Question about milters

Linda Pagillo
Good day everyone. I have a quick question about a milter that I'm using. I'm running Postfix 3.x. The milter is called SNFMilter and it uses a Unix socket instead of inet. My question is a general question about milters. Is there a way to bypass a milter for authenticated senders who are sending on ports 25, 587 and 465? I know I can bypass all of Postfix antispam for authenticated senders, but that is not what I want to do. I just want to bypass the milter for these outbound senders. Is that even possible? Thanks for all and any help.

Re: Question about milters

Patrick Ben Koetter-2
* Linda Pagillo <[hidden email]>:
> Good day everyone. I have a quick question about a milter that I'm using.
> I'm running Postfix 3.x. The milter is called SNFMilter and it uses a Unix
> socket instead of inet. My question is a general question about milters. Is
> there a way to bypass a milter for authenticated senders who are sending on
> ports 25, 587 and 465? I know I can bypass all of Postfix antispam for
> authenticated senders, but that is not what I want to do. I just want to
> bypass the milter for these outbound senders. Is that even possible? Thanks
> for all and any help.

If you run separate instances for all the ports you mentioned, you can provide
individual, per instance lists of smtpd_milters.

p@rick


--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
 

Re: Question about milters

Linda Pagillo
I have only one smtpd_milter and no non_smtpd_milters. The one milter I'm using is called SNFMilter. It's an anti-spam milter that I use from Arm Research. I have a configuration file called SNFMilter.xml and in the main.cf I have the following line: smtpd_milters = unix:/path/to/socket

Forgive me if I didn't answer with what you were asking. I'm very new at this. Thanks.

On Wed, Mar 1, 2017 at 10:10 AM, Patrick Ben Koetter <[hidden email]> wrote:
* Linda Pagillo <[hidden email]>:
> Good day everyone. I have a quick question about a milter that I'm using.
> I'm running Postfix 3.x. The milter is called SNFMilter and it uses a Unix
> socket instead of inet. My question is a general question about milters. Is
> there a way to bypass a milter for authenticated senders who are sending on
> ports 25, 587 and 465? I know I can bypass all of Postfix antispam for
> authenticated senders, but that is not what I want to do. I just want to
> bypass the milter for these outbound senders. Is that even possible? Thanks
> for all and any help.

If you run separate instances for all the ports you mentioned, you can provide
individual, per instance lists of smtpd_milters.

p@rick


--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein



Re: Question about milters

Patrick Ben Koetter-2
* Linda Pagillo <[hidden email]>:
> I have only one smtpd_milter and no non_smtpd_milters. The one milter I'm
> using is called SNFMilter. It's an anti-spam milter that I use from Arm
> Research. I have a configuration file called SNFMilter.xml and in the
> main.cf I have the following line: smtpd_milters = unix:/path/to/socket

I suggest you remove the smtpd_milters setting from main.cf, because if you
put it there it will affect any Postfix smtpd daemon in your Postfix instance.

But don't throw it away. Instead move it to master.cf (see my example below)
and associate it only with Postfix smtpd daemons that serve ports where you
want SNFMilter to become active.

My example enables SNFMilter for 25 and disables any other MILTER for 587 and
465:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# Port 25
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_milters=unix:/path/to/socket

# Port 587
submission inet n       -       n       -       -       smtpd
    -o smtpd_milters=
    ...

# Port 465
smtps     inet  n       -       n       -       -       smtpd
    -o smtpd_milters=
    ...


If you don't have much experience with Postfix yet, pay special attention to
notation in master.cf. Versions before 3.0 require *no space* between a
parameter and the associated values, e.g. parameter=value. My example above
follows this advice.

p@rick

--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
 

Re: Question about milters

Linda Pagillo
Thank you for this Patrick. My problem is, I want to disable the milter for outgoing authenticated email on those ports, not enable the milter for them. Also.. I want the milter to still run on non-authenticated email. For example... [hidden email] is a valid user on the server. They want to send mail out on ports 25... I would want the milter to bypass this because they are authenticated. Now... if [hidden email] tries to send mail out of the server on port 25 and they do not authenticate, I want the milter to run. Is this possible?

On Wed, Mar 1, 2017 at 10:41 AM, Patrick Ben Koetter <[hidden email]> wrote:
* Linda Pagillo <[hidden email]>:
> I have only one smtpd_milter and no non_smtpd_milters. The one milter I'm
> using is called SNFMilter. It's an anti-spam milter that I use from Arm
> Research. I have a configuration file called SNFMilter.xml and in the
> main.cf I have the following line: smtpd_milters = unix:/path/to/socket

I suggest you remove the smtpd_milters setting from main.cf, because if you
put it there it will affect any Postfix smtpd daemon in your Postfix instance.

But don't throw it away. Instead move it to master.cf (see my example below)
and associate it only with Postfix smtpd daemons that serve ports where you
want SNFMilter to become active.

My example enables SNFMilter for 25 and disables any other MILTER for 587 and
465:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# Port 25
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_milters=unix:/path/to/socket

# Port 587
submission inet n       -       n       -       -       smtpd
    -o smtpd_milters=
    ...

# Port 465
smtps     inet  n       -       n       -       -       smtpd
    -o smtpd_milters=
    ...


If you don't have much experience with Postfix yet, pay special attention to
notation in master.cf. Versions before 3.0 require *no space* between a
parameter and the associated values, e.g. parameter=value. My example above
follows this advice.

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein



Re: Question about milters

Patrick Ben Koetter-2
* Linda Pagillo <[hidden email]>:
> Thank you for this Patrick. My problem is, I want to disable the milter for
> outgoing authenticated email on those ports, not enable the milter for
> them. Also.. I want the milter to still run on non-authenticated email. For
> example... [hidden email] is a valid user on the server. They want to send
> mail out on ports 25... I would want the milter to bypass this because
> they are authenticated. Now... if [hidden email] tries to send mail out
> of the server on port 25 and they do not authenticate, I want the milter to
> run. Is this possible?

If you are able to split authenticated from unauthenticated traffic by ports
Postfix can do that for you. In this case follow the example I sent in my
previous mail.

If you cannot split authenticated from unauthenticated traffic two approaches
come to my mind:

SNFMilter
    Use a mechanism in SNFMilter to tell authenticated from unauthenticated
    senders. A quick glance at the INSTALL file suggests it might be possible
    to signal SNFMilter should become active by setting x-headers. I am not
    familiar with the product. Maybe someone else on this list or on a
    SNFMilter-related list has more information on that.

split traffic by IP
    Get a new IP for your mail service and configure Postfix to use that one
    too. Announce the new IP as MX. From now on all external traffic will
    enter your mail system via the new IP. Scan all traffic on the new IP
    using SNFMilter. Do not scan traffic on the old IP.

p@rick


--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
 

Re: Question about milters

Linda Pagillo
Thank you so much Patrick. I sincerely appreciate your help with this.

On Wed, Mar 1, 2017 at 11:23 AM, Patrick Ben Koetter <[hidden email]> wrote:
* Linda Pagillo <[hidden email]>:
> Thank you for this Patrick. My problem is, I want to disable the milter for
> outgoing authenticated email on those ports, not enable the milter for
> them. Also.. I want the milter to still run on non-authenticated email. For
> example... [hidden email] is a valid user on the server. They want to send
> mail out on ports 25... I would want the milter to bypass this because
> they are authenticated. Now... if [hidden email] tries to send mail out
> of the server on port 25 and they do not authenticate, I want the milter to
> run. Is this possible?

If you are able to split authenticated from unauthenticated traffic by ports
Postfix can do that for you. In this case follow the example I sent in my
previous mail.

If you cannot split authenticated from unauthenticated traffic two approaches
come to my mind:

SNFMilter
    Use a mechanism in SNFMilter to tell authenticated from unauthenticated
    senders. A quick glance at the INSTALL file suggests it might be possible
    to signal SNFMilter should become active by setting x-headers. I am not
    familiar with the product. Maybe someone else on this list or on a
    SNFMilter-related list has more information on that.

split traffic by IP
    Get a new IP for your mail service and configure Postfix to use that one
    too. Announce the new IP as MX. From now on all external traffic will
    enter your mail system via the new IP. Scan all traffic on the new IP
    using SNFMilter. Do not scan traffic on the old IP.

p@rick


--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein



Re: Question about milters

@lbutlr
In reply to this post by Linda Pagillo
On 2017-03-01 (09:50 MST), Linda Pagillo <[hidden email]> wrote:
>
> For example... [hidden email] is a valid user on the server. They want to send mail out on ports 25... I would want the milter to bypass this because they are authenticated.

This is not the way to go.

A mail server should *never* allow unauthenticated users to send mail. The most reasonable way to do this is to require port 587 for all mail submission and require secure authentication on that port. Do not allow users to use port 25 at all.

main.cf:
smtpd_sasl_auth_enable = no

master.cf:
submission inet  n       -       n       -       -       smtpd
   […]
    -o smtpd_sasl_auth_enable=yes
   […]

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
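
Added example (not part of any message in this thread, and not Postfix or SNFMilter code): a small Python audit of the per-service master.cf layout Patrick describes and the submission-only SASL setup in the last message. It parses a constructed master.cf, applies `-o` overrides of the plain `name=value` form over constructed main.cf defaults, and flags spaced overrides and smtpd services that neither offer AUTH nor run a milter; `audit`, `logical_lines` and the sample files are assumptions made for illustration.

```python
# Added example: constructed main.cf defaults and master.cf, modelled on the thread.
MAIN_CF = {"smtpd_milters": "", "smtpd_sasl_auth_enable": "no"}
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_milters=unix:/path/to/socket
submission inet n       -       n       -       -       smtpd
    -o smtpd_milters=
    -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
    -o smtpd_milters = unix:/path/to/socket
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def audit(master_text, defaults):
    """Per smtpd service: effective milter/SASL settings plus syntax warnings."""
    report = {}
    for line in logical_lines(master_text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        eff, warnings, tokens = dict(defaults), [], iter(fields[8:])
        for tok in tokens:
            if tok == "-o":  # only the plain name=value form is handled here
                name, sep, value = next(tokens, "").partition("=")
                if name and sep:
                    eff[name] = value
                else:
                    warnings.append(f"-o not followed by name=value: {name!r}")
            elif not tok.startswith("-"):
                warnings.append(f"stray token {tok!r} (space around '='?)")
        sasl = eff["smtpd_sasl_auth_enable"] == "yes"
        report[fields[0]] = {
            "milters": eff["smtpd_milters"], "sasl": sasl, "warnings": warnings,
            # service offers no AUTH and runs no milter: mail enters unscanned
            "unscanned_unauth": not sasl and not eff["smtpd_milters"],
        }
    return report

if __name__ == "__main__":
    for svc, row in audit(MASTER_CF, MAIN_CF).items():
        print(svc, row)
```

On a live system, `postconf -M` and `postconf -P` list the same service entries and per-service overrides as Postfix itself parses them.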
