SMTP AUTH and no Scanning
Pascal Maes
pascal.maes at elec.ucl.ac.be
Mon Mar 31 10:52:23 IST 2008
On 31 March 2008, at 11:13, Jason Ede wrote:
> Surely a customfunction applied to the Spam Check option should do
> this? It can check for authenticated headers to that box and
> providing it meets all the requirements don't check it for spam?
> Would need to be able to use a ruleset as well at a guess for quite
> a few systems...
>
> Jason
>
> ________________________________________
> From: mailscanner-bounces at lists.mailscanner.info [mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alessandro Dentella [sandro at e-den.it]
> Sent: 31 March 2008 10:00
> To: MailScanner discussion
> Subject: Re: SMTP AUTH and no Scanning
>
> On Mon, Mar 31, 2008 at 12:05:33AM +0200, Hugo van der Kooij wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote:
>>
>> | Unfortunately this likely will not work that well... Rather better to
>> | do something completely different. Like demanding that the ones doing
>> | authenticated SMTP use an alternate port ... and have an instance of
>> | PF listening there that doesn't include the HOLD thing. ... That's how
>> | I'd do it if I needed it:-).
>>
>> In fact port 587 is intended for this purpose. The trick is to make it
>> listen for authenticated traffic only and then go out straight away and
>> not hit MailScanner on the way out.
>>
>> So the first bit is to make it listen by activating this in the
>> $POSTFIX/master.cf file:
>>
>> submission inet n - n - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>
>> This was the bit I could find straight away. But how can one make sure
>> the normal hold trick does not apply here? Because that one still is
>> applied at the moment.
>
> wouldn't a simple:
>
> -o header_checks=
>
> added to the lines before do the trick?
>
> My concern now is different. Are we generally sure we don't want MailScanner
> on all authenticated traffic? That means no control on possible viruses that
> a customer has not checked, no control on worms and the like.
>
> Probably what I really want is to let MS but avoid that it drops e-mail due
> to the sending IP being in an RBL. As Glenn pointed out Postfix already does
> the right thing in this regard, if we correctly set order in rules. We
> simply don't want MS (and spamassassin?) to drop it afterwards.
>
> sandro
> *:-)
> --
hello,

We are using such a CustomFunction here.

For Postfix, you have to use

    smtpd_sasl_authenticated_header = yes

Your authenticated users must use the submission port:

    submission inet n - n - - smtpd
      -o smtpd_use_tls=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_helo_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

and then, depending on the information in the authenticated header,
you should create a CustomFunction to avoid that authenticated users
are considered as spammers.

In that case, the messages are still processed by the anti-virus check.
--
Pascal
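
The decision such a CustomFunction has to make, sketched as an added example that is not part of the original post (it is not Pascal's code and does not use MailScanner's Perl API). The hostname mail.example.org, the function names and both sample messages are assumptions constructed for illustration; the point shown is that only the topmost Received header, the one written by your own Postfix, may be trusted for the "Authenticated sender" comment.

```python
import email
import re

OUR_MTA = "mail.example.org"  # assumption: name our Postfix writes after "by"
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def authenticated_sender(raw_message, our_mta=OUR_MTA):
    """Return the SASL login recorded by our own MTA, or None.

    Only the topmost Received header is examined: it is the one our server
    prepended. Lower Received headers arrive with the message and can be
    forged by the sending client.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    by = BY_RE.search(top)
    if not by or by.group(1).lower() != our_mta.lower():
        return None
    auth = AUTH_RE.search(top)
    return auth.group(1) if auth else None

def skip_spam_checks(raw_message):
    """True means: do not spam-check; virus scanning is unaffected."""
    return authenticated_sender(raw_message) is not None

# Constructed sample: submitted through the submission port after SASL login.
GENUINE = (
    "Received: from laptop (unknown [203.0.113.7])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTP id 4F2A1\n"
    "\tfor <bob@example.net>; Mon, 31 Mar 2008 10:00:00 +0200 (CEST)\n"
    "From: alice@example.org\nSubject: hi\n\nbody\n"
)
# Constructed sample: unauthenticated delivery carrying a forged lower header.
FORGED = (
    "Received: from sender (unknown [198.51.100.9])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 77B02\n"
    "\tfor <bob@example.org>; Mon, 31 Mar 2008 10:01:00 +0200 (CEST)\n"
    "Received: from x (x [10.0.0.1])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTP id FAKE0\n"
    "From: alice@example.org\nSubject: offer\n\nbody\n"
)
```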