mailscanner behind a smtpd frontend
Alex Neuman van der Hans
alex at nkpanama.com
Mon Feb 13 12:55:16 GMT 2006
Glenn Steen wrote:
> On 13/02/06, Philipp Snizek <philipp.snizek at terreactive.ch> wrote:
>
>> c) use a transparent smtpd service
>>
> Any modern firewall can do port forwarding with only "filtering", that
> is _no "stateful inspection" or suchlike intervention_.
> When we introduced Postfix&MailScanner as our "frontend MTA", that was
> mainly to get out of the bugginess and instability of the infamous
> SMTP proxy of the firewall we used at the time... (Yours wouldn't
> happen to be ... red?:-):-) We haven't looked back since. We get
> better protection and more control... And (due to both the public
> firewall and the on-box FW) we are confident there is no possibility
> of ... "traffic leakage".
> I suppose what I'm advocating is some variant of c).
>
<rant>
You *shouldn't* have to use any form of smtpd on the firewall. Check the
firewall mailing lists; a firewall is a firewall is a firewall, not a
server. It shouldn't be running any services. It should simply forward
traffic transparently to your MS gateway.
I have had a ton of problems with some boxes (I'm almost sure they were,
in fact, red) wanting to proxy the mail. They either keep it to
themselves and not tell anybody, crash and take the e-mails with them,
prevent me from using RBLs at the MTA level (all e-mail appears to come
from the box), process e-mail from shotgun spammers (something I deal
with using greet_pause), prevent people from using SMTP AUTH properly,
... the list goes on.
In fact, I remember a *bank* whose fancy schmancy (and red, now that you
mention it) box broke once... The "red box guy" they had wasn't
available, so they called me to see if there was something I could do. I
enabled the second interface on the server, installed a custom firewall
script + dhcp + dns (forward and reverse) + transparent squid +
squidclamav, and within the hour everybody was back to normal... except
for the fact that network throughput was somehow faster, we had full
logging of everything we wanted to know about the network and how it was
being used, etc. - you guys *know* what I'm talking about here.
Unfortunately, the "red box guy" came about 4 hours later and restored
insanity to the place; people still talk about those glorious 3 hours
where "the network was fast, e-mail came through instantaneously, and
people loved one another". The second interface on the server sits
waiting for the day where the sysadmin will finally be able to work up
the guts to sell the shiny red box on eBay (for at least the "books"
value, so he can justify it) and finally have complete control of his
network.
</rant>
--
Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
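The point Alex makes about RBLs is that a DNS blocklist check keys on the connecting client's IP address; when a firewall proxies SMTP instead of forwarding it transparently, every connection reaches the MTA from the firewall's own address and the lookup becomes meaningless. The following is an added example, not code from the thread or from MailScanner/Postfix, showing how the reversed-octet DNSBL query name is formed and how a log of peer addresses reveals whether the MTA is actually seeing real clients. The zone name `dnsbl.example`, the gateway address and the listing table are constructed for the example; a real deployment would resolve the query name with DNS instead of consulting the in-memory table.

```python
import ipaddress

# Hypothetical DNSBL zone and a constructed, offline stand-in for its
# listings (a listed address resolves to a 127.0.0.x code in a real zone).
ZONE = "dnsbl.example"
CONSTRUCTED_DNSBL = {
    "203.0.113.7": "127.0.0.2",  # constructed listing in a documentation range
}

# Constructed peer-address logs for two deployments of the same gateway.
GATEWAY_IP = "192.0.2.1"  # the firewall's inside address (constructed)
PROXIED = ["192.0.2.1", "192.0.2.1", "192.0.2.1"]          # firewall proxies SMTP
FORWARDED = ["198.51.100.20", "203.0.113.7", "198.51.100.9"]  # transparent forward


def dnsbl_query_name(client_ip, zone=ZONE):
    """Return the standard reversed-octet DNSBL query name for an IPv4 client."""
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(client_ip):
    """Offline stand-in for resolving the query name; returns the code or None.

    In production this would be a DNS A lookup of dnsbl_query_name(client_ip).
    """
    name = dnsbl_query_name(client_ip)
    # The table is keyed by address, but the name is what a resolver would send.
    return CONSTRUCTED_DNSBL.get(client_ip), name


def assess(peer_ips, gateway_ip):
    """Classify each connection and judge whether an MTA-level RBL is usable.

    If every peer address is the gateway itself, the MTA never sees the real
    client and no blocklist lookup can distinguish spammers from anyone else.
    """
    listed = []
    direct = 0
    for peer in peer_ips:
        if peer == gateway_ip:
            continue  # proxied: the real sender is invisible to the MTA
        direct += 1
        code, _name = dnsbl_lookup(peer)
        if code is not None:
            listed.append(peer)
    return {
        "connections": len(peer_ips),
        "direct": direct,
        "proxied": len(peer_ips) - direct,
        "listed": listed,
        "rbl_usable": direct > 0,
    }


if __name__ == "__main__":
    for label, log in (("proxied", PROXIED), ("forwarded", FORWARDED)):
        print(label, assess(log, GATEWAY_IP))
```

Run against the constructed logs, the proxied deployment reports zero direct connections and `rbl_usable: False`, while the transparently forwarded one identifies the listed client; the same check over a real MTA's connection log is a quick way to confirm that a firewall in front of a MailScanner gateway is forwarding rather than proxying.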