Ted Mittelstaedt wrote:
I know that, Sendmail adds the same flag when setup for auth SMTP. The problem is that SA will see this and assume the mail is safe.

Noooo.... if your trust path is set correctly, then SA won't run tests like eg PBL (IP blocks designated by the nominal owner as "not allowed to send SMTP traffic to world+dog"). It does NOT mean SA treats the mail as "safe".

In the versions of SA I have used, SA will assume the mail is safe
no matter what Received line in the header has the auth indicator
set.  They may have fixed that in the most recent SA but I don't
believe so,

*scratch head* I've never had problems with mistaken RBL hits as the OP is asking about *if* I've got my *_networks set correctly. Earlier this year I discovered an edge case with our "accelerated dialup" service and had to make some adjustments to the trust path to include the accelerator host as an MSA - but previous to that the setup had been working correctly.

and even if they did then what if SA is running on a
prefilter server in front of an Exchange server for example?

I have no idea what scenario you're referring to here - inbound mail? The OP is asking about outbound mail; and so far as your own filtering is concerned, (especially) if you're an ISP your spam filter really shouldn't penalize customers who send mail directly through the SMTP server you provide, whether that's separate from your MX(es) or not.

And you still have the problem of if a spammer's custom-written
virus has determined a user password.  The spammers are now able
to do this with some of their hijack tools.  And there are also a
LOT of phishing spams now that we see from time to time that tell
users that their e-mail password needs to be reset and to go to
such and such a webpage and change it, etc.

I'm not sure where you're going with this, but this scenario will be a problem with SMTP AUTH no matter how that info is passed to SA. Unless you can guarantee real control over end-user systems, you *will* have to deal with this somehow. I'll leave it at that since the original question was about preventing PBL hits on authenticated users.

But, go ahead, do it your way.  If you're a small site you might
even be OK for long enough to forget this advice.  But sooner
or later you're going to get cracked into and you will wish you
had separated the servers.

The ISP I work for currently has 6 machines handling customer-facing mail services - two physical machines for MX, two for outbound SMTP and two running SA and Clam.

I've worked with a number of single-machine and partial-split configurations on a smaller scale, but I don't recall any special challenges tracking down a cracked account. TBH the only "problem" I recall was the size of the logfiles relative to available CPU power to search them.

-kgd
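To make the trust-path point in this thread concrete, here is an added example that is not part of the thread or of SpamAssassin itself: a simplified Python model of how trusted_networks and msa_networks decide which relay's IP is the "last external" one that PBL/dialup tests are applied to. The Received header format, network ranges and IPs are constructed for the example; the walk is a model of the documented behaviour, not SA's own code.

```python
import ipaddress
import re

# Constructed sample networks (assumptions, not any real site):
#   TRUSTED: our own mail hosts (what trusted_networks would list)
#   MSA:     the outbound SMTP host that only accepts authenticated users
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
MSA = [ipaddress.ip_network("192.0.2.25/32")]

# Simplified Received: line shape used by the constructed samples:
#   from <helo> (<rdns> [<from_ip>]) by <host> (<by_ip>) with <proto> ...
RECEIVED_RE = re.compile(
    r"from \S+ \([^\[]*\[(?P<from>[\d.]+)\]\)\s+by \S+ \((?P<by>[\d.]+)\)\s+with (?P<proto>\S+)"
)

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def last_external_ip(received, trusted=TRUSTED, msa=MSA):
    """Walk Received: headers newest-first and return the IP of the first
    relay outside the trust path: that is the IP DNSBL/PBL tests look at.
    A relay in msa_networks that shows an auth indicator (ESMTPA/ESMTPSA)
    pulls its authenticated client into the trust path, so a customer's
    dynamic IP never becomes the 'last external' hop. Returns None when
    every hop is trusted (nothing to test against the PBL)."""
    for line in received:
        m = RECEIVED_RE.search(line)
        if not m:
            continue  # unparsable hop: ignored in this simplified model
        frm, by, proto = m.group("from"), m.group("by"), m.group("proto")
        if in_nets(frm, trusted):
            continue  # hand-off inside our own infrastructure
        if in_nets(by, msa) and proto.upper() in ("ESMTPA", "ESMTPSA"):
            continue  # authenticated submission to our MSA: client trusted too
        return frm
    return None

# Constructed headers: a customer on a dynamic IP authenticates to the MSA,
# which then relays to our MX (newest header first).
RECEIVED_AUTH = [
    "from smtp.example.net (smtp.example.net [192.0.2.25]) by mx.example.net (192.0.2.10) with ESMTP id A1",
    "from customer-pc (dyn.example.net [203.0.113.77]) by smtp.example.net (192.0.2.25) with ESMTPA id A2",
]
# Constructed headers: ordinary unauthenticated inbound delivery to the MX.
RECEIVED_INBOUND = [
    "from mail.example.org (mail.example.org [198.51.100.5]) by mx.example.net (192.0.2.10) with ESMTP id B1",
]
```

With msa_networks set, the authenticated customer hop is inside the trust path and no PBL lookup is made on 203.0.113.77; with msa_networks empty, that dynamic IP becomes the last external relay and would be tested.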
