> On 12/17/2010 10:15 AM, Kris Deugau wrote: > > Ted Mittelstaedt wrote: > >> I know that, Sendmail adds the same flag when setup for auth SMTP. > The > >> problem is that SA will see this and assume the mail is safe. > > > > Noooo.... if your trust path is set correctly, then SA won't run > tests > > like eg PBL (IP blocks designated by the nominal owner as "not > allowed > > to send SMTP traffic to world+dog"). It does NOT mean SA treats the > mail > > as "safe". > > > > That doesn't help us you see because we have users who send mail that > is constructed in such a way as it will trigger the other SA tests, > yet they insist on being allowed to send it.
Is it spam, maybe? Note you can craft a rule such that authenticated in-bound mail may get some negative points, such that even spam-looking messages may pass. > >> In the versions of SA I have used, SA will assume the mail is safe > >> no matter what Received line in the header has the auth indicator > >> set. They may have fixed that in the most recent SA but I don't > >> believe so, > > > > *scratch head* I've never had problems with mistaken RBL hits > > It's not the RBL hits that are the problem. Uhu? Wasn't this thread about this? > > as the OP > > is asking about *if* I've got my *_networks set correctly. Earlier > this > > year I discovered an edge case with our "accelerated dialup" service > and > > had to make some adjustments to the trust path to include the > > accelerator host as an MSA - but previous to that the setup had been > > working correctly. > > > >> and even if they did then what if SA is running on a > >> prefilter server in front of an Exchange server for example? > > > > I have no idea what scenario you're referring to here - inbound mail? > > The OP is asking about outbound mail; and so far as your own > filtering > > is concerned, (especially) if you're an ISP your spam filter really > > shouldn't penalize customers who send mail directly through the SMTP > > server you provide, whether that's separate from your MX(es) or not. > > > > Exactly my point. The problem I have had with SA as I said in my > original response is that even if you use authenticated SMTP that > setting the auth flag in the received header simply didn't work. > Even when it is there, SA still filtered. If you say that setting > the flag only makes SA skip the RBL checks then I believe you, > but what is the point, the RBL checks aren't the issue. The > filtering is the issue. > > It is possible this is because I use sa-milter. It is possible > this is because I have an older SA version that's been fixed now. So, it had issues with PBL too? > There's many possibilities. But, whatever the problem, the > easy fix was using a separate machine for auth-smtp and not > running SA on it. It was > only a few years later after doing this when I stated seeing the > spammers cracking auth-smtp passwords, that I realized how many > OTHER benefits to using a separate auth-smtp server that there are. In example, having all that spam from cracked accounts to pass without earning any score... Isn't this exactly the benefit on gets SA-filtering also authenticated messages? Also, most SA spawners (like amavis-new, in example) may even drop and/or send you alerts when a message is earning too many spam points. Amavis-new also has banks, which lets you tune the handling of a suspicious message based on the its direction (inbound or submitted for outbound).
