[clamav-users] ign2 whitelist don't work

Charles Swiger cswiger at mac.com
Tue Jul 19 17:00:07 UTC 2016 

On Jul 19, 2016, at 10:28 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
[ ... ]
>> 2) In the absence of MX records stating otherwise, I expect that any mailserver which sends outbound email should be willing to accept inbound mail for the same domains it terminates or relays email on behalf of.
> 
> that is not how email works

As I recall, you were either submitting a bug report about ClamAV and SPF, which seems misguided as you've since acknowledged ("i know that SPF is not relevant for clamav"), or at the least you were looking for feedback about how to better handle legitimate email from paypal.at which you were bouncing due to ClamAV's heuristics.

> a) the sender is @mail.paypal.at and not "@epsl1.com"

True.

> b) every smarter setup these days has strictly
>   seperated outbound and inbound servers

False.  Assuming that there is only one correct mail architecture is a major fallacy.

What you describe is one reasonable architecture for a large ISP which needs to have redundant sending and receiving mail servers.  However, there are lots of smaller sites which have no need for that-- they might be better off having an external MX relay in their firewall DMZ which handles both inbound and outbound mail, and an internal mailhost / reader box, for example.

> what you expect is completly pointless - as example you have no business to deliver mail to our outbound server unless you are a customer with a valid username and password since inbound mail is expected at the MX (spamfirewall) and not at the submission server

You appear to have skipped past this phrase: "In the absence of MX records stating otherwise..."

If a mail server sends outbound, it needs to be willing to handle bounces and DSNs for those  messages/domains which it sends.

> why?
> 
> because it's much easier to define MTA policies for spamfiltering when you need not to mix with mail clients and when you do outbound spamfiltering you need completly different rules (no RBL looksups, no PTR checks, different scorings and first of all no postscreen in front which a MUA can't handle)


It is reasonable to have different inbound and outbound MTAs to implement different policies?  Sure.

Is that the only mechanism by which one can have different policies?  Nope.

It is reasonable to trust all local mail and push the burden of checking it upon others?  Nope.

You should be applying spamfiltering and especially malware/virus scanning to outbound email just as rigorously as you do to inbound email.  In a few cases that I am familiar with, outbound email is screened more carefully than inbound email.

Regards,
-- 
-Chuck

More information about the clamav-users mailing list