From stuart at bmsi.com  Fri Jul 13 10:01:07 2012
From: stuart at bmsi.com (Stuart D Gathman)
Date: Fri, 13 Jul 2012 10:01:07 -0400
Subject: [Pymilter] Discovering MTA interface port
Message-ID: <50002A23.8010707@bmsi.com>

It turns out that at least one problem could be neatly solved if only an
{if_port} macro were available in the connect callback.  It is only 2 or
3 lines of code to add it, but then there is the logistics of
maintaining a custom version of sendmail. 

The problem is that we track reputation by IP as well as domain.  Often,
IPs of public networks at airports, hotels, and such are banned (from
sending email) because of frequent abuse.  When a salesman travels, he
needs to send email from said airports and hotels - which should not be
a problem since he uses SMTP AUTH with his smartphone or tablet.  Except
that when I REJECT the banned IP in connect, he never gets a chance to
authenticate. 

Rather than delay the rejection until MAIL FROM, I would rather skip
banned IP checking altogether for connections on port 587 - which only
allows authenticated connections.  But milters don't seem to have any
way to get that information.

Does anyone have any ideas besides patching sendmail?  I went to
sendmail.org, but couldn't figure out where to send feature requests
(probably by design for such a popular product).


From tlyons at ivenue.com  Fri Jul 13 11:01:27 2012
From: tlyons at ivenue.com (Todd Lyons)
Date: Fri, 13 Jul 2012 08:01:27 -0700
Subject: [Pymilter] Discovering MTA interface port
In-Reply-To: <50002A23.8010707@bmsi.com>
References: <50002A23.8010707@bmsi.com>
Message-ID: <CAFG21oivZWE-zCYZk63+re8iAbiPYbPyQzE7qT4Y0Ub1-ok0=w@mail.gmail.com>

On Fri, Jul 13, 2012 at 7:01 AM, Stuart D Gathman <stuart at bmsi.com> wrote:
> It turns out that at least one problem could be neatly solved if only an
> {if_port} macro were available in the connect callback.  It is only 2 or
> Rather than delay the rejection until MAIL FROM, I would rather skip
> banned IP checking altogether for connections on port 587 - which only
> allows authenticated connections.  But milters don't seem to have any
> way to get that information.
>
> Does anyone have any ideas besides patching sendmail?  I went to

Grepping the m4 directories doesn't result in anything that looks useful.

> sendmail.org, but couldn't figure out where to send feature requests
> (probably by design for such a popular product).

I'd send it directly to Claus:
http://www.oreillynet.com/pub/au/1930

...Todd
-- 
The total budget at all receivers for solving senders' problems is $0.
 If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine


From dgc at uchicago.edu  Fri Jul 13 11:03:25 2012
From: dgc at uchicago.edu (David Champion)
Date: Fri, 13 Jul 2012 10:03:25 -0500
Subject: [Pymilter] Re: Discovering MTA interface port
In-Reply-To: <50002A23.8010707@bmsi.com>
References: <50002A23.8010707@bmsi.com>
Message-ID: <20120713150325.GI21151@scurvy.bikeshed.us>

This feels like a member of a category of sendmail problems I've only
ever been able to solve by running multiple sendmails instances.  That
is, put one sendmail on port 25 and another on port 587 (and 465, if you
use that) and pass an extra flag to the milter command on the port 587
instance, indicating that you want to skip IP checks.

* On 13 Jul 2012, Stuart D Gathman wrote: 
> It turns out that at least one problem could be neatly solved if only an
> {if_port} macro were available in the connect callback.  It is only 2 or
> 3 lines of code to add it, but then there is the logistics of
> maintaining a custom version of sendmail. 
> 
> The problem is that we track reputation by IP as well as domain.  Often,
> IPs of public networks at airports, hotels, and such are banned (from
> sending email) because of frequent abuse.  When a salesman travels, he
> needs to send email from said airports and hotels - which should not be
> a problem since he uses SMTP AUTH with his smartphone or tablet.  Except
> that when I REJECT the banned IP in connect, he never gets a chance to
> authenticate. 
> 
> Rather than delay the rejection until MAIL FROM, I would rather skip
> banned IP checking altogether for connections on port 587 - which only
> allows authenticated connections.  But milters don't seem to have any
> way to get that information.
> 
> Does anyone have any ideas besides patching sendmail?  I went to
> sendmail.org, but couldn't figure out where to send feature requests
> (probably by design for such a popular product).
> _______________________________________________
> Pymilter mailing list
> Pymilter at bmsi.com
> http://www.bmsi.com/mailman/listinfo/pymilter

-- 
David Champion ? dgc at uchicago.edu ? IT Services ? University of Chicago


From stuart at bmsi.com  Fri Jul 13 15:44:29 2012
From: stuart at bmsi.com (Stuart D Gathman)
Date: Fri, 13 Jul 2012 15:44:29 -0400
Subject: [Pymilter] Re: Discovering MTA interface port
In-Reply-To: <20120713150325.GI21151@scurvy.bikeshed.us>
References: <50002A23.8010707@bmsi.com>
	<20120713150325.GI21151@scurvy.bikeshed.us>
Message-ID: <50007A9D.4040400@bmsi.com>

On 07/13/2012 11:03 AM, David Champion expounded in part:
> This feels like a member of a category of sendmail problems I've only
> ever been able to solve by running multiple sendmails instances.  That
> is, put one sendmail on port 25 and another on port 587 (and 465, if you
> use that) and pass an extra flag to the milter command on the port 587
> instance, indicating that you want to skip IP checks.
>
Well, I did the patch, and it was more than 2 lines, but still pretty 
simple.  However, while testing it, I discovered that sendmail already 
sets the {daemon_port} macro.  This must be enabled in sendmail.cf with

O Milter.macros.connect=j, _, {daemon_name}, {daemon_port}, {if_name}, 
{if_addr}

or in sendmail.mc with

define(`confMILTER_MACROS_CONNECT', ``j, _, {daemon_name}, 
{daemon_port}, {if_name}, {if_addr}'')dnl

Once enabled, {daemon_port} will have "25" or "587" (or whatever you set 
in DAEMONOPTIONS macro for sendmail.mc or DaemonPortOptions for 
sendmail.cf).  This neatly solves the problem of milter behavior that 
depends on what server port the client connected to.

So, there is a good reason why the sendmail suggestion box is not 
obvious . . .