Some organizations grant different amounts of access to email to different users. In particular, some are allowed to send mail outside the organization and some can’t.
One approach that’s a little harder to set up but easier to administer is to use a single copy of qmail but to check the mail as users send it. If you use the old-fashioned fixup scheme to handle injected mail, you can check whether a user is allowed to send external mail in the fixup script. Modify ~alias/.qmail-fixup-default to something like this:
| bouncesaying 'Permission denied' [ "@$HOST" != "@fixme" ]
| checkrestrict
| qmail-inject -f "$SENDER" -- "$DEFAULT"
The checkrestrict script checks whether the sender is in a list of authorized users.
Example: checkrestrict script for .qmail-fixme
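#!/bin/sh
# inherit $SENDER and $DEFAULT from the .qmail file
case "$DEFAULT" in
*@example.com) # our domain, always permitted
    exit 0 ;;
*@*) # external address
    # -F -x: match the sender as a whole-line literal, not as a regex
    if grep -qxF -e "$SENDER" authorized-users
    then
        exit 0
    else
        # with no program argument, bouncesaying always bounces (exit 100)
        bouncesaying "You cannot send external mail."
    fi ;;
*) # local mail, always permitted
    exit 0 ;;
esac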
This script needs to be ruggedized a little, because mail from user fred might have a sender of fred or firstname.lastname@example.org depending on how his mail program is set up, and a local recipient address might be mary@EXAMPLE.COM in uppercase, but the checking remains quite simple.
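The ruggedizing described above, as an added example that is not part of the original page: it folds both addresses to lowercase, qualifies a bare sender such as fred with the local domain, and matches the sender as a literal string. The names check_restrict, LOCAL_DOMAIN and AUTH_FILE are hypothetical, and the list is assumed to hold one full address per line.

```shell
#!/bin/sh
# Added example, not the page's script. LOCAL_DOMAIN and AUTH_FILE are
# assumptions: AUTH_FILE holds one full address per line.
LOCAL_DOMAIN="example.com"
AUTH_FILE="authorized-users"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Turn a bare local part ("fred") into fred@$LOCAL_DOMAIN.
qualify() {
  case "$1" in
    *@*) printf '%s' "$1" ;;
    *)   printf '%s@%s' "$1" "$LOCAL_DOMAIN" ;;
  esac
}

# check_restrict SENDER RECIPIENT AUTHFILE
# Returns 0 to let delivery continue, 100 (qmail hard failure) to refuse.
check_restrict() {
  sender=$(qualify "$(lower "$1")")
  rcpt=$(lower "$2")
  case "$rcpt" in
    *@"$LOCAL_DOMAIN") return 0 ;;  # our domain, in any letter case
    *@*) ;;                         # external: needs authorization
    *) return 0 ;;                  # unqualified local recipient
  esac
  # A newline in the sender would hand grep several patterns; refuse it.
  case "$sender" in
    *"
"*) return 100 ;;
  esac
  # Fold the list to lowercase too, then require a whole-line literal match
  # so regex metacharacters in the sender have no special meaning.
  # A missing or unreadable list matches nothing, so the check fails closed.
  if tr '[:upper:]' '[:lower:]' < "$3" | grep -qxF -e "$sender"; then
    return 0
  fi
  return 100
}

# Run from the .qmail file: qmail-local has set SENDER and DEFAULT.
if [ -n "${DEFAULT:-}" ]; then
  check_restrict "${SENDER:-}" "$DEFAULT" "$AUTH_FILE" ||
    exec bouncesaying "You cannot send external mail."
fi
```
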