SMTP AUTH and no Scanning

Glenn Steen glenn.steen at gmail.com
Sun Mar 30 20:11:46 IST 2008


On 30/03/2008, Alessandro Dentella <sandro at e-den.it> wrote:
> On Fri, Mar 28, 2008 at 04:00:38PM +0100, Marcel Blenkers wrote:
>  > Hi there,
>  >
>  > this question is really easy..i guess.. .)
>  >
>  > As I am now using SMTP Auth and got almost every user on the system to do
>  > so, I would love to skip those mails, sent by those users who used smtp
>  > auth, for scanning.
>  >
>  > Means,
>  >
>  > a user sends a mail with smtp auth and the mail will go through unscanned.
>  > Or do you think this is a bad idea?
>
>
> I'm also interested in this. But... can we talk to the MTA if we put rbl at
>  the MTA level as I do now? Does the MTA (postfix in my case) accept smtp
>  auth from an rbld-ed IP? I have:
>
>  smtpd_recipient_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject_rbl_client sbl-xbl.spamhaus.org
>   ...
In your case, since the permit is before the reject, the rbl action
will not happen.

>  Does any 'permit' come *before* a 'reject'? How can I test (I guess I should
>  setup a test zone in my dns configuration...)?
Not "any permit wins over rejects", no... The order is _very_ important here.
To test things out, try setting up your own BL... With a test client
(outside your networks, or the permit_mynetworks will override it) in
it... Then vary the order...:-). Or find an IP on the sbl-xbl and
spoof that IP (locally, of course...:-)... Rather too much work to
determine if this works, but ... you can if you want to:-):-).

>
>  After the MTA puts the message in the queue, I think there is no more
>  evidence that it received the message via smtp-auth. So I guess it's the MTA
>  that should take care not to handle it to mailscanner. If that's true I
>  should turn
There are some traces, but not usable for the below, no.

>
>   /^Received:/ HOLD
>
>  into a more sophisticated one that puts the flag only in case it has been
>  received from an smtp authenticated connection. Does that make sense?
>
Unfortunately this likely will not work that well... Rather better to
do something completely different. Like demanding that the ones doing
authenticated SMTP use an alternate port ... and have an instance of
PF listening there that doesn't include the HOLD thing. ... That's how
I'd do it if I needed it:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
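As an added example (not from the thread), the two points discussed above written out in Postfix terms: the restriction order on the port 25 instance, and a master.cf submission service with its own cleanup service that omits the HOLD rule. The file paths and the service name subcleanup are assumptions.

```conf
# main.cf (port 25 instance): the order of smtpd_recipient_restrictions
# matters. Postfix evaluates the list top to bottom and stops at the first
# permit or reject, so with permit_sasl_authenticated listed before
# reject_rbl_client an authenticated client is accepted even if its IP
# is on the blocklist. reject_unauth_destination is kept so unauthenticated
# clients that are not listed cannot relay.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_rbl_client sbl-xbl.spamhaus.org

# Every message accepted on port 25 is put on HOLD for MailScanner by the
# header_checks table (assumed path; the file contains: /^Received:/ HOLD).
header_checks = regexp:/etc/postfix/header_checks

# master.cf: a second smtpd on the submission port (587) for authenticated
# users only. It hands messages to a separate cleanup service that does not
# apply the HOLD rule, so authenticated mail bypasses MailScanner entirely,
# including mail from a compromised account. header_checks is a cleanup(8)
# parameter, so overriding it on the smtpd line alone would have no effect.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=subcleanup
subcleanup unix n       -       n       -       0       cleanup
  -o header_checks=
```

Mail arriving on port 587 then shows postfix/submission in the logs, which is also the easiest way to confirm which path a given message took.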

