. (eg, everyone is allowed except the hooky bloke in the warehouse :-) )

Once you have decided on which method applies to your business, you create a Distribution List titled accordingly, either:
"AllowedSenders" or
"NonSenders"

Remember to keep the identity/existence of this distribution list secret from users to avoid it being sent to.

Within that distribution list you then enter the email member addresses of the people THAT APPLY to the list (according to the title). Remember that users that do NOT appear on the list will be allowed to do the contrary. You do not need to maintain BOTH lists - you only need to implement one.

Once you have created the relevant distribution list, then you copy the code FROM ONLY ONE of the scripts below, ensuring you choose the correct script according to the choice/title of your distribution list. The script should be added to the 'eventhandlers.vbs' script. DON'T FORGET to change the password to match your HMS system password (currently coded as "*secretpassword*").

Script 1:

ALLOWEDSENDERS - blocking all except those entered in the distribution list

Code:

Sub OnSMTPData(oClient, oMessage)
   ' Only act on authenticated sessions that logged in as user@domain
   If oClient.Username <> "" And InStr(oClient.Username, "@") > 0 Then
      Dim k, i, j, aUsername, oApp, oDomain, oDistributionList
      Set oApp = CreateObject("hMailServer.Application")
      Call oApp.Authenticate("Administrator", "*secretpassword*")
      aUsername = Split(oClient.Username,"@")
      Set oDomain = oApp.Domains.ItemByName(aUsername(1))
      ' Find the AllowedSenders list of the sender's own domain
      For k = 0 To oDomain.DistributionLists.Count -1
         If LCase(oDomain.DistributionLists.Item(k).Address) = LCase("AllowedSenders@" & aUsername(1)) Then
            Set oDistributionList = oDomain.DistributionLists.Item(k)
            If oDistributionList.Active Then
               For j = 0 To oMessage.Recipients.Count -1
                  ' Only external recipients are restricted
                  If (Not oMessage.Recipients(j).IsLocalUser) Then
                     For i = 0 To oDistributionList.Recipients.Count -1
                        ' Sender is on the list: accept the message
                        If LCase(oDistributionList.Recipients.Item(i).RecipientAddress) = LCase(oClient.Username) Then
                           Exit Sub
                        End If
                     Next
                     ' Sender is not on the list: reject the message
                     Result.Value = 2
                     Result.Message = "You are only allowed to send internally"
                  End If
               Next
            End If
            Exit For
         End If
      Next
   End If
End Sub

or

Script 2:

NONSENDERS - Allowing all except those listed in the distribution list.

Code:

Sub OnSMTPData(oClient, oMessage)
   ' Only act on authenticated sessions that logged in as user@domain
   If oClient.Username <> "" And InStr(oClient.Username, "@") > 0 Then
      Dim k, i, j, aUsername, oApp, oDomain, oDistributionList
      Set oApp = CreateObject("hMailServer.Application")
      Call oApp.Authenticate("Administrator", "*secretpassword*")
      aUsername = Split(oClient.Username,"@")
      Set oDomain = oApp.Domains.ItemByName(aUsername(1))
      ' Find the NonSenders list of the sender's own domain
      For k = 0 To oDomain.DistributionLists.Count -1
         If LCase(oDomain.DistributionLists.Item(k).Address) = LCase("NonSenders@" & aUsername(1)) Then
            Set oDistributionList = oDomain.DistributionLists.Item(k)
            If oDistributionList.Active Then
               For j = 0 To oMessage.Recipients.Count -1
                  ' Only external recipients are restricted
                  If (Not oMessage.Recipients(j).IsLocalUser) Then
                     For i = 0 To oDistributionList.Recipients.Count -1
                        ' Sender is on the list: reject the message
                        If LCase(oDistributionList.Recipients.Item(i).RecipientAddress) = LCase(oClient.Username) Then
                           Result.Value = 2
                           Result.Message = "You are only allowed to send internally"
                           Exit Sub
                        End If
                     Next
                  End If
               Next
            End If
            Exit For
         End If
      Next
   End If
End Sub

Thanks and acknowledgement goes to SorenR for the main contribution.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

kborowy
New user
Posts: 19
Joined: 2015-04-29 12:44

Post by kborowy » 2016-10-13 17:16

Hi,
Where in your script can I write in the name of the distribution group?
Is it here?:
If lcase(oDomain.DistributionLists.Item(k).Address) = lcase("AllowedSenders@" & aUsername(1)) Then

This is what I want from this topic - viewtopic.php?f=7&t=28146&p=190191#p190191.

I've got, let's say, 5 mailboxes (accounts) on hmail.
ALL of them are forwarded to one mailbox, where people have access and can see if the test server is generating mails when they want it.
For example:
email1@mydomain.com, email2@mydomain.com, email3@mydomain.com, email4@mydomain.com and email5@mydomain.com are my mailboxes.
email2-4 are forwarded to email1@mydomain.com and people have it on Thunderbird (this email1 mailbox).
Email5 is being used by the test system and it generates emails.
So in the test environment people "generate" mail and it is always the Sender. They can manually write the Recipient address - for example xxx@google.com - or any address they want and it will never be delivered because I do not use a Relay server in hmail.
I have defined rules from an old post from this topic to achieve this environment and it is working.

Now I've got an external server, Exchange. Exchange forwards emails to Postfix and Postfix sends them to all the world.
Can I leave all this configuration and add something to allow my email5@mydomain.com to send emails to Exchange, but only when the Recipient addresses are defined (for example we can only send email to xxx@externaldomain.com and yyy@externaldomain.com)?

All other mails can work like I said or can be blocked if there is no solution for my idea.

jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

Post by jimimaseye » 2016-10-13 21:05

This script does what it says in the write-up - I don't think I can make it any clearer. Having an 'AllowedSenders' list with email5@mydomain.com as an entry will allow email5 only to be able to send out to external and will block all other accounts from sending externally.

In addition, the script in its current form doesn't check the recipient addresses but you can script in the extra functionality if you wish.

Or, if you only have a few external addresses you allow delivery to, you could set routes to those addresses (with the individual address being listed as an allowed 'Delivery to Addresses' entry) with each route always pointing to your exchange box. The combination of the above script and these routes would therefore only allow email5@ to send OUT, and then only to specific addresses (as detailed in the 'route' addresses list).......I think.

(Further discussion on your specific requirement should be carried on on another thread please... let's keep this one clear for the title script)

vawwjioa
New user
Posts: 6
Joined: 2017-11-19 13:17

Post by vawwjioa » 2017-11-19 13:29

Hello,
I am new to this forum.

First: Thank you very much for this tutorial.

I want to use the second script but it doesn't work.

This error is in the log file after I send a test mail to someone I should not be able to send to.
The message is delivered...

"Script Error: Source: Microsoft VBScript runtime error - Error: 800A0009 - Description: Subscript out of range: '[number: 1]' - Line: 13 Column: 6 - Code: (null)"

Line 13 is this one:
Set oDomain = oApp.Domains.ItemByName(aUsername(1))

Can you please help me?

EDIT:

I found the solution by myself :-D
The username in my mail client was "abc", so it can log in to the default domain. But the script doesn't recognise a default domain.
I changed the username in my mail client to "abc@mydomain.com" and now it works.

jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

Post by jimimaseye » 2017-11-19 14:02

Did you change the password on line 11?

Are you properly authenticating with 'user@domain.com' format?

vawwjioa
New user
Posts: 6
Joined: 2017-11-19 13:17

Post by vawwjioa » 2017-11-19 14:21

Thank you for your fast answer.
Yes, I changed the password.

And as I said in my post edit:

Code:

EDIT:

I found the solution by myself :-D
The username in my mail client was "abc", so it can log in to the default domain. But the script doesn't recognise a default domain.
I changed the username in my mail client to "abc@mydomain.com" and now it works.
I didn't authenticate "the right way".


But now I have two questions:
1: How can I disable the default domain for authentication? So that all clients must authenticate with abc@mydomain.com?

2: Can you please update the script so that it could work with the default domain enabled?
Maybe with an "if" command so that the script checks if the authentication is in the format "abc@mydomain.com" and if it is not in this format (for example "abc") it should use a default domain that could be stored as a variable?
That would be very nice.

EDIT:

Forget about my first question.
Settings->Advanced->General->Default Domain

mattg
Moderator
Posts: 20000
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Post by mattg » 2017-11-19 23:28

FWIW, default domains do little except increase the incoming amount of spam, and increase the likelihood of an account being hacked (most hackers try without the domain attached to the end), and so should be avoided unless you really, really, really need to use it.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

Post by jimimaseye » 2017-11-21 09:55

Instructions have been modified to make it clear that full authentication must be made instead of using the default domain. (I've also changed the script to simply do nothing instead of erroring if you don't).

vawwjioa
New user
Posts: 6
Joined: 2017-11-19 13:17

Post by vawwjioa » 2017-11-21 20:02

mattg wrote: FWIW, default domains do little except increase the incoming amount of spam, and increase the likelihood of an account being hacked (most hackers try without the domain attached to the end), and so should be avoided unless you really, really, really need to use it.

Thank you very much for your information. I will disable the default domain in the next days.

jimimaseye wrote: Instructions have been modified to make it clear that full authentication must be made instead of using the default domain. (I've also changed the script to simply do nothing instead of erroring if you don't).

Thank you very much for the update :-)

JuCo
New user
Posts: 1
Joined: 2018-01-16 22:38

Post by JuCo » 2018-01-16 23:52

Hi!
Very interesting and helpful.
How to adapt this script when you want to restrict sending messages from a group of accounts to a single external domain. For example: To myhome.net

Regards!

jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

Post by jimimaseye » 2018-01-17 09:58

JuCo wrote: Hi!
Very interesting and helpful.
How to adapt this script when you want to restrict sending messages from a group of accounts to a single external domain. For example: To myhome.net

Regards!

Use the NONSENDERS script with the following 2 line changes:

Code:

               For j = 0 To oMessage.Recipients.Count -1
                  ' vbTextCompare makes the match case-insensitive (InStr is case-sensitive by default)
                  If InStr(1, oMessage.Recipients(j).Address, "@DOMAIN.COM", vbTextCompare) > 0 Then       '<< ---  (change this to the blocked domain)
                     For i = 0 To oDistributionList.Recipients.Count -1
                        If lcase(oDistributionList.Recipients.Item(i).RecipientAddress) = lcase(oClient.Username) Then
                           Result.Value = 2
                           Result.Message = "You are not allowed to send to this domain."     '<<<----   (and choose your message.)
                           Exit Sub
                        End If
(untested!)

This will block users in a list trying to send to a single domain "@DOMAIN.COM".

If you want a list of domains blocked then you will have to tailor the script yourself to adapt it (in another thread).
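
The two adaptations asked for in this thread, logins that omit the domain and a list of blocked recipient domains instead of a single one, combined in one NonSenders variant as an added example (not code from any poster in this thread or from the hMailServer project). DEFAULT_DOMAIN, BLOCKED_DOMAINS and the helper function names are assumptions introduced for illustration; the hMailServer calls are the ones the scripts above already use.

```vbscript
' Added example, not from the thread: the constants and helper names are assumptions.
Const DEFAULT_DOMAIN  = "mydomain.com"            ' placeholder default domain
Const BLOCKED_DOMAINS = "myhome.net;example.org"  ' placeholder list, ";"-separated
' Turn a bare login such as "abc" into "abc@mydomain.com" (lower-cased).
Function FullLogin(sUser)
   FullLogin = LCase(sUser)
   If InStr(sUser, "@") = 0 Then FullLogin = FullLogin & "@" & LCase(DEFAULT_DOMAIN)
End Function

' True when the domain part of sAddress exactly matches a blocked domain.
Function IsBlockedDomain(sAddress)
   Dim sDomain, d
   IsBlockedDomain = False
   sDomain = LCase(Mid(sAddress, InStrRev(sAddress, "@") + 1))
   For Each d In Split(LCase(BLOCKED_DOMAINS), ";")
      If sDomain = Trim(d) Then IsBlockedDomain = True
   Next
End Function

' True when sLogin is a member of the active distribution list sListAddress.
Function IsListMember(oDomain, sListAddress, sLogin)
   Dim k, i, oList
   IsListMember = False
   For k = 0 To oDomain.DistributionLists.Count - 1
      Set oList = oDomain.DistributionLists.Item(k)
      If LCase(oList.Address) = sListAddress And oList.Active Then
         For i = 0 To oList.Recipients.Count - 1
            If LCase(oList.Recipients.Item(i).RecipientAddress) = sLogin Then IsListMember = True
         Next
      End If
   Next
End Function

Sub OnSMTPData(oClient, oMessage)
   If oClient.Username = "" Then Exit Sub   ' not an authenticated sender
   Dim oApp, oDomain, sLogin, sDomainName, j
   sLogin = FullLogin(oClient.Username)
   sDomainName = Mid(sLogin, InStr(sLogin, "@") + 1)
   Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate("Administrator", "*secretpassword*")
   Set oDomain = oApp.Domains.ItemByName(sDomainName)
   If Not IsListMember(oDomain, "nonsenders@" & sDomainName, sLogin) Then Exit Sub
   For j = 0 To oMessage.Recipients.Count - 1
      If IsBlockedDomain(oMessage.Recipients(j).Address) Then
         Result.Value = 2
         Result.Message = "You are not allowed to send to this domain."
         Exit Sub
      End If
   Next
End Sub
```

It takes the place of the NonSenders OnSMTPData sub in 'eventhandlers.vbs', and DEFAULT_DOMAIN should match the value set under Settings->Advanced->General->Default Domain so that a login without the domain is checked against the same list as the full address.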
