Mike,

I'm not sure why "It is not considered acceptable to force the users to authenticate a second time when they want to send email" - we all do that all the time anyway. Pretty much all MTAs ask clients for a username and password as part of the connection cycle - it's just usually set up to be automatic, with the info configured into your MUA. SMTP AUTH just adds some crypto to it - users just check a different box when they set up their clients.

It sounds like you're still going to need custom code if you're trying to control the activity of authenticated users.

Miles

Mike Kenny wrote:
Thanks Miles, but I am not sure that this is what I am looking for. My client's users will already have authenticated to access the data network, but all that remains to identify them is the IP address that they were assigned for that session. The data network guys have added code to update a DNS with both the IP and the original authentication string provided by the user. When one of these dynamically assigned IPs connects to our SMTP server we want to be able to look up the auth string in the DNS and check this against a blacklist.

It is not considered acceptable to force the users to authenticate a second time when they want to send email. We must accept the network authentication as being valid (it is, our problem is not unauthenticated users, but authenticated users who perform unauthorized actions like spamming) and then impose our own rules of behavior on those users by blacklisting them.

mike

On 12/27/06, Miles Fidelman <[EMAIL PROTECTED]> wrote:

    Mike Kenny wrote:
    > A client of mine provides an email service to a number of mobile
    > users. This leaves my client open to abuse as addresses are assigned
    > dynamically and blocking specific users is difficult. We have set up
    > an internal, private DNS which we update with the authentication
    > details of the user and the IP assigned to him/her at that time. We
    > now want to configure postfix/spamassassin to query this DNS and
    > return the authentication details. This will allow us to blacklist the
    > abusive users until they re-register (at a cost) and should help us
    > fight the proliferation of spam.
    >
    > How best can this be done? It is not enough that the IP is in the DNS,
    > we expect it to be and we do not want to blacklist based on the IP.
    > We actually need to get the authentication details back and look these
    > up in a blacklist. So how do we configure postfix or spamassassin to
    > look up
    Mike,

    You're barking up the wrong tree.  There are several well-established
    mechanisms specifically designed to authenticate mobile users to email
    systems.  What you want is SMTP AUTH, possibly w/ TLS.  Look at the
    wikipedia entries for SMTP-AUTH and SASL, and then look at the Postfix
    howtos.

    Miles Fidelman
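
The lookup discussed in this thread (map the connecting IP to the network auth string, then check that string against a blacklist) fits Postfix's policy delegation protocol, where smtpd sends `name=value` attributes and reads back an `action=` line. The following is an added example, not code from the thread: `lookup_auth` is a hypothetical stand-in for the private DNS query (the thread does not give the record format), and the addresses and account names are constructed.

```python
# Added example, not code from the thread. All sample data is constructed.
import ipaddress

DEFER = "action=DEFER_IF_PERMIT session lookup unavailable\n\n"

def parse_policy_request(raw):
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(raw_request, lookup_auth, blacklist):
    """Return the policy reply for one request.

    lookup_auth(ip) is a hypothetical callable standing in for the private DNS
    query; it returns the auth string for that IP, or None if there is no record.
    """
    attrs = parse_policy_request(raw_request)
    try:
        ip = str(ipaddress.ip_address(attrs.get("client_address", "")))
    except ValueError:
        return DEFER
    try:
        auth = lookup_auth(ip)
    except Exception:
        # Assumption: resolver trouble gives a temporary failure, so mail is retried.
        return DEFER
    if not auth:
        return DEFER  # no session record for this address (assumed policy)
    if auth.strip() in blacklist:
        return "action=REJECT sending suspended for this account\n\n"
    return "action=DUNNO\n\n"  # no opinion; later restrictions still apply

# Constructed sample data (documentation address range, made-up accounts).
SESSIONS = {"192.0.2.10": "alice@mobile.example", "192.0.2.11": "bulk@mobile.example"}
BLACKLIST = {"bulk@mobile.example"}

def sample_request(client_address):
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client_address}\nsender=a@mobile.example\n"
            "recipient=b@example.org\n\n")

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.99"):
        print(addr, decide(sample_request(addr), SESSIONS.get, BLACKLIST).strip())
```

Postfix would reach such a service through `check_policy_service` in an smtpd restriction list; the socket server around `decide` is left out here.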


