SMTP AUTH and no Scanning
pascal.maes at elec.ucl.ac.be
Mon Mar 31 10:52:23 IST 2008
On 31 March 2008, at 11:13, Jason Ede wrote:
> Surely a customfunction applied to the Spam Check option should do
> this? It can check for authenticated headers to that box and
> providing it meets all the requirements don't check it for spam?
> Would need to be able to use a ruleset as well at a guess for quite
> a few systems...
> From: mailscanner-bounces at lists.mailscanner.info [mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alessandro Dentella [sandro at e-den.it]
> Sent: 31 March 2008 10:00
> To: MailScanner discussion
> Subject: Re: SMTP AUTH and no Scanning
> On Mon, Mar 31, 2008 at 12:05:33AM +0200, Hugo van der Kooij wrote:
>> Glenn Steen wrote:
>> | Unfortunately this likely will not work that well... Rather better to
>> | do something completely different. Like demanding that the ones
>> | authenticated SMTP use an alternate port ... and have an instance
>> | PF listening there that don't include the HOLD thing. ... That's
>> | I'd do it if I needed it:-).
>> In fact port 587 is intended for this purpose. The trick is to make
>> listen for authenticated traffic only and then go out straight away
>> not hit MailScanner on the way out.
>> So the first bit is to make it listen by activating this in the
>> $POSTFIX/master.cf file:
>> submission inet n - n - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> This was the bit I could find straight away. But how can one make
>> the normal hold trick does not apply here? Because that one still is
>> applied at the moment.
> wouldn't a simple:
> -o header_checks =
> added to the lines before do the trick?
> My concern now is different. Are we generally sure we don't want
> on all authenticated traffic? That means no control on possible viruses that
> a customer has not checked, no control on worms and the like.
> Probably what I really want is to let MS but avoid that it drops e-mail due
> to the sending IP being in an RBL. As Glenn pointed out Postfix already does
> the right thing in this regard, if we correctly set order in rules.
> simply don't want MS (and spamassassin?) drops it afterwards.
We are using such a CustomFunction here.
For Postfix, you have to use
smtpd_sasl_authenticated_header = yes
Your authenticated users must use the submission port:
submission inet n - n - - smtpd
and then, depending on the information in the authenticated header,
you should create a CustomFunction to avoid that authenticated users
are considered as spammers.
In that case, the messages are still processed by the anti-virus check
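
The header check described in the message above, as an added example that is not part of the original post and is not MailScanner code (a real CustomFunction would be written in Perl). It shows the decision in Python: the "(Authenticated sender: ...)" comment is trusted only in the topmost Received header, the one written by your own Postfix, because every header below it is supplied by the sender. The hostname mail.example.org, the function names and the sample messages are assumptions constructed for illustration; the check also assumes the scanner runs on the host that accepted the message.

```python
import email
import re

# Assumption: name our own Postfix writes after "by" in Received headers.
TRUSTED_MTA = "mail.example.org"

# Postfix (smtpd_sasl_authenticated_header = yes) writes the login directly
# before its own "by <myhostname> (Postfix)" clause.
AUTH_RE = re.compile(r"\(Authenticated sender: ([^()\s]+)\) by (\S+) \(Postfix\)")


def authenticated_sender(raw_message, trusted_mta=TRUSTED_MTA):
    """Return the SASL login recorded by our own MTA, or None."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Only the topmost Received header was written by the server that took
    # the message from the client; every header below it is sender-supplied.
    top = " ".join(received[0].split())  # unfold continuation lines
    match = AUTH_RE.search(top)
    if match and match.group(2).lower() == trusted_mta:
        return match.group(1)
    return None


def skip_spam_checks(raw_message):
    """True only for mail our own server accepted over authenticated SMTP."""
    return authenticated_sender(raw_message) is not None


# Constructed sample: accepted on the submission port after SASL login.
AUTHENTICATED = (
    "Received: from laptop (unknown [192.0.2.10])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4A1B2C3D\n"
    "\tfor <bob@example.net>; Mon, 31 Mar 2008 10:00:00 +0200 (CEST)\n"
    "From: alice@example.org\nSubject: hello\n\nbody\n"
)
# Constructed sample: unauthenticated delivery carrying a forged older header.
FORGED = (
    "Received: from relay (unknown [198.51.100.7])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 5E6F7A8B\n"
    "\tfor <bob@example.org>; Mon, 31 Mar 2008 10:01:00 +0200 (CEST)\n"
    "Received: from pc (unknown [203.0.113.9])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 00000000\n"
    "From: alice@example.org\nSubject: offer\n\nbody\n"
)
```

The result decides only whether spam checks are skipped; virus scanning stays on for every message, as the message above describes.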