REJECT-ON-SMTP-DATA (Re: Mail Server best practices - was: Pandora's Box of new TLDs)

Justin Shore justin at
Tue Jul 1 21:17:16 UTC 2008

Chris Owen wrote:
> The lack of a spam folder is one of the problems with such a solution.  
> Having a middle ground quarantine is actually quite nice.
> However, the biggest problem is these solutions are global in nature.  
> We let individual customers considerable control over the process.  They 
> can each set their own block and quarantine levels, configure their own 
> white and blacklists and even turn the spam controls completely off.  
> For various reasons none of that would be possible with this solution 
> and all the implementations you link to all run with a single global 
> configuration.


I can think of one spam filter that does give both you and your users 
individual control over all of these settings while still rejecting mail 
during the SMTP dialog including the DATA phase:  CanIt-Pro.

CanIt-Pro is a mail filter or 'milter' in Sendmail-speak.  It 
essentially connects into Sendmail from the side.  Sendmail calls on it 
during the SMTP dialog with the remote MTA, giving CanIt-Pro the 
opportunity to work its magic before the message is accepted for 
delivery which allows from rejecting mail right up until the last second 
RFC 2821 permits it.  I use CanIt-Pro for this very reason.  Each user 
can have their own individual mail "stream" in CanIt terminology.  Each 
user can define white/blacklists by senders, domains and hosts.  Users 
can block or permit by MIME types or perform actions based on attachment 
suffixes.  They can write their own rules with regexs against the 
headers or body as well as checking to see if a sending domain matches 
that of the relaying MTA (not always accurate but often is; is 
a good example).  Users can enable or disable individually configured 
DNSBLs or change the score.  They can even define rules based on SPF 
values.  Each user gets their own bayesian DB as well.

You as an admin can disable any of the above features on a per-user 
basis so you can make it as simple or as complex as you want.  You can 
also pre-define streams with specific settings that users can subscribe 
to if they don't want the more fine-grained control.  I created a stream 
that only tags suspect spam.  I also created 3 streams with varying 
levels of aggressiveness.

Have you ever heard the phrase "a pilot's plane"?  Well I would liken 
CanIt to being the equivalent for mail admins and their spam filters.  I 
first started using the OSS predecessor to CanIt back in late 2000 or so 
called MIMEDefang.  MD is still the underpinnings of CanIt.  When you 
buy CanIt you also get the source code so you have the ability to code 
in custom things if you have the need and desire.  It's perfect for SPs.

BTW, I'm not a Roaring Penguin employee.  I'm just an impressed user of 
their products so they've earned my loyalty.


More information about the NANOG mailing list