eMail Messaging Policy Framework (eMPF)
eMPF follows a set of administrator-defined rules describing who can message whom. With this, administrators can segregate various parts of their organizations email activities, as well as provide a variety of security-enhancing services. Because of this, eMPF can help to support HIPAA and Sarbanes-Oxley compliance.
During an SMTP session, when a sender identifies themselves, either via SMTP_AUTH, or via the message envelope, as well as a recipient, eMPF loads applicable message policies to determine if the sender is allowed to message the sender, and if the recipient is allowed to receive mail from the sender.
What it can’t do
Because mail from outside your mail server cannot be authenticated, the policy framework cannot be entirely sure about the identities of senders messaging local users. However, if SMTP authentication is required by local users, eMPF can prevent remote users from masquerading as local users to bypass policies.
We have only tested eMPF with our own custom tarballs, however, we have packaged eMPF as a tarball with source, and we have provided documentation on patching the qmail source manually. Currently, the patch requires vpopmail, or any backend authentication module which does SMTP authentication with usernames in the format user@domain.
Please send all patches to the eMPF mailing list. You can subscribe by sending an email to email@example.com.
Subscribe to the mailing lists for annoucements and discussions by sending a blank email to firstname.lastname@example.org