Posted to users@spamassassin.apache.org by "Dan Mahoney, System Admin" <da...@prime.gushi.org> on 2007/10/11 06:53:43 UTC

Re: [sa-list] Re: Advice on MTA blacklist

On Wed, 10 Oct 2007, David B Funk wrote:

> On Tue, 9 Oct 2007, Jo Rhett wrote:
>
>> On Oct 9, 2007, at 4:22 PM, Chris Edwards wrote:
>>> Your server then enforces encryption and SMTP-AUTH, and the SSL will
>>> (hopefully) defeat any man-in-the-middle attacks by trans-proxies.
>>
>> That's exactly the problem I am reporting.  A lot of mail clients
>> don't enforce SSL connections, so man in the middle is silently
>> accepted.  Only T-bird can be configured to not work any other way,
>> TTBOMK.
>
> Jo you didn't read Chris's statement closely. A conscientious mail server
> administrator will configure the SERVER to -ONLY- accept encrypted
> connections for SMTP-AUTH transactions; the server should enforce
> the encryption requirements.
> Thus it does not matter what the client wants to do, the server should
> not let the client continue the SMTP-AUTH transaction until it has
> completed the STARTTLS operation (or in the case of SMTPS, it's
> already encrypted).
>
> Back to Skip's question, possibly the easiest way to solve his
> problem would be to run two SMTP servers, one on port 25 with full
> spam/AV scanning for regular mail traffic, one on ports 587 & 645 with
> SMTP-AUTH/TLS for his users' clients to submit messages, on that one
> have AV scanning and possibly limited spam scanning.

Assuming sendmail (and we don't make such assumptions), you can specify 
different options per-port, such that you don't need to run "two" mail 
servers.

For example, I have no less than seven virtual daemons configured:

Submission agents on 587 and 2525, which require auth, and have encryption 
optional.  Also listens on 127.1.

A submission agent on 465 (not 645), configured the same way, but with 
encryption explicit.

Standard daemon on port 25 (and yes, it still supports the optional 
encryption).

As a bonus, my own server on any port will present a FQDN, signed 
certificate (not self-signed).  I've actually found other servers out 
there in the wild that do the same, with a valid cert -- I've got my 
server configured with the CA root certs so it knows which are "true" 
(this doesn't affect ability to relay or anything, but it's cool to see 
others are doing it).

Of course, all this is wildly off the topic, but hey...

-Dan

--

"And, a special guest, from the future, miss Ria Pischell.  Miss Pischell,
as you all know, is the inventor of the Statiophonic Oxygenetic
Amplifiagraphaphonadelaverberator, and it's pretty hard to imagine life
without one of those."

-Rufus, Bill & Ted's Bogus Journey


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
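As an added illustration (not Dan's own configuration and not code from the original post), the sendmail.mc fragment below realizes the per-port split he describes: one daemon each on 25, 587, 2525 and 465 with different modifiers, plus the `p` AUTH option that makes the server itself refuse plaintext authentication on an unencrypted session, which is the server-side enforcement David was asking for. It assumes a sendmail built with STARTTLS and SASL support; the certificate paths, the hostname and the daemon names are placeholders.

```m4
dnl Added example of a per-port sendmail setup (not the poster's config).
dnl Goes in sendmail.mc; build sendmail.cf from it with m4 as usual.
dnl Paths and hostname below are placeholders, not real values.

dnl --- TLS material: a CA-signed server cert plus the CA root bundle,
dnl --- so the server can also verify certs presented by peers.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT',      `/etc/mail/certs/ca-bundle.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/mail.example.org.pem')dnl
define(`confSERVER_KEY',  `/etc/mail/certs/mail.example.org.key')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/mail.example.org.pem')dnl
define(`confCLIENT_KEY',  `/etc/mail/certs/mail.example.org.key')dnl

dnl --- SMTP AUTH: `p' refuses mechanisms open to passive sniffing
dnl --- (PLAIN, LOGIN) unless a TLS layer is already up, so a client that
dnl --- "forgets" STARTTLS cannot hand over its password in the clear.
dnl --- `A' only passes AUTH= on MAIL FROM after a successful auth.
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl

dnl --- Drop the implicit MSA on 587 so the daemons below define it.
FEATURE(`no_default_msa')dnl

dnl --- Port 25: ordinary MTA traffic; STARTTLS is offered but optional.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

dnl --- 587 and 2525: submission only. Modifiers: a = authentication
dnl --- required, E = ETRN refused. STARTTLS stays optional at the port
dnl --- level; confAUTH_OPTIONS above still blocks cleartext passwords.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=2525, Name=MSA-alt, M=Ea')dnl

dnl --- 465: SMTPS. s = TLS from the first byte, a = auth required.
dnl --- Numeric port avoids depending on an "smtps" /etc/services entry.
DAEMON_OPTIONS(`Port=465, Name=TLSMSA, M=Eas')dnl
```

After rebuilding sendmail.cf, `sendmail -d0.1 -bv root | grep -i -e STARTTLS -e SASL` confirms the binary was built with the needed support, and a telnet to 587 should show AUTH PLAIN/LOGIN only after STARTTLS.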