On Tue, 29 Oct 2024 09:59:09 +0100,
Tom Li <to...@tomli.me> wrote:
>
> On Tue, Oct 29, 2024 at 07:35:41AM +0100, Kirill A. Korinsky wrote:
> > I wonder why you can't use different listeners with and without filters?
> >
> > For example, I do have the following setup:
> >
> >   listen on socket
> >
> >   listen on egress inet4 port smtp tls pki mx.catap.net \
> >     filter { admdscrub, "auth", dnsbl }
> >
> >   listen on egress port submission \
> >     tls-require pki mx.catap.net auth <credentials> \
> >     mask-src \
> >     filter sign
> >
> > where sign is a filter chain which adds DKIM and ARC signatures for the mail
> > which is relayed on behalf of authenticated users.
>
> According to RFC 6409, Section 3.1:
>
> > Although most email clients and servers can be configured to use port
> > 587 instead of 25, there are cases where this is not possible or
> > convenient. A site MAY choose to use port 25 for message submission
> > by designating some hosts to be MSAs and others to be MTAs.
>
> My patch allows the server admin to operate it in this manner, using the
> authentication status as an identifier.
>

Which is an interesting use case indeed.

I think the right move, instead of patching each filter, is to add a condition
to proc-exec filters when it should or shouldn't be executed.

-- 
wbr, Kirill