Hi,
thanks to all who commented on my statements and perhaps my SPAMCONTROL patch.
(well, I live in Cologne and today is ... Rosenmontag).
Okay, back to the facts:
A) In the README I am referring to a special situation, when QMAIL is used as
a RELAY Internet <==> INTRANET. My comments about Load and SPAM activity
were guided by SMTP implementations of Lotus Notes and Novell's Groupwise
(which are certainly bad, wrt. QMAIL or even sendmail).
B) Certainly, I was talking about PLAIN QMAIL - without TCPSERVER and without
RBLSMTPD patch.
C) Now the basic question: Is QMAIL an OPEN RELAY by CONSTRUCTION (as I
stated)??
1. Minimal QMAIL installation (just ./me): QMAIL-SMTPD will accept all
   incoming E-Mail, put em in the input QUEUE.
   - Local Mail will be checked for the existence of a valid UNIX account,
     accepted and delivered or otherwise returned.
   - Non-local Mail is processed thru the output QUEUE.
   a) IF you use ./rcpthosts THEN QMAIL will act as a restricting RELAY
   b) IF you use ./badmailfrom THEN QMAIL will be turned into a pseudo-static
      partial blocking (Senders/Sites) blocking RELAY.
   c) IF you use the RBLSMTPD patch and TCPSERVER (outside the scope of my
      discussion) THEN QMAIL will behave as a dynamic, on-demand
      blocking RELAY.
   ==> Disregarding the IFs and THENs and even if a) to c) are a very, very
       rough description I called this for simplicity: "an OPEN RELAY by
       construction".
2. Thus, it is the responsibility of the system's owner to care about the
   right set up, as written in the man-page of QMAIL.
(Comment by Chris Johnson and Russell Nelson: "If you install qmail as
per the included documentation, you won't be running an open relay".)
==> Sure. NO doubts about that. But this was not my point.
D) About SPAM E-Mail:
1. SPAMMERs may use a MTA with valid SENDER/RECIPIENT addresses outside the
   domains listed in ./rcpthosts et al.
   ==> Configuring QMAIL as stated (restricted relay) will certainly stop this.
       The SPAMCONTROL patch gives in the environment as stated in A) the
       ability to define multiple "internal" domains.
2. SPAMMERS may send E-Mails to addresses within your domain.
   ==> You may control it (on your personal demand) by means of ./badmailfrom
       or - more effective - by the SPAMCONTROL's ./badrcptpatterns.
3. SPAMMERS may use a "trick" to convince your MTA the E-Mail is targeted
   to it.
   ==> The SPAMCONTROL's canonical filters do most of the job. Actually, they
       apply the same patterns as eg. ORBS.
Russell wrote: "It's simply not possible to eliminate spam in the long term by
filtering on any characteristic of the mail itself.... The more you filter on
content, the faster that time will come".
==> Well, I am not sure about that. Fingerprints are a solution. E-Mail
authentication is another. SMTP-Relay authentication a third one.
There was some confusion on my statement "to include the canonical SPAM filters
natively into QMAIL-SMTPD. The information can be grepped via the TCPSERVER
environment...". I was mistaken. What it should tell is, that - as today -
QMAIL-SMTPD receives information (eg. REMOTEIP) from TCPENV, the canonical
filters (LOCALIP, REVDNSNAME) could be included here and the validity of
addresses checked by QMAIL-SMTPD. This is something I would call an "internal
filter" (which could be activated, e.g. thru a compile-flag).
What are we missing??
The filters in SPAMCONTROL always work as a logical "OR". There is not an "AND"
logic. "AND" logic means, that filtering is done by means of SENDER and
RECIPIENT. Thus, E-Mails FOR *HOFFMAN* FROM *spam.com* can be rejected.
E) About Return-Codes:
1) Thanks to Vincent Schonau for the hint (RFC 1893) I will incorporate that
   in the next fix of SPAMCONTROL (1.0.5).
2) 5xx vs. 4xx as stated by RFC 2505 is a matter of practicality of the
local site. I will give a more complete description in the next README.
F) Misc:
BTW: We are running a QMAIL site since 3/1997. We are not Blacklisted.
(I almost missed the carnival parade yesterday).
Thanks again to everybody for that discussion.
eh.
+-----------------------------------------------------------------------+
| fff hh Dr. Erwin Hoffmann |
| ff hh |
| ff eee hhhh ccc ooo mm mm mm Wiener Weg 8 |
| fff ee ee hh hh cc oo oo mmm mm mm 50858 Koeln |
| ff ee eee hh hh cc oo oo mm mm mm |
| ff eee hh hh cc oo oo mm mm mm Tel 0221 484 4923 |
| ff eeee hh hh ccc ooo mm mm mm Fax 0221 484 4924 |
+-----------------------------------------------------------------------+
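
Added example, not part of the original message and not code from qmail or the SPAMCONTROL patch: a simplified Python model of the acceptance decision described in C) (no rcpthosts, rcpthosts, badmailfrom) and of the sender-AND-recipient rule the message says is missing. The function names, the `pair_rules` format and the `example` addresses are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

def domain_of(addr):
    """Lower-cased domain part of an envelope address."""
    return addr.rpartition("@")[2].lower()

def rcpt_allowed(rcpt, rcpthosts):
    """rcpthosts=None models a missing control file: every recipient is accepted."""
    if rcpthosts is None:
        return True
    dom = domain_of(rcpt)
    for entry in (e.lower() for e in rcpthosts):
        if entry.startswith("."):          # ".example.com" covers subdomains only
            if dom.endswith(entry):
                return True
        elif dom == entry:                 # exact host or domain
            return True
    return False

def sender_blocked(sender, badmailfrom):
    """Entry is a full address, or '@host' for every sender at that host."""
    s = sender.lower()
    return any(s == e.lower() or
               (e.startswith("@") and domain_of(s) == e[1:].lower())
               for e in badmailfrom)

def pair_blocked(sender, rcpt, pair_rules):
    """Hypothetical AND rule: sender pattern and recipient pattern must both match."""
    return any(fnmatchcase(sender.lower(), sp.lower()) and
               fnmatchcase(rcpt.lower(), rp.lower())
               for sp, rp in pair_rules)

def decide(sender, rcpt, rcpthosts=None, badmailfrom=(), pair_rules=()):
    """Return 'accept' or a reject reason for one MAIL FROM / RCPT TO pair."""
    if sender_blocked(sender, badmailfrom):
        return "reject: sender listed in badmailfrom"
    if not rcpt_allowed(rcpt, rcpthosts):
        return "reject: recipient domain not in rcpthosts"
    if pair_blocked(sender, rcpt, pair_rules):
        return "reject: sender/recipient pair rule"
    return "accept"

if __name__ == "__main__":
    # Constructed addresses; the first call shows the relay-everything default.
    print(decide("a@spam.example", "b@elsewhere.example"))
    print(decide("a@spam.example", "b@elsewhere.example", rcpthosts=["example.com"]))
    print(decide("a@spam.example", "hoffmann@example.com", rcpthosts=["example.com"],
                 pair_rules=[("*spam.example", "*hoffman*")]))
```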