postfix comments ... was: Re: receiving mails with executable.

Pete pete at eatathome.com.au
Wed Dec 3 12:51:14 GMT 2003


C. Jon Larsen wrote:

>On Tue, 2 Dec 2003, Julian Field wrote:
>
>
>
>>To give you the brief answer to this question....
>>
>>The Postfix guys don't like me as I dared to use their software in a way
>>they hadn't intended. Rather than publish the file format (which sendmail
>>does) or happily let me use it (the Exim authors use MailScanner
>>themselves), the Postfix guys throw their toys out of the pram and whinge a
>>lot.
>>
>>
>
>I see your point :=) I think postfix is supposed to be formalizing their
>APIs for dealing with queues, etc. Thanks for the background info.
>
>
>
>>I'm not going to apologise for daring to "think outside the box".
>>
>>
>
>MailScanner is *great* software. You have a lot to be proud of. Postfix
>guys seem to suggest using Amavis-new instead of MS. But to me that's a
>step backwards and away from the best software to scan and protect emails
>(MailScanner).
>
>I wanted postfix and I wanted MailScanner :=)  Here's what I did to make
>them work together - see below ...
>
>
>
>>Many people run MailScanner on Postfix without any problems. A few sites
>>see a fault where very occasionally a message with no body is delivered.
>>The correct version of the same message with its body is later delivered
>>correctly, in addition to the version with the body missing. No mail is lost.
>>
>>
>
>I did not want to take that chance, so I set up 1 postfix instance as an
>external smtp router and proxy that looks up incoming domains in an SQL
>database and makes routing decisions based on a content_scan column. It
>can route the mail directly to the destination, drop the mail if it's for an
>invalid domain, or route it to the dedicated MailScanner box, which uses
>sendmail. The MailScanner box does its job, and then sends the mail to a
>third postfix box which does message delivery to mailboxes, and handles
>SMTP AUTH for customers that send email from mail clients.
>
>Exim was not my cup of tea for a secure internet facing MTA :=)  I'm not
>saying it's not secure, it's just not what I wanted. I did not see Exim as
>being more secure than sendmail due to its design (my opinion only, send
>flames to /dev/null).
>
>I was looking for something that had privilege separation like qmail or
>postfix for an internet facing MTA. Since my internal mailscanner box is
>locked down from an SMTP listener perspective, I am o.k. running sendmail
>on that, though exim would probably make a better host than sendmail for
>the MS - thanks for the tips though.
>
>I looked at smtp.proxy, Obtuse/juniper smtp proxy, qpsmtpd, and mailfront
>as ways to improve the security of the internet facing MTA. qpsmtpd and
>mailfront were too qmailish (also not my preference) and none of the smtp
>proxies gave me a warm and fuzzy regarding protocol support/workaround
>(ESMTP, cisco pix workarounds like postfix has). They seemed o.k. for
>hobbyists but not for production networks that get a lot of mail from a
>lot of different networks with different (often partially broken) MTAs.
>
>I kept coming back to postfix as the best combination of security,
>protocol support, and usability for my external MTA.
>
>I had already picked postfix as my MTA for my mailboxes. So I
>went from 2 boxes (mailscanner + postfix) to 3 boxes (inbound postfix
>message router, mailscanner/sendmail, mailbox, smtp auth postfix).
>
>Hopefully this will help someone else. If not, that's fine too. Just
>relaying my experiences and research.
>
>-jon
>
>
>
>
>>As many MailScanner sites now run it on a dedicated server, it makes very
>>little difference what MTA is chosen, as all the MTAs can take mail in and
>>just punt it onto another server.
>>
>>My personal recommendation is probably Exim, especially if you don't like
>>sendmail. Exim is very easy to configure and is very fast. When used with
>>MailScanner it is considerably faster than Postfix as Postfix copies all
>>the data around more often than it needs to, resulting in inefficient
>>handling, particularly of large messages.
>>
>>At 13:46 02/12/2003, you wrote:
>>
>>
>>>On Tue, 2 Dec 2003, Mark Hernandez wrote:
>>>
>>>
>>>
>>>>hi all,
>>>>
>>>>I'm using Postfix on a FreeBSD 4.8 O.S. and chose mailscanner to add
>>>>features
>>>>
>>>>
>>>Is MailScanner safe to use with postfix ? The postfix site and several
>>>messages in the archives advise strongly not to use postfix with MS
>>>because postfix does not like to have its queues manipulated by an
>>>external program.
>>>
>>>Postfix has a content filter interface that they suggest using and the
>>>current postfix snapshot has a new smtp content filter proxy interface
>>>that looks interesting.
>>>
>>>I don't like sendmail anymore (security issues seem to never stop), so I
>>>have switched to postfix for all mail relay and mailbox destinations -
>>>with a MailScanner + sendmail box that sits in the middle.
>>>
>>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
>>
>>
>>
>>
>
>--
>+ Jon Larsen: Chief Technology Officer, Richweb, Inc.
>+ Richweb.com: Providing Internet-Based Business Solutions since 1995
>+ GnuPG Public Key: http://richweb.com/jlarsen.gpg
>+ Business: (804) 359.2220 x 101; Mobile: (804) 307.6939
>
>
>
>
>
There is already heaps of info in the list - but I am still pretty new
with MailScanner, and mine works flawlessly with postfix 2.016 on RH9.
These 2 boxes sit in the DMZ and handle all our inbound mail - it's fast
enough (how fast does smtp mail need to be?), very reliable and stops
almost all of our spam - perfect!

I personally tried for so long to get amavis, sa and postfix working
nicely together I gave up entirely until I stumbled across a post
about mailscanner elsewhere - gave it a try and was hooked, inside of 3
weeks we had conducted testing, planned and executed a rollout - a
rollout that has not required the restart of the MS service or box once,
not even once since going live with 2 machines in a multi domain
environment - not bad for a linux newbie :) My point is, it works SO
well, and is very easy to get going, I can't understand why anyone
wouldn't use it...


