On 07/28/2012 03:42 AM, Gary Gendel wrote: > On 7/28/12 1:09 AM, Eric Shubert wrote: >> A potential problem just occurred to me though. QMT uses the (preferred >> default) submission port 587, and includes a qmail-smtpd patch which >> forces authentication (export REQUIRE_AUTH=1). While spamdyke wouldn't >> typically be used on the submission port (since all connections must >> authenticate, the filters are pointless), I would still consider putting >> spamdyke in the submission pipe for a) authentication and b) logging >> capabilities. Spamdyke would need an smtp-auth-level=required option (or >> some such) in order to do this though. I haven't asked for this >> enhancement yet, have I? I guess I'm asking now. > I have a different setup. I do use the submission port does > authorization only and allows relaying. The smtp port does no > authorization or relaying (except relaying from ip addresses internal to > my LAN). In my setup, spamdyke is only on the smtp port.
I expect your setup is typical, using qmail with the smtp-auth patch. After all, spamdyke authentication has only been available since v4. All of my users use the submission port as well. I wouldn't mind shutting off authentication on port 25 personally, but I don't think that would fly with the QMT community at large. The capability to authenticate on port 25 will need to be provided until all users' clients are (re)configured to use port 587. In the case of ISPs, that could be quite some time. > In the 25+ years of running a mail server, I've had only two incidents > where spammers had gotten the password for a user. They were easily > detected by scanning the logs and the accounts shut down quickly. I've seen this happen twice in 6 years. The point isn't so much the frequency as it is protecting the integrity of the sending IPs address (from being blacklisted or otherwise hampered), which potentially affects everyone on the host, as well as the administrator who has to spend time to remove the blacklist. There are two improvements I'd like to see regarding this. First is to be able to enforce a policy of not sending passwords in clear text. Dovecot can do this via configuration, and it'd be nice if authentication with qmail/spamdyke had this capability as well. The second improvement would be to have some sort of throttle on qmail-remote, such that emails from a given account would only be sent every so often. gmane.org uses a throttle of this sort, and it appears to work quite nicely. This is outside the scope of spamdyke though, so I won't go into any more detail about it here. > Gary > Thanks for your input, Gary. -- -Eric 'shubes' _______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users
