On Jul 30, 2012, at 7:59 PM, Eric Shubert wrote:

> On 07/30/2012 09:58 AM, Sam Clippinger wrote:
>> Here's yet another chance for me to say that I *still* don't understand the
>> need for a whole separate port for authenticated connections.  On my servers,
>> I configure ports 25 and 587 exactly the same and mail clients can use
>> whichever one makes them the happiest.  If they authenticate they can send
>> mail, if they don't they'll be subject to the spam filter, simple as that.
> 
> The only reason I know of why it's really *needed* is to comply with 
> RFC6409 Sec 4.3 (http://tools.ietf.org/html/rfc6409#section-4.3), which 
> says that an MSA MUST require authentication. I take it this means for 
> submissions for intra-domain messages as well. Does spamdyke's 
> filter-level=require-auth conform to this (submissions to local domains 
> as well)?

Yes.  "filter-level" overrides everything else; if authentication isn't 
successful, the connection will be rejected regardless of whitelists or 
anything else.

> While not necessarily *required*, I think there are good reasons for 
> having these separate, as they're different logical roles and thus have 
> different processing requirements, although they use the same protocol. 
> See http://en.wikipedia.org/wiki/Mail_submission_agent for some benefits.
> 
> We all have our pet peeves. I guess this is one of yours. ;)

Yep.  I just don't see the point, when those changes in behavior can be 
determined by authentication.  I think port 587 was really created because so 
many providers were blocking outbound port 25 to stop spambots on their 
networks (in the US, AT&T and Time Warner do this).  So someone wrote an RFC 
that basically says "you can trust anyone using port 587 because they have to 
authenticate so please please please don't block it too!"  Unfortunately, lots 
of spambots these days hijack mail clients on the local PC, which will use port 
587 if that's how it's configured.  So we're back to the drawing board, but now 
we have to configure our servers with two ports instead of one.  *sigh*

>> Anyway, you can certainly use spamdyke on port 587 the way you describe.
>> Just set it up to use a different configuration file than the one on port 25
>> -- the second configuration file would not activate all the filters and would
>> also include the option "filter-level=require-auth".
> 
> I missed that one. I wouldn't expect this option here. It makes sense 
> though once I think about it. Thanks.
> 
>> I see your point and you're right.
> 
>> I guess I had it the way it was because it's simpler for me to do all my
>> server configuration through spamdyke and I didn't see the harm in allowing
>> the whitelist to govern relaying.  I'll get that changed.
> 
> Thanks. No hurry, but I'd like to see it in the next release.
> 
> Of course you'll still be able to do all your server configuration 
> through spamdyke. That's my goal as well. :)

Another option came to me today: you could also set your "relay-level" option 
to "no-check".  When that value is given, spamdyke won't set or alter 
RELAYCLIENT, even if the sender authenticates.  In effect, spamdyke's behavior 
would go back to the way it was before you were using "access-file".  That 
would get you by until I can release a new version.

> -- 
> -Eric 'shubes'

-- Sam Clippinger
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
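
Added example, not part of the original message and not spamdyke's own tooling: a small shell audit that checks whether the configuration file used on port 587 actually sets "filter-level=require-auth", as the thread describes. The file names and sample contents are constructed, and the "last occurrence wins" rule for a repeated option is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). File names and sample contents are constructed.

# Print the effective value of one option from a spamdyke config file.
# Assumption: if an option is repeated, the last occurrence takes effect.
# Matching is strict (no whitespace trimming), so an oddly formatted line
# fails the audit rather than passing it.
conf_value() {    # $1 = config file, $2 = option name
    awk -v opt="$2" '
        /^#/ { next }                        # skip comment lines
        {
            eq = index($0, "=")
            if (eq > 0 && substr($0, 1, eq - 1) == opt)
                val = substr($0, eq + 1)
        }
        END { print val }' "$1"
}

# Succeed only if the file forces authentication on every connection.
audit_submission_conf() {    # $1 = config file used on port 587
    level=$(conf_value "$1" filter-level)
    if [ "$level" = "require-auth" ]; then
        echo "OK: $1 sets filter-level=require-auth"
        return 0
    fi
    echo "FAIL: $1 has filter-level=${level:-unset}; unauthenticated clients are not refused"
    return 1
}

# Constructed samples: a filtering config for port 25, a submission config for 587.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/spamdyke-25.conf" <<'EOF'
# port 25: filters active, authentication optional
graylist-level=always
dns-blacklist-entry=zen.spamhaus.org
EOF
cat > "$SAMPLES/spamdyke-587.conf" <<'EOF'
# port 587: filters left out, authentication mandatory
#filter-level=normal
filter-level=require-auth
EOF

for f in "$SAMPLES/spamdyke-25.conf" "$SAMPLES/spamdyke-587.conf"; do
    audit_submission_conf "$f" || true
done
```

Pointing the function at the port 25 file shows the failure case: without the option, authentication is optional and the file does not meet the MSA requirement quoted from RFC6409 Sec 4.3.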
