[Mimedefang] Skipping SA on TLSMTA connections?

Philip Prindeville philipp_subx at redfish-solutions.com
Thu Nov 23 17:32:49 EST 2006


Jan-Pieter Cornet wrote:

>On Thu, Nov 23, 2006 at 12:48:34PM -0700, Philip Prindeville wrote:
>
>>Hey, that's how it comes out-of-the-box from sendmail.org: it's
>>set in /etc/mail/submit.mc on my machine.
>
>What platform is that? I can't find any mention of it on debian
>nor on freebsd. Not even of the (sub-standard) port 465, sendmail
>seems to come default listening on 25 and 587 (submission). 465
>is deprecated because it is SSL only, not TLS. It's commonly added
>because lots of clients still cannot do TLS, only direct SSL.

This is on FC5. Quoting:

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')


Ok, so I'll 'dnl' the:

dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

back, and un-dnl the:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

and see what happens.

>>>I don't really understand all the fuss about applying micropatches to
>>>the examples/suggested-minimum-filter-for-windows-clients file. As the
>>>name implies, it's an EXAMPLE and a SUGGESTION.
>>>
>>Well, I do generate diffs after each update, and then patch them back in.
>>
>>Ideally it would be nice if MdF could peek into the SA configs in this
>>case, figure out the values of "internal_networks", and then skip the test
>>for clients on those subnets.
>
>I'm sure some large company from washington would ship it this way, yes :)
>But given the ways in which this can go wrong and the difficulty to
>determine sane "internal_networks", and the ease with which this can
>be changed while installing, I'd recommend against it.
>
>It would probably be better if the example filter came in a number of
>pluggable modules, where you could easily add extra modules or replace
>existing modules by providing your own version in another directory.
>But then again I'm biased, because I wrote a modular filter framework.

Yes! People that want to do additional scripting should be able
to, but for most, simply configured knobs and dials should be
adequate.

If we want people to eradicate spam, MdF needs to be made more
accessible to the unwashed masses.

Not convinced that better integration of SA and MdF settings is a
bad thing, but I do agree that getting internal_networks right is
something a lot of people seem to botch up.

-Philip
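As an added illustration of the two ideas discussed in this message (skipping SpamAssassin for mail that arrives on the MSA/TLSMTA listeners, and honouring SpamAssassin's own internal_networks), here is a replacement for the SpamAssassin part of filter_end in a MIMEDefang filter. It is not Philip's code and not part of the MIMEDefang distribution. It assumes the MIMEDefang filter globals %SendmailMacros, $RelayAddr and %Features, that sendmail passes the {daemon_name} and {auth_authen} macros through to the filter, the listener names MSA and TLSMTA from the DAEMON_OPTIONS lines quoted above, the NetAddr::IP module (a SpamAssassin dependency), and a hypothetical helper read_internal_networks that reads /etc/mail/spamassassin/local.cf.

```perl
# Added example: not code from this list post or from the MIMEDefang
# distribution. Replaces the SpamAssassin part of filter_end in a copy of
# mimedefang-filter.
use NetAddr::IP;   # assumption: installed, since SpamAssassin depends on it

# MIMEDefang filter globals (set by mimedefang.pl before the filter runs).
our (%SendmailMacros, $RelayAddr, %Features);

# Listener names from the DAEMON_OPTIONS lines quoted in the message above.
my %submission_daemon = (MSA => 1, TLSMTA => 1);

# Hypothetical helper: collect internal_networks entries from a SpamAssassin
# config file into NetAddr::IP objects. Only plain inclusions are honoured;
# SA's "!" exclusion syntax is deliberately left alone.
sub read_internal_networks {
    my ($path) = @_;
    my @nets;
    open(my $fh, '<', $path) or return @nets;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;                       # strip comments
        next unless $line =~ /^\s*internal_networks\s+(.+?)\s*$/;
        for my $tok (split /[\s,]+/, $1) {
            next if $tok =~ /^!/;
            my $net = NetAddr::IP->new($tok) or next;   # skip unparsable entries
            push @nets, $net;
        }
    }
    close($fh);
    return @nets;
}

# Read once at filter load, not once per message.
my @internal_networks = read_internal_networks('/etc/mail/spamassassin/local.cf');

sub relay_is_internal {
    my ($addr) = @_;
    my $ip = NetAddr::IP->new($addr) or return 0;
    for my $net (@internal_networks) {
        return 1 if $net->contains($ip);
    }
    return 0;
}

# Skip SA only when the session came in on a submission listener AND
# authenticated, or when the relay sits inside internal_networks.
sub should_skip_spamassassin {
    my $daemon = $SendmailMacros{'daemon_name'} || '';
    my $user   = $SendmailMacros{'auth_authen'} || '';
    return 1 if $submission_daemon{$daemon} && $user ne '';
    return 1 if relay_is_internal($RelayAddr);
    return 0;
}

sub filter_end {
    my ($entity) = @_;
    return if message_rejected();
    return unless $Features{"SpamAssassin"};

    if (should_skip_spamassassin()) {
        action_add_header("X-Spam-Checked", "skipped (authenticated or internal sender)");
        return;
    }

    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $score = "*" x int($hits);
    action_change_header("X-Spam-Score", "$hits ($score) $names");
    action_change_header("X-Spam-Status",
        ($hits >= $req ? "Yes" : "No") . ", hits=$hits required=$req");
}
```

The listener name on its own says nothing about who is connecting (a TLSMTA session is merely encrypted), which is why the fragment only skips scanning when the session also authenticated. The internal_networks shortcut carries the risk Jan-Pieter describes: a mistaken or over-broad entry silently turns into a scanning bypass for every host in that range, so the parsed list is worth re-checking whenever local.cf changes.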
