On Fri, 1 Sep 2006, John Peacock wrote:

> Lars Roland wrote:
> > While setting up a DNS blacklist filter it looks like the dnsbl plugin
> > isn't blacklisting the remote IP, if the sending MTA is using qpsmtpd's
> > TLS plugin.
>
> I think you mean if the sending MTA uses TLS (it doesn't have to be qpsmtpd).  I
> test with swaks, which should have the same behavior.
>
> I think this falls under the more general issue that plugins which fire during
> connect are wiped out when TLS is initiated, since *all* information about the
> client before TLS is started must be ignored after TLS has been negotiated.

I believe that is a misinterpretation of the RFCs. All information about the SMTP transaction obtained from the client must be discarded, but there is nothing which says that connection information must be discarded. Moreover, the RFCs are only concerned with correct delivery of email. We are concerned with discrimination of ham from spam, and additional information may help us. It's important, however, that we only use post-TLS information for authentication, authorization and sender and recipient address determination.

> See the thread here:
>
>         http://www.nntp.perl.org/group/perl.qpsmtpd/5371
>
> about "Connection notes across TLS?" for more details and a possible solution...

I think that connection notes should be preserved over TLS, and only transaction should be discarded.
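As an added illustration (not code from this thread or from qpsmtpd), a small Python model of the state split the reply argues for: facts derived from the TCP connection itself, such as the peer address and the DNSBL verdict looked up from it, survive STARTTLS, while everything the client asserted before TLS is discarded. The listed address, hostnames and hook-style functions are constructed for the example; `wipe_connection_notes=True` models the reported behaviour where the verdict is lost along with the transaction.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Constructed sample blacklist standing in for a real DNSBL zone.
LISTED: FrozenSet[str] = frozenset({"192.0.2.10"})

@dataclass
class Session:
    remote_ip: str  # taken from the TCP socket, never asserted by the client
    connection_notes: Dict[str, str] = field(default_factory=dict)  # e.g. DNSBL verdict
    client_claims: Dict[str, str] = field(default_factory=dict)  # EHLO name
    transaction: Dict[str, str] = field(default_factory=dict)  # MAIL FROM etc.
    tls: bool = False

def dnsbl_lookup(ip: str) -> Optional[str]:
    """Stand-in for the DNS query a dnsbl plugin issues at connect time."""
    return "listed" if ip in LISTED else None

def on_connect(s: Session) -> None:
    verdict = dnsbl_lookup(s.remote_ip)
    if verdict:
        s.connection_notes["dnsbl"] = verdict

def on_starttls(s: Session, wipe_connection_notes: bool) -> None:
    """TLS negotiated: discard what the client told us before the handshake.

    wipe_connection_notes=True models the behaviour the thread reports, where
    connection-level notes are dropped too and the DNSBL verdict goes with them.
    """
    s.client_claims.clear()
    s.transaction.clear()
    if wipe_connection_notes:
        s.connection_notes.clear()
    s.tls = True

def on_rcpt(s: Session) -> str:
    """Policy check at RCPT TO, based only on connection-level facts."""
    return "550 connection IP is blacklisted" if s.connection_notes.get("dnsbl") else "250 OK"

def run(remote_ip: str, wipe_connection_notes: bool) -> str:
    """Drive one session: connect, EHLO, MAIL FROM, STARTTLS, RCPT TO."""
    s = Session(remote_ip=remote_ip)
    on_connect(s)
    s.client_claims["ehlo"] = "mx.example.invalid"
    s.transaction["mail_from"] = "sender@example.invalid"
    on_starttls(s, wipe_connection_notes)
    assert s.tls and not s.client_claims and not s.transaction
    return on_rcpt(s)
```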
