Port forwarding control options

tmassey at obscorp.com
Fri Apr 21 04:33:45 WST 2006


Hello!

I'm looking at using Dropbear to encapsulate non-encrypted protocol 
traffic (like SMTP).  I would like to limit users' ability to port 
forward to specific hosts and ports.  I have a couple of questions:

1) Does Dropbear support this?  I know that the Dropbear website says: 
"Compatible with OpenSSH ~/.ssh/authorized_keys public key 
authentication".  But does that mean that it actually obeys "permitopen" 
information?

2) Is there a more centralized way of controlling this, preferably 
server-wide?  I would love to be able to limit the entire SSH server to 
forward to only the specific ports on the specific hosts that I want to 
access, and use the ~/.ssh/authorized_keys file to define, if necessary, a 
*subset* of those ports on a per-user basis.

I've thought about using Shorewall/iptables to do the centralized 
port/host control, but that seems like a fair bit of a hassle, when all I 
want to do is limit *Dropbear*, not the entire system...

I'm surprised that this seems to be such an undocumented area of limiting 
SSH's power.  Giving users the ability to port forward to *any* host and 
*any* port from the outside seems to be significantly dangerous.  What am 
I missing?

Thank you very much for your thoughts.  I appreciate your help.

Tim Massey
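As an added illustration of the "permitopen" mechanism the question refers to (example code written for this page, not Dropbear's code and not anything from the original post), the following Python approximates OpenSSH's documented authorized_keys rules: a key with no permitopen option may forward anywhere, each permitopen="host:port" adds one allowed literal host (no pattern matching on the host, a port of * matches any port), and no-port-forwarding or restrict disables forwarding unless port-forwarding re-enables it. The SAMPLE_LINE, the hostnames and the key material are constructed placeholders; whether Dropbear itself honours these options is exactly what the post asks and is not asserted here.

```python
"""Evaluate a requested TCP forward against authorized_keys options.

Hypothetical helper constructed for illustration. It approximates the
documented OpenSSH semantics of permitopen / no-port-forwarding / restrict
and makes no claim about what Dropbear does with the same options.
"""
from dataclasses import dataclass, field

# Constructed sample authorized_keys line (placeholder key material).
SAMPLE_LINE = (
    'permitopen="mail.example.com:25",permitopen="[2001:db8::1]:587",'
    'no-pty,no-X11-forwarding,no-agent-forwarding '
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL user@example'
)

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def options_of(line: str) -> str:
    """Return the leading option field of an authorized_keys line ('' if none).

    The option field ends at the first space that is not inside double quotes.
    """
    first_token = line.split(None, 1)[0] if line.split() else ""
    if first_token.startswith(KEY_TYPE_PREFIXES):
        return ""  # line starts directly with the key type: no options
    in_quote = False
    for i, c in enumerate(line):
        if c == '"':
            in_quote = not in_quote
        elif c == " " and not in_quote:
            return line[:i]
    return line


def split_options(options: str) -> list[str]:
    """Split an option string on commas, honouring double quotes and
    backslash escapes, so permitopen="h:p",no-pty yields two items."""
    items, cur, in_quote, i = [], [], False, 0
    while i < len(options):
        c = options[i]
        if c == "\\" and i + 1 < len(options):
            cur.append(options[i + 1])  # escaped character, keep it verbatim
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote  # quotes delimit, they are not part of the value
        elif c == "," and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        items.append("".join(cur))
    return [it.strip() for it in items if it.strip()]


def split_host_port(spec: str) -> tuple[str, str]:
    """Split 'host:port' or '[ipv6]:port'; port may be '*' (any port)."""
    spec = spec.strip()
    if spec.startswith("["):
        end = spec.index("]")
        host, port = spec[1:end], spec[end + 2:]  # skip the closing "]:"
    else:
        host, _, port = spec.rpartition(":")
    if not host or not (port == "*" or port.isdigit()):
        raise ValueError(f"malformed permitopen target: {spec!r}")
    return host, port


@dataclass
class ForwardPolicy:
    forwarding_allowed: bool = True
    permitted: list[tuple[str, str]] = field(default_factory=list)


def parse_policy(options: str) -> ForwardPolicy:
    """Fold the option list into a forwarding policy, processing options in order
    so that 'restrict,port-forwarding' ends up with forwarding enabled."""
    policy = ForwardPolicy()
    for item in split_options(options):
        name, _, value = item.partition("=")
        name = name.lower()
        if name in ("no-port-forwarding", "restrict"):
            policy.forwarding_allowed = False
        elif name == "port-forwarding":
            policy.forwarding_allowed = True
        elif name == "permitopen":
            policy.permitted.append(split_host_port(value))
    return policy


def forward_permitted(policy: ForwardPolicy, host: str, port: int) -> bool:
    """True if a client-requested forward to host:port should be accepted."""
    if not policy.forwarding_allowed:
        return False
    if not policy.permitted:
        return True  # no permitopen at all: OpenSSH places no target restriction
    return any(h == host and (p == "*" or p == str(port))
               for h, p in policy.permitted)


if __name__ == "__main__":
    pol = parse_policy(options_of(SAMPLE_LINE))
    for target in [("mail.example.com", 25), ("mail.example.com", 465),
                   ("2001:db8::1", 587), ("intranet.example.com", 80)]:
        print(target, "allowed" if forward_permitted(pol, *target) else "denied")
```

The decision function is deliberately fail-closed on the two ways a key can be restricted (an explicit deny option, or a permitopen list that the target is not on) and only falls back to "allow" when the key carries no forwarding restriction at all, which is the default the question worries about.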




More information about the Dropbear mailing list