Re: OpenBSD 4.4: dnsbl just for port 25 (not msa 587)
On Mon, Jun 22, 2009 at 9:59 PM, Dan Harnett <dan...@harnett.name> wrote:
> On Mon, Jun 22, 2009 at 07:19:09PM -0600, Alvaro Mantilla Gimenez wrote:
>> According to the /usr/share/sendmail/README file, it is necessary to
>> add the a modifier to the line that defines the MSA:
>>
>>     Additionally, by using the M=a modifier you can require
>>     authentication before messages are accepted by the MSA
>
> Actually, 'a' will only advertise that SMTP AUTH is available, it does
> not require it. You want to use 'l' to enforce it.
>
>     DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=El')dnl
>
> This won't even allow mail to local recipients without authentication
> first.

Hmm, this seems to not match the documentation in
/usr/share/doc/smm/08.sendmailop: the meanings you give for the 'a' and
'l' flags are correct for the srv_features ruleset, but not for the
DaemonPortOptions option.

...

> Authenticated users will skip the DNSBL checks if you use
> FEATURE(`delay_checks') in your .mc file.

This is the easiest way to accomplish the original poster's goal, yes.

Philip Guenther
Re: OpenBSD 4.4: dnsbl just for port 25 (not msa 587)
On Tue, Jun 23, 2009 at 07:33:15AM -0700, Philip Guenther wrote:
> Hmm, this seems to not match the documentation in
> /usr/share/doc/smm/08.sendmailop: the meanings you give for the 'a' and
> 'l' flags are correct for the srv_features ruleset, but not for the
> DaemonPortOptions option.

My mistake. You're absolutely right.
Re: OpenBSD 4.4: dnsbl just for port 25 (not msa 587)
Hi,

I added FEATURE(`delay_checks') to the .mc file, kept the line

    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=Ea')dnl

and so far everything seems fine. I take note of the file at
/usr/share/doc/smm/08.sendmailop too.

Thanks so much to both of you.

Alvaro

On Tue, 23 Jun 2009 07:33:15 -0700, Philip Guenther <guent...@gmail.com> wrote:
> On Mon, Jun 22, 2009 at 9:59 PM, Dan Harnett <dan...@harnett.name> wrote:
>> On Mon, Jun 22, 2009 at 07:19:09PM -0600, Alvaro Mantilla Gimenez wrote:
>>> According to the /usr/share/sendmail/README file, it is necessary to
>>> add the a modifier to the line that defines the MSA:
>>>
>>>     Additionally, by using the M=a modifier you can require
>>>     authentication before messages are accepted by the MSA
>>
>> Actually, 'a' will only advertise that SMTP AUTH is available, it does
>> not require it. You want to use 'l' to enforce it.
>>
>>     DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=El')dnl
>>
>> This won't even allow mail to local recipients without authentication
>> first.
>
> Hmm, this seems to not match the documentation in
> /usr/share/doc/smm/08.sendmailop: the meanings you give for the 'a' and
> 'l' flags are correct for the srv_features ruleset, but not for the
> DaemonPortOptions option.
>
> ...
>
>> Authenticated users will skip the DNSBL checks if you use
>> FEATURE(`delay_checks') in your .mc file.
>
> This is the easiest way to accomplish the original poster's goal, yes.
>
> Philip Guenther
OpenBSD 4.4: dnsbl just for port 25 (not msa 587)
Hello,

Is there any way to apply the dnsbl feature just on port 25 in the default
OpenBSD sendmail configuration and not apply it on port 587 (just auth
SMTP)? I googled it looking for answers, but it seems people disabled the
dnsbl feature in sendmail and used it with SpamAssassin (which is not an
option for me).

Any advice?

Thanks,
Alvaro
Re: OpenBSD 4.4: dnsbl just for port 25 (not msa 587)
Hi,

The openbsd-proto.mc file has these lines:

    FEATURE(`no_default_msa')dnl
    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA')dnl
    DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=O')dnl
    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl
    DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=E')dnl

According to the /usr/share/sendmail/README file, it is necessary to add
the a modifier to the line that defines the MSA:

    Additionally, by using the M=a modifier you can require
    authentication before messages are accepted by the MSA

If I understood well, the line:

    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl

would be:

    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=Ea')dnl

and then SMTP auth must work on port 587. Why does port 587 require
authentication as well with the original line (without the a modifier)?
Is it implicit somewhere else? I already checked the send process several
times with/without the a modifier, and I needed the authentication in both
cases, every time, to be able to send an email through port 587.

My question is because, as I said in my previous email, I want to separate
the dnsbl verification just for port 25 and let the clients authenticate
and send email on port 587 without passing through the dnsbl list
verifications (as defined by the line FEATURE(`dnsbl', `zen.spamhaus.org')
that I added to openbsd-proto.mc). I just added the a modifier and I
noticed a little delay when the client software (Thunderbird in this case)
does the authentication process to send the email.

My problem is that I have users that connect to the server with dynamic IP
addresses and they are rejected after the authentication process because
the IP is on the PBL list, with this message:

    This IP range has been identified by Spamhaus as not meeting our
    policy for IPs which should deliver 'direct-to-mx' mail to PBL users.

Spamhaus said that the only thing I need to avoid that error is to have
SMTP AUTH enabled on the server on port 587 (which I already have, as per
my previous question about the lines in openbsd-proto.mc). Can I assume
that the MSA configuration (with the a modifier) will authenticate the
user and let him send the email without passing through the PBL
verification, just doing the authentication process? In case my
assumption is not correct... is there any way to separate that without
running another sendmail process (with a separate configuration) on port
587?

Sadly I can't test it myself because my IP does not appear on PBL lists
and my users will connect during my sleep time (I am 8 hours behind).

Some light here will be appreciated.

Regards,
Alvaro

Alvaro Mantilla Gimenez wrote:
> Hello,
>
> Is there any way to apply the dnsbl feature just on port 25 in the
> default OpenBSD sendmail configuration and not apply it on port 587
> (just auth SMTP)? I googled it looking for answers, but it seems people
> disabled the dnsbl feature in sendmail and used it with SpamAssassin
> (which is not an option for me).
>
> Any advice?
>
> Thanks,
> Alvaro
Re: OpenBSD 4.4: dnsbl just for port 25 (not msa 587)
On Mon, Jun 22, 2009 at 07:19:09PM -0600, Alvaro Mantilla Gimenez wrote:
> According to the /usr/share/sendmail/README file, it is necessary to add
> the a modifier to the line that defines the MSA:
>
>     Additionally, by using the M=a modifier you can require
>     authentication before messages are accepted by the MSA

Actually, 'a' will only advertise that SMTP AUTH is available, it does not
require it. You want to use 'l' to enforce it.

    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=El')dnl

This won't even allow mail to local recipients without authentication
first.

> Why does port 587 require authentication as well with the original line
> (without the a modifier)? Is it implicit somewhere else? I already
> checked the send process several times with/without the a modifier, and
> I needed the authentication in both cases, every time, to be able to
> send an email through port 587.

How did you test this? Do you have any Srv_Features listed in your access
map? Authentication is not required in the default config. In fact, it's
not even available. Some clients (like Thunderbird, IIRC) will always try
to authenticate if the mail server announces SMTP AUTH as a feature during
the EHLO/HELO state. Are you sure you're not confusing an annoying client
feature with enforcing authentication?

> Spamhaus said that the only thing I need to avoid that error is to have
> SMTP AUTH enabled on the server on port 587 (which I already have, as
> per my previous question about the lines in openbsd-proto.mc).

Authenticated users will skip the DNSBL checks if you use
FEATURE(`delay_checks') in your .mc file.

> 587? Sadly I can't test it myself because my IP does not appear on PBL
> lists and my users will connect during my sleep time (I am 8 hours
> behind).

You can always set up your own test DNSBL that lists just your IP address.
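The pieces the thread converges on (Dan's delay_checks advice, confirmed by Philip and adopted by Alvaro), put together as one .mc fragment. This is an added example, not text from the thread and not OpenBSD's own openbsd-proto.mc; the rejection text passed to FEATURE(`dnsbl') and the test-zone name dnsbl.test.example are assumptions.

```m4
dnl Fragment to merge into /etc/mail/openbsd-proto.mc (added example; the
dnl OSTYPE/MAILER lines of the real file are not repeated here).
dnl
dnl delay_checks defers the connect-time check_relay ruleset, which is
dnl where the dnsbl feature hooks in, until RCPT TO, and skips it for a
dnl client that has authenticated. Net effect: an authenticated dynamic-IP
dnl user on 587 is never looked up in the PBL, while an unauthenticated
dnl sender on port 25 still is. Caveat: the DNSBL rejection now arrives
dnl after RCPT TO instead of at the greeting, so expect it at that stage
dnl in the logs when verifying.
FEATURE(`delay_checks')dnl
dnl
dnl DNSBL lookup against Spamhaus ZEN (SBL, XBL and PBL combined). The
dnl third argument is the SMTP rejection text and is an assumption here.
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Rejected: " $&{client_addr} " listed at zen.spamhaus.org"')dnl
dnl
dnl For testing from an address that ZEN does not list (Dan's suggestion):
dnl point a second dnsbl feature at a private zone that lists only your
dnl own client address. dnsbl.test.example is a placeholder zone name.
dnl FEATURE(`dnsbl', `dnsbl.test.example', `"550 test listing"')dnl
dnl
dnl Listeners as in openbsd-proto.mc: no implicit MSA, an MTA on port 25,
dnl and an MSA on 587 with M=E (no ETRN) plus M=a, the combination Alvaro
dnl reported working. See /usr/share/doc/smm/08.sendmailop for the
dnl DaemonPortOptions meaning of the a modifier.
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=O')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=Ea')dnl
```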