Auteur: W B Hacker Date: À: exim users Sujet: Re: [exim] acl black art help wanted
Ian Eiloart wrote: >
>
> --On 17 May 2009 13:40:46 +0800 W B Hacker <wbh@???> wrote:
>
>>
>>> Clearly my PC client cant have a verified HELO
>>> So how do I make the list ignore authenticated hosts ?
>>>
>
> You might want to think about running two servers. One for inbound mail,
> and one for message submission from authenticated hosts. The
> configuration for the latter should be simpler, since you can replace
> most anti-spam measures with rate-limiting measures.
>
> Given that the security model is quite different for authenticated
> accounts versus incoming mail, we've found it simpler to separate the
> configurations.
>
That was the OP's question.
My answer was further down...
I see value in more than one server in a University-sized environment in any
case - total volume aside, the *peaks* must be a RBK.
But otherwise?
Simple enough to just make use of the arrival port as part of the 'steering'.
- port 25 may have encryption, but should *never* accept 'member' auth.
(use port 24 when intra-pool wworkign with matching certs, auth handshaking etc)
- port 587 should *always* have BOTH (encryption and AUTH).
IF/AS/WHEN traffic TO port 587 is blocked by an ISP's firewall, port 25 will
have been long-since blocked, so there is no point in offering OR accepting
luser AUTH on it.