Subject: Re: Content filter wants to know sender's IP
From: Wietse Venema (wietseporcupine.org)
Date: Sat Jun 03 2000 - 05:47:04 CDT


Alexander Nosenko:
> > > Last snapshot-20000531 has support for content filtering, but I would like
> > > to make a proposal: can we have message filtering by sender's IP and
> > > message size, not only by content?
> >
> > What problem are you trying to solve? By filtering only incoming mail
> > a) you're only reducing content filtering expense by half, and b) you
> > allow harmful mail to emanate from your site.
> >
> > Wietse
>
> I want to filter _outgoing_ mail (on company's firewall).

That does not change my question - why filter some, not all?

> Filtering rules
> include checks for sender IP, i.e. to check outgoing message size depending
> on sender's host (some users are allowed to send 100MB messages with TIFF
> files, some aren't). For now, filtering script can't get real sender's IP to
> do that.

The way to do this is to extend the pipe mailer with more $name
command-line expansions.

There is no reliable way to make sender IP ADDRESS information
available when the content inspector is connected to Postfix via
SMTP. If you pass the information via message headers it can be
forged.

> I can check for return address (possibly forged to someone else's
> within the company). Same problem arises with authenticated SMTP (well,
> someday ;-) - filtering script needs access to the auth data (method, real
> user name etc.).

There is no reliable way to make all sender authentication information
available when the content inspector is connected to Postfix via
SMTP. If you take authentication information from message headers
it can be forged, and you are giving too much information to recipients.

        Wietse
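
The following is an added example, not part of the original message or of Postfix: a per-host size check that takes the client address from a command-line-style argument supplied by the MTA, next to a weak variant that reads it from a message header. The networks, limits, the `X-Client-IP` header name and the sample message are all constructed assumptions.

```python
import ipaddress
from email import message_from_bytes

MB = 1024 * 1024
# Constructed policy (assumption): outgoing size limit per client network, first match wins.
LIMITS = [
    (ipaddress.ip_network("192.0.2.16/28"), 100 * MB),  # hosts that send large TIFF files
    (ipaddress.ip_network("192.0.2.0/24"), 2 * MB),     # all other internal hosts
]

def limit_for(ip_text):
    """Size limit for a client address; unknown or malformed addresses get 0."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return 0
    return next((limit for net, limit in LIMITS if ip in net), 0)

def decide(client_ip, raw_message):
    """client_ip comes from the MTA (e.g. a command-line argument), not from the message."""
    return "accept" if len(raw_message) <= limit_for(client_ip) else "reject"

def decide_from_header(raw_message):
    """Weak variant: trusts a hypothetical X-Client-IP header that any sender can write."""
    claimed = message_from_bytes(raw_message).get("X-Client-IP", "")
    return decide(claimed, raw_message)

def sample_message():
    """Constructed 3 MB message whose sender forged the header to name a privileged host."""
    headers = (b"From: user@example.com\r\nTo: partner@example.net\r\n"
               b"X-Client-IP: 192.0.2.20\r\nSubject: scan\r\n\r\n")
    return headers + b"x" * (3 * MB)

if __name__ == "__main__":
    msg = sample_message()
    real_ip = "192.0.2.200"  # constructed: the address the MTA saw on the connection
    print("argument-based:", decide(real_ip, msg))
    print("header-based:  ", decide_from_header(msg))
```

The same message is rejected when the address comes from the MTA and accepted when it comes from the header, which is the forgery problem described above.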