On 4 May 2008 at 22:16, Hal Dell wrote:

> Dear David Lord -
> 
> > I've still not worked out if you want mail coming in via postini to be
> > allowed to be relayed or if postini is just an external filter for
> > scanning some of your incoming mail. If the latter, I can't see why it
> > should need to be treated differently to any other incoming email.
> > However you've mentioned putting an entry for postini in smtprelay.tab
> > which would indicate that you intend it is allowed to be relayed. I
> > can't see how that can be done securely though without authentication.
> 
> Please understand that I support eMail for about over 300 Domains and
> about 450 eMailboxes so changing ports would be a large task. Further, you
> are correct that the eMail from Postini plus outbound eMail from clients are
> Relay'd on Port 25.

There is no problem so far as I know in using port 25, but 
in my case that port is blocked for outgoing by the ISPs
except via their particular gateways.

Can you arrange for your clients to use authentication on 
port 25?
  
> The problem is 1) the SPAMers are ignoring the MX records and
> using a private look-aside IP Address Database(s) which allows the
> SPAMers to bypass Postini by directly making a connection to the
> xMail Server on its IP Address on Port 25;
> 
> and 2) the SPAMers are constantly scanning IPs around the world
> for new or moved eMail servers; therefore they will eventually find any
> "hidden" open Server within weeks -- I'm not just talking about an
> Issue with SMTP -- this includes ALL of the protocols including the
> more common FTP, SQL, SMB, etc.

Mostly glst removes the majority of spam but there are periods, as 
just now, when a lot of spam is arriving via normal mailservers 
and this is being quarantined by spamassassin. I only run a few 
services with the rest blocked at the firewall. I also have a few IP 
blocklists in use.

> Therefore, one has no choice but to lock the relay function to only accept
> eMails from the upstream relay MTA; in this case Postini IPs. This is
> easily doable on Many of the MTAs that I've come across in the past like
> Microsoft Exchange; and RFC 4409 already proposed this concept.

If you can be sure only your own customers will attempt to relay 
via postini you can just add that ip block to smtprelay.tab
without specifying authentication, however I'd not trust it as 
being secure without knowing a lot more as to how the
service works.

i.e. (1) your account users authenticate
     (2) postini only allowed to relay via its ip block
    
Do you need authentication capability for postini?


David
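
The two-rule policy discussed in this thread (authenticated users, plus an upstream filter trusted by IP block), sketched as an added example that is not part of the original message and not XMail's own code. The quoted address/netmask layout for smtprelay.tab, the `filter_only` switch, the domain and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the quoted "address"<TAB>"netmask" layout assumed here
# for smtprelay.tab; 192.0.2.0/24 is a documentation range, not a Postini block.
SAMPLE_RELAY_TAB = '"192.0.2.0"\t"255.255.255.0"\n"127.0.0.1"\t"255.255.255.255"\n'
LOCAL_DOMAINS = {"example.org"}  # constructed: domains hosted on this server


def parse_relay_tab(text):
    """Return the IP networks listed in smtprelay.tab-style text."""
    nets = []
    for line in text.splitlines():
        fields = [f.strip().strip('"') for f in line.split("\t") if f.strip()]
        if len(fields) != 2 or fields[0].startswith("#"):
            continue  # skip blanks, comments and malformed rows
        nets.append(ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False))
    return nets


def smtp_decision(peer_ip, authenticated, rcpt_domain, relay_nets, filter_only=False):
    """Return 'accept' or 'reject' for one RCPT TO.

    filter_only (hypothetical switch) models locking port 25 to the upstream
    filter: unauthenticated peers outside relay_nets are refused even when the
    recipient is local, which closes the direct-to-IP bypass of the MX.
    """
    addr = ipaddress.ip_address(peer_ip)
    trusted = any(addr in net for net in relay_nets)
    if authenticated or trusted:
        # A trusted block relays anywhere without credentials, so the listed
        # range must contain only the filtering service's own hosts.
        return "accept"
    if rcpt_domain.lower() in LOCAL_DOMAINS and not filter_only:
        return "accept"  # ordinary inbound delivery, no relaying involved
    return "reject"


if __name__ == "__main__":
    nets = parse_relay_tab(SAMPLE_RELAY_TAB)
    for peer, auth, dom in [("192.0.2.25", False, "example.net"),
                            ("203.0.113.9", False, "example.org"),
                            ("198.51.100.7", True, "example.net")]:
        print(peer, auth, dom, smtp_decision(peer, auth, dom, nets, filter_only=True))
```
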

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
