Bypass content_filter based on SASL auth

From: Ian R. Justman (no email)
Date: Sun Sep 07 2008 - 00:02:17 EDT

  • Next message: Sahil Tandon: "Re: Bypass content_filter based on SASL auth"

    Hi, all.

    I'd like to know whether it is possible to bypass content_filter based
    on whether someone has authenticated via SASL.

    The situation:

    I would like to build a machine that can function both to scrub
    spam/viruses for incoming mail (to my clients) and handle outgoing mail
    using SMTP-AUTH (from my clients) if they use port 25 (yes, I do know
    about port 587, but getting that configured client-side takes a bit of
    additional handholding to get the port changed). I was wondering
    whether it is possible to bypass content filtering based on whether a
    user has successfully authenticated to the machine. Since I do not have
    additional IP addresses available to me, I have little choice but to use
    the one IP address the machine has.

    To simplify explanation, I'll show you a little step-by-step list of
    what I'd like to do (plus I already have one other condition I'd like to
    check for, which is whether the IP address connecting belongs to one of
    my clients and is static, but I have already figured this out given the
    docs):

    1. Client connects.
    2. My server checks to see if the IP address is one of those belonging
    to a client.
    3. It is? If so, then use the FILTER operation in an
    access(5)-formatted file, which, as we know, overrides content_filter.
    4. It isn't? If not, then did the connection use SASL with an
    established account?
    5. It is (assuming the authentication process had a positive outcome)?
      If so, then bypass the "content_filter" directive.
    6. It isn't (it is an outside client IP address AND either did not
    use authentication or authentication failed)? If not, filter it as if
    it were any other incoming mail.

    Any thoughts on this one? I'm probably going to invite criticism on
    this one because of possible ways of subverting this setup, but that's a
    risk I'm willing to take.

    Thanks!

    --Ian.

    -- 
    Ian R. Justman
    UNIX hacker.  Anime fan.  Any questions?
    ianj (at) ian-justman.com
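One way to express the six-step decision above in Postfix terms is a policy server hooked in with check_policy_service, since a policy server may return the same FILTER action an access(5) map can, and Postfix only hands it a non-empty sasl_username after AUTH succeeded. This is an added example written for this page, not code from the thread; the static client addresses, the listening port and the bypass transport `smtp:` are assumptions to adjust to your own master.cf.

```python
import socketserver

# Constructed placeholders: the static client addresses (step 2) and the
# transport that skips content_filter (steps 3 and 5). Adjust both locally.
STATIC_CLIENT_IPS = {"192.0.2.10", "192.0.2.11"}
BYPASS_ACTION = "FILTER smtp:"  # a FILTER action overrides content_filter (access(5))


def parse_request(lines):
    """Turn the name=value lines of one smtpd_access_policy request into a dict."""
    attrs = {}
    for line in lines:
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs):
    """Apply the six-step decision from the post and return a policy action."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # Steps 2/3: a known static client address skips the filter.
    if attrs.get("client_address") in STATIC_CLIENT_IPS:
        return BYPASS_ACTION
    # Steps 4/5: sasl_username is non-empty only after a successful AUTH,
    # so a failed or absent AUTH never reaches this branch.
    if attrs.get("sasl_username", ""):
        return BYPASS_ACTION
    # Step 6: outside address without authentication; DUNNO leaves the
    # remaining restrictions and the normal content_filter in force.
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:  # Postfix may send several requests per connection
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:  # blank line terminates a request
                    break
                lines.append(line)
            if not lines:
                return  # peer closed the connection
            action = decide(parse_request(lines))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf: smtpd_recipient_restrictions = ... check_policy_service inet:127.0.0.1:10040 ...
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Placing check_policy_service before permit_sasl_authenticated in smtpd_recipient_restrictions ensures the FILTER action is recorded before the session is permitted to relay.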
    
