Can I disable a milter for authenticated senders?

Can I disable a milter for authenticated senders?

Linda Pagillo
Hi guys. I'm not sure if this is a possibility, but is there a way to disable a milter from scanning a message from an authenticated sender? I may have asked this before, but I'm not sure if I asked the correct questions. I'm using the SNF-milter and it scans all incoming and outgoing messages on all outbound ports which I think is a Postfix setting because there is nowhere to specify this in the milter itself. Customers authenticate with the server to send on ports 25, 587, 993, 995 and 465. The problem I'm having is a lot of customers have dirty IPs from their ISPs which is causing the SNF-milter to block the connections when they try to send. The milter is working as it should be, but it is causing the customers to have problems sending out and as you know, it's almost impossible to get an ISP to clean up their dirty IP issues. If it is not possible to have a milter not scan messages from authenticated users, is there a script that can be written to accomplish this? Any and all help would be greatly appreciated. Thanks!

Re: Can I disable a milter for authenticated senders?

Benny Pedersen-2
Linda Pagillo wrote on 2017-05-15 22:21:

Your fail is not posting postconf -nf

but anyway:

you should not let auth users use port 25

and some milters work as designed if they support auth

that's all I can help with now

turn down:

use milter overrides in master.cf so not all ports use all milters; why
is this still missing in libmilter as of 2017 :(

Re: Can I disable a milter for authenticated senders?

Bill Cole-3
In reply to this post by Linda Pagillo
On 15 May 2017, at 16:21, Linda Pagillo wrote:

> Hi guys. I'm not sure if this is a possibility, but is there a way to
> disable a milter from scanning a message from an authenticated sender?

Yes, but only by segregating all authenticated senders to their own
smtpd configuration. Typically that's port 587 -- initial message
submission -- which should require TLS and authentication to send.

> I
> may have asked this before, but I'm not sure if I asked the correct
> questions. I'm using the SNF-milter and it scans all incoming and
> outgoing
> messages on all outbound ports which I think is a Postfix setting
> because
> there is nowhere to specify this in the milter itself. Customers
> authenticate with the server to send on ports 25, 587, 993, 995 and
> 465.

993 and 995 are TLS-wrapped IMAP and POP respectively, so while your
users MAY be submitting mail there using some POP or IMAP extension,
that is unlikely and such initial submission isn't being handled by
Postfix.

465 was proposed for SSL-wrapped SMTP and never standardized except via
implementation by overeager vendors. If you can retire its use, you
should: 20 years of tolerating a bad idea is enough. If you must retain
port 465 for customers running 12-year-old mail clients that can't do
TLS on port 587, its master.cf entry (smtps) should look much like that
for submission.

Port 25 is really for inbound mail. The fact that it was ever used for
initial message submission has always been a bit of a kludge, and
there's no sound reason for continuing that today, given that we have a
mature standard for SMTP-like submission via port 587 which is supported
by any reasonably modern mail client.

In short: don't offer authentication on port 25, require it (and
encryption) on port 587, turn off port 465, and tell all your users to
use port 587 for message submission. The canonical way to do this is to
put all of your port 25 configuration in main.cf and use '-o' arguments
in the 'submission' entry of master.cf to make the needed adjustments to
spare messages submitted by authenticated users the indignity of
filtering (e.g. "-o smtpd_milters=").
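
The split Bill describes (port 25 stays plain inbound, port 587 requires TLS plus SASL and carries an empty `smtpd_milters` override, port 465 if kept mirrors 587) is easy to get subtly wrong, because a service entry without its own `-o smtpd_milters=` silently inherits the milter from main.cf. The following is an added example, not code from the thread, from Postfix or from SNF-milter: a small Python audit of a master.cf dump in the layout `postconf -Mf` prints, checked against the main.cf values the services would otherwise inherit. The sample master.cf and main.cf values are constructed for the example; the milter socket `inet:127.0.0.1:8890` is a placeholder, not SNF-milter's real listener. The smtps entry in the sample is deliberately missing the override so the audit has something to report.

```python
"""Audit a Postfix master.cf for the port split described above:
port 25 (smtp) must not offer SASL auth, and the authenticated
submission services (submission, and smtps if kept) must require
auth plus TLS and carry an empty smtpd_milters override so the
milter never sees authenticated customers' mail."""

# Constructed sample in the layout `postconf -Mf` prints. The smtps
# entry is deliberately missing the milter override so the audit
# has something to flag.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_milters=
smtps      inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
"""

# Constructed main.cf values; the milter socket is a placeholder,
# not SNF-milter's real listener address.
SAMPLE_MAIN_CF = {
    "smtpd_milters": "inet:127.0.0.1:8890",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_security_level": "may",
}


def _absorb_options(service, tokens):
    """Collect -o overrides, in both `-o name=value` and `-oname=value` forms."""
    it = iter(tokens)
    for tok in it:
        if tok == "-o":
            name, _, value = next(it, "").partition("=")
        elif tok.startswith("-o") and "=" in tok:
            name, _, value = tok[2:].partition("=")
        else:
            continue
        service["overrides"][name] = value


def parse_master_cf(text):
    """Return {"service/type": {...}} with each entry's -o overrides.
    Override values containing whitespace (master.cf `{ }` syntax) are not handled."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():          # continuation line of the current entry
            if current is None:
                raise ValueError(f"continuation before any service: {line!r}")
            _absorb_options(current, line.split())
            continue
        fields = line.split(None, 7)   # 8 columns; the last holds command + args
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf line: {line!r}")
        cmd = fields[7].split()
        current = {"name": fields[0], "type": fields[1],
                   "command": cmd[0], "overrides": {}}
        _absorb_options(current, cmd[1:])   # -o given on the service line itself
        services[f"{fields[0]}/{fields[1]}"] = current
    return services


def effective(service, param, main_cf):
    """Value a service actually runs with: its -o override, else main.cf."""
    return service["overrides"].get(param, main_cf.get(param, ""))


def audit(master_cf_text, main_cf):
    """Return a list of human-readable findings; an empty list means the split is clean."""
    services = parse_master_cf(master_cf_text)
    findings = []
    smtp = services.get("smtp/inet")
    if smtp and effective(smtp, "smtpd_sasl_auth_enable", main_cf) == "yes":
        findings.append("smtp/inet: port 25 offers SASL auth; move customers to submission/inet")
    for key in ("submission/inet", "smtps/inet"):
        svc = services.get(key)
        if svc is None:
            if key == "submission/inet":
                findings.append("submission/inet: missing; authenticated senders have no dedicated smtpd")
            continue
        if effective(svc, "smtpd_sasl_auth_enable", main_cf) != "yes":
            findings.append(f"{key}: smtpd_sasl_auth_enable is not yes")
        if key == "submission/inet" and effective(svc, "smtpd_tls_security_level", main_cf) != "encrypt":
            findings.append(f"{key}: smtpd_tls_security_level is not encrypt, so auth may go over cleartext")
        if key == "smtps/inet" and effective(svc, "smtpd_tls_wrappermode", main_cf) != "yes":
            findings.append(f"{key}: smtpd_tls_wrappermode is not yes")
        milters = effective(svc, "smtpd_milters", main_cf)
        if milters:   # inherited or non-empty override: the milter still scans this port
            findings.append(f"{key}: smtpd_milters={milters!r} still applies; add '-o smtpd_milters=' here")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MASTER_CF, SAMPLE_MAIN_CF):
        print(finding)
```

On a live box, `postconf -Mf` gives you the master.cf text in this layout and `postconf -n` the main.cf values to feed in. The missing override the audit reports can be added with `postconf -P 'smtps/inet/smtpd_milters='` (Postfix 2.11 and later) followed by `postfix reload`. Note that an empty `smtpd_milters` only skips milters that Postfix attaches at the smtpd stage; anything wired in through `non_smtpd_milters` or a content_filter is a separate setting and is not covered by this check.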


Re: Can I disable a milter for authenticated senders?

Linda Pagillo
Thank you so much for this information Bill. It is very much appreciated!
