SMTP AUTH and no Scanning
sandro at e-den.it
Mon Mar 31 10:00:15 IST 2008
On Mon, Mar 31, 2008 at 12:05:33AM +0200, Hugo van der Kooij wrote:
> Glenn Steen wrote:
> | Unfortunately this likely will not work that well... Rather better to
> | do something completely different. Like demanding that the ones doing
> | authenticated SMTP use an alternate port ... and have an instance of
> | PF listening there that doesn't include the HOLD thing. ... That's how
> | I'd do it if I needed it:-).
> In fact port 587 is intended for this purpose. The trick is to make it
> listen for authenticated traffic only and then go out straight away and
> not hit MailScanner on the way out.
> So the first bit is to make it listen by activating this in the
> $POSTFIX/master.cf file:
> submission inet n - n - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> This was the bit I could find straight away. But how can one make sure
> the normal hold trick does not apply here? Because that one still is
> applied at the moment.
Wouldn't a simple:
  -o header_checks=
added to the lines before do the trick?
My concern now is different. Are we generally sure we don't want MailScanner
on all authenticated traffic? That means no control on possible viruses that
a customer has not checked, no control on worms and the like.
Probably what I really want is to let MS run but avoid that it drops e-mail due
to the sending IP being in an RBL. As Glenn pointed out, Postfix already does
the right thing in this regard, if we correctly set the order of the rules. We
simply don't want MS (and SpamAssassin?) to drop it afterwards.
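
An added example, not part of the original thread: a small Python audit of master.cf that lists any service where the HOLD header check is switched off without the service being restricted to SASL-authenticated clients. It assumes, as proposed but not confirmed in the message above, that an empty `header_checks` override is what removes the HOLD; the sample file and the `2525` service are constructed.

```python
import shlex

# Constructed sample: the submission entry from the thread plus the proposed
# header_checks override, and a second service that skips scanning unsafely.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o header_checks=
2525       inet n - n - - smtpd
  -o header_checks=
"""

def parse_services(text):
    """Return {service_name: {param: value}} of -o overrides per master.cf entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:   # leading whitespace continues the entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = shlex.split(line)
        args = fields[8:]                  # past the 8 columns (command name included)
        overrides = {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                name, _, val = value.partition("=")
                overrides[name] = val
        services[fields[0]] = overrides
    return services

def audit(text):
    """List services that skip header_checks (the HOLD) without being auth-only."""
    findings = []
    for name, o in parse_services(text).items():
        if o.get("header_checks") != "":
            continue                       # HOLD still applies; mail reaches the scanner
        restr = o.get("smtpd_client_restrictions", "").replace(",", " ").split()
        auth_only = (o.get("smtpd_sasl_auth_enable") == "yes"
                     and restr[:1] == ["permit_sasl_authenticated"] and restr[-1:] == ["reject"])
        if not auth_only:
            findings.append(name)
    return findings
```

On the sample, `audit(SAMPLE_MASTER_CF)` reports only `2525`: the submission entry also bypasses the scanner, but only for authenticated senders, which is the trade-off questioned in the message above.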