On 15 May 2017, at 16:21, Linda Pagillo wrote:
> Hi guys. I'm not sure if this is a possibility, but is there a way to
> disable a milter from scanning a message from an authenticated sender?

Yes, but only by segregating all authenticated senders to their own
smtpd configuration. Typically that's port 587 -- initial message
submission -- which should require TLS and authentication to send.

> I may have asked this before, but I'm not sure if I asked the correct
> questions. I'm using the SNF-milter and it scans all incoming and
> outgoing messages on all outbound ports which I think is a Postfix
> setting because there is nowhere to specify this in the milter itself.
> Customers authenticate with the server to send on ports 25, 587, 993,
> 995 and 465.

993 and 995 are TLS-wrapped IMAP and POP respectively, so while your
users MAY be submitting mail there using some POP or IMAP extension,
that is unlikely and such initial submission isn't being handled by
Postfix.
465 was proposed for SSL-wrapped SMTP and never standardized except via
implementation by overeager vendors. If you can retire its use, you
should: 20 years of tolerating a bad idea is enough. If you must retain
port 465 for customers running 12-year-old mail clients that can't do
TLS on port 587, its master.cf entry (smtps) should look much like that
for submission.
Port 25 is really for inbound mail. The fact that it was ever used for
initial message submission has always been a bit of a kludge, and
there's no sound reason for continuing that today, given that we have a
mature standard for SMTP-like submission via port 587 which is supported
by any reasonably modern mail client.
In short: don't offer authentication on port 25, require it (and
encryption) on port 587, turn off port 465, and tell all your users to
use port 587 for message submission. The canonical way to do this is to
put all of your port 25 configuration in main.cf and use '-o' arguments
in the 'submission' entry of master.cf to make the needed adjustments to
spare messages submitted by authenticated users the indignity of
filtering (e.g. "-o smtpd_milters="
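
The layout recommended in the reply above, as an added example that is not part of the original message: a constructed master.cf fragment plus a small Python check that the submission entry empties smtpd_milters and requires TLS and authentication. The helper names (parse_master_cf, audit_submission) and the chosen restriction value are assumptions made for illustration.

```python
# Constructed master.cf fragment: port 25 inherits main.cf, submission overrides it.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=
"""

def parse_master_cf(text):
    """Map 'service/type' to its -o overrides (only the '-o name=value' form)."""
    entries = []
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for line in lines:
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()  # leading whitespace = continuation
        else:
            entries.append(line.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        args = fields[8:]  # skip the 7 control columns and the command name
        overrides = {}
        for flag, arg in zip(args, args[1:]):
            if flag == "-o":
                name, _, value = arg.partition("=")
                overrides[name] = value
        services[f"{fields[0]}/{fields[1]}"] = overrides
    return services

def audit_submission(services):
    """Return findings where the submission setup departs from the advice above."""
    sub = services.get("submission/inet", {})
    findings = []
    if sub.get("smtpd_milters") != "":
        findings.append("smtpd_milters not emptied: submissions still go through the milter")
    if sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is not mandatory on submission")
    # Heuristic (assumption): a restriction list that permits SASL users, then rejects.
    enforced = any(k.endswith("_restrictions") and "permit_sasl_authenticated" in v
                   and v.endswith("reject") for k, v in sub.items())
    if sub.get("smtpd_sasl_auth_enable") != "yes" or not enforced:
        findings.append("authentication is not required on submission")
    if "smtps/inet" in services:
        findings.append("smtps (port 465) is still enabled")
    return findings

print(audit_submission(parse_master_cf(SAMPLE_MASTER_CF)) or "submission entry matches the advice")
```

The check reads only master.cf overrides, so settings that reach the submission service through main.cf or through `$variable` references are not resolved.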