Mailing List CGatePro@mail.stalker.com Message #92248
From: John Rudd <jrudd@ucsc.edu>
Subject: Re: port 587 and authentication
Date: Wed, 15 Aug 2007 20:32:13 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Karl Zander wrote:
On Wed, 15 Aug 2007 16:13:18 -0700
 Thom O'Connor <thom@communigate.com> wrote:
From: Jeremy Webber

SMTP Authentication is usually always offered. The client MTA or MUA may
choose to use it, or not. If the client MTA/MUA does not authenticate,
then CommuniGate Pro checks the (1) source IP of the connection and the
(2) recipient. If the recipient is a local address, the MTA (such as
CommuniGate Pro) by default always accepts the message.

This is how Internet-based e-mail functions on all "non-Client-IP" (and
non-relay) SMTP traffic.

So, in short - you don't need to configure SMTP Auth at all. Just
configure these SMTP Listener ports:

Port     Init SSL/TLS
----------------------
25       off
465      on
587      off

And you're ready to go...

I'm confused... for a domain, the Domain Settings offer an option to "Force SMTP AUTH for:" for nobody, non-clients, clients, everybody. Is that not forcing the use of SMTP AUTH if non-clients, clients or everybody is selected?

If I recall correctly, there's a loophole in "Force SMTP AUTH for", in that if the message is headed to a local recipient (possibly only from a non-local return-path), then it won't force SMTP AUTH.

In some regard, that makes sense: remote senders can't authenticate to your systems, so why would you force them to do SMTP AUTH?  That requirement would make it so that your users can't receive any email from the outside world.

But the problem is: if you have a front-line anti-spam/anti-virus system (an appliance, a gateway host, etc.), then this loophole means that spammers and viruses can bypass that front-line system (depending upon your exact network topology).  That's bad.

The way to close this loophole is: blacklist the entire planet. Put 0.0.0.1-255.255.255.255 in your CGP blacklist range. Then make sure your front-line system(s), any local automated mail generators, etc., are in the CGP client list. The result is: your users will have to use SMTP-AUTH in order to submit any email, and remote senders will only be able to submit messages to your front-line systems (which will bypass the blacklist due to being in your client list; and their messages won't require SMTP-AUTH because they all have local destinations).
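To make the loophole and the "blacklist everything, whitelist the gateway" fix concrete, here is a small model of the acceptance decision as the thread describes it. This is an added illustration, not CommuniGate Pro's code; the rule order (authentication checked first, client-list membership overriding the blacklist, local recipients never forced to authenticate) is an assumption drawn from the messages above, and the addresses and the `0.0.0.0/0` blacklist entry are constructed stand-ins for the ranges John mentions.

```python
import ipaddress

# Constructed example configurations (not from any real CGP install).
CLIENT_LIST = ["192.0.2.10/32"]      # front-line anti-spam/anti-virus gateway
BLACKLIST_ALL = ["0.0.0.0/0"]         # "blacklist the entire planet" as one CIDR
OPEN_BLACKLIST = []                   # the default: nobody blacklisted


def _in_ranges(ip, ranges):
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def submission_decision(source_ip, authenticated, recipient_local,
                        client_ranges, blacklist_ranges, force_auth_for):
    """Model of the SMTP submission decision described in the thread.

    Returns one of 'accept', 'require-auth', 'reject-blacklisted',
    'reject-relay'. The ordering below is an assumption, not CGP's code.
    """
    is_client = _in_ranges(source_ip, client_ranges)

    # An authenticated session is always accepted (users keep working
    # even when the whole address space is blacklisted).
    if authenticated:
        return "accept"

    # Client-list membership bypasses the blacklist; everyone else is
    # checked against it.
    if not is_client and _in_ranges(source_ip, blacklist_ranges):
        return "reject-blacklisted"

    forced = (force_auth_for == "everybody"
              or (force_auth_for == "non-clients" and not is_client)
              or (force_auth_for == "clients" and is_client))

    # The loophole: a message to a local recipient is accepted without
    # SMTP AUTH regardless of the "Force SMTP AUTH for" setting.
    if recipient_local:
        return "accept"

    if forced:
        return "require-auth"

    # Unauthenticated relay to a remote recipient: clients only.
    return "accept" if is_client else "reject-relay"


def walk_through():
    """Compare the open default with the closed configuration."""
    spammer, gateway, user = "203.0.113.5", "192.0.2.10", "198.51.100.7"
    return {
        # Default config: the spammer reaches a local mailbox directly,
        # skipping the gateway, even with force_auth_for="everybody".
        "open/spammer->local": submission_decision(
            spammer, False, True, CLIENT_LIST, OPEN_BLACKLIST, "everybody"),
        # Closed config: only the gateway may deliver unauthenticated.
        "closed/spammer->local": submission_decision(
            spammer, False, True, CLIENT_LIST, BLACKLIST_ALL, "everybody"),
        "closed/gateway->local": submission_decision(
            gateway, False, True, CLIENT_LIST, BLACKLIST_ALL, "everybody"),
        # Users must authenticate to submit anything at all.
        "closed/user-unauth->remote": submission_decision(
            user, False, False, CLIENT_LIST, BLACKLIST_ALL, "everybody"),
        "closed/user-auth->remote": submission_decision(
            user, True, False, CLIENT_LIST, BLACKLIST_ALL, "everybody"),
    }


if __name__ == "__main__":
    for case, outcome in walk_through().items():
        print(f"{case:28} {outcome}")
```

The point the model makes visible is that "Force SMTP AUTH for: everybody" alone does not stop direct delivery to local mailboxes; it is the blacklist-plus-client-list combination that forces every unauthenticated inbound path through the front-line system.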
