
RE: AUTH, MSA-mode and FULLTRUST




> > 2004-06-22  Matti Aarnio  <mea@zmailer.org>
> >         * smtpserver/policytest.c:
> >             When in MSA-mode, _ignore_ 'relaycustnet +' attributes.
> >             Will then always demand user to authenticate!
> > 
> > So obviously its a feature not a bug :-)
> 
> I think that test has been obsoleted by 
> 
> 2004-10-19  Matti Aarnio  <mea@zmailer.org>
> 	* smtpserver/smtpcmds.c:
> 	    Demand user to authenticate for SUBMISSION/MSA mode
> 	    MAIL/RCPT commands.

I'm not sure what you mean by "obsoleted by". The previous 
description is accurate about how it works now.

> 
> This relates on running SMTP and SUBMISSION in same server, and
> needing to have separate rulesets for them.  This relates also
> to the developments of closing direct SMTP from user connection
> lines to the world at large, while leaving SUBMISSION wide open
> access to the world...
> 
> So that SUBMISSION can not be used to deliver spam into the system
> from outside (without authentication, anyway), simplest is to
> demand authentication at all times thru that port.
> 
> Another problem with the original "MSA-mode" was, that it was
> global and happened also at SMTP port, which it by spec wasn't
> intended.
> 
> To get SUBMISSION to work for you would be:
>   - 'relaycustnet +' or authenticate
>   - verify sender and recipient DNS MX data existence
>   - ignore SMTP-like inbound MX and 'this is local' rules
>     (no reception based on 'this is local' or 'we do MX')
>   - to obey possible blocking rules
Exactly.
That's almost like what is being used now, using April's CVS.


 
> > Any idea for a work-around?
> > 
> > The need for this, as I previously said, is to control 
> > from the mail server point of view (not firewall or smtp client
> > configuration)
> > who can send and who must authenticate.
> > 
> > Thanks
> 
> 
> Besides quick fixes that will get around and bite again...
> A major rewrite of the rule machinery and rule composition
> might be necessary.  And even smtpserver's configuration
> setup.  Separate policy rules for each bound service port ?
> Separate overall configuration sets for each bound port,
> or 3 ports for config 1, and 1 port for config 2, just to
> raise some ideas...

Well,
our usual setup always includes 2 instances of the mail server.
One (MX) for inbound mail, the other (MR) for outgoing relay
to users or other internal (trusted) servers.
These two instances were on different or the same hardware, but 
using different IPs.
The MR setup includes MSA mode (as described earlier).

This has several reasons, but policies and antispam/virus
methods/criteria were the most important. Initially we tried to have
all of it configured in one set, but it was easier to separate them completely.

Regards.
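The thread describes two policy sets that differ per bound port: the inbound SMTP/MX port accepts for local or MX-served recipients and relays for 'relaycustnet +' clients, while the SUBMISSION port ignores the "this is local" / "we do MX" rules, requires authentication (the original MSA-mode even ignored 'relaycustnet +'), checks sender and recipient MX existence and still obeys blocking rules. The following is an added Python model of that split written for this archive page; it is not zmailer's policytest.c or smtpserver code, and the attribute names, port numbers, domains and sender list are constructed assumptions used only to make the two rulesets comparable.

```python
"""Per-port relay policy model: SMTP (25) versus SUBMISSION (587).

Added illustration of the rule split discussed in the thread. This is not
zmailer's own policy code; every name and sample value here is an assumption.
"""
from dataclasses import dataclass

SMTP_PORT = 25
SUBMISSION_PORT = 587

# Constructed DNS view: domains that publish an MX record.
MX_DOMAINS = {"example.com", "example.net", "example.org"}
# Constructed local state: domains we are final destination for / serve MX for.
LOCAL_DOMAINS = {"example.com"}
MX_SERVED_DOMAINS = {"example.org"}
# Constructed blocking rule.
BLOCKED_SENDERS = {"spammer@example.net"}


@dataclass
class Session:
    port: int
    authenticated: bool = False
    relaycustnet: bool = False   # client IP matched a 'relaycustnet +' rule
    mail_from: str = ""
    rcpt_to: str = ""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def smtp_policy(s, msa_ignore_relaycustnet=False):
    """Inbound MX port: 'this is local' / 'we do MX' reception plus customer relay."""
    if s.mail_from in BLOCKED_SENDERS:
        return "reject: blocked sender"
    d = _domain(s.rcpt_to)
    if d in LOCAL_DOMAINS or d in MX_SERVED_DOMAINS:
        return "accept: local or MX"          # no auth needed for inbound mail
    if s.relaycustnet or s.authenticated:
        return "accept: relay"
    return "reject: relaying denied"


def submission_policy(s, msa_ignore_relaycustnet=False):
    """SUBMISSION port: the quoted list, with local/MX reception rules ignored.

    msa_ignore_relaycustnet=True reproduces the 2004-06-22 behaviour quoted in
    the thread (authentication always demanded); False allows 'relaycustnet +'.
    """
    trusted = s.authenticated or (s.relaycustnet and not msa_ignore_relaycustnet)
    if not trusted:
        return "reject: authentication required"
    if s.mail_from in BLOCKED_SENDERS:
        return "reject: blocked sender"      # blocking rules still apply
    for addr in (s.mail_from, s.rcpt_to):
        if _domain(addr) not in MX_DOMAINS:
            return "reject: no MX for %s" % _domain(addr)
    return "accept: submission"


POLICIES = {SMTP_PORT: smtp_policy, SUBMISSION_PORT: submission_policy}


def decide(s, msa_ignore_relaycustnet=False):
    """Pick the ruleset by the port the client connected to."""
    return POLICIES[s.port](s, msa_ignore_relaycustnet)


if __name__ == "__main__":
    inbound = Session(SMTP_PORT, mail_from="a@example.net", rcpt_to="u@example.org")
    print(decide(inbound))                                    # accept: local or MX
    submit = Session(SUBMISSION_PORT, mail_from="a@example.net", rcpt_to="u@example.org")
    print(decide(submit))                                     # reject: authentication required
```

The same unauthenticated message to an MX-served domain is accepted on port 25 and refused on 587, which is the behaviour the thread wants from a submission-only listener; a single merged ruleset cannot express both outcomes without the per-port split being discussed.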
 
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi