SMTP AUTH and no Scanning
Glenn Steen
glenn.steen at gmail.com
Mon Mar 31 11:44:10 IST 2008
On 31/03/2008, Alessandro Dentella <sandro at e-den.it> wrote:
> On Mon, Mar 31, 2008 at 12:05:33AM +0200, Hugo van der Kooij wrote:
> >
> > Glenn Steen wrote:
> >
> > | Unfortunately this likely will not work that well... Rather better to
> > | do something completely different. Like demanding that the ones doing
> > | authenticated SMTP use an alternate port ... and have an instance of
> > | PF listening there that doesn't include the HOLD thing. ... That's how
> > | I'd do it if I needed it:-).
> >
> > In fact port 587 is intended for this purpose. The trick is to make it
> > listen for authenticated traffic only and then go out straight away and
> > not hit MailScanner on the way out.
> >
> > So the first bit is to make it listen by activating this in the
> > $POSTFIX/master.cf file:
> >
> > submission inet n       -       n       -       -       smtpd
> >   -o smtpd_enforce_tls=yes
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >
> > This was the bit I could find straight away. But how can one make sure
> > the normal hold trick does not apply here? Because that one still is
> > applied at the moment.
>
>
> wouldn't a simple:
>
>   -o header_checks=
>
> added to the lines before do the trick?
Yes. It would.
> My concern now is different. Are we generally sure we don't want MailScanner
> on all authenticated traffic? That means no control on possible viruses that
> a customer has not checked, no control on worms and the like.
Ah... That is the icky non-technical policy bit of the matter...:-).
If you don't trust them implicitly, don't do this for them. You could
have more than one submission service, set up differently... Where
port 25 == deeply untrusted:-).
> Probably what I really want is to let MS but avoid that it drops e-mail due
> to the sending IP being in an RBL. As Glenn pointed out, Postfix already does
> the right thing in this regard, if we correctly set the order in the rules. We
> simply don't want MS (and SpamAssassin?) to drop it afterwards.
A matter of clever rulesets then... To the point it is possible to
use. Unfortunately, the fact that they are sending through an
authenticated channel isn't exactly well-preserved (one can try to look
at Received lines, but ... those could be spoofed).
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
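As an added example (not from the thread or from the MailScanner/Postfix projects), a small POSIX shell check that reads a master.cf fragment and confirms the submission service has the three overrides the thread converges on: SASL auth required, everyone else rejected, and header_checks cleared so the MailScanner HOLD rule cannot apply to authenticated mail. The two master.cf fragments are constructed for the example; service and option names are the real Postfix ones quoted above.

```shell
#!/bin/sh
# Constructed master.cf fragment: the submission service as posted in the
# thread, plus the header_checks override that bypasses the HOLD rule.
MASTER_CF_OK='smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o header_checks=
'

# Constructed fragment missing the header_checks override: mail submitted
# on 587 would still be held for MailScanner.
MASTER_CF_BAD='submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
'

# Print the "-o name=value" overrides belonging to one master.cf service.
# In master.cf a line starting with whitespace continues the service
# definition above it, so collect every indented -o line after the entry.
service_overrides() {
  # $1 = service name, stdin = master.cf text
  awk -v svc="$1" '
    /^[^[:space:]#]/ { in_svc = ($1 == svc); next }
    in_svc && /^[[:space:]]+-o[[:space:]]/ {
      sub(/^[[:space:]]+-o[[:space:]]+/, ""); print
    }
  '
}

# Return 0 only when the submission service requires SASL authentication,
# rejects unauthenticated clients, and clears header_checks.
check_submission() {
  ovr=$(printf '%s' "$1" | service_overrides submission)
  printf '%s\n' "$ovr" | grep -qx 'smtpd_sasl_auth_enable=yes' || return 1
  printf '%s\n' "$ovr" |
    grep -qx 'smtpd_client_restrictions=permit_sasl_authenticated,reject' || return 1
  printf '%s\n' "$ovr" | grep -qx 'header_checks=' || return 1
  return 0
}
```

Run it against the live file with `check_submission "$(cat /etc/postfix/master.cf)"` (path assumed) to confirm the override survived the next package upgrade.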