Thank you so much for this information, Bill. It is very much appreciated!

On Mon, May 15, 2017 at 4:52 PM, Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:
> On 15 May 2017, at 16:21, Linda Pagillo wrote:
>
>> Hi guys. I'm not sure if this is a possibility, but is there a way to
>> disable a milter from scanning a message from an authenticated sender?
>
> Yes, but only by segregating all authenticated senders to their own smtpd
> configuration. Typically that's port 587 -- initial message submission --
> which should require TLS and authentication to send.
>
>> I may have asked this before, but I'm not sure if I asked the correct
>> questions. I'm using the SNF-milter and it scans all incoming and outgoing
>> messages on all outbound ports which I think is a Postfix setting because
>> there is nowhere to specify this in the milter itself. Customers
>> authenticate with the server to send on ports 25, 587, 993, 995 and 465.
>
> 993 and 995 are TLS-wrapped IMAP and POP respectively, so while your users
> MAY be submitting mail there using some POP or IMAP extension, that is
> unlikely and such initial submission isn't being handled by Postfix.
>
> 465 was proposed for SSL-wrapped SMTP and never standardized except via
> implementation by overeager vendors. If you can retire its use, you should:
> 20 years of tolerating a bad idea is enough. If you must retain port 465
> for customers running 12-year-old mail clients that can't do TLS on port
> 587, its master.cf entry (smtps) should look much like that for
> submission.
>
> Port 25 is really for inbound mail. The fact that it was ever used for
> initial message submission has always been a bit of a kludge, and there's
> no sound reason for continuing that today, given that we have a mature
> standard for SMTP-like submission via port 587 which is supported by any
> reasonably modern mail client.
>
> In short: don't offer authentication on port 25, require it (and
> encryption) on port 587, turn off port 465, and tell all your users to use
> port 587 for message submission. The canonical way to do this is to put all
> of your port 25 configuration in main.cf and use '-o' arguments in the
> 'submission' entry of master.cf to make the needed adjustments to spare
> messages submitted by authenticated users the indignity of filtering (e.g.
> "-o smtpd_milters="
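
The layout described in the quoted reply, written out as an added example that is not part of the thread: main.cf carries the port 25 settings, including the milter, and the submission entry in master.cf overrides them with -o. The milter socket path is a placeholder, and the TLS and SASL overrides are standard Postfix parameters assumed here to implement "require authentication and encryption on port 587".

```conf
# ---- main.cf: defaults, inherited by the port 25 listener ----

# Placeholder socket path; use the address your SNF-milter actually listens on.
smtpd_milters = unix:/PLACEHOLDER/snf-milter.sock

# Do not offer AUTH on port 25.
smtpd_sasl_auth_enable = no


# ---- master.cf: one smtpd service per port ----

# Port 25: inbound mail, no overrides, so the milter from main.cf applies.
smtp       inet  n       -       n       -       -       smtpd

# Port 587: authenticated submission only.
# smtpd_tls_security_level=encrypt refuses mail before STARTTLS.
# smtpd_client_restrictions rejects every client that has not authenticated.
# The empty smtpd_milters= turns off ALL milters for this service, so any
# other milter listed in main.cf is skipped here as well.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=

# Port 465: left disabled, as recommended in the reply.
#smtps     inet  n       -       n       -       -       smtpd
```

After `postfix reload`, `postconf -P 'submission/inet/smtpd_milters'` (Postfix 2.11 or later) prints the override in effect for the submission service.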