Active Directory Mail Groups
Posted: 27 Jan 2016 18:10
*Note - there are downsides to this - see bottom of the post*
This is a continuation of the Active Directory (AD) user integration (see viewtopic.php?f=14&t=498#p1076). I have a number of distribution groups that I want to deliver quarantine reports to (such as Sales or Marketing groups). Once I had the AD integration working for users via the cron script (/usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh), I copied the script and modified it to pull in the groups.
The change is simple - on line 64 (a few lines below the "DON'T TOUCH..." text), modify the value of ObjectClass to group:
Code:
(&
  (objectClass=group)
  (proxyAddresses=*)
)
Now for the bad part... any of these groups can be logged into by passing the group name (username) and a random password (as long as it isn't blank). In my particular environment, a small organization where the EFA protects a single MS Exchange server and is not externally accessible, I don't mind (yet). I've configured Mailscanner to not store non-spam emails, so as long as a confidential email isn't tagged spam the content won't be available. I'm going to play with this, though, and see how to best block these mail groups from gaining access to the interface while still delivering quarantine reports.
(For those of you who see the security risks in this... I do as well. This is currently a non-production system, and I took a snapshot of the machine prior to the AD Group integration so I can roll this back if I can't get it to work as I want. In an ideal world, I see only members of the particular group being able to log into the Mailwatch interface).
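The following is an added example, not code from the post or from the EFA/MailWatch project: it models what the `objectClass=group` sync filter selects and shows one way to keep synced groups as report-only recipients that cannot log in, which is the end state the post asks for. The directory entries, the `SyncedAccount` shape and the `ldap_bind` callback are constructed for the example and are not MailWatch's real schema or API.

```python
"""Model the AD group sync from the post and gate interactive login so that
synced groups still receive quarantine reports but cannot authenticate."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample directory standing in for AD objects (not real data).
DIRECTORY: List[Dict] = [
    {"cn": "jdoe", "objectClass": ["user"], "proxyAddresses": ["SMTP:jdoe@example.com"]},
    {"cn": "Sales", "objectClass": ["group"], "proxyAddresses": ["SMTP:sales@example.com"]},
    {"cn": "Admins", "objectClass": ["group"], "proxyAddresses": []},     # no mail address
    {"cn": "svc-backup", "objectClass": ["user"], "proxyAddresses": []},  # no mail address
]


def matches_sync_filter(entry: Dict, object_class: str) -> bool:
    """Evaluate the post's filter (&(objectClass=<class>)(proxyAddresses=*))."""
    return object_class in entry["objectClass"] and bool(entry["proxyAddresses"])


@dataclass
class SyncedAccount:
    username: str
    addresses: List[str]
    login_allowed: bool  # False for anything synced with objectClass=group


def sync(directory: List[Dict], object_class: str) -> List[SyncedAccount]:
    """Build the account rows one sync run produces for the given objectClass."""
    return [
        SyncedAccount(
            username=e["cn"],
            addresses=[a.split(":", 1)[1] for a in e["proxyAddresses"]],
            login_allowed=(object_class != "group"),
        )
        for e in directory if matches_sync_filter(e, object_class)
    ]


def report_recipients(accounts: List[SyncedAccount]) -> List[str]:
    """Quarantine reports go to every synced address, users and groups alike."""
    return [addr for a in accounts for addr in a.addresses]


def authenticate(accounts: List[SyncedAccount], username: str, password: str,
                 ldap_bind: Callable[[str, str], bool]) -> bool:
    """Login gate: reject report-only (group) rows and blank passwords before binding."""
    acct = next((a for a in accounts if a.username == username), None)
    if acct is None or not acct.login_allowed or not password:
        return False
    return ldap_bind(username, password)
```

Running `sync` once with `"user"` and once with `"group"` reproduces the two cron passes the post describes; concatenating the results gives one account list where `Sales` receives reports but fails `authenticate` regardless of password.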