haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License

inbound versus outbound flow question #1370

Closed usernameisalreadytaken2014 closed 8 years ago

usernameisalreadytaken2014 commented 8 years ago

Hi

Is it possible for Haraka to have 2 different roles for inbound versus outbound email?

The inbound flows are:

The outbound flows are:

For the inbound flow, I need filters for DNSBL, spam checks, antivirus, DKIM verification etc.

For the outbound flow, I need filters for checking that the user only sends email as him/herself (eg. user1 does not use a FROM address saying user2), I need 5-10 custom filters for a variety of mailboxes for various reasons, I need DKIM signing, etc.

(In both cases I want email handed off via LMTP to a user's inbox or outbox folder. Another daemon will pick up from outbox, send the message out either immediately or when a header from the webmail software indicates, and move the message to a sent folder.)

I can only see a "plugins/" folder after running haraka -i.

Is it possible to dynamically switch to a different set of plugins, after the connecting client has successfully executed AUTH ?

Or to indicate inside each plugin that it should only run on inbound / outbound (/ both)?

If so, what would be the easiest way to achieve this?

msimerson commented 8 years ago

Is it possible for Haraka to have 2 different roles for inbound versus outbound email?

Yes, when a remote MUA authenticates (port doesn't matter), the connection.relaying=true property is set. This influences the behavior of later plugins. You can look in each plugin to see how their behavior changes in the presence of relaying=true. One example is the rcpt_to plugins. Some of them have an additional MAIL FROM check that, when a user authenticates, requires the MAIL FROM domain to be a valid local email address (i.e., AUTH: tom@foo.com permits him to send email as thomas@foo.com, because both local addresses are valid).

Is it possible to dynamically switch to a different set of plugins, after the connecting client has successfully executed AUTH ?

No, currently with Haraka you need to configure each plugin to handle those connections differently (which is what I do).

Another way to handle this is to run two Haraka instances, one for inbound (an MTA) and another as an MSA.
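The "configure each plugin to handle relaying connections differently" approach from the answer above, as an added example (not Haraka's own code, and not from this thread): a plugin that does nothing on inbound connections and, after AUTH, refuses a MAIL FROM that is not the authenticated user or one of that user's configured aliases. It assumes connection.relaying is true after AUTH, that the auth plugins store the login name as a full address in connection.notes.auth_user, that params[0] of the mail hook has an address() method, and a hypothetical config file config/sender_aliases with one "user: alias1,alias2" line per user.

```javascript
// Added example, not Haraka's own code. Assumes: connection.relaying is true
// after AUTH, auth plugins put the login (a full address) in
// connection.notes.auth_user, and the MAIL FROM is params[0] with address().

// Pure decision logic, kept separate from the hook so it is easy to test.
// Returns 'skip' for inbound (non-relaying) connections, 'allow' when the
// authenticated user may use this MAIL FROM, and 'deny' otherwise.
function check_sender_identity(relaying, authUser, mailFrom, aliases) {
    if (!relaying) return 'skip';          // inbound: leave it to DNSBL/SPF etc.
    if (!authUser) return 'deny';          // relaying without AUTH: never allow
    const from = String(mailFrom || '').trim().toLowerCase();
    const user = String(authUser).trim().toLowerCase();
    if (from && from === user) return 'allow';
    const extra = (aliases && aliases[user]) || [];
    return extra.some(a => a.toLowerCase() === from) ? 'allow' : 'deny';
}

// Parses lines of the form "user@example.com: alias1@example.com,alias2@..."
// (a hypothetical config file, one entry per line) into { user: [aliases] }.
function parse_aliases(lines) {
    const map = {};
    for (const raw of lines) {
        const line = raw.replace(/#.*/, '').trim();
        if (!line) continue;
        const [user, list = ''] = line.split(':');
        map[user.trim().toLowerCase()] =
            list.split(',').map(s => s.trim()).filter(Boolean);
    }
    return map;
}

// Haraka plugin glue. DENY is a global that Haraka defines at runtime.
const plugin = {
    register() {
        this.aliases = parse_aliases(this.config.get('sender_aliases', 'list') || []);
        this.register_hook('mail', 'check_mail_from');
    },
    check_mail_from(next, connection, params) {
        const verdict = check_sender_identity(connection.relaying,
            connection.notes.auth_user, params[0].address(), this.aliases);
        if (verdict === 'deny') {
            connection.results.add(this, { fail: 'sender_mismatch' });
            return next(DENY, 'MAIL FROM must match the authenticated user');
        }
        connection.results.add(this, { pass: verdict });
        return next();
    },
};
if (typeof module !== 'undefined') Object.assign(module.exports, plugin);
```

An inbound-only plugin uses the mirror image of the first check: return next() immediately when connection.relaying is true.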

usernameisalreadytaken2014 commented 8 years ago

Perfect, thanks!

(Apologies if this is already in the documentation and I misread it.)

Another way to handle this is to run two Haraka instances, one for inbound (an MTA) and another as an MSA.

Hmm, yeah. But I don't particularly want to ban MUAs from sending emails via port 25 + STARTTLS. Also don't necessarily want to deny remote MTAs from doing TLS before SMTP and delivery via port 465.

(Probably not a particularly standard way of doing things, but as far as I can tell, should be useful to prevent any intermediary hops from performing STARTTLS stripping thereby forcing a downgrade.)

baudehlo commented 8 years ago

No external host should ever try port 465, ever. It just doesn't happen. It would only happen if it's one of your users doing outbound mail but sitting outside your network.

Just do what I do: For outbound you can either do port 587 + STARTTLS + AUTH, or 465 if you really have to. For inbound that's port 25 only.

On Mon, Feb 29, 2016 at 1:40 PM, usernameisalreadytaken2014 < notifications@github.com> wrote:

msimerson commented 8 years ago

Small sample size, but of my several hundred end users, only 1 still uses port 465 (down from 5 a couple years ago), and he only does so because he has a very old Macintosh computer using a very very old version of Microsoft Outlook that doesn't support STARTTLS. His only encrypted option is port 465. Port 465 is a legacy-support-only feature and should not be utilized in new deployments.

As @baudehlo said, all your users should be sending via port 587 with encryption. In Haraka, by default, they won't be able to AUTH until after they upgrade the connection with STARTTLS. All modern email clients support this.

smfreegard commented 8 years ago

@msimerson - you misunderstood what @baudehlo meant. He meant inbound mail never uses port 465. It's for submission only, not for MTA <-> MTA traffic.

@usernameisalreadytaken2014 - run it on two different containers and IPs if you want to completely separate the functions, then your port 25 issue won't exist.

msimerson commented 8 years ago

@msimerson - you misunderstood what @baudehlo meant.

No I didn't.

He meant inbound mail never uses port 465. It's for submission only, not for MTA <-> MTA traffic.

I'm well aware of the difference between an MTA and an MSA, and my entire comment was related to port 465 (MSA) traffic, or as @usernameisalreadytaken2014 referred to it, "outbound" traffic.