question about acl_connect

Nerigal (Verified User, joined Jul 6, 2009, 124 messages)
Question about how to make acl_connect test whether the host is local or remote;
if local, the delay would be 0s, else 3s.

begin acl

acl_connect:
accept hosts = *
delay = 3s

thanks
Maybe I understand the request differently, but I think it would be a good idea to differentiate the delay based on whether a sender is authenticated or not.

EDIT. It's not possible to do any of these checks before acl_smtp_rcpt
As user interfasys points out, you can't tell at connect time if a sender is going to authenticate or not. Which is why I recommend nolisting, which works through mx; local connections don't use mx.

Jeff
 
> As user interfasys points out, you can't tell at connect time if a sender is going to authenticate or not. Which is why I recommend nolisting, which works through mx; local connections don't use mx.
>
> Jeff

The fact that we can't manage the delay of acl_connect between local users and remote ones is more a "performance problem" than a lack of security...

But adding every local user to the whitelist of a web server would seriously be a security problem, same as the ...
accept hosts = *
delay = 0s

and a serious pain to do when you have 12 servers with +-500 users each.

With a custom configuration that permits
accept hosts = external hosts
delay = 3s
this would only be needed when you set up/update a new/old server... that's it.

And about authentication...
Mailing lists sent by local users from their web hosting will be sent using the apache user, which has no authentication...
How would you recommend getting a list of external hosts? I presume you mean for every host except the server's hostname.

Note that we get similar (better? I think so) results using nolisting; it's unlikely I'd switch to a delay, but I could include it (untested) for others depending on how you'd look it up.

I just don't feel like keeping every connection from outside open for three seconds; I believe that would cause an increase in server load, while with nolisting (lowest-cost MX to a server without port 25 open) there's no extra load at all.

Jeff
 
> How would you recommend getting a list of external hosts? I presume you mean for every host except the server's hostname.
>
> Note that we get similar (better? I think so) results using nolisting; it's unlikely I'd switch to a delay, but I could include it (untested) for others depending on how you'd look it up.
>
> I just don't feel like keeping every connection from outside open for three seconds; I believe that would cause an increase in server load, while with nolisting (lowest-cost MX to a server without port 25 open) there's no extra load at all.
>
> Jeff

I'm not sure at all about this, but maybe something like

accept hosts = trusted_users : localhost
delay = 0s

or something similar but functional... lol
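The opening question (no delay for local connections, 3s for everything else) and the `trusted_users : localhost` idea just above can be expressed with an Exim host list instead of per-user whitelist entries, which also answers the "12 servers with 500 users each" concern because the match is on the connecting host, not on the user. The fragment below is an added example, not configuration from this thread or from DirectAdmin's own exim.conf; the list name `local_hosts`, the ACL name `acl_check_connect` and the contents of `relay_from_hosts` are this example's own choices.

```exim
# Added example, not from this thread: delay the SMTP banner only for
# connections that do not come from the server itself or a trusted host.
# These lines belong in the main section, before "begin acl".

# In an Exim host list, @[] matches every IP address of the local host.
# The list name "local_hosts" is chosen for this example; add any other
# trusted networks here (e.g. a backup MX) using CIDR notation.
hostlist local_hosts = 127.0.0.1 : ::1 : @[]

# Hosts allowed to relay; contents are assumed for this example.
hostlist relay_from_hosts = 127.0.0.1 : ::1

# Run our ACL when a client connects, before the 220 banner is sent.
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  # Local and relay-allowed hosts are accepted immediately: 0s delay.
  accept hosts = +local_hosts : +relay_from_hosts

  # Everyone else is accepted too, but only after a 3 second pause.
  # The socket stays open for those 3 seconds, which is the extra
  # load Jeff refers to when comparing this with nolisting.
  accept delay = 3s
```

Two caveats worth knowing before relying on this. First, the `apache` case raised above only matters if the web server actually opens an SMTP connection to the mail server: mail handed to Exim through the local `sendmail` command never passes through `acl_smtp_connect` at all (it is subject to `acl_not_smtp` instead), and a PHP script that does use SMTP to 127.0.0.1 is already covered by `local_hosts`. Second, if you want interfasys's suggestion as well, `+auth_relay_hosts` can simply be appended to the `accept hosts =` line; authentication itself still cannot be tested here, since at connect time no AUTH command has been seen yet.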
 
I'm confused as to what nolisting has to do with anything in this case...

After a sender has passed the nolisting test by identifying the correct mail server to connect to it will still get delayed by 3 seconds, like everybody else.

If one wants to make the difference between authorized senders and the rest, I suggest creating a rule that uses +auth_relay_hosts and the port that is in use if you manage to force your user to use a different port. Works like a charm.
 
> I'm confused as to what nolisting has to do with anything in this case...
>
> After a sender has passed the nolisting test by identifying the correct mail server to connect to it will still get delayed by 3 seconds, like everybody else.
>
> If one wants to make the difference between authorized senders and the rest, I suggest creating a rule that uses +auth_relay_hosts and the port that is in use if you manage to force your user to use a different port. Works like a charm.

apache is not an authenticated user, so I think +auth_relay_hosts is not enough.
 
> I'm confused as to what nolisting has to do with anything in this case...
>
> After a sender has passed the nolisting test by identifying the correct mail server to connect to it will still get delayed by 3 seconds, like everybody else.

We use nolisting instead of a 3 second delay, not along with a 3 second delay.

I'm sorry if I was confusing.

Jeff