mailscanner behind a smtpd frontend

Alex Neuman van der Hans alex at nkpanama.com
Mon Feb 13 12:55:16 GMT 2006



Glenn Steen wrote:
> On 13/02/06, Philipp Snizek <philipp.snizek at terreactive.ch> wrote:
>> c) use a transparent smtpd service
>
> Any modern firewall can do port forwarding with only "filtering", that
> is _no "stateful inspection" or suchlike intervention_.
> When we introduced Postfix&MailScanner as our "frontend MTA", that was
> mainly to get out of the bugginess and instability of the infamous
> SMTP proxy of the firewall we used at the time...  (Yours wouldn't
> happen to be ... red?:-):-) We haven't looked back since. We get
> better protection and more control... And (due to both the public
> firewall and the on-box FW) we are confident there is no possibility
> of ... "traffic leakage".
> I suppose what I'm advocating is some variant of c).
<rant>
You *shouldn't* have to use any form of smtpd on the firewall. Check the 
firewall mailing lists; a firewall is a firewall is a firewall, not a 
server. It shouldn't be running any services. It should simply forward 
traffic transparently to your MS gateway.

I have had a ton of problems with some boxes (I'm almost sure they were, 
in fact, red) wanting to proxy the mail. They either keep it to 
themselves and don't tell anybody, crash and take the e-mails with them, 
prevent me from using RBLs at the MTA level (all e-mail appears to come 
from the box), process e-mail from shotgun spammers (something I deal 
with using greet_pause), prevent people from using SMTP AUTH properly, 
... the list goes on.

In fact, I remember a *bank* whose fancy schmancy (and red, now that you 
mention it) box broke once... The "red box guy" they had wasn't 
available, so they called me to see if there was something I could do. I 
enabled the second interface on the server, installed a custom firewall 
script + dhcp + dns (forward and reverse) + transparent squid + 
squidclamav, and within the hour everybody was back to normal... except 
for the fact that network throughput was somehow faster, we had full 
logging of everything we wanted to know about the network and how it was 
being used, etc. - you guys *know* what I'm talking about here.

Unfortunately, the "red box guy" came about 4 hours later and restored 
insanity to the place; people still talk about those glorious 3 hours 
where "the network was fast, e-mail came through instantaneously, and 
people loved one another". The second interface on the server sits 
waiting for the day where the sysadmin will finally be able to work up 
the guts to sell the shiny red box on eBay (for at least the "books" 
value, so he can justify it) and finally have complete control of his 
network.

</rant>

-- 

Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
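The complaint above that a proxying firewall makes "all e-mail appear to come from the box" is worth seeing concretely, because it is exactly what defeats an RBL (DNSBL) check at the MTA. The following is an added illustration, not code from the poster or from MailScanner: it builds the standard reversed-octet DNSBL query name and then simulates the MTA's check twice, once with transparent forwarding (the MTA sees the real client address) and once behind a proxying firewall (the MTA only ever sees the firewall's own address). The blocklist zone `dnsbl.example`, the listed address, the firewall address and the stub resolver are all constructed here so that it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a DNSBL zone: maps query names to the A record a
# real zone would return for a listed address. Nothing here does live DNS.
CONSTRUCTED_ZONE = "dnsbl.example"
CONSTRUCTED_LISTED: Dict[str, str] = {
    "4.3.2.1.dnsbl.example": "127.0.0.2",  # 1.2.3.4 is "listed"
}


def dnsbl_query_name(client_ip: str, zone: str = CONSTRUCTED_ZONE) -> str:
    """Return the DNSBL lookup name for an IPv4 client: octets reversed, then zone.

    e.g. 1.2.3.4 against dnsbl.example -> 4.3.2.1.dnsbl.example
    """
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def stub_resolve(name: str) -> Optional[str]:
    """Stub resolver: answers only from the constructed zone data."""
    return CONSTRUCTED_LISTED.get(name)


def is_listed(client_ip: str,
              zone: str = CONSTRUCTED_ZONE,
              resolve: Callable[[str], Optional[str]] = stub_resolve) -> bool:
    """True if the DNSBL returns an A record (i.e. the address is listed)."""
    return resolve(dnsbl_query_name(client_ip, zone)) is not None


def mta_rbl_check(real_client_ips: List[str],
                  transparent_forwarding: bool,
                  firewall_ip: str) -> List[Tuple[str, str, bool]]:
    """Simulate the RBL decision the MTA makes for each inbound connection.

    With transparent forwarding the MTA sees the real peer address and the RBL
    lookup is meaningful. Behind a proxying firewall every connection arrives
    from firewall_ip, so the lookup is made against the firewall's own address
    for every sender and can never distinguish a listed host from a clean one.
    Returns (real client, address the MTA saw, listed?) per connection.
    """
    results = []
    for real_ip in real_client_ips:
        seen_ip = real_ip if transparent_forwarding else firewall_ip
        results.append((real_ip, seen_ip, is_listed(seen_ip)))
    return results


if __name__ == "__main__":
    # Constructed sample: one listed client, one clean client, and a firewall
    # address that is not in the zone.
    clients = ["1.2.3.4", "198.51.100.7"]
    firewall = "203.0.113.1"
    print("transparent forwarding:", mta_rbl_check(clients, True, firewall))
    print("proxying firewall:     ", mta_rbl_check(clients, False, firewall))
```

In the transparent case the listed client is rejected and the clean one accepted; in the proxied case both rows show the same seen address and the same (negative) verdict, which is the "RBLs at the MTA level stop working" effect described in the post. The same loss of the real peer address is why connection-time checks such as greet_pause, which judge the remote client's behaviour on the socket, end up judging the proxy instead.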
