mailscanner behind a smtpd frontend
glenn.steen at gmail.com
Mon Feb 13 09:45:39 GMT 2006
On 13/02/06, Philipp Snizek <philipp.snizek at terreactive.ch> wrote:
> I have here an architecture I'm not too happy with.
> It looks like this:
> inet -- smtpd -- antispam gw (mailscanner) -- LAN
> The problem I see here is that the antispam gw gets mails with headers
> from the smtpd. Thus, if the smtpd forwards spam the antispam gw learns
> that (SA autolearn enabled).
> I'd prefer to have the antispam gw as a mail frontend.
> However, from a firewalling point of view my client wants to make sure
> that only smtp transactions reach the antispam gw.
> I have the following ideas on how to deal with this problem:
> a) have mailscanner remove the smtpd's received:from header line
> b) tell SA to ignore the smtpd's received:from header line
> c) use a transparent smtpd service
> However, I wonder which of these is possible and if there are other
> (better) ideas.
> Thanks a lot
Any modern firewall can do port forwarding with only "filtering", that
is _no "stateful inspection" or suchlike intervention_.
When we introduced Postfix & MailScanner as our "frontend MTA", that was
mainly to get out of the bugginess and instability of the infamous
SMTP proxy of the firewall we used at the time... (Yours wouldn't
happen to be ... red?:-):-) We haven't looked back since. We get
better protection and more control... And (due to both the public
firewall and the on-box FW) we are confident there is no possibility
of ... "traffic leakage".
I suppose what I'm advocating is some variant of c).
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
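
Idea b) in the quoted question amounts to treating the smtpd frontend as a trusted hop and evaluating the host that handed the mail to it instead. The Python below is an added illustration of that walk over the Received headers; it is not from the thread and is not MailScanner or SpamAssassin code, and the addresses, host names and sample message are constructed.

```python
import email
import ipaddress
import re

# Constructed values: 192.0.2.10 stands in for the smtpd frontend,
# 198.51.100.7 for the Internet host that connected to it.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.10/32")]

SAMPLE = (
    "Received: from smtpd.example.net (smtpd.example.net [192.0.2.10])\n"
    "\tby gw.example.net (Postfix) with ESMTP id AAAA1; Mon, 13 Feb 2006 09:40:02 +0000\n"
    "Received: from mail.sender.example (unknown [198.51.100.7])\n"
    "\tby smtpd.example.net with SMTP id BBBB2; Mon, 13 Feb 2006 09:40:01 +0000\n"
    "From: someone@sender.example\n"
    "To: user@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Peer address as MTAs commonly record it: "from helo (rdns [ip])".
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def connecting_ip(received_value):
    """Return the peer address recorded in one Received header, or None."""
    # Only look at the "from ..." clause; the "by ..." clause names the receiver.
    from_part = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    match = _BRACKETED_IP.search(from_part)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def first_external_relay(raw_message, trusted=TRUSTED_RELAYS):
    """Walk Received headers newest-first, skipping hops inside `trusted`."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = connecting_ip(value)
        if ip is None:
            return None  # unparseable hop: stop, everything below is unverified
        if not any(ip in net for net in trusted):
            return ip  # the host that handed the mail to the trusted frontend
    return None


if __name__ == "__main__":
    print(first_external_relay(SAMPLE))
```

Headers below the first untrusted hop are written by the sender's side and can be forged, which is why the walk stops there.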