On Fri, May 18, 2012 at 02:19:14PM -0500, Noel Jones wrote:
> On 5/18/2012 1:06 PM, Chris wrote:
> > The email from gmail.com in my example log comes in on port 25 - the
> > 1st line in master.cf. If I leave the "-o
> > content_filter=lmtp:unix:/tmp/dspam.sock" in instead of removing it,
> > then authenticating users who choose to use port 25 in their email
> > clients will also go through dspam as well as non-authenticating
> > users. That is why I need to have this:
>
> OK, you didn't mention that you have users that MUST use port 25.
>
> Typically mail submission and incoming mail are separated so that
> you can easily apply proper policy to each function. You should
> seriously consider getting authenticated users off of port 25, but
> that's another discussion.

If you can't get them off port 25, use a different IP address to
separate submitted mail from MX mail. This problem is trivial to
solve.

If you only have one IP address, you should be small enough to get
the message out to your users. (Those who hesitate will notice when
their MUA is unable to AUTH on port 25.)

Another "another discussion" I want to bring up is the BAD idea of
bypassing content filtering for submission (which here is meant to
include authentication on port 25.) Users can get malware, and some
malware is submitting spam through the authentication credentials
stored in the MUA. This is a real-world problem, and content
filtering is about the only way to address it. (Rate limiting helps
also, but does not prevent spew up to the allowed rate.)

Of course a content filter for submission needs different settings
and should run different tests, but typically the same software that
does it for MX mail can also do it for submission mail. As Noel
alluded above, the content filter should have policy settings to
distinguish these functions.

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
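An added example, not part of the original message or of Postfix: a small audit that reads a master.cf and reports smtpd listeners that accept SASL AUTH while running with an empty content_filter, the bypass the reply above warns about. The sample master.cf is constructed; the 192.0.2.11 address and the dspam-submit socket path are hypothetical, and only the plain `-o name=value` override form is handled.

```python
import shlex

# Constructed sample, not from the thread; 192.0.2.11 and dspam-submit.sock are hypothetical.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp       inet  n  -  n  -  -  smtpd
  -o content_filter=lmtp:unix:/tmp/dspam.sock
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=
192.0.2.11:smtp inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=lmtp:unix:/tmp/dspam-submit.sock
pickup     unix  n  -  n  60 1  pickup
"""

def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def unfiltered_auth_listeners(text, main_cf=None):
    """Return smtpd services that accept SASL AUTH but have no content filter."""
    main_cf = main_cf or {}
    flagged = []
    for entry in logical_lines(text):
        fields = shlex.split(entry)
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        params = dict(main_cf)  # main.cf values first, then per-service -o overrides
        args = fields[8:]
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                name, _, setting = value.partition("=")
                params[name.strip()] = setting.strip()
        sasl = params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
        if sasl and not params.get("content_filter", ""):
            flagged.append(fields[0])
    return flagged

if __name__ == "__main__":
    print(unfiltered_auth_listeners(SAMPLE_MASTER_CF))
```

Pass the relevant main.cf settings as the `main_cf` dictionary so that listeners inheriting `smtpd_sasl_auth_enable` or `content_filter` from main.cf are judged on their effective values.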
