I was looking to leave my IMail/Declude setup as my gateway spam
blocking component, and move hosted E-mail to a different server. All
I needed in the hosted mail server was something that could be
configured in such a way as to only accept SMTP AUTH E-mail or E-mail
that only came from my own gateway. I figured that SmarterMail with
port 587 support (the SMTP submission port) would do the trick.

Well, it turns out that despite earlier claims, SmarterMail supports
another SMTP port of your choosing, but it doesn't limit it to SMTP
AUTH-only. This means that the spammers that have a habit of
bypassing your MX records for indefinite periods of time will be able
to still hit the SmarterMail server and bypass the scanning gateways.

I found a post from two days ago that pointed out this major
shortcoming, and despite an earlier thread on the topic, it turns out
that this is a real limitation.

I started searching for alternative methods around this, such as
setting up a custom zone that blacklists the whole Internet except for
the IP space of my scanning servers and using their internal spam
blocking to delete anything that didn't come from my own space or was
AUTHed. I ran into another problem here however...their blacklist
capabilities don't allow for unique result codes, so anything that
returns a result from a blacklist is treated as a positive hit. I had
to actually create a CNAME record for a bogus domain to correspond to
this space in order to work around that limitation and it worked. I
then however figured out that they do not whitelist based on SMTP
AUTH, but instead, they whitelist anything with a local address, and
if a user doesn't have a local address in their headers but still
AUTHs, it won't be whitelisted. So due to this shortsighted
implementation on multiple fronts, there is no practical way to
accomplish this and have it be reliable.

I also came across another thread while researching things where some
fellow Declude users were pointing out how their gateway configuration
affected blacklists. We all know here that when gatewaying through a
different server, you need something that is the equivalent of
IPBYPASS for the gateway. They overlooked this, and after it was
pointed out to them they suggested that they instead test all hops,
which would have resulted in tagging many messages that are sent from
clients on DUL IP space. I'm not sure that by the end of the thread
the concept stuck with them.

It is a very pretty application, but it has a lot of settings within
it and a few of them don't seem very well thought out. I E-mailed
their tech support asking for ways around this or an indication of
plans to support AUTH-only on the SMTP submission port and they ducked
the questions saying that it wasn't possible to do at this time and
directed my ticket to their sales staff so that I could get a refund.
Unfortunately they seem to need to create a functional whitelisting
mechanism for AUTHed users also for this to work instead of one based
on the Mail From address. I'm a little put off by the short answers
in response to such things, and the rubber stamped reply that it will
be added to their suggestion database. Maybe I'm expecting too
much...

At this point, I'm looking for alternatives...including using IMail on
the new server (I can do this with 8.20). I am also hopeful that
maybe some of the others around here have run into this issue and
possibly have some alternative suggestions. While I don't want to
support IMail any longer and feel that they might again pull the rug
out from under me, I can migrate things in a snap and I won't have to
worry about taking a risk with SmarterMail.

Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
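
Added example, not part of the original message and not SmarterMail, IMail or Declude code: a small Python model contrasting the acceptance rule the post asks for (SMTP AUTH session or connection from the scanning gateway) with a whitelist keyed on the Mail From address. The gateway network, hosted domain and sample sessions are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed, constructed values: gateway address space and hosted domain.
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]
LOCAL_DOMAINS = {"example.com"}


@dataclass
class Session:
    client_ip: str       # address of the connecting SMTP client
    authenticated: bool  # True only after a successful SMTP AUTH
    mail_from: str       # envelope sender, chosen freely by the client


def from_gateway(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_NETS)


def accept_by_session(s: Session) -> bool:
    """Policy the post asks for: AUTHed session or connection from a gateway."""
    return s.authenticated or from_gateway(s.client_ip)


def accept_by_sender(s: Session) -> bool:
    """Model of the address-based whitelist the post describes."""
    domain = s.mail_from.rpartition("@")[2].lower()
    return domain in LOCAL_DOMAINS or from_gateway(s.client_ip)


# Constructed sessions covering the cases raised in the post.
SAMPLES = {
    "relayed by gateway": Session("192.0.2.5", False, "a@remote.example"),
    "AUTHed, non-local sender": Session("198.51.100.7", True, "u@other.example"),
    "direct, local-looking sender": Session("203.0.113.9", False, "u@example.com"),
    "direct, remote sender": Session("203.0.113.9", False, "b@remote.example"),
}


def compare() -> dict:
    """Return {case: (session_policy, sender_policy)} for each sample."""
    return {k: (accept_by_session(s), accept_by_sender(s)) for k, s in SAMPLES.items()}


if __name__ == "__main__":
    for case, (by_session, by_sender) in compare().items():
        print(f"{case:30} session={by_session!s:5} sender={by_sender}")
```

The two middle cases are where the policies disagree: the session rule keys on state the server itself established, while the sender rule keys on a value the client supplies.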