Hi, all.
I'd like to know whether it is possible to bypass content_filter based
on whether someone has authenticated via SASL.
The situation:
I would like to build a machine that can function both to scrub
spam/viruses for incoming mail (to my clients) and handle outgoing mail
using SMTP-AUTH (from my clients) if they use port 25 (yes, I do know
about port 587, but getting that configured client-side takes a bit of
additional handholding to get the port changed). I was wondering
whether it is possible to bypass content filtering based on whether a
user has successfully authenticated to the machine. Since I do not have
additional IP addresses available to me, I have little choice but to use
the one IP address the machine has.
To simplify explanation, I'll show you a little step-by-step list of
what I'd like to do (plus I already have one other condition I'd like to
check for, which is whether the IP address connecting belongs to one of
my clients and is static, but I have already figured this out given the
docs):
1. Client connects.
2. My server checks to see if the IP address is one of those belonging
to a client.
3. It is? If so, then use the FILTER operation in an
access(5)-formatted file, which, as we know, overrides content_filter.
4. It isn't? If not, then did the connection use SASL with an
established account?
5. It is (assuming the authentication process had a positive outcome)?
If so, then bypass the "content_filter" directive.
6. It isn't (it is an outside client IP address AND either did not
use authentication or authentication failed)? If not, filter it as if
it were any other incoming mail.
Any thoughts on this one? I'm probably going to invite criticism on
this one because of possible ways of subverting this setup, but that's a
risk I'm willing to take.
Thanks!
--Ian.
--
Ian R. Justman
UNIX hacker. Anime fan. Any questions?
ianj (at) ian-justman.com
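The two mechanisms the post leans on, an access(5) FILTER action keyed on the client address and Postfix's per-service content_filter override, look like this in configuration. This is an added example, not configuration from the original post or from the Postfix project; the filter transport name (smtp-amavis on 127.0.0.1:10024), the second "outbound" listener on port 10026, and the client addresses 192.0.2.10 and 198.51.100.0/24 are constructed placeholders, and it goes slightly beyond the post by also showing the master.cf override, which is the documented way to get an unfiltered path without an access map.

```conf
# ---- /etc/postfix/main.cf (added example; transport names are assumed) ----
# Default: everything arriving on port 25 goes through the content filter.
content_filter = smtp-amavis:[127.0.0.1]:10024

# Evaluate the client-address map first (steps 2-3 of the post), then let
# SASL-authenticated sessions and local networks proceed. check_client_access
# with a FILTER result overrides content_filter for that message only.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_access.cidr,
    permit_sasl_authenticated,
    permit_mynetworks,
    permit

# ---- /etc/postfix/client_access.cidr (constructed sample entries) ----
# A cidr: table needs no postmap; the right-hand side is an access(5) action.
# Static addresses of known clients are routed through a second filter
# listener (assumed to exist on port 10026) instead of the default one.
# Note the trust model: this decision rests on the source IP alone, so it
# only belongs on addresses that are static and really are your clients'.
192.0.2.10/32        FILTER smtp-amavis:[127.0.0.1]:10026
198.51.100.0/24      FILTER smtp-amavis:[127.0.0.1]:10026

# ---- /etc/postfix/master.cf (documented alternative for an unfiltered path) ----
# A dedicated smtpd service can drop the content filter entirely with an
# empty content_filter; it is shown here on the submission port, which the
# post prefers to avoid, but the same "-o" override works on any listener.
submission inet n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=
```

To check which action a given client address will get before reloading, query the table directly with `postmap -q 192.0.2.10 cidr:/etc/postfix/client_access.cidr` (it prints the FILTER line for a match and nothing for a miss), then `postfix reload`. After that, `grep 'filter' /var/log/mail.log` on a test message shows whether it was handed to the 10024 or 10026 listener, which is the quickest way to confirm the override took effect.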