[EMAIL PROTECTED] wrote:
>>>That way, you only do the nasty hack for people connecting with
>>>MUAs, and use normal "real-time" processing for everyone else.
>>
>>I am thinking about doing something similar for users with MUA's, as
>>during peak times sendmail/MD can take 5-10 seconds to send an email.
>>I was thinking about setting up another sendmail instance on another
>>IP that just accepts mail from our MUA's, and then relays it through
>>the sendmail/MD instance.
>>
>>I know I would lose functionality like immediately rejecting bad
>>recipients, a feature some MUA users like. But assumed a bad rcpt
>>bounce would be returned to the original sender, right?
>
> You could set up another sendmail instance on a nonstandard port on the
> *same* machine. That way you can get bad RCPT checking without the
> MIMEDefang overhead.
>
> Or you could require SMTP AUTH and run sendmail on 587, then configure
> MIMEDefang to skip SpamAssassin checks on authenticated mail... or run them
> on a no-network-tests config, which should be much faster.
>
This is how I do it in a corp environment: I turn off relaying by IP and force users to authenticate to smtp before I will let them relay. Then I require TLS before SMTPAUTH [define(`confAUTH_OPTIONS', `A,p,y')] just to make sure that the password is never passed in the clear. Once the user authenticates I can see it in the filter because I import a sendmail macro (look at docs over at http://sial.org/howto/mimedefang/macro-pass/ ). Now, I don't omit users from virus scanning because I don't want a virus leaving, but I do omit them from spamassassin, which is the majority of the processing time.

Another interesting hack (that means use with caution) is this rule:

    # If user is authenticated or coming from localhost then stop filtering
    if ((exists $SendmailMacros{md_tag} and $SendmailMacros{md_tag} eq 'authenticated')
        or ($ip eq "127.0.0.1")) {
        $authenticated = "TRUE";
        md_syslog('warning', "user authenticated");
    } else {
        $authenticated = "FALSE";
        md_syslog('warning', "user is NOT authenticated");
    }

    # if the user is sending from domain.com then they must authenticate (or be localhost)
    # (dot escaped and match anchored to the end of the address, so that
    # lookalike domains containing "domain.com" are not caught)
    if (($sender =~ /[\@.]domain\.com>?$/i) && ($authenticated ne "TRUE")) {
        return ('REJECT', 'You must authenticate to send mail from an domain.com account.');
    }

Basically, since we know that all of our users will authenticate, when we see mail from domain.com that doesn't come from an authenticated user we know it is spoofed so we reject it. While this is great because it limits inter domain spoofing to authenticated users, and viruses from [EMAIL PROTECTED] simply break, it also breaks things like ebay where they send you mail from yourself.

Anyway, I think this is the best solution because you should treat trusted users differently than public users. I don't mangle trusted users' email, and I haven't had a call from someone complaining about messages being marked as spam from other staff members in a long time.

schu

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
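
The sender test in the rule above decides which mail is rejected, so how tightly the pattern matches matters. The following is an added example, not code from the original post: a stand-alone Perl model of the rule (no MIMEDefang required) that runs constructed envelopes through a loose substring match and an anchored match. The function names, addresses and IP addresses are made up for illustration; `domain.com` is the post's placeholder.

```perl
#!/usr/bin/perl
# Added example: stand-alone model of the spoof rule, runnable with plain perl.
use strict;
use warnings;

my $DOMAIN = 'domain.com';    # placeholder domain, as in the post

# Loose: substring match with an unescaped dot.
sub is_local_loose  { return $_[0] =~ /domain.com/i ? 1 : 0 }

# Anchored: domain.com or a subdomain, at the end of the address,
# with or without the angle brackets around the envelope sender.
sub is_local_strict { return $_[0] =~ /[\@.]\Q$DOMAIN\E>?$/i ? 1 : 0 }

# Same decision as the rule in the post: authenticated or localhost
# senders pass, anyone else claiming the local domain is rejected.
sub verdict {
    my ($sender, $ip, $macros, $is_local) = @_;
    my $trusted = (($macros->{md_tag} // '') eq 'authenticated')
               || $ip eq '127.0.0.1';
    return 'CONTINUE' if $trusted;
    return $is_local->($sender) ? 'REJECT' : 'CONTINUE';
}

# Constructed envelopes: [sender, relay IP, sendmail macros]
my @cases = (
    ['<alice@domain.com>',           '192.0.2.10',   { md_tag => 'authenticated' }],
    ['<cron@domain.com>',            '127.0.0.1',    {}],
    ['<alice@domain.com>',           '198.51.100.7', {}],   # spoofed, or eBay-style
    ['<bob@mail.domain.com>',        '198.51.100.7', {}],   # subdomain
    ['<bob@otherdomain.com>',        '198.51.100.7', {}],   # lookalike suffix
    ['<bob@domain.com.example.net>', '198.51.100.7', {}],   # domain as a prefix
    ['<domain.com@example.org>',     '198.51.100.7', {}],   # domain in local part
    ['<bob@domainxcom.example>',     '198.51.100.7', {}],   # unescaped dot
);

printf "%-32s %-10s %-10s\n", 'sender', 'loose', 'anchored';
for my $c (@cases) {
    my ($sender, $ip, $macros) = @$c;
    printf "%-32s %-10s %-10s\n", $sender,
        verdict($sender, $ip, $macros, \&is_local_loose),
        verdict($sender, $ip, $macros, \&is_local_strict);
}
```

The third case is rejected by both variants: that is the intended spoof block, and also the eBay-style breakage the post mentions.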