Hi,
I am looking at stunnel as a way to add SSL/TLS to an SMTP server, but my issue is that the SMTP server must be able to determine the address of the incoming connection to perform RBL checks, reverse MX record checks, PTR checks, etc. From what I can understand, however, the SMTP server will only see the client side of the pipe (localhost) as the originating address, instead of the originating machine IP.
Is there any way to get the SMTP server to see that original IP address? Or barring that, is there any way that stunnel can insert a header into the mail indicating the original IP address?
Thanks!
Eric
On Friday 24 November 2006 18:17, Eric B. wrote:
> I am looking at stunnel as a way to add SSL/TLS to an SMTP server, but my issue is that the SMTP server must be able to determine the address of the incoming connection to perform RBL checks, reverse MX record checks, PTR checks, etc. From what I can understand, however, the SMTP server will only see the client side of the pipe (localhost) as the originating address, instead of the originating machine IP.
That is how a proxy is expected to work.
> Is there any way to get the SMTP server to see that original IP address? Or barring that, is there any way that stunnel can insert a header into the mail indicating the original IP address?
I know there are some people that implement it based on log files.
What is your SMTP server? Why don't you use native SSL support?
Are there really a lot of spammers that use SSL to send spam?
Best regards, Mike
> > Is there any way to get the SMTP server to see that original IP address? Or barring that, is there any way that stunnel can insert a header into the mail indicating the original IP address?
> I know there are some people that implement it based on log files.
I'm not quite sure how that would work, barring parsing log files each time a connection is made, which I would think would slow down the system significantly. Would it be very difficult to update stunnel and make it a configurable option to insert the originating IP as a header in the mail? e.g., something like X-st-originating-IP: or something like that.
> What is your SMTP server? Why don't you use native SSL support?
I am actually using an anti-spam proxy in front of my SMTP server which doesn't have native SSL support (ASSP). And if I use the SMTP server's SSL support, I'll be completely bypassing the anti-spam proxy, which will completely defeat the purpose of anti-spam.
> Are there really a lot of spammers that use SSL to send spam?
Actually, yes. There are a significant number of spammers that use SSL, mainly because a lot of systems don't check SSL ports against spam, etc. It is becoming more and more prevalent. I would have to say that at least 50-60% of the spam comes via the SSL port.
Thanks,
Eric
On Saturday 25 November 2006 20:24, Eric B. wrote:
> Would it be very difficult to update stunnel and make it a configurable option to insert the originating IP as a header in the mail? e.g., something like X-st-originating-IP: or something like that.
Since adding a header to each email within a connection requires building an SMTP parser, I could say it's very difficult. Probably a wealthy sponsor could make me change my mind, but otherwise such a change obviously breaks the KISS principle that stunnel is based on.
> I am actually using an anti-spam proxy in front of my SMTP server which doesn't have native SSL support (ASSP). And if I use the SMTP server's SSL support, I'll be completely bypassing the anti-spam proxy, which will completely defeat the purpose of anti-spam.
What about installing an SMTP router with RBL support in front, then your anti-spam proxy, then another instance of an SMTP server for local delivery? For sure it's easier than adding another feature to stunnel. I use a similar configuration for an antivirus scanner based on Postfix.
> > Are there really a lot of spammers that use SSL to send spam?
> Actually, yes. There are a significant number of spammers that use SSL, mainly because a lot of systems don't check SSL ports against spam, etc. It is becoming more and more prevalent. I would have to say that at least 50-60% of the spam comes via the SSL port.
I didn't know that. Thank you.
Mike
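To illustrate Mike's point that inserting a header means following the SMTP dialogue rather than just copying bytes, here is an added example (not from the thread, and not stunnel code) of the minimal state tracking involved. The header name X-st-originating-IP is Eric's suggestion, the sample session is constructed, and the code assumes the server accepts every DATA command.

```python
# Added example, not from the thread or from stunnel: a minimal SMTP-aware
# filter that shows the state tracking Mike refers to.  It walks the
# client->server byte stream of one SMTP connection, switches between
# command mode and DATA mode, and inserts a client-IP header at the top of
# every message body.  The header name is Eric's suggestion from the thread.
HEADER = "X-st-originating-IP"
END_OF_DATA = b".\r\n"   # lone dot ends the body; RFC 5321 dot-stuffing
                          # turns a real leading dot into "..", so no false hit


def tag_smtp_stream(client_bytes: bytes, client_ip: str) -> bytes:
    """Return the client stream with HEADER prepended to each message body.

    Assumes the server answers every DATA with 354; a real proxy must read the
    server->client stream and only enter body mode after that reply, and must
    also handle a body split across TCP reads.  Command lines pass unchanged.
    """
    out = bytearray()
    in_data = False          # True while forwarding message content
    at_body_start = False    # True for the first line after DATA
    for line in client_bytes.splitlines(keepends=True):
        if not in_data:
            out += line
            # SMTP verbs are case-insensitive; DATA starts the message body
            if line.rstrip(b"\r\n").upper() == b"DATA":
                in_data, at_body_start = True, True
            continue
        if at_body_start:
            # Headers come first in the body, so the new header lands on top
            out += f"{HEADER}: {client_ip}\r\n".encode("ascii")
            at_body_start = False
        out += line
        if line == END_OF_DATA:
            in_data = False   # back to command mode; RSET/MAIL may follow
    return bytes(out)


# Constructed sample session: two messages on one connection.
SAMPLE_SESSION = (
    b"EHLO relay.example.net\r\n"
    b"MAIL FROM:<a@example.net>\r\nRCPT TO:<b@example.org>\r\nDATA\r\n"
    b"Subject: one\r\n\r\n..leading dot survives\r\n.\r\n"
    b"MAIL FROM:<c@example.net>\r\nRCPT TO:<b@example.org>\r\nDATA\r\n"
    b"Subject: two\r\n\r\nbody\r\n.\r\nQUIT\r\n"
)

if __name__ == "__main__":
    print(tag_smtp_stream(SAMPLE_SESSION, "203.0.113.7").decode("ascii"))
```

Everything a plain TCP relay does not know (where each body begins, where it ends, how many messages share the connection) has to be tracked here, which is the parser Mike says stunnel would need.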
> > Would it be very difficult to update stunnel and make it a configurable option to insert the originating IP as a header in the mail? e.g., something like X-st-originating-IP: or something like that.
> Since adding a header to each email within a connection requires building an SMTP parser, I could say it's very difficult. Probably a wealthy sponsor could make me change my mind, but otherwise such a change obviously breaks the KISS principle that stunnel is based on.
Fair enough. I didn't think about the need to include an SMTP parser, etc.
> What about installing an SMTP router with RBL support in front, then your anti-spam proxy, then another instance of an SMTP server for local delivery? For sure it's easier than adding another feature to stunnel. I use a similar configuration for an antivirus scanner based on Postfix.
Agreed - probably easier than adding this feature to stunnel. I'll have to research other options instead.
Thanks for the input/advice!
Eric