Closed msimerson closed 10 years ago
FWIW I do this by having outbound run a separate Qpsmtpd on port 587 with minimal plugins. This just works, and makes everything generally easier to manage.
But others have done exactly this with a deny hook. You can then defer the deny and log what caused it until later. Talk to smf on IRC about his.
I used to run a second instance as well, until I added the naughty plugin and deferred rejections to QP. Having a single instance listening on ports 25, 465, and 587, using a single set of SSL certificates, and a single config is far easier than managing 3.
It also doesn't bring along the benefits of deferred rejections, such as doing useful things with spam. I've yet to catch smf on IRC. I think he knows I'm after him... :-)
Problem: end users can't send mail via Haraka if their IP is on a DNSBL. Or if their HELO is invalid. Or if their MUA isn't strict RFC 822 compliant.
Goal: allow users with valid credentials (meaning no rejections before they get a chance to STARTTLS and AUTH) to send mail, always, always, always. And still have connect.* plugins fully enabled.
Potential solution: In QP, I added a naughty plugin. Any QP plugin could then mark a connection as 'naughty' if it failed tests. The SMTP conversation continued and at the appointed time, naughty disconnected the remote. By disconnecting later, the remote was always offered the opportunity to STARTTLS, AUTH, and thus clear the naughty flag and continue.
Would such a plugin be welcome in Haraka?
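The deferred-rejection flow described in the post above, as an added JavaScript model; it is not part of the original thread and is not Haraka or qpsmtpd code. All names (`Session`, `flag`, the `on*` handlers) and the sample data are hypothetical, and MAIL FROM is assumed as the point where the deferred rejection fires.

```javascript
// Added model of deferred ("naughty") rejection. Not Haraka or qpsmtpd code;
// every name below is hypothetical and the sample data is constructed.
const DNSBL_LISTED = new Set(['203.0.113.7']);        // constructed listing
const USERS = new Map([['alice', 'correct-horse']]);   // constructed credentials

class Session {
  constructor(ip) {
    this.ip = ip;
    this.tls = false;
    this.naughty = null;   // first failure reason, or null
    this.closed = false;
    this.log = [];         // every reason a check failed, kept for later review
  }
  flag(reason) {
    this.log.push(reason);
    if (!this.naughty) this.naughty = reason;
  }
}

// Early hooks record a failure instead of rejecting on the spot.
function onConnect(s) {
  if (DNSBL_LISTED.has(s.ip)) s.flag('listed on DNSBL');
  return '220 ready';
}
function onHelo(s, name) {
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(name)) s.flag('invalid HELO');
  return '250 hello';
}
function onStartTls(s) { s.tls = true; return '220 go ahead'; }

// Only a successful AUTH over TLS clears the flag; a failed attempt leaves it set.
function onAuth(s, user, pass) {
  if (!s.tls) return '538 encryption required';
  if (!USERS.has(user) || USERS.get(user) !== pass) return '535 authentication failed';
  s.naughty = null;
  return '235 authenticated';
}

// The deferred rejection point (assumed here to be MAIL FROM).
function onMailFrom(s) {
  if (!s.naughty) return '250 ok';
  s.closed = true;
  return `550 rejected: ${s.naughty}`;
}
```

The flag is cleared only on the success path of `onAuth`, so a listed client that fails or skips authentication is still rejected, and `log` keeps the reasons either way.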