Outbound and Inbound mail on same server

Randy Herban RHerban at GRAMTEL.NET
Tue Feb 4 17:12:46 GMT 2003


I'm curious to see everyone's reactions to this subject.  I know it was
brought up several weeks ago, but it was brought up as a 'Should I scan
outbound mail?' question, which is completely valid, but I want to take it a
step further.  And I apologize now if this is considered off-topic for the
MailScanner mailing list.  I feel it is relevant, as I am beginning to
standardize on MailScanner for all my machines that accept incoming mail and
want to know the best way to position servers, and others' experience with a
similar task.

Maybe I'll answer my own question and convince myself in the process of writing this
email, but I'll continue.

Background:
We support mail accounts for several tens of thousands of customers.  The
majority of the mail we deal with is spam coming into our accounts using
dictionary attacks or the like.
With this in mind, the majority of the mail in the outgoing queue at any
time is MAILER-DAEMON messages with bounce-backs of user unknowns trying to
send mail to a host that doesn't accept mail.

The major offenders I notice I add to our access file so sendmail will block
them with a 550.  This helps to lessen the load on MailScanner.
Another thing I have done is shorten the timeouts within sendmail, so that
mail that previously was discarded if it could not be sent within 4 days is now
discarded after 6 hours.
I have also added RBL blocking into sendmail itself.  If someone tries a
dictionary spam attack on 1000 users, it would have MailScanner,
SpamAssassin and Sophos scanning 1000 messages.  If I get lucky and they are
already blocked via an RBL, then MS doesn't have to deal with it to begin
with.


With this in mind, should I have outbound SMTP traffic hitting my
MailScanner machines, or set it up on a separate server altogether?
Probably 95% of outbound traffic is legit and bound for someone who does
exist at a domain that does exist, so outbound mail usually only takes a
few seconds to deliver.

Those customers of ours that get a virus would be safe and the virus would
not spread.  From what I have seen of the Klez, it creates a direct outbound
connection to the receiving mail server, bypassing the specified smtp
server.  Is this a growing trend or highly successful coincidence?

Whoever wants to send spam from their dialup will probably be using their
own mail server or hijacked servers in other countries.  But the 1 or 2 who
try to send mail through my server would, depending on the SpamAssassin
scoring, be blocked.  This isn't enough to justify scanning all outbound
traffic, however.


The main reason I am concerned with scanning outbound traffic is that our
customers need to have near-100% availability to an SMTP server.  With
MailScanner the load tends to be artificially high and could cause sendmail
to reject connections.  The other thing to consider is that when the queues
build up high enough, it takes extra time to sort through the mail queues
and subsequently for sendmail to respond.  I know Julian has implemented
multiple queues for both incoming and outgoing mail, but I have not had a
chance to configure this.

It is built into the RFC for mail traffic that it will retry if a connection
has failed, so my MX boxes can reject connections and I would not be
concerned.  But with customers trying to send mail through the same host, it
causes problems if it is rejecting.

Is there another possibility that I have overlooked?  Any other suggestions
or comments are appreciated and hopefully can help everyone, maybe even just
a little bit.

-Randy
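Added example (not Randy's configuration and not part of MailScanner): a sendmail.mc fragment that applies the three front-line controls the post describes before a message ever reaches MailScanner (access-file 550 rejects, DNSBL lookups at SMTP time and a short queue-return timeout), plus the load-average knobs that decide when sendmail stops accepting connections, which is the availability concern raised above. It also shows the in-between option of keeping customer submission on the same host but on its own authenticated listener. The DNSBL zone, the address and domain entries, the timeout values and the load thresholds are assumptions chosen for illustration; the `To:` entries assume the `blacklist_recipients` feature is enabled, and the `M=Ea` submission listener assumes customers can authenticate.

```m4
divert(-1)
Added example: sendmail.mc fragment implementing the front-line filtering
described in the post. Not the poster's configuration and not MailScanner
code. DNSBL zone, sample access entries, timeouts and load thresholds are
illustrative assumptions.
divert(0)dnl
VERSIONID(`example MX with pre-scanner rejects')dnl
OSTYPE(`linux')dnl
dnl
dnl --- 1. Access database: hand-maintained 550 rejects for repeat offenders.
dnl Sample /etc/mail/access (rebuild with: makemap hash /etc/mail/access < /etc/mail/access):
dnl   Connect:192.0.2            REJECT
dnl   From:spam.example.com      ERROR:"550 Mail from spam.example.com refused"
dnl   To:bogus.example.net       ERROR:"550 No such user here"
dnl REJECT answers "550 5.7.1 Access denied"; ERROR lets you choose the text.
dnl Connect: matches the client IP by leading octets (192.0.2 covers 192.0.2.*).
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl       needed for the To: entries above
dnl
dnl --- 2. DNSBL check at connection time, before DATA and before MailScanner.
dnl The zone is an assumption; use whichever list you already trust.
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " refused; listed in zen.spamhaus.org"')dnl
dnl
dnl --- 3. Give up on undeliverable mail (mostly MAILER-DAEMON bounces) quickly.
define(`confTO_QUEUEWARN', `1h')dnl      warn the sender after 1h instead of 4h
define(`confTO_QUEUERETURN', `6h')dnl    bounce after 6h instead of the 5d default
dnl
dnl --- 4. Load-average behaviour: these are global, so an overloaded MX
dnl     also stops accepting customer submissions on the same host.
define(`confQUEUE_LA', `8')dnl           above this load, queue only (no immediate delivery)
define(`confREFUSE_LA', `12')dnl         above this load, stop accepting new SMTP connections
define(`confMAX_DAEMON_CHILDREN', `40')dnl cap concurrent inbound SMTP sessions
dnl
dnl --- 5. Separate listener for customer submission: port 587, no ETRN (E),
dnl     authentication required (a). Keeps customer traffic off the MX port
dnl     but still subject to the load thresholds above.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

Generate sendmail.cf from this with `m4 /usr/share/sendmail-cf/m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf` (path varies by distribution) and restart sendmail. Because RefuseLA and QueueLA are process-wide in this setup, the submission listener shares the MX's fate under load; moving submission to a separate host is what actually decouples the two, which is the trade-off the post is asking about.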


