
Re: smtp-policy confusion



> I thought that I understood how to configure the smtp policy filter
> but I was wrong.  After getting the SPAM filter working, I found that I
> was rejecting legitimate mail.

	I may have a few observations in that regard to share, with
	TEST-DNS-RBL mode active at one host I use to test new things.
	(Another email coming..)

> I thought that adding a line like:
>   [128.167.0.0]/16	= _full_rights
> where 128.167.0.0 is our class B net would allow mail to or from our
> network to get through without any trouble.  I was wrong.
> 
> I also tried:
>   [128.167.0.0]/16	relaycustomer + relaytarget +
> but that didn't work.

	You need   "relaycustnet +", which is on
	the "_full_rights" macro all right.

	With p9 snapshots (5th now) there is a way to
	check at connection source reversed name, and
	thus define  ".local.domain = _full_rights",
	but as we all know, relying on DNS reversers
	is just begging for trouble...
	(there is no name-to-IP paranoid verification
	 for the reversed names in the code, thus...)
	(And there are also other problems in this
	 regarding the boiler-plate data, and also
	 the policy-builder.sh script.)

> We are running zmailer 2.99.49p5a2.  Is that the problem or am I
> missing something?

	I am checking this against 2.99.49p4 and 2.99.49p9(snap5)
	and both behave the same way (I think).

	However the policytest() stuff has had constant evolution
	in it all the time, and even occasional bugs.  I can't
	say with confidence what was the status at 2.99.49p5a2.


	Do you, by chance, use the 'policy-builder.sh' script to
	construct the policy dataset ?

	There all you need to do is to list all relay-customer
	networks in the file:  $MAILSHARE/db/smtp-policy.relay:
		[128.167.0.0]/16
	and then execute the builder script, and you have things
	set up.

	However if people with local addresses are submitting
	to you email for outbound relaying, and their IP address
	is not in your local network, you have a big problem
	to solve:
		Will you allow outbound messages on basis of
		it having MAIL FROM:<...> address in your
		$MAILSHARE/db/localnames file, or you listing
		your domain as ".local.domain" in file
		$MAILSHARE/db/smtp-policy.relay ?

	If you don't, the  "_full_rights" macro needs to have
	attribute "relaycustomer +" removed.

>   David Trueman,
>     Systems Manager, Dalhousie Faculty of Computer Science
>     Technical Chair, Chebucto Community Net

/Matti Aarnio <mea@nic.funet.fi>
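
The reply above notes that a ".local.domain" rule trusts the reversed name without any name-to-IP verification. The following is an added sketch of that forward-confirmation check next to a plain network rule; it is not ZMailer code or part of the original message, and `relay_allowed`, `ptr_lookup`, `fwd_lookup` and the sample tables are hypothetical names and constructed data.

```python
import ipaddress
import socket

def _ptr_names(ip):
    """Reverse (PTR) lookup: candidate host names, [] on failure."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def _forward_addrs(name):
    """Forward (A/AAAA) lookup: set of address strings, empty on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return set()
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 scope id

def relay_allowed(client_ip, relay_nets, relay_domains,
                  ptr_lookup=_ptr_names, fwd_lookup=_forward_addrs):
    """Return why relaying is granted, or None to refuse it."""
    addr = ipaddress.ip_address(client_ip)
    # Address rule such as "[128.167.0.0]/16": no DNS involved at all.
    for net in relay_nets:
        if addr in ipaddress.ip_network(net):
            return "net " + net
    # Name rule such as ".local.domain": accept the PTR name only when a
    # forward lookup of that same name returns the connecting address.
    for name in ptr_lookup(client_ip):
        host = name.rstrip(".").lower()
        if not any(host.endswith(d.lower()) for d in relay_domains):
            continue
        if addr in {ipaddress.ip_address(a) for a in fwd_lookup(host)}:
            return "name " + host
    return None

# Constructed sample data (documentation address ranges), not real DNS.
PTR = {"203.0.113.7": ["mail.local.domain"],
       "198.51.100.9": ["host.local.domain"]}   # PTR set by the address owner
FWD = {"mail.local.domain": {"203.0.113.7"},
       "host.local.domain": {"192.0.2.1"}}      # forward zone disagrees

def demo(ip):
    return relay_allowed(ip, ["128.167.0.0/16"], [".local.domain"],
                         lambda a: PTR.get(a, []), lambda n: FWD.get(n, set()))

if __name__ == "__main__":
    for ip in ("128.167.4.2", "203.0.113.7", "198.51.100.9"):
        print(ip, "->", demo(ip))
```

The third address carries a PTR record inside the relay domain but is refused, because the forward zone for that name does not list it.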