SMTP AUTH and no Scanning

Glenn Steen glenn.steen at gmail.com
Mon Mar 31 11:47:29 IST 2008


On 31/03/2008, Glenn Steen <glenn.steen at gmail.com> wrote:
> On 31/03/2008, Alessandro Dentella <sandro at e-den.it> wrote:
>  > On Mon, Mar 31, 2008 at 12:05:33AM +0200, Hugo van der Kooij wrote:
>  >  > -----BEGIN PGP SIGNED MESSAGE-----
>  >  > Hash: SHA1
>  >  >
>  >  > Glenn Steen wrote:
>  >  >
>  >  > | Unfortunately this likely will not work that well... Rather better to
>  >  > | do something completely different. Like demanding that the ones doing
>  >  > | authenticated SMTP use an alternate port ... and have an instance of
>  >  > | PF listening there that doesn't include the HOLD thing. ... That's how
>  >  > | I'd do it if I needed it:-).
>  >  >
>  >  > In fact port 587 is intended for this purpose. The trick is to make it
>  >  > listen for authenticated traffic only and then go out straight away and
>  >  > not hit MailScanner on the way out.
>  >  >
>  >  > So the first bit is to make it listen by activating this in the
>  >  > $POSTFIX/master.cf file:
>  >  >
>  >  > submission inet n       -       n       -       -       smtpd
>  >  >    -o smtpd_enforce_tls=yes
>  >  >    -o smtpd_sasl_auth_enable=yes
>  >  >    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>  >  >
>  >  > This was the bit I could find straight away. But how can one make sure
>  >  > the normal hold trick does not apply here? Because that one still is
>  >  > applied at the moment.
>  >
>  >
>  > wouldn't a simple:
>  >
>  >    -o header_checks=
>  >
>  >  added to the lines before do the trick?
>
> Yes. It would.
>
>
>  >  My concern now is different. Are we generally sure we don't want MailScanner
>  >  on all authenticated traffic? That means no control on possible viruses that
>  >  a customer has not checked, no control on worms and the like.
>
>
> Ah... That is the icky non-technical policy bit of the matter...:-).
>  If you don't trust them implicitly, don't do this for them. You could
>  have more than one submission service, set up differently... Where
>  port 25 == deeply untrusted:-).
>
>
>  >  Probably what I really want is to let MS but avoid that it drops e-mail due
>  >  to the sending IP being in an RBL. As Glenn pointed out Postfix already does
>  >  the right thing in this regard, if we correctly set order in rules. We
>  >  simply don't want MS (and spamassassin?) to drop it afterwards.
>
>
> A matter of clever rulesets then... To the point it is possible to
>  use. Unfortunately, the fact that they are sending through an
>  authenticated channel isn't exactly well-preserved (one can try to look
>  at Received lines, but ... that could be spoofed).
>
... Or not, if you're moderately clever in a CustomFunction (only
inspecting the very last... only if from your host .. etc).

Cheers
-- 
-- Glenn (thinking while typing... not the best modus operandi:-)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
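
The check sketched in the last lines above (look only at the most recent Received header, and only if your own host wrote it), as an added example that is not part of the original thread and is not MailScanner CustomFunction code. It assumes Postfix runs with `smtpd_sasl_authenticated_header = yes` so the SASL login is recorded in the header; the host name `mx.example.com` and both sample messages are constructed.

```python
import re
from email import message_from_string

OUR_MTA = "mx.example.com"  # assumed value of Postfix $myhostname

# Shape of the Received header Postfix writes; HELO and rDNS are single tokens.
RECEIVED = re.compile(
    r"^from \S+ \(\S+ \[[^\]\s]+\]\)(?P<comments>.*?) "
    r"by (?P<by>\S+) \(Postfix\) with \S+ id \S+"
)
AUTH = re.compile(r"\(Authenticated sender: (?P<user>[^()\s]+)\)")


def authenticated_sender(raw_message, our_mta=OUR_MTA):
    """Return the SASL login recorded by our own MTA, or None.

    Only the topmost Received header is read: each hop prepends its own,
    so every header below it arrived as part of the message and may be forged.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    hop = RECEIVED.match(top)
    if hop is None or hop.group("by").lower() != our_mta.lower():
        return None
    auth = AUTH.search(hop.group("comments"))
    return auth.group("user") if auth else None


# Constructed sample messages (not taken from the thread).
GENUINE = (
    "Received: from laptop (client.example.net [203.0.113.7])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mx.example.com (Postfix) with ESMTPSA id 4F2A1C0123\n"
    "\tfor <bob@example.org>; Mon, 31 Mar 2008 11:40:00 +0200 (CEST)\n"
    "Subject: hello\n\nbody\n"
)
SPOOFED = (
    "Received: from spammer (unknown [198.51.100.9])\n"
    "\tby mx.example.com (Postfix) with ESMTP id 7B1D2C0456\n"
    "\tfor <bob@example.org>; Mon, 31 Mar 2008 11:41:00 +0200 (CEST)\n"
    "Received: from laptop (client.example.net [203.0.113.7])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mx.example.com (Postfix) with ESMTPSA id 4F2A1C0123;\n"
    "\tMon, 31 Mar 2008 11:40:00 +0200 (CEST)\n"
    "Subject: hello\n\nbody\n"
)
```

`authenticated_sender(GENUINE)` yields the login, while `SPOOFED`, which carries a forged authenticated header beneath the real unauthenticated one, yields `None`.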

