On Wed, 2005-09-14 at 16:42 +0200, Pieter Ennes wrote:
> Is there a way to limit rfc 1413 callouts to non-authenticated connections?
I think not, because (from memory) the RFC1413 query occurs very early
on in the transaction, before the client will have had a chance to
authenticate.
If you could, then the mechanism you want is described in the expansion
variables section of the spec:-
$sender_host_authenticated: This variable contains the name (not
the public name) of the authenticator driver which successfully
authenticated the client from which the message was received. It
is empty if there was no successful authentication.
> This way, MUA's won't be bothered with a timeout when the callout is stuck
> in someones firewall.
The answer to this is to use the standard MSA port (port 587) for MUA to
MTA submission and to do something like this:-
rfc1413_hosts = *
rfc1413_query_timeout = ${if eq{$interface_port}{587}{0}{5}}
which will give (an untested) 5 second timeout for folks connecting to
ports other than 587 and no query for those on 587. You should also
have the (standard) ACL conditions so 587 *enforces* authentication (and
probably TLS).
There are other advantages such avoiding port 25 blocks.
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
