Posted to users@spamassassin.apache.org by Christian Brel <br...@copperproductions.co.uk> on 2010/02/24 15:56:49 UTC

Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

On Wed, 24 Feb 2010 14:37:49 +0100
Per Jessen <pe...@computer.org> wrote:

> Christian Brel wrote:
> 
> >> > Humour me. Does this not mean a need to change the outbound to
> >> > either a different IP or port?
> >> 
> >> IP yes.  I assume your external and internal network are on
> >> different IP-ranges.
> > 
> > What about my home workers? I don't have a VPN, they hook in by DSL
> > from any number of different providers from outside using SASL/TLS.
> 
> Then presumably they submit email via port 587 after appropriate
> authentication. 
No, they submit on 25 using TLS+SASL. Would making
the changes to Firewall, MTA, plus potentially thousands of clients be
easier than SPF? Would all those angry users screaming because they
can't send mail at all be a good thing? I don't think so myself.

> > It's like you say, you were thinking out loud and I can see where
> > you are coming from, but it's not a fix for every situation.
> 
> I think it actually is.  Allow mynetworks, allow authenticated users,
> reject everything else.
But that would reject *everything* that was not authenticated or in 'my
networks'. For a single IP/Port listening to the world this does not
work. It requires multiple SMTP instances with different IPs or ports
which may not suit the needs of the admin and the users concerned.
> 
Tell you what, wouldn't it be a great idea to save all the messing
around and use something universal and simple for the job? Something
lightweight and easy to deploy. I know! What about using SPF!

> 
> /Per Jessen, Zürich
> 
Of course, all this has very little to do with Spamassassin......


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Mariusz Kruk <Ma...@epsilon.eu.org>.
On Wednesday, 24 of February 2010, Christian Brel wrote:
> No, they submit on 25 using TLS+SASL. Would making
> the changes to Firewall, MTA, plus potentially thousands of clients be
> easier than SPF? Would all those angry users screaming because they
> can't send mail at all be a good thing? I don't think so myself.

Well, you _should_ use submission anyway.
(BTW, in my experience it's easier to filter one kind of traffic on 25, and 
another on 587 than filtering both on one port. YMMV)

> > > It's like you say, you were thinking out loud and I can see where
> > > you are coming from, but it's not a fix for every situation.
> > I think it actually is.  Allow mynetworks, allow authenticated users,
> > reject everything else.
> But that would reject *everything* that was not authenticated or in 'my
> networks'. For a single IP/Port listening to the world this does not
> work. It requires multiple SMTP instances with different IPs or ports
> which may not suit the needs of the admin and the users concerned.

It doesn't.

permit mynetworks/sasl_authenticated/whatever,
reject my_domains, 
permit my_destination,
reject_everything_else.
Of course you may add other restrictions in this chain.


-- 
\.\.\.\.\.\.\.\.\.\.\.\.\.\ 
.\.Kruk@epsilon.eu.org.\.\. 
\.http://epsilon.eu.org/\.\ 
.\.\.\.\.\.\.\.\.\.\.\.\.\. 

Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Ned Slider <ne...@unixmail.co.uk>.
Christian Brel wrote:
> On Wed, 24 Feb 2010 17:31:19 +0100
> Kai Schaetzl <ma...@conactive.com> wrote:
> 
>> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:
>>
>>> But that would reject *everything* that was not authenticated or in
>>> 'my networks'.
>> Indeed, that's the purpose. And it doesn't matter if you get the mail
>> via 25 or 587. 587 is just a convenience. Any other access to use
>> your server for relaying should not be allowed at all. I really
>> suggest you sit back and read the postfix documentation instead of
>> questioning and questioning in the blue air. It's an absolute
>> standard postfix configuration that you just seem to have not been
>> made aware for years.
>>
>> Kai
>>
> 
> 
> I'm confused. The mail you have just sent to the list has:
> 'From: Kai Schaetzl <ma...@conactive.com>'
> 

Envelope sender, not the "from" address.


Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 17:31:19 +0100
Kai Schaetzl <ma...@conactive.com> wrote:

> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:
> 
> > But that would reject *everything* that was not authenticated or in
> > 'my networks'.
> 
> Indeed, that's the purpose. And it doesn't matter if you get the mail
> via 25 or 587. 587 is just a convenience. Any other access to use
> your server for relaying should not be allowed at all. I really
> suggest you sit back and read the postfix documentation instead of
> questioning and questioning in the blue air. It's an absolute
> standard postfix configuration that you just seem to have not been
> made aware for years.
> 
> Kai
> 


I'm confused. The mail you have just sent to the list has:
'From: Kai Schaetzl <ma...@conactive.com>'

Yet the server is:
mail.apache.org (hermes.apache.org [140.211.11.3])
#aka a forwarder in this context#

Now, if we do as you say and you have somebody else at conactive.com
who is subscribed to the list, what happens to this mail when it comes
across: 'reject my_domains,'

Granted SPF won't help anyone here (I don't think anyone would add
an entry for 140.211.11.3 in their SPF unless they were really keen)
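
The restriction chain Mariusz lays out above, together with Ned's point that Postfix checks the envelope sender (MAIL FROM) rather than the From: header, modelled as an added Python example. This is not code from this thread or from Postfix; the main.cf mapping in the docstring is my assumption of how the chain would be written, the network, domains and sessions are constructed, and the last case (a forwarder that keeps the original MAIL FROM intact) goes beyond the mailing-list case Ned answers.

```python
"""
Model of the relay-control chain from this thread:

    permit mynetworks / sasl_authenticated,
    reject my_domains,
    permit my_destination,
    reject everything else.

Assumed Postfix equivalent (my reading, not taken from the thread):

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/sender_access,  # my_domains -> REJECT
        permit_auth_destination,
        reject

Only the envelope sender (MAIL FROM) is consulted, never the From: header.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy: our LAN, the domains we send as, the domains we accept for.
MY_NETWORKS = [ip_network("192.0.2.0/24")]
MY_DOMAINS = {"example.org"}
MY_DESTINATION = {"example.org"}


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    envelope_from: str        # MAIL FROM: what the chain actually checks
    rcpt_to: str              # RCPT TO
    header_from: str = ""     # From: header, carried for illustration only


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' for a null sender."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate(s: Session) -> tuple[str, str]:
    """Walk the chain in order and return (verdict, rule that decided it)."""
    ip = ip_address(s.client_ip)
    if any(ip in net for net in MY_NETWORKS):
        return ("PERMIT", "permit_mynetworks")
    if s.sasl_authenticated:
        # Port is irrelevant here: 25 or 587, an authenticated client may relay.
        return ("PERMIT", "permit_sasl_authenticated")
    if domain_of(s.envelope_from) in MY_DOMAINS:
        # An unauthenticated outsider claiming one of our own domains.
        return ("REJECT", "check_sender_access: envelope sender in my_domains")
    if domain_of(s.rcpt_to) in MY_DESTINATION:
        return ("PERMIT", "permit_auth_destination")
    return ("REJECT", "reject: relay to a domain we are not responsible for")


# Constructed sessions; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
CASES = {
    "home worker, SASL on port 25":
        Session("198.51.100.7", True, "alice@example.org", "bob@example.net", "alice@example.org"),
    "outsider forging our domain":
        Session("203.0.113.5", False, "alice@example.org", "bob@example.org", "alice@example.org"),
    # A list manager rewrites MAIL FROM to its own bounce address (assumed here),
    # so the From: header naming one of our users never reaches the sender check.
    "mailing list relaying a colleague's post":
        Session("203.0.113.10", False, "list-bounces@lists.example.net", "bob@example.org", "kai@example.org"),
    # A plain .forward-style forwarder keeps the original MAIL FROM and is rejected.
    "plain forwarder keeping MAIL FROM":
        Session("203.0.113.20", False, "alice@example.org", "bob@example.org", "alice@example.org"),
    "outsider relaying to a third party":
        Session("203.0.113.5", False, "x@example.net", "y@example.com", "x@example.net"),
}


def run_cases() -> dict[str, tuple[str, str]]:
    """Evaluate every constructed session against the chain."""
    return {name: evaluate(sess) for name, sess in CASES.items()}


if __name__ == "__main__":
    for name, (verdict, rule) in run_cases().items():
        print(f"{verdict:6} {name}: {rule}")
```

The mailing-list case comes out PERMIT because the list's bounce address, not Kai's address, is the envelope sender, which is what Ned's one-line reply means. The forwarder case shows the real limit of "reject my_domains": a forwarder that preserves the original MAIL FROM is indistinguishable from a forgery at this layer, which is the same class of breakage Christian notes for SPF.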


Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:

> But that would reject *everything* that was not authenticated or in 'my
> networks'.

Indeed, that's the purpose. And it doesn't matter if you get the mail via 
25 or 587. 587 is just a convenience. Any other access to use your server 
for relaying should not be allowed at all. I really suggest you sit back 
and read the postfix documentation instead of questioning and questioning 
in the blue air. It's an absolute standard postfix configuration that you 
just seem to have not been made aware for years.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 17:09:31 +0100
Per Jessen <pe...@computer.org> wrote:


> > Tell you what, wouldn't it be a great idea to save all the messing
> > around and use something universal and simple for the job? Something
> > lightweight and easy to deploy. I know! What about using SPF!
> 
> Christian, I suspect we don't have quite the same understanding of
> what 'easy' means. 

I guess that is so.

Personally I find the multiple use of Postfixens trivially easy and have
it deployed that way to get over its inability to whitelist body and
header checks {at all}. In general terms your fix may not suit
common MTAs like Exchange (I feel quite disgusted to have described
Exchange as an MTA and will now go and wash my typing fingers.....)

I did find a bad place to use SPF - and that is
on a well known spam filter made by an American company. Enable it there
and watch the machine grind to a halt..... 'it's a feature - not a bug'
LOL.... couldn't resist it... I'll get my coat......


> 
> 
> /Per Jessen, Zürich
> 


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Christian Brel wrote:

> On Wed, 24 Feb 2010 14:37:49 +0100
> Per Jessen <pe...@computer.org> wrote:
> 
>> Christian Brel wrote:
>> 
>> >> > Humour me. Does this not mean a need to change the outbound to
>> >> > either a different IP or port?
>> >> 
>> >> IP yes.  I assume your external and internal network are on
>> >> different IP-ranges.
>> > 
>> > What about my home workers? I don't have a VPN, they hook in by DSL
>> > from any number of different providers from outside using SASL/TLS.
>> 
>> Then presumably they submit email via port 587 after appropriate
>> authentication.
>
> No, they submit on 25 using TLS+SASL. Would making
> the changes to Firewall, MTA, plus potentially thousands of clients be
> easier than SPF? Would all those angry users screaming because they
> can't send mail at all be a good thing? I don't think so myself.

Then keep them on port 25, it's no big deal as long as they are
authenticated. 

>> > It's like you say, you were thinking out loud and I can see where
>> > you are coming from, but it's not a fix for every situation.
>> 
>> I think it actually is.  Allow mynetworks, allow authenticated users,
>> reject everything else.
>
> But that would reject *everything* that was not authenticated or in
> 'my networks'. 

No. See Mariusz' explanation. 

> Tell you what, wouldn't it be a great idea to save all the messing
> around and use something universal and simple for the job? Something
> lightweight and easy to deploy. I know! What about using SPF!

Christian, I suspect we don't have quite the same understanding of
what 'easy' means. 


/Per Jessen, Zürich