MailScanner ANNOUNCE: New commercial product SMGateway

Stephen Swaney steve.swaney at FSL.COM
Wed Mar 2 22:44:49 GMT 2005 

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of John Rudd
> Sent: Wednesday, March 02, 2005 5:02 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: MailScanner ANNOUNCE: New commercial product SMGateway
>
> On Mar 2, 2005, at 13:06, Mike Bacher wrote:
>
> > John Rudd wrote:
> >> On Mar 2, 2005, at 6:29 AM, Julian Field wrote:
> >>
> >>> We are pleased to announce SMGateway, the first Secure Mail Gateway
> >>> product from Fortress Systems Ltd.
> >>
> >>
> >> - Active Directory Authentication?  What about Kerberos?  (POP/IMAP is
> >> good enough for us (since those check against our Kerberos pass
> >> phrases), but I'm curious if you're doing AD via LDAP, or AD via
> >> Kerberos, or some other aspect of AD authentication I'm not aware of
> >> ... and if you're doing it via AD's LDAP functionality, I wonder why
> >> you didn't also list LDAP authentication in the blurb)
> >
> > Recipient checking is available via LDAP and milter-ahead (basically,
> > it opens a
> > persistent SMTP channel to the mailhub and does RCPT TO's, with some
> > intelligent caching)
>
> So, what exactly is milter-ahead?  Is this just a few checks that are
> done as part of a milter, or is this doing the full mailscanner
> implementation in a milter?
>

It's milter-ahead http://www.milter.info/milter-ahead/index.shtml not a
milter implementation of MailScanner (hmmmm, now that would be a MILTER).
Milter-ahead just checks to see if the mail would be accepted if presented
for delivery at the mailhub before it is accepted at the gateway.

It's very simple to configure and works very well even on sites with high
volumes for the hardware. It's not as efficient as locally accessible db or
ldap file to validate users but it's a lot better than using nothing and y
sites.

We have seen very substantial load decreases on gateways and mailhub where
nothing is used to validate users on the mailhub and then milter is
installed. The reason is simple. Blocking the junk email at the front door
stops MailScanner and all of the related applications for doing a lot of
useless work and these messages never hit the mailhub.

A couple of caveats:

1. Milter-ahead works only with sendmail. There are other techniques which
perform similar checks for Exim and Postfix.

2. Milter-ahead will not work with Exchange 5.5 or Exchange 2000 mailhubs.
These servers cannot be configured not to blindly accept email for any
address at acceptable domains :( and then bounce it back to the non-existent
spammer ).

> (and, what we do now is distribute an aliases file to each of our
> sendmail boxes, and those are how we get valid vs not-valid address
> support for our scanning boxes; the file is automated generated every
> few hours, and the sendmail boxes also periodically/automatically
> import it; part of this is a legacy issue and part of it is because our
> older mailing list system uses the aliases file for lists)
>

Milter-ahead will accept email as soon as the user account is added to the
hub.

> Do domains have default forwards?  It might be interesting to say that
> the default forward for a given domain is to send it to mailhub A, and
> the default domain to send it to for a second domain is mailhub B, but
> not allow users to over-ride that, and yet still have this recipient
> checking going on to insure that the end address is valid.
>

It looks at the mailertable, if the entry is in the form:

        domain.com              esmtp:[mailhub.domain.com]

(Note the [ ]'s) milter-ahead will be called. If the entry is in the form

        domain.com              esmtp:mailhub.domain.com

milter-ahead ahead will not be called.

> (our existing mechanisms are that our athena based account management
> system manages the aliases file, both for mailing lists and user
> forwards; that information also gets extracted and incorporated into
> communigate pro's "redirect" option; users can manage either of them,
> but we're planning to retire the athena stuff, so the authoritative
> location will be the end mail hub, not the scanning hosts, so what we
> want the scanning hosts to do is just send it all to the mailhub.  But,
> it has to be the right mailhub for that domain, and it has to be
> rejecting invalid addresses at the front door.  Our existing plan had
> been to just munge the aliases file, but if SMGateway has domain
> defaults for that kind of thing, then that allows us to eliminate that
> piece)
>
>
I think you should definitely look at milter-ahead as one of the
possibilities. At least until SMCluster is available :)


Hope this helps,

Steve

Steve Swaney
President
Fortress Systems Ltd.
Phone: 202 338-1670
Cell: 202 352-3262
www.fsl.com
steve.swaney at fsl.com

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list