If I had my druthers, a stock QMT would come with SpamDyke pre-installed... not so much so that I could block a great deal of SPAM, but because the SpamDyke control of the qmail-smtp is so easy.

So, here is how *I* do it:
1) Port 25 (SMTP) is for receiving mail INTO my server ONLY (that is, inbound mail TO my users):
 - There is NO AUTH on this port... PERIOD!
 - There is no relaying on this port either (unless I have an smtproutes entry)
 - While I do allow TLS, I do not require it.
Here is my EHLO reply on port 25:

   250-mail.myserver.com - Welcome
   250-STARTTLS
   250-PIPELINING
   250-8BITMIME
   250-SIZE 67108864
   250 X-NOTHING

I accomplish this by setting the *SPAMDYKEFLAGS* entry in the file _*/var/qmail/control/smtp/run*_ to show a DIFFERENT config file:

   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/smtp.conf"

Then, in the _*smtp.conf*_ file, I create an entry:

   smtp-auth-level=none

2) Port 587 (SUBMISSION) is for outbound mail ONLY (that is, outbound mail FROM my users):
 - AUTH is required on this port
 - On some servers, I REQUIRE TLS, but on most it is allowed but not required.
Here is my EHLO reply on port 587:

   250-mail.myserver.com - Welcome
   250-STARTTLS
   250-PIPELINING
   250-8BITMIME
   250-SIZE 67108864
   250 AUTH LOGIN PLAIN CRAM-MD5

I accomplish this by setting the *SPAMDYKEFLAGS* entry in the file _*/var/qmail/control/submission/run*_ to show a DIFFERENT config file:

   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/submission.conf"

Then, in the _*submission.conf*_ file, I create an entry:

   smtp-auth-level=always

NOTE: To REQUIRE TLS, use always-encrypted instead of just always

3) On systems that have valid SSL certificates, I have a port 465 (SMTP-SSL) port open as well
 - AUTH is required on this port
 - I REQUIRE TLS or SSL
I cannot show you the EHLO reply, as I don't have a tool to do the TLS decryption for me :)

Still, I accomplish this by setting the *SPAMDYKEFLAGS* entry in the file _*/var/qmail/control/smtp-ssl/run*_ to show a DIFFERENT config file:

   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/smtp-ssl.conf"

Then, in the _*smtp-ssl.conf*_ file, I create an entry:

   smtp-auth-level=always-encrypted

So the point is that you can configure SpamDyke to behave totally differently on all 3 SMTP ports (25, 587, & if you want, 465) simply by setting the config file to be unique in the supervise/run script for each port.

I hope this helps others...

Dan McAllister



On 12/15/2014 3:33 PM, Peter Peltonen wrote:
Hi,

I would like to force all users using my toaster to send mail to
authenticate. I've now managed to get Squirrelmail and Horde do that.
But I would like to know how to do this also with other (web)servers
that use the toaster as a smarthost? The other servers are running
Postfix.

Another thing I remember that has been discussed in this list, but
what I couldn't find by searching the archives, was that if all users
authenticate, then one could blacklist all local domains in Spamdyke?
Is that advice still valid (and why should one do it, I'm curious)?

Another thing I'm thinking is about local user accounts on the toaster
server. How are those handled if localhost is not allowed to relay
mail? Do they inject the mail to qmail directly without using smtp?

Regards,
Peter




--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!
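
The per-port policy described in this message can be checked from the EHLO replies themselves. The following is an added example, not part of the original post or of SpamDyke: the function names and the AUTH_EXPECTED table are assumptions made here, and fetch_ehlo covers the port 465 case by completing the TLS handshake before sending EHLO.

```python
import smtplib
import ssl

# AUTH policy from the message: none on 25, required on 587 and 465.
AUTH_EXPECTED = {25: False, 587: True, 465: True}

# EHLO replies copied from the message above (host name as given there).
EHLO_25 = """250-mail.myserver.com - Welcome
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 67108864
250 X-NOTHING"""
EHLO_587 = EHLO_25.replace("250 X-NOTHING", "250 AUTH LOGIN PLAIN CRAM-MD5")

def parse_ehlo(reply):
    """Map each EHLO keyword (upper-cased) to its list of parameters."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is only the greeting
        line = line.strip()
        if not line.startswith("250") or len(line) < 5:
            continue
        words = line[4:].split()
        # Some servers also send the legacy "AUTH=LOGIN PLAIN" form.
        key, _, first = words[0].partition("=")
        caps[key.upper()] = ([first] if first else []) + words[1:]
    return caps

def audit(port, reply):
    """Return the policy violations found in one port's EHLO reply."""
    caps, problems = parse_ehlo(reply), []
    if AUTH_EXPECTED[port] and "AUTH" not in caps:
        problems.append(f"port {port}: AUTH expected but not advertised")
    if not AUTH_EXPECTED[port] and "AUTH" in caps:
        problems.append(f"port {port}: AUTH advertised ({' '.join(caps['AUTH'])})")
    if port != 465 and "STARTTLS" not in caps:  # 465 is already inside TLS
        problems.append(f"port {port}: STARTTLS not offered")
    return problems

def fetch_ehlo(host, port, timeout=10.0):
    """Live probe: raw EHLO reply; port 465 is wrapped in TLS before EHLO."""
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout,
                                context=ssl.create_default_context())
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    with conn:
        code, msg = conn.ehlo()
    return "\n".join(f"{code} {text}" for text in msg.decode().splitlines())
```

To check a live server, pass the output of fetch_ehlo(host, port) to audit(port, ...) for each of the three ports; an empty list means the port matches the policy.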
