MS punishes my own modem pool

Kevin Spicer kevin at KEVINSPICER.CO.UK
Sun Jan 25 20:38:52 GMT 2004


On Sun, 2004-01-25 at 20:22, InvictaWiz Customer Support wrote:
> Perhaps someone can help with a variation of this question for me?
> 
> We have users that dial in from other ISPs. We use SMTP AUTH to ok them for Sendmail relay purposes.
> However, if I check against a DUL, they all get blocked even though they are providing AUTH details.
> Any ideas please?
> I daren't start whitelisting IP addresses as they are all dynamic

Where are you using the DUL?  In sendmail, in MailScanner or in
SpamAssassin?  If you do them in sendmail then I believe you can add
this line to your sendmail.mc...

FEATURE(delay_checks)dnl

and rebuild your sendmail.cf file.

For those that are interested here is the relevant extract from the
sendmail docs...

By using FEATURE(`delay_checks') the rulesets check_mail and check_relay
will not be called when a client connects or issues a MAIL command,
respectively.  Instead, those rulesets will be called by the check_rcpt
ruleset; they will be skipped if a sender has been authenticated using
a "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH().
If check_mail returns an error then the RCPT TO command will be rejected
with that error.  If it returns some other result starting with $# then
check_relay will be skipped.  If the sender address (or a part of it) is
listed in the access map and it has a RHS of OK or RELAY, then check_relay
will be skipped.  This has an interesting side effect: if your domain is
my.domain and you have

  my.domain RELAY

in the access map, then all e-mail with a sender address of
<user@my.domain> gets through, even if check_relay would reject it
(e.g., based on the hostname or IP address).  This allows spammers
to get around DNS based blacklist by faking the sender address.  To
avoid this problem you have to use tagged entries:

  To:my.domain    RELAY
  Connect:my.domain RELAY

if you need those entries at all (class {R} may take care of them).


[There is more, but I stopped reading at this point!]



-- 
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard.  
My public key may be obtained from http://www.keyserver.net
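
An added example (not part of the original post or of the sendmail documentation): a small Python audit that flags access map entries of the kind the quoted documentation warns about, that is, untagged entries whose right-hand side is OK or RELAY and whose key can match a sender address. The function name, the constructed sample map and the rule of skipping numeric IPv4 keys are assumptions made for this illustration.

```python
import re

# RHS values that, per the quoted sendmail docs, make delay_checks skip
# check_relay when the key matches the sender address (or part of it).
SKIP_VALUES = {"OK", "RELAY"}
# Tagged keys such as To:my.domain or Connect:my.domain (also IPv6:...).
TAG_RE = re.compile(r"^[A-Za-z0-9]+:.+$")
# Assumption: purely numeric dotted keys are IPv4 addresses or prefixes,
# which a sender address cannot match.
IPV4_PREFIX_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")

def audit_access_map(text):
    """Return (line_no, key, value) for untagged OK/RELAY entries that a
    forged sender address could match when delay_checks is enabled."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)       # key, then the rest as value
        if len(parts) != 2:
            continue                      # malformed line, nothing to judge
        key, value = parts[0], parts[1].strip()
        if value not in SKIP_VALUES:
            continue                      # REJECT, ERROR:... etc. are not the issue
        if TAG_RE.match(key) or IPV4_PREFIX_RE.match(key):
            continue                      # tagged or address-based entry
        findings.append((line_no, key, value))
    return findings

# Constructed sample access map, not taken from any real system.
SAMPLE = """\
# constructed sample
my.domain               RELAY
To:my.domain            RELAY
Connect:my.domain       RELAY
192.168.1               RELAY
friend@example.org      OK
spammer.example         REJECT
"""

if __name__ == "__main__":
    for line_no, key, value in audit_access_map(SAMPLE):
        print(f"line {line_no}: untagged '{key} {value}' lets a matching "
              f"sender address skip check_relay; use To:/Connect: tags")
```

Run it against the text source of the access map (before makemap); each finding is a candidate for replacement with the tagged `To:` and `Connect:` forms shown in the documentation extract.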