[milters] Archive


Article: 377
From: Anthony Howe
Date: 2010-03-21 06:23:22 -0400
Subject: Re: milter-spiff and accessdb question

On 21/03/2010 00:27, Geoff Adams whispered from the shadows...:
> Perhaps you should add a note to the milter-spiff documentation page
> explaining that distinction. The section that follows suggests that
> "RELAY" will cause white-listing, which is apparently not true unless
> you set that option:

Well, all my milters tend to share some common (and undocumented)
functionality and thus certain sections of the documentation are
boilerplate. BTW the common undocumented options and their brief
description do appear in the +help output towards the end. This is why I
always suggest people generate and edit a default .cf file, so that they
can see ALL the options:

	milter-name +help >/etc/mail/milter-NAME.cf

Now some time back, about three years ago, an issue concerning RELAY
was brought up. Looking back in the libsnert CHANGES.TXT I find that
version 1.64 had this to say about why you might not always want to
treat RELAY like OK:

   +	Added smdb-relay-ok option. When enabled, a right hand side
   	access.db value of RELAY will be treated the same as a white
   	list OK value, which is technical correct according to the
   	sendmail definition. However, some sites want to "filter before
   	relay" and so do not want to treat RELAY as a white list entry.

So I add the common option to the milters and let the postmasters
determine how it should be. Now since I have about 21 milters last
count, I opted not to go through and change the text in all the
documentation and deal with the exceptions. Just more work than I had in
mind to do.

> Is there ever a case where one wouldn't want the +smdb-relay-ok
> behavior?

In the specific case of milter-spiff, given how SPF works, there are two
ways to solve this. Assuming 192.0.2.1 is your second MX, most likely
outside your control you could:

	+smdb-relay-ok
	Connect:192.0.2.1		RELAY

Or you could

	milter-spiff-connect:192.0.2.1	OK
	Connect:192.0.2.1		RELAY

The former would always treat RELAY the same as OK for ALL sendmail entries.
The latter would make a targeted exception for a specific host.

Generally it's a bad idea to use the former case as it can be too broad
and can let spam by-pass filters. For example, in milter-spamc it would
be a _bad_ idea to use +smdb-relay-ok, since spammers are known to try
secondary MXes on the off chance that mail from the secondary is
blindly accepted by the primary MX. Not a problem if you have control
over both MXes and implement the same level of spam protection, but
really bad if the secondary is outside of your control and has weaker
protection. (My mail server is in this latter case: primary under my
control, secondary outside my hands.)

In milter-spiff, though, +smdb-relay-ok won't have adverse issues, since
it is most likely one in a suite of defences, not just the only one.

-- 
Anthony C Howe            Skype: SirWumpus                  SnertSoft
+33 6 11 89 73 78       Twitter: SirWumpus      BarricadeMX & Milters
http://snert.com/      http://nanozen.info/     http://snertsoft.com/
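The two configurations Anthony contrasts above, modelled as an added example (this is not SnertSoft or libsnert code): a toy access.db lookup that shows why a global +smdb-relay-ok whitelists every RELAY host for a given milter, while a milter-specific "milter-spiff-connect:" entry whitelists only the one secondary MX. The lookup order (milter-specific tag consulted before the generic Connect: tag), the exact key syntax, and the sample entries are assumptions made for the demonstration.

```python
# Added illustration, not SnertSoft code: a toy model of how a libsnert-style
# milter might consult sendmail's access.db for a connecting IP. It contrasts
# the global +smdb-relay-ok switch with a targeted milter-NAME-connect: entry.
# Lookup order (milter-specific tag before Connect:) and key syntax are
# assumptions for this demo, not a statement of the real smdb implementation.

from typing import Optional, Tuple, List

# Constructed sample access.db contents (key -> right-hand-side value).
ACCESS_DB = {
    "milter-spiff-connect:192.0.2.1": "OK",  # targeted exception for the 2nd MX
    "Connect:192.0.2.1": "RELAY",            # sendmail: allow relaying from 2nd MX
    "Connect:198.51.100.7": "RELAY",         # another relay-permitted host (constructed)
    "Connect:203.0.113.9": "REJECT",         # a blocked host (constructed)
}


def lookup(db: dict, milter: str, ip: str) -> Optional[Tuple[str, str]]:
    """Return (key, value) of the first matching entry.

    The milter-specific tag is tried first, then the generic sendmail
    Connect: tag (assumed precedence for this demo).
    """
    for key in (f"{milter}-connect:{ip}", f"Connect:{ip}"):
        if key in db:
            return key, db[key]
    return None


def whitelisted(db: dict, milter: str, ip: str, smdb_relay_ok: bool = False) -> bool:
    """True if the milter should skip its filtering for this connection."""
    hit = lookup(db, milter, ip)
    if hit is None:
        return False
    _, value = hit
    if value == "OK":
        return True
    if value == "RELAY":
        # RELAY only counts as a whitelist entry when the postmaster enabled
        # +smdb-relay-ok; "filter before relay" sites leave it off.
        return smdb_relay_ok
    return False


def relay_hosts_skipped(db: dict, milter: str, smdb_relay_ok: bool) -> List[str]:
    """List every RELAY host whose mail would bypass this milter's filtering.

    Shows how broad the global switch is compared with a targeted entry.
    """
    skipped = []
    for key, value in db.items():
        if key.startswith("Connect:") and value == "RELAY":
            ip = key.split(":", 1)[1]
            if whitelisted(db, milter, ip, smdb_relay_ok):
                skipped.append(ip)
    return sorted(skipped)


if __name__ == "__main__":
    for milter in ("milter-spiff", "milter-spamc"):
        for flag in (False, True):
            print(milter, "+smdb-relay-ok" if flag else "-smdb-relay-ok",
                  "skips filtering for:", relay_hosts_skipped(ACCESS_DB, milter, flag))
```

With the flag off, milter-spiff skips filtering only for 192.0.2.1 (the targeted OK entry) and milter-spamc skips nothing; with the flag on, both milters skip every RELAY host, which is the "too broad" outcome the reply warns about for milter-spamc.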
