OK, thanks
I've learned something from this thread. I understand the delay in your answer, and I am anyway impressed by your "mail answering throughput" !
Lasse
On Friday 28 March 2003 14.13, Jiri Kuthan wrote:
Looks reasonable to me. My apologies it has taken so long to reply -- I've been traveling too much.
-Jiri
At 12:01 AM 3/16/2003, Lasse Jansson wrote:
Or perhaps I understand a little bit better now. I think the following script passage will work better. /Lasse P.S. To other beginners at SIP: Several clients can't handle the qop parameter correctly so it is safer to change the "1" to "0" in the challenges.
# REQUESTS DIRECTED TO MY DOMAIN if (uri=~"[@:]mydomain.com") {
# Challenge registrations if (method=="REGISTER") { if (!www_authorize("mydomain.com", "subscriber")) { www_challenge("mydomain.com", "1"); break; }; save("location"); break; };
# Challenge INVITE request where the sender has my domain in From if (method=="INVITE") { if (search("(f|From).*mydomain.com")) { if (!proxy_authorize("mydomain.com", "subscriber")) { proxy_challenge("mydomain.com", "1"); break; }; }; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; };
# REQUESTS DIRECTED TO OTHER DOMAINS } else {
# Challenge any INVITE request where the sender has my domain in From if (method=="INVITE") { if (search("(f|From).*mydomain.com")) { if (!proxy_authorize("mydomain.com", "subscriber")) { proxy_challenge("mydomain.com", "1"); break; };
# Drop INVITE requests where the sender does not have my domain in From } else { sl_send_reply("403", "Forbidden"); break; }; }; }; # forward to current uri now if (!t_relay()) { sl_reply_error(); };
On Friday 07 March 2003 00.49, Lasse Jansson wrote:
OK, I see what you mean.
<snip>
I see two limitations:
- if you only challenge INVITEs to outside domain, people out of your domain can call people in your domain and claim shamelessly your
domain name in From, which is then sort of rubberstamped by the proxy; so I think you can combine challenging based on From along with "anti-spam" policy "drop invites which have my domain neither in From nor in r-uri" - if you apply such policies to other requests than BYE, you will run into troubles, better be permissive about non-INVITEs. See
http://www.ietf.org/mail-archive/working-groups/sipping/current/msg040 02. ht ml
-Jiri
At 10:10 PM 3/5/2003, Lasse Jansson wrote:
Thanks,
One last question: I guess that if I want my server to offer <forwarding of requests to other domains> only to authorized users in my domain I should restrict the last part more, as follows:
# For requests to other domains if (!proxy_authorize("mydomain.com", "subscriber")) { proxy_challenge("mydomain.com", "1"); break; };
(i.e. I can skip the (search("(f|From).*mydomain.com")) condition in this case)
Lasse
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-- Jiri Kuthan http://iptel.org/~jiri/
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers