Re: Why is after-queue content filter executing before-queue?

From: /dev/rob0 (rob0gmx.co.uk)
Date: Fri May 18 2012 - 17:55:30 CDT


On Fri, May 18, 2012 at 02:19:14PM -0500, Noel Jones wrote:
> On 5/18/2012 1:06 PM, Chris wrote:
> > The email from gmail.com in my example log comes in on port 25 - the
> > 1st line in master.cf. If I leave the "-o
> > content_filter=lmtp:unix:/tmp/dspam.sock" in instead of removing it,
> > then authenticating users who choose to use port 25 in their email
> > clients will also go through dspam as well as non-authenticating
> > users. That is why I need to have this:
>
> OK, you didn't mention that you have users that MUST use port 25.
>
> Typically mail submission and incoming mail are separated so that
> you can easily apply proper policy to each function. You should
> seriously consider getting authenticated users off of port 25, but
> that's another discussion.

If you can't get them off port 25, use a different IP address to
separate submitted mail from MX mail. This problem is trivial to
solve. If you only have one IP address, you should be small enough to
get the message out to your users. (Those who hesitate will notice
when their MUA is unable to AUTH on port 25.)

Another "another discussion" I want to bring up is the BAD idea of
bypassing content filtering for submission (which here is meant to
include authentication on port 25.) Users can get malware, and some
malware is submitting spam through the authentication credentials
stored in the MUA.

This is a real-world problem, and content filtering is about the only
way to address it. (Rate limiting helps also, but does not prevent
spew up to the allowed rate.)

Of course a content filter for submission needs different settings
and should run different tests, but typically the same software that
does it for MX mail can also do it for submission mail. As Noel
alluded above, the content filter should have policy settings to
distinguish these functions.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
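As an added illustration of the split rob0 describes (not configuration from the original thread or from any poster), here is a master.cf fragment that binds MX mail and submission to two different IP addresses so each listener gets its own content_filter and policy. The addresses 192.0.2.25 and 192.0.2.26, and the second socket path /tmp/dspam-submit.sock, are constructed placeholders; only /tmp/dspam.sock comes from the thread.

```text
# Added example master.cf fragment (assumed addresses from 192.0.2.0/24).
# service            type  private unpriv chroot wakeup maxproc command + args
#
# MX listener: inbound mail from the Internet only. AUTH is switched off
# here so MUAs cannot authenticate on this address, and everything is
# handed to the dspam socket named in the thread.
192.0.2.25:smtp      inet  n       -      n      -      -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o content_filter=lmtp:unix:/tmp/dspam.sock
#
# Submission listener on the second address: only authenticated clients
# may relay, and submitted mail still passes through a content filter,
# but one tuned for outbound (credential-abuse) traffic rather than inbound.
# /tmp/dspam-submit.sock is an assumed name for that second instance.
192.0.2.26:smtp      inet  n       -      n      -      -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=lmtp:unix:/tmp/dspam-submit.sock
```

Users who must stay on port 25 are pointed at the second address (or a hostname resolving to it); the MX record keeps pointing at the first. Apply with `postfix reload` after editing master.cf.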