restricting access to e-mail, etc.

Albert Lunde Albert-Lunde at nwu.edu
Tue Jul 14 11:11:30 EDT 1998


If you want to restrict a group of systems to using only e-mail (or
conversely allow the use of web clients but not e-mail software), put them
on a subnet behind a router configured to pass traffic only on the ports
required by the services you want to allow, but nothing else. (This ignores
the question of why you'd want to make such restrictions.)

For POP/SMTP e-mail, I think this would be port 25 TCP (SMTP), port 110 TCP
(POP3), the ports used by DNS (I forget), and maybe some other stuff to
allow access to your file servers.

There are plenty of commercial routers that can do this much, though as you
ask for more you get into the realm of "firewalls".

(The reverse, "web but not e-mail", is less effective because of the
existence of web-based free e-mail services.)

The advantage of this general approach is that it can't be bypassed by
people installing any sort of software on the client systems; the
disadvantage is the need for a configurable router and someone to set it
up. If they are too restrictive, some things just won't work, and it will
not be obvious why.


---
    Albert Lunde                      Albert-Lunde at nwu.edu
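
The default-deny port filter described in the message above, modelled offline as an added example (not part of the original post, and not a configuration for any particular router). It checks which steps of a mail session a rule set would drop, which is the "too restrictive, and not obvious why" case. Assumptions: DNS on port 53 UDP/TCP, the constructed session lists, and matching on protocol and destination port only, with return traffic handled by the router.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str  # "tcp" or "udp"
    port: int   # destination port the router lets through
    note: str

class Flow(NamedTuple):
    proto: str
    port: int
    purpose: str

# Ports named in the post: SMTP and POP3, nothing else.
MAIL_ONLY = [Rule("tcp", 25, "SMTP"), Rule("tcp", 110, "POP3")]
# Assumption added here: DNS uses port 53, UDP normally and TCP for large replies.
DNS = [Rule("udp", 53, "DNS"), Rule("tcp", 53, "DNS over TCP")]

# Constructed sample sessions: what a client does when servers are given by name.
MAIL_SESSION = [
    Flow("udp", 53, "resolve mail server name"),
    Flow("tcp", 110, "fetch mail (POP3)"),
    Flow("tcp", 25, "send mail (SMTP)"),
]
WEB_SESSION = [
    Flow("udp", 53, "resolve web server name"),
    Flow("tcp", 80, "load a web page (HTTP)"),
]

def permitted(rules, flow):
    """Default deny: a flow passes only if a rule matches protocol and port."""
    return any(r.proto == flow.proto and r.port == flow.port for r in rules)

def audit(rules, session):
    """Return the purposes of the flows this rule set would drop, in order."""
    return [f.purpose for f in session if not permitted(rules, f)]

if __name__ == "__main__":
    cases = [
        ("mail ports only", MAIL_ONLY, MAIL_SESSION),
        ("mail ports + DNS", MAIL_ONLY + DNS, MAIL_SESSION),
        ("mail ports + DNS, web client", MAIL_ONLY + DNS, WEB_SESSION),
    ]
    for label, rules, session in cases:
        blocked = audit(rules, session)
        print(f"{label}: blocked = {blocked or 'nothing'}")
```

With only the two mail ports open, the name lookup is what gets dropped, so the mail client fails before it ever reaches port 110 or 25.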



