Markus,

I have had IMail configured for port 587 for almost a year now, and my router is redirecting port 25 to 587 for my mail server's IPs, so having just an alternative port isn't the issue here.

The problem is that if you put a mail server out there without spam and virus protection on it, everything that it receives will go straight to the client's mail boxes without being scanned.  So in an environment where you have a mail scanning gateway as your MX records, and a separate mail server as your SMTP server, you need to be able to lock down that server so that it only accepts connections that AUTH or that come from your gateways.  Regardless of whether or not a product supports multiple ports, you need a configuration option that stops the server from blindly accepting any locally addressed traffic.  The best way to do this is by using new functionality built for the SMTP submission port 587 which should support AUTH-only, or have a server that allows you to configure it for AUTH-only (plus specific IP space), or at least gives you the ability to build a kludge that can block non-AUTHed traffic that doesn't come from your gateways (which Declude can do with IMail 8.x, but SmarterMail can't do with or without Declude presently).

SmarterMail has many ways that they could address this and I am only hoping for one.  A checkbox that says to only allow AUTHed connections (with present functionality that treats specific IP space the same), or the ability of Declude to detect AUTHed connections so that it can whitelist them...and blacklist everything else, or an internal whitelisting mechanism in SmarterMail's built-in spam blocking that works on AUTH instead of just on the Mail From address as they do now, which can be forged or doesn't have to match the account (meaning that it isn't presently a 100% solution).  I believe that they should desire to have all three things in their product.  I know that the WHITELIST AUTH limitation is a sticking point with some of us around here who have considered moving spam blocking over to SmarterMail.  It seems like a simple mod, as IMail handled it with just a simple marker in the Q*.smd file.

Matt



Markus Gufler wrote:
Matt,

I'm not sure if this will help you. As I understand it, you and other people are going
to use the alternative port 587 just because more and more ISPs are
blocking outgoing SMTP traffic on port 25.

I must say that in my region here I know only one ISP doing this, and we've
resolved the problem by implementing stunnel (www.stunnel.org).
So we tell people who have an internet connection with blocked port 25 that
they should switch the configuration in the mail client to our server running
stunnel and activate SSL for outgoing SMTP connections.

Now I don't know if this will help you because I can't understand exactly
why you need "SMTP-Auth only" on this port and not on port 25 too.
Don't misunderstand me: I'm sure you know what you want to do. I just can't
follow at the moment.

Markus





-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, July 15, 2005 12:50 AM
To: [email protected]
Subject: [Declude.JunkMail] SmarterMail shortcomings in a 
gateway environment

Why does this always happen to me...

I was looking to leave my IMail/Declude setup as my gateway 
spam blocking component, and move hosted E-mail to a 
different server.  All I needed in the hosted mail server was 
something that could be configured in such a way as to only 
accept SMTP AUTH E-mail or E-mail that only came from my own 
gateway.  I figured that SmarterMail with port 587 support 
(the SMTP submission port) would do the trick.

Well, it turns out that despite earlier claims, SmarterMail 
supports another SMTP port of your choosing, but it doesn't 
limit it to SMTP AUTH-only.  This means that the spammers 
that have a habit of bypassing your MX records for indefinite 
periods of time will be able to still hit the SmarterMail 
server and bypass the scanning gateways.  I found a post from 
two days ago that pointed out this major shortcoming, and 
despite an earlier thread on the topic, it turns out that 
this is a real limitation.

I started searching for alternative methods around this, such 
as setting up a custom zone that blacklists the whole 
Internet except for the IP space of my scanning servers and 
using their internal spam blocking to delete anything that 
didn't come from my own space or was AUTHed.  I ran into 
another problem here however...their blacklist capabilities 
don't allow for unique result codes, so anything that returns 
a result from a blacklist is treated as a positive hit.  I 
had to actually create a CNAME record for a bogus domain to 
correspond to this space in order to work around that 
limitation and it worked.  I then however figured out that 
they do not whitelist based on SMTP AUTH, but instead, they 
whitelist anything with a local address, and if a user 
doesn't have a local address in their headers but still 
AUTHs, it won't be whitelisted.  So due to this shortsighted 
implementation on multiple fronts, there is no practical way 
to accomplish this and have it be reliable.

I also came across another thread while researching things 
where some fellow Declude users were pointing out how their 
gateway configuration affected blacklists.  We all know here 
that when gatewaying through a different server, you need 
something that is the equivalent of IPBYPASS for the gateway.
They overlooked this, and after it was pointed out to them 
they suggested that they instead test all hops, which would 
have resulted in tagging many messages that are sent from 
clients on DUL IP space.  I'm not sure that by the end of the 
thread that the concept stuck with them.

It is a very pretty application, but it has a lot of settings 
within it and a few of them don't seem very well thought out.
I E-mailed their tech support asking for ways around this or 
an indication of plans to support AUTH-only on the SMTP 
submission port and they ducked the questions saying that it 
wasn't possible to do at this time and directed my ticket to 
their sales staff so that I could get a refund.  
Unfortunately they seem to need to create a functional 
whitelisting mechanism for AUTHed users also for this to work 
instead of one based on the Mail From address.  I'm a little 
put off by the short answers in response to such things, and 
the rubber stamped reply that it will be added to their 
suggestion database.  Maybe I'm expecting too much...

At this point, I'm looking for alternatives...including using 
IMail on the new server (I can do this with 8.20).  I am also hopeful that 
maybe some of the others around here have run into this issue 
and possibly have some alternative suggestions.  While I 
don't want to support IMail any longer and feel that they 
might again pull the rug out from under me, I can migrate 
things in a snap and I won't have to worry about taking a 
risk with SmarterMail.

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================

---
This E-mail came from the Declude.JunkMail mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
type "unsubscribe Declude.JunkMail".  The archives can be 
found at http://www.mail-archive.com.

