SMTP AUTH and no Scanning

Pascal Maes pascal.maes at
Mon Mar 31 10:52:23 IST 2008

On 31 March 2008, at 11:13, Jason Ede wrote:
> Surely a customfunction applied to the Spam Check option should do  
> this? It can check for authenticated headers to that box and  
> providing it meets all the requirements don't check it for spam?  
> Would need to be able to use a ruleset as well at a guess for quite  
> a few systems...
> Jason
> ________________________________________
> From: mailscanner-bounces at [mailscanner-bounces at 
> ] On Behalf Of Alessandro Dentella [sandro at]
> Sent: 31 March 2008 10:00
> To: MailScanner discussion
> Subject: Re: SMTP AUTH and no Scanning
> On Mon, Mar 31, 2008 at 12:05:33AM +0200, Hugo van der Kooij wrote:
>> Glenn Steen wrote:
>> | Unfortunately this likely will not work that well... Rather better to
>> | do something completely different. Like demanding that the ones doing
>> | authenticated SMTP use an alternate port ... and have an instance of
>> | PF listening there that doesn't include the HOLD thing. ... That's how
>> | I'd do it if I needed it:-).
>> In fact port 587 is intended for this purpose. The trick is to make it
>> listen for authenticated traffic only and then go out straight away and
>> not hit MailScanner on the way out.
>> So the first bit is to make it listen by activating this in the
>> $POSTFIX/ file:
>> submission inet n       -       n       -       -       smtpd
>>    -o smtpd_enforce_tls=yes
>>    -o smtpd_sasl_auth_enable=yes
>>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> This was the bit I could find straight away. But how can one make sure
>> the normal hold trick does not apply here? Because that one still is
>> applied at the moment.
> wouldn't a simple:
>   -o header_checks =
> added to the lines before do the trick?
> My concern now is different. Are we generally sure we don't want MailScanner
> on all authenticated traffic? That means no control on possible viruses that
> a customer has not checked, no control on worms and the like.
> Probably what I really want is to let MS but avoid that it drops e-mail due
> to the sending IP being in an RBL. As Glenn pointed out Postfix already does
> the right thing in this regard, if we correctly set order in rules. We
> simply don't want MS (and spamassassin?) to drop it afterwards.
> sandro
> *:-)
> --


We are using such a CustomFunction here.

For Postfix, you have to use

smtpd_sasl_authenticated_header = yes

Your authenticated users must use the submission port:

submission inet n       -       n       -       -       smtpd
   -o smtpd_use_tls=yes
   -o smtpd_tls_auth_only=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_security_options=noanonymous

and then, depending on the information in the authenticated header,
you should create a CustomFunction to avoid that authenticated users
are considered as spammers.
In that case, the messages are still processed by the anti-virus check.
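
Added example (not part of the original post, and not MailScanner code): the check such a CustomFunction has to make, sketched in Python although real MailScanner custom functions are written in Perl. It assumes the server's hostname is mail.example.org and that Postfix records the login as "(Authenticated sender: ...)" in the Received header it adds; the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed hostname of our own Postfix server (constructed for this example).
OUR_MTA = "mail.example.org"
AUTH_RE = re.compile(r"\(Authenticated sender: ([^)\s]+)\)")

def authenticated_sender(raw_message, our_mta=OUR_MTA):
    """Return the SASL login recorded by our own Postfix, or None."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Only the topmost Received header was written by our server; every
    # header below it arrived with the message and cannot be trusted.
    top = " ".join(received[0].split())  # unfold continuation lines
    if not re.search(r"\bby %s \(Postfix\)" % re.escape(our_mta), top):
        return None
    match = AUTH_RE.search(top)
    return match.group(1) if match else None

def spam_checks_enabled(raw_message, our_mta=OUR_MTA):
    """Decision for the Spam Checks option: skip spam checks only for
    mail that was authenticated on our server. Virus scanning is a
    separate option and is not affected by this result."""
    return authenticated_sender(raw_message, our_mta) is None

# Constructed sample: mail submitted by a logged-in user on port 587.
GENUINE = (
    "Received: from laptop (unknown [192.0.2.10])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4A1B2C3D\n"
    "\tfor <bob@example.net>; Mon, 31 Mar 2008 10:00:00 +0200 (CEST)\n"
    "Subject: hello\n\nbody\n"
)
# Constructed sample: the token sits only in a header our server did not add.
UNTRUSTED = (
    "Received: from mx.example.com (mx.example.com [198.51.100.7])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 5E6F7A8B\n"
    "\tfor <bob@example.net>; Mon, 31 Mar 2008 10:01:00 +0200 (CEST)\n"
    "Received: from pc (unknown [203.0.113.5])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 00000000\n"
    "Subject: hello\n\nbody\n"
)
```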

