
Thread: Skipping SA on TLSMTA connections?




Skipping SA on TLSMTA connections?
user name
2006-11-23 22:32:49
Jan-Pieter Cornet wrote:

> On Thu, Nov 23, 2006 at 12:48:34PM -0700, Philip Prindeville wrote:
>
>> Hey, that's how it comes out-of-the-box from sendmail.org: it's
>> set in /etc/mail/submit.mc on my machine.
>
> What platform is that? I can't find any mention of it on debian
> nor on freebsd. Not even of the (sub-standard) port 465, sendmail
> seems to come default listening on 25 and 587 (submission). 465
> is deprecated because it is SSL only, not TLS. It's commonly added
> because lots of clients still cannot do TLS, only direct SSL.

This is on FC5. Quoting:

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')


Ok, so I'll 'dnl' the:

dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

back, and un-dnl the:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

and see what happens.



>>> I don't really understand all the fuss about applying micropatches to
>>> the examples/suggested-minimum-filter-for-windows-clients file. As the
>>> name implies, it's an EXAMPLE and a SUGGESTION.
>>
>> Well, I do generate diffs after each update, and then patch them back in.
>>
>> Ideally it would be nice if MdF could peek into the SA configs in this
>> case, figure out the values of "internal_networks", and then skip the test
>> for clients on those subnets.
>
> I'm sure some large company from washington would ship it this way, yes.
> But given the ways in which this can go wrong and the difficulty of
> determining sane "internal_networks", and the ease with which this can
> be changed while installing, I'd recommend against it.
>
> It would probably be better if the example filter came in a number of
> pluggable modules, where you could easily add extra modules or replace
> existing modules by providing your own version in another directory.
> But then again I'm biased, because I wrote a modular filter framework.

Yes! People that want to do additional scripting should be able
to, but for most, simply configured knobs and dials should be
adequate.

If we want people to eradicate spam, MdF needs to be made more
accessible to the unwashed masses.

Not convinced that better integration of SA and MdF settings is a
bad thing, but I do agree that getting internal_networks right is
something a lot of people seem to botch up.

-Philip


_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Skipping SA on TLSMTA connections?
user name
2006-11-23 23:06:59
Philip Prindeville wrote:

> dnl # The following causes sendmail to additionally listen to port 465, but
> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
> dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
> dnl #
> dnl # For this to work your OpenSSL certificates must be configured.
> dnl #
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> dnl #


That's kind of funny.  "starting immediately in TLS mode" is not "TLS".
It's SSL.  They should have named that "SSLMTA" not "TLSMTA".

But that's just me being picky.

I wouldn't dnl it.  I might change the Name, but you don't really have
to disable it.




Skipping SA on TLSMTA connections?
user name
2006-11-23 23:59:04
On Thu, Nov 23, 2006 at 03:32:49PM -0700, Philip Prindeville wrote:
> This is on FC5. Quoting:
>
[...]
> dnl # The following causes sendmail to additionally listen to port 465, but
> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
> dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
> dnl #
> dnl # For this to work your OpenSSL certificates must be configured.
> dnl #
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

[...]

> Ok, so I'll 'dnl' the:
>
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>
> back, and un-dnl the:
>
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> and see what happens.

Well, if you have clients that depend on port 465 being enabled,
they will complain.

Also, I have to retract some of my words. I incorrectly assumed that
TLS would always start cleartext, until the STARTTLS command (as explained
in the comments above), but apparently a TLS connection can start encrypted,
so TLSMTA isn't that wrong after all. (See wikipedia on "Transaction
Level Security").

But it's not standard, I think redhat/fedora made up the "TLSMTA" name.

[...configuration issues...]
 
> Yes! People that want to do additional scripting should be able
> to, but for most, simply configured knobs and dials should be
> adequate.
>
> If we want people to eradicate spam, MdF needs to be made more
> accessible to the unwashed masses.
>
> Not convinced that better integration of SA and MdF settings is a
> bad thing, but I do agree that getting internal_networks right is
> something a lot of people seem to botch up.

I'm not convinced MIMEDefang is the ideal spam eradication product
for the unwashed masses.

--
Jan-Pieter Cornet <johnpc@xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
Skipping SA on TLSMTA connections?
user name
2006-11-24 08:32:32
On Thu, 23 Nov 2006, John Rudd wrote:

> Philip Prindeville wrote:
>
>> dnl # The following causes sendmail to additionally listen to port 465, but
>> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
>> dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
>> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
>> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
>> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
>> dnl #
>> dnl # For this to work your OpenSSL certificates must be configured.
>> dnl #
>> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>> dnl #
>
> That's kind of funny.  "starting immediately in TLS mode" is not "TLS".  It's
> SSL.  They should have named that "SSLMTA" not "TLSMTA".
>
> But that's just me being picky.
>
> I wouldn't dnl it.  I might change the Name, but you don't really have to
> disable it.

Last time I tried, sendmail did not recognize an SSL connection, I had to
use stunnel to wrap the connection. Insofar, it makes no sense.

Bye,

--
Steffen Kaiser
Skipping SA on TLSMTA connections?
user name
2006-11-24 19:06:44
Steffen Kaiser wrote:

> Last time I tried, sendmail did not recognize an SSL connection, I had to
> use stunnel to wrap the connection. Insofar, it makes no sense.

Well, I'm using it with T-bird and it works just fine.

I'm using the:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

on the server.

What I haven't figured out is how to configure all of the
workstations at the company to use 587 for submission to the
mailhost, with certificates for authentication... but
without running a listener (i.e. each of the workstations
or servers runs logwatch nightly and submits daily reports,
but doesn't ever accept incoming SMTP connections).

Not positive that a queue runner is strictly necessary either,
except in the case where mailhost is down for PM at the
time that the reports are generated (otherwise, they'll
simply be dropped).

Tried running the internal workstations with submitting on
port 25 to the mailhost instead, but it was running MdF on
the logwatch reports... and they were being flagged as Spam.

Sigh.

-Philip




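As an added example (not code from this thread, nor from MIMEDefang or sendmail), a filter_begin fragment for a Perl mimedefang-filter that does what Philip asks for: it skips SpamAssassin for connections that arrived on the submission listeners (the Name=MSA and Name=TLSMTA daemons quoted above), for SMTP-authenticated clients, and for relays inside SpamAssassin's internal_networks, which it reads from local.cf. It assumes the local.cf path shown, that sendmail exports the {daemon_name} and {auth_authen} macros to the milter (its default Milter.macros settings do), and that internal_networks lists only IPv4 addresses or CIDR blocks.

```perl
use Socket qw(inet_aton);

my $SA_LOCAL_CF = '/etc/mail/spamassassin/local.cf';  # assumed location of the SA config
my @SkipSADaemons = qw(MSA TLSMTA);  # Name= values of the submission daemons quoted above

# Collect every internal_networks entry from the SA config as [network, mask]
# pairs of 32-bit integers. Only IPv4 "a.b.c.d" and "a.b.c.d/bits" forms are handled.
sub parse_internal_networks {
    my ($path) = @_;
    my @nets;
    open(my $fh, '<', $path) or return @nets;  # no config => nothing is internal
    while (my $line = <$fh>) {
        next unless my ($specs) = $line =~ /^\s*internal_networks\s+(.+?)\s*$/;
        for my $spec (split /\s+/, $specs) {
            my ($addr, $bits) = split m{/}, $spec, 2;
            $bits = 32 unless defined $bits;
            my $packed = inet_aton($addr) or next;  # skip hostnames and malformed entries
            my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
            push @nets, [unpack('N', $packed) & $mask, $mask];
        }
    }
    close($fh);
    return @nets;
}

# True when the dotted-quad $ip falls inside any of the parsed networks.
sub ip_in_networks {
    my ($ip, @nets) = @_;
    my $packed = inet_aton($ip) or return 0;
    my $n = unpack('N', $packed);
    for my $net (@nets) {
        return 1 if (($n & $net->[1]) == $net->[0]);
    }
    return 0;
}

sub filter_begin {
    my ($entity) = @_;
    return unless $Features{'SpamAssassin'};
    my $daemon = $SendmailMacros{'daemon_name'} || '';  # Name= of the listener that took the connection
    my $authed = $SendmailMacros{'auth_authen'} || '';  # non-empty once the client did SMTP AUTH
    my $skip = (grep { $_ eq $daemon } @SkipSADaemons) || $authed ne ''
        || ip_in_networks($RelayAddr, parse_internal_networks($SA_LOCAL_CF));
    if ($skip) {
        md_syslog('info', "skipping SpamAssassin: daemon=$daemon auth=$authed relay=$RelayAddr");
        return;
    }
    my ($hits, $req, $names, $report) = spam_assassin_check();
    action_change_header('X-Spam-Score', "$hits (required $req) $names");
}
```

With this in place the nightly logwatch reports from internal workstations submitting on port 25 bypass SpamAssassin only when their addresses really are in internal_networks, which is exactly the setting Jan-Pieter warns is easy to get wrong, so the syslog line is there to audit what was skipped.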