On Jul 19, 2016, at 10:28 AM, Reindl Harald <[email protected]> wrote:
[ ... ]
>> 2) In the absence of MX records stating otherwise, I expect that any
>> mailserver which sends outbound email should be willing to accept inbound
>> mail for the same domains it terminates or relays email on behalf of.
>
> that is not how email works
As I recall, you were either submitting a bug report about ClamAV and SPF,
which seems misguided as you've since acknowledged ("i know that SPF is not
relevant for clamav"), or at the least you were looking for feedback about how
to better handle legitimate email from paypal.at which you were bouncing due to
ClamAV's heuristics.
> a) the sender is @mail.paypal.at and not "@epsl1.com"
True.
> b) every smarter setup these days has strictly
> separated outbound and inbound servers
False. Assuming that there is only one correct mail architecture is a major
fallacy.
What you describe is one reasonable architecture for a large ISP which needs to
have redundant sending and receiving mail servers. However, there are lots of
smaller sites which have no need for that; they might be better off having an
external MX relay in their firewall DMZ which handles both inbound and outbound
mail, and an internal mailhost / reader box, for example.
> what you expect is completely pointless - as example you have no business to
> deliver mail to our outbound server unless you are a customer with a valid
> username and password since inbound mail is expected at the MX (spamfirewall)
> and not at the submission server
You appear to have skipped past this phrase: "In the absence of MX records
stating otherwise..."
If a mail server sends outbound, it needs to be willing to handle bounces and
DSNs for those messages/domains which it sends.
> why?
>
> because it's much easier to define MTA policies for spamfiltering when you
> need not mix with mail clients and when you do outbound spamfiltering you
> need completely different rules (no RBL lookups, no PTR checks, different
> scorings and first of all no postscreen in front which a MUA can't handle)
Is it reasonable to have different inbound and outbound MTAs to implement
different policies? Sure.
Is that the only mechanism by which one can have different policies? Nope.
Is it reasonable to trust all local mail and push the burden of checking it
upon others? Nope.
You should be applying spamfiltering and especially malware/virus scanning to
outbound email just as rigorously as you do to inbound email. In a few cases
that I am familiar with, outbound email is screened more carefully than inbound
email.
Regards,
--
-Chuck
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
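The "absence of MX records" phrase in the thread rests on the implicit-MX rule of RFC 5321 section 5.1: with no MX records, mail for a domain goes to the domain's own address record. The following is an added example, not code from the thread or from ClamAV; it resolves where DSNs for a sender's domain would land using a constructed in-memory DNS table (so it runs offline) and also covers the RFC 7505 null-MX case, where a domain explicitly states it accepts no mail.

```python
"""Where does inbound mail (and therefore bounces/DSNs) for a domain go?

Added example. DNS data is a constructed in-memory table standing in for
real lookups. Rules implemented:
  - RFC 5321 sec. 5.1: no MX records -> use the domain's own address
    record ("implicit MX"), the "absence of MX records" case.
  - RFC 7505: a single MX of "." with preference 0 ("null MX") means the
    domain accepts no mail at all; that is an MX record "stating otherwise".
"""
from typing import Dict, List, Optional

# Constructed zone data: domain -> {"MX": [(preference, host)], "A": [ip]}
CONSTRUCTED_DNS: Dict[str, Dict[str, list]] = {
    "example.org": {"MX": [(10, "mx1.example.org"), (20, "mx2.example.org")],
                    "A": ["192.0.2.1"]},
    "relay.example.net": {"MX": [], "A": ["192.0.2.25"]},        # implicit MX
    "nomail.example.com": {"MX": [(0, ".")], "A": ["192.0.2.9"]},  # null MX
    "bounce.example": {"MX": [], "A": []},                         # no target
}


def inbound_hosts(domain: str, dns=CONSTRUCTED_DNS) -> Optional[List[str]]:
    """Hosts expected to accept mail for `domain`, lowest preference first.
    [] means the domain declares it accepts no mail (null MX);
    None means there is no usable delivery target at all."""
    rec = dns.get(domain.lower(), {"MX": [], "A": []})
    mx = rec.get("MX", [])
    if len(mx) == 1 and mx[0] == (0, "."):
        return []
    if mx:
        return [host for _, host in sorted(mx)]
    # Implicit MX: fall back to the domain's own address record, if any.
    return [domain.lower()] if rec.get("A") else None


def sender_accepts_bounces(sending_host: str, mail_from_domain: str,
                           dns=CONSTRUCTED_DNS) -> bool:
    """True when the host that emitted the message is also one of the hosts
    where a DSN for the MAIL FROM domain would be delivered."""
    targets = inbound_hosts(mail_from_domain, dns)
    return bool(targets) and sending_host.lower() in targets
```

With the constructed table, `relay.example.net` (no MX, only an A record) is its own inbound host, while an outbound-only host such as `out.example.org` is not among the MX targets for `example.org`, so DSNs addressed there would never reach it.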