Chris Thielen wrote:
So it seems the root of my problem is that users are connecting to the office smtp server (also our primary MX) without authentication. That seems to be a legitimate hit for the dynamic ip lists. However it is also the only legitimate smtp server for these people to use. I guess the fix is to *require* authentication for users, but then I don't think I could use that same server for MX.
People on random dynamic addresses are connecting to the service without auth and using it as an MSA?! That's not good. In fact it sounds like one big open relay.
There's no problem with having people using auth when connecting with their MUAs expecting MSA services and having the server act as an MX. Lots of small setups do it this way.
I guess for now I'll continue to use the hack-ish workaround that munges the headers to indicate an authenticated connection even though it's not really authenticated.
That sounds like it's prone to false positives when a spammer forges your from domain/etc.
If you're not sure, if you want to provide a copy of the headers from a "should be auth'd" connection and headers from mail from a random "external domain" I'll take a look.
Daryl
