Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
You don't have to run two postfixes for this.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Kai Schaetzl wrote:
> You don't have to run two postfixes for this.
> Kai

I wasn't suggesting two postfixes, only two smtpds, but what Mariusz said is even easier.

/Per Jessen, Zürich
RE: [SPAM:9.6] Off Topic - SPF - What a Disaster
On 2010-02-24, Kai Schaetzl wrote:
>> Postfix: I would have two different smtpd daemons - one for
> You don't have to run two postfixes for this.

I think Per means: 2 smtpd processes, not 2 Postfixes..

-- 
Rob
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote on Wed, 24 Feb 2010 10:02:02 +:
> So you would reject outbound mail from your domain?

I'm sure that's a typo. He just didn't show the full configuration. It's obvious that you put your allowance checks first.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 11:39:43 +0100 Rob Sterenborg <r.sterenb...@netsourcing.nl> wrote:
> On 2010-02-24, Kai Schaetzl wrote:
>>> Postfix: I would have two different smtpd daemons - one for
>> You don't have to run two postfixes for this.
> I think Per means: 2 smtpd processes, not 2 Postfixes..
> -- 
> Rob

Humour me. Does this not mean a need to change the outbound to either a different IP or port? I guess you could start hashing things around with IPTables to redirect certain requests, but once you've done all of this, changed all the clients etc. etc., you are saying this would be *easier* than SPF? Sure, I get the sentiment, but I don't necessarily agree that large changes would be better than making use of a simple DNS-based mechanism that already exists. Factor in the millions of email users who don't use Postfix and run things like Exchange and things tend to widen up.
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Rob Sterenborg wrote on Wed, 24 Feb 2010 11:39:43 +0100:
> I think Per means: 2 smtpd processes, not 2 Postfixes..

and I meant what he meant ;-)

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wednesday, 24 of February 2010, Per Jessen wrote:
>> I guess you could start hashing things around with IPTables to redirect certain requests, but once you've done all of this, changed all the clients etc. etc., you are saying this would be *easier* than SPF?
> See Mariusz Kruk's suggestion - that's the way to do it. Accept everything from mynetworks, reject everything pretending to be coming from your domain.

Let's also add that you should receive mail on port 25 from other SMTP servers only; port 25 is not meant for end users nowadays. So it should not (unless you have multiple servers and some complicated setup, but then you probably know what you are doing anyway) be _from_ your domain. Mail _from_ your domain (which means your clients) should be submitted to port 587, where you do not accept anything unless the client has authenticated himself (by SMTP-auth, being in an appropriate IP range or any other means). It all makes it quite easy to _not_ accept mail from the outside world which seems to be originating in your domain.

-- 
k...@epsilon.eu.org | http://epsilon.eu.org/
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Kai Schaetzl wrote:
> Christian Brel wrote on Wed, 24 Feb 2010 10:02:02 +:
>> So you would reject outbound mail from your domain?
> I'm sure that's a typo. He just didn't show the full configuration. It's obvious that you put your allowance checks first.
> Kai

I did also say 'thinking out loud here', so yes, it was obviously not a complete config. However, smtpd is not involved in sending outbound mail, so my sender access check would not get in the way.

/Per Jessen, Zürich
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, Feb 24, 2010 at 11:30:25AM +, Christian Brel wrote:
> On Wed, 24 Feb 2010 11:39:43 +0100 Rob Sterenborg <r.sterenb...@netsourcing.nl> wrote:
>> On 2010-02-24, Kai Schaetzl wrote:
>>>> Postfix: I would have two different smtpd daemons - one for
>>> You don't have to run two postfixes for this.
>> I think Per means: 2 smtpd processes, not 2 Postfixes..
>> -- 
>> Rob
> Humour me.

Please stop humouring our resident troll.
Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote:
> On Wed, 24 Feb 2010 11:39:43 +0100 Rob Sterenborg <r.sterenb...@netsourcing.nl> wrote:
>> On 2010-02-24, Kai Schaetzl wrote:
>>>> Postfix: I would have two different smtpd daemons - one for
>>> You don't have to run two postfixes for this.
>> I think Per means: 2 smtpd processes, not 2 Postfixes..
>> -- 
>> Rob
> Humour me. Does this not mean a need to change the outbound to either a different IP or port?

IP yes. I assume your external and internal network are on different IP-ranges.

> I guess you could start hashing things around with IPTables to redirect certain requests, but once you've done all of this, changed all the clients etc. etc., you are saying this would be *easier* than SPF?

See Mariusz Kruk's suggestion - that's the way to do it. Accept everything from mynetworks, reject everything pretending to be coming from your domain.

/Per Jessen, Zürich
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 12:41:29 +0100 Per Jessen <p...@computer.org> wrote:
> Christian Brel wrote:
>> On Wed, 24 Feb 2010 11:39:43 +0100 Rob Sterenborg <r.sterenb...@netsourcing.nl> wrote:
>>> On 2010-02-24, Kai Schaetzl wrote:
>>>>> Postfix: I would have two different smtpd daemons - one for
>>>> You don't have to run two postfixes for this.
>>> I think Per means: 2 smtpd processes, not 2 Postfixes..
>>> -- 
>>> Rob
>> Humour me. Does this not mean a need to change the outbound to either a different IP or port?
> IP yes. I assume your external and internal network are on different IP-ranges.

What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS. It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation. I'm also thinking about those forwarding services out there - does the two SMTPd approach not break this in the same way SPF would break if the forwarder was not permitted to send?
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 13:38:55 +0200 Henrik K <h...@hege.li> wrote:
> On Wed, Feb 24, 2010 at 11:30:25AM +, Christian Brel wrote:
>> On Wed, 24 Feb 2010 11:39:43 +0100 Rob Sterenborg <r.sterenb...@netsourcing.nl> wrote:
>>> On 2010-02-24, Kai Schaetzl wrote:
>>>>> Postfix: I would have two different smtpd daemons - one for
>>>> You don't have to run two postfixes for this.
>>> I think Per means: 2 smtpd processes, not 2 Postfixes..
>>> -- 
>>> Rob
>> Humour me.
> Please stop humouring our resident troll.

That would be you then, as your post has no purpose other than to inflame. Kinda reminds me of that old saying 'takes one to know one.'
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wednesday, 24 of February 2010, Christian Brel wrote:
>> IP yes. I assume your external and internal network are on different IP-ranges.
> What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS.

They should be using the submission service on port 587 and authenticate themselves, for example with smtp-auth. (Of course you can still authenticate them and let them send on port 25 - it's perfectly possible from a technical point of view; because you authenticate your clients, right?)

> I'm also thinking about those forwarding services out there - does the two SMTPd approach not break this in the same way SPF would break if the forwarder was not permitted to send?

In case of forwarding the envelope address is that of the original sender, not that of the receiver. You have email from addre...@domain1.com to addre...@domain2.com. The MX for domain2.com tries to forward the mail to addre...@domain3.com, so it sends mail from addre...@domain1.com to addre...@domain3.com. Domain3.com checks SPF records and sees that domain2.com is not permitted to send mails for domain1.com, so it refuses to accept such mail. We were talking about (let's assume we're domain3.com) not letting people from the outside world send mail from domain3.com.

-- 
Kruk@epsilon.eu.org | http://epsilon.eu.org/
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote:
>>> Humour me. Does this not mean a need to change the outbound to either a different IP or port?
>> IP yes. I assume your external and internal network are on different IP-ranges.
> What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS.

Then presumably they submit email via port 587 after appropriate authentication. Then you just add that requirement - can't remember what the exact postfix option is. I have people working from home-offices too, that's how they are set up.

> It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation.

I think it actually is. Allow mynetworks, allow authenticated users, reject everything else.

> I'm also thinking about those forwarding services out there - does the two SMTPd approach not break this in the same way SPF would break if the forwarder was not permitted to send?

I can't quite follow you - there is no forwarding involved AFAICS?

/Per Jessen, Zürich
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 14:37:49 +0100 Per Jessen <p...@computer.org> wrote:
> Christian Brel wrote:
>>>> Humour me. Does this not mean a need to change the outbound to either a different IP or port?
>>> IP yes. I assume your external and internal network are on different IP-ranges.
>> What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS.
> Then presumably they submit email via port 587 after appropriate authentication.

No, they submit on 25 using TLS+SASL. Would making the changes to Firewall, MTA, plus potentially thousands of clients be easier than SPF? Would all those angry users screaming because they can't send mail at all be a good thing? I don't think so myself.

>> It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation.
> I think it actually is. Allow mynetworks, allow authenticated users, reject everything else.

But that would reject *everything* that was not authenticated or in 'my networks'. For a single IP/Port listening to the world this does not work. It requires multiple SMTP instances with different IPs or Ports which may not suit the needs of the admin and the users concerned. Tell you what, wouldn't it be a great idea to save all the messing around and use something universal and simple for the job? Something lightweight and easy to deploy. I know! What about using SPF!

> /Per Jessen, Zürich

Of course, all this has very little to do with SpamAssassin..
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wednesday, 24 of February 2010, Christian Brel wrote:
> No, they submit on 25 using TLS+SASL. Would making the changes to Firewall, MTA, plus potentially thousands of clients be easier than SPF? Would all those angry users screaming because they can't send mail at all be a good thing? I don't think so myself.

Well, you _should_ use submission anyway. (BTW, in my experience it's easier to filter one kind of traffic on 25, and another on 587, than filtering both on one port. YMMV)

>>> It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation.
>> I think it actually is. Allow mynetworks, allow authenticated users, reject everything else.
> But that would reject *everything* that was not authenticated or in 'my networks'. For a single IP/Port listening to the world this does not work. It requires multiple SMTP instances with different IPs or Ports which may not suit the needs of the admin and the users concerned.

It doesn't. permit mynetworks/sasl_authenticated/whatever, reject my_domains, permit my_destination, reject_everything_else. Of course you may add other restrictions in this chain.

-- 
k...@epsilon.eu.org | http://epsilon.eu.org/
Re: [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote on Wed, 24 Feb 2010 12:39:47 +:
> What about my home workers?

They use SMTP AUTH. It works, believe us. With a standard postfix.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote:
> On Wed, 24 Feb 2010 14:37:49 +0100 Per Jessen <p...@computer.org> wrote:
>> Christian Brel wrote:
>>>>> Humour me. Does this not mean a need to change the outbound to either a different IP or port?
>>>> IP yes. I assume your external and internal network are on different IP-ranges.
>>> What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS.
>> Then presumably they submit email via port 587 after appropriate authentication.
> No, they submit on 25 using TLS+SASL. Would making the changes to Firewall, MTA, plus potentially thousands of clients be easier than SPF? Would all those angry users screaming because they can't send mail at all be a good thing? I don't think so myself.

Then keep them on port 25, it's no big deal as long as they are authenticated.

>>> It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation.
>> I think it actually is. Allow mynetworks, allow authenticated users, reject everything else.
> But that would reject *everything* that was not authenticated or in 'my networks'.

No. See Mariusz' explanation.

> Tell you what, wouldn't it be a great idea to save all the messing around and use something universal and simple for the job? Something lightweight and easy to deploy. I know! What about using SPF!

Christian, I suspect we don't have quite the same understanding of what 'easy' means.

/Per Jessen, Zürich
Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +:
> But that would reject *everything* that was not authenticated or in 'my networks'.

Indeed, that's the purpose. And it doesn't matter if you get the mail via 25 or 587. 587 is just a convenience. Any other access to use your server for relaying should not be allowed at all. I really suggest you sit back and read the postfix documentation instead of questioning and questioning in the blue air. It's an absolute standard postfix configuration that you just seem to have not been made aware of for years.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 17:31:19 +0100 Kai Schaetzl <mailli...@conactive.com> wrote:
> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +:
>> But that would reject *everything* that was not authenticated or in 'my networks'.
> Indeed, that's the purpose. And it doesn't matter if you get the mail via 25 or 587. 587 is just a convenience. Any other access to use your server for relaying should not be allowed at all. I really suggest you sit back and read the postfix documentation instead of questioning and questioning in the blue air. It's an absolute standard postfix configuration that you just seem to have not been made aware of for years.
> Kai

I'm confused. The mail you have just sent to the list has:

  'From: Kai Schaetzl <mailli...@conactive.com>'

Yet the server is:

  mail.apache.org (hermes.apache.org [140.211.11.3])   #aka a forwarder in this context#

Now, if we do as you say and you have somebody else at conactive.com who is subscribed to the list, what happens to this mail when it comes across 'reject my_domains'? Granted, SPF won't help anyone here (I don't think anyone would add an entry for 140.211.11.3 in their SPF unless they were really keen).
Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote:
> On Wed, 24 Feb 2010 17:31:19 +0100 Kai Schaetzl <mailli...@conactive.com> wrote:
>> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +:
>>> But that would reject *everything* that was not authenticated or in 'my networks'.
>> Indeed, that's the purpose. And it doesn't matter if you get the mail via 25 or 587. 587 is just a convenience. Any other access to use your server for relaying should not be allowed at all. I really suggest you sit back and read the postfix documentation instead of questioning and questioning in the blue air. It's an absolute standard postfix configuration that you just seem to have not been made aware of for years.
>> Kai
> I'm confused. The mail you have just sent to the list has:
>   'From: Kai Schaetzl <mailli...@conactive.com>'

Envelope sender, not the from address.
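The restriction chain Mariusz spells out (permit mynetworks, permit SASL-authenticated clients, reject your own domains as envelope sender, permit your own destinations, reject the rest) and Per's closing point that it is the envelope sender, not the From: header, that gets checked, modelled as an added Python example that is not from the thread or from Postfix. MY_DOMAINS, MY_NETWORKS and the sample envelopes are constructed; the list bounce address is a placeholder; 140.211.11.3 is the hermes.apache.org address quoted above.

```python
"""Model of the smtpd restriction chain described in this thread: permit mynetworks,
permit SASL-authenticated clients, reject envelope senders in our own domains,
permit mail for our own domains, reject the rest. Added illustration, not Postfix."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: pretend we receive mail for both domains the thread uses.
MY_DOMAINS = {"domain3.com", "conactive.com"}
MY_NETWORKS = [ip_network("192.0.2.0/24")]   # constructed $mynetworks

@dataclass
class Envelope:
    client_ip: str
    sasl_authenticated: bool
    mail_from: str          # envelope sender (MAIL FROM); this is what is checked
    rcpt_to: str
    header_from: str = ""   # header From:, carried only to show it is never consulted

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(env: Envelope) -> str:
    """First matching rule decides, in the order Postfix walks the list."""
    ip = ip_address(env.client_ip)
    if any(ip in net for net in MY_NETWORKS):
        return "PERMIT permit_mynetworks"
    if env.sasl_authenticated:
        return "PERMIT permit_sasl_authenticated"      # port 25 or 587 alike
    if domain_of(env.mail_from) in MY_DOMAINS:
        return "REJECT outside client using our domain as sender"
    if domain_of(env.rcpt_to) in MY_DOMAINS:
        return "PERMIT mail for mydestination"
    return "REJECT reject_unauth_destination"

SCENARIOS = {
    # outsider claiming to be one of us
    "spoof": Envelope("203.0.113.7", False, "boss@domain3.com", "user@domain3.com"),
    # home worker on a DSL address, authenticated with SASL
    "home_worker": Envelope("198.51.100.9", True, "me@domain3.com", "x@example.org"),
    # domain2's MX forwards domain1's mail to us: envelope sender stays domain1
    "forwarded": Envelope("203.0.113.50", False, "alice@domain1.com", "bob@domain3.com"),
    # list mail relayed by hermes.apache.org: header From is conactive.com, but the
    # envelope sender is the list's bounce address (placeholder value)
    "list_mail": Envelope("140.211.11.3", False, "list-bounces@list.example",
                          "sub@conactive.com", header_from="someone@conactive.com"),
}

def run_all() -> dict:
    return {name: evaluate(env) for name, env in SCENARIOS.items()}
```

Only the spoof scenario is rejected; the forwarded and list-relayed messages pass because their envelope sender is not one of our domains, which is why the chain does not break forwarding the way an SPF check at the recipient would.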