Hosting Provided By

Re: [sa-list] Re: Advice on MTA blacklist

From: Dan Mahoney, System Admin <danm(at)prime.gushi.org>
Date: Thu Oct 11 2007 - 00:53:43 EDT

On Wed, 10 Oct 2007, David B Funk wrote:

> On Tue, 9 Oct 2007, Jo Rhett wrote:
>
>> On Oct 9, 2007, at 4:22 PM, Chris Edwards wrote:
>>> Your server then enforces encryption and SMTP-AUTH, and the SSL will
>>> (hopefully) defeat any man-in-the-middle attacks by trans-proxies.
>>
>> That's exactly the problem I am reporting. A lot of mail clients
>> don't enforce SSL connections, so man in the middle is silently
>> accepted. Only T-bird can be configured to not work any other way,
>> TTBOMK.
>
> Jo you didn't read Chris's statement closely. A conscientious mail server
> administrator will configure the SERVER to -ONLY- accept encrypted
> connections for SMTP-AUTH transactions; the server should enforce
> the encryption requirements.
> Thus it does not matter what the client wants to do, the server should
> not let the client continue the SMTP-AUTH transaction until it has
> completed the STARTTLS operation (or in the case of SMTPS, it's
> already encrypted).
>
> Back to Skip's question, possibly the easiest way to solve his
> problem would be to run two SMTP servers, one on port 25 with full
> spam/AV scanning for regular mail traffic, one on ports 587 & 645 with
> SMTP-AUTH/TLS for his users' clients to submit messages, on that one
> have AV scanning and possibly limited spam scanning.

Assuming sendmail (and we don't make such assumptions), you can specify different options per-port, such that you don't need to run "two" mail servers.

For example, I have no less than seven virtual daemons configured:

Submission agents on 587 and 2525, which require auth, and have encryption optional. Also listens on 127.1.

A submission agent on 465 (not 645), configured the same way, but with encryption explicit.

Standard daemon on port 25 (and yes, it still supports the optional encryption).

As a bonus, my own server any port will present a FQDN, signed certificate (not self-signed). I've actually found other servers out there in the wild that do the same, with a valid cert -- I've got my server configured with the CA root certs so it knows which are "true" (this doesn't affect ability to relay or anything, but it's cool to see others are doing it).

Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related spamassassin.apache.org Links users Request more information about Pantek

Of course, all this is wildly off the topic, but hey...

-Dan

--

"And, a special guest, from the future, miss Ria Pischell.  Miss Pischell,
as you all know, is the inventor of the Statiophonic Oxygenetic
Amplifiagraphaphonadelaverberator, and it's pretty hard to imagine life
without one of those.

-Rufus, Bill & Ted's Bogus Journey


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  
http://www.gushi.org
---------------------------

Received on Thu Oct 11 00:54:44 2007

This message: [ Message body ]
Next message: Lars Ippich: "8bit encoding in mail header by SpamAssassin"
Previous message: David B Funk: "Re: Advice on MTA blacklist"
In reply to: David B Funk: "Re: Advice on MTA blacklist"
Next in thread: mouss: "Re: Advice on MTA blacklist"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Fri Jul 04 2008 - 12:19:19 EDT