mailscanner behind a smtpd frontend
glenn.steen at gmail.com
Mon Feb 13 13:15:15 GMT 2006
On 13/02/06, Alex Neuman van der Hans <alex at nkpanama.com> wrote:
> Glenn Steen wrote:
>> On 13/02/06, Philipp Snizek <philipp.snizek at terreactive.ch> wrote:
>>> c) use a transparent smtpd service
>>
>> Any modern firewall can do port forwarding with only "filtering", that
>> is _no "stateful inspection" or suchlike intervention_.
>>
>> When we introduced Postfix&MailScanner as our "frontend MTA", that was
>> mainly to get out of the bugginess and instability of the infamous
>> SMTP proxy of the firewall we used at the time... (Yours wouldn't
>> happen to be ... red?:-):-) We haven't looked back since. We get
>> better protection and more control... And (due to both the public
>> firewall and the on-box FW) we are confident there is no possibility
>> of ... "traffic leakage".
>>
>> I suppose what I'm advocating is some variant of c).
>
> You *shouldn't* have to use any form of smtpd on the firewall. Check the
> firewall mailing lists; a firewall is a firewall is a firewall, not a
> server. It shouldn't be running any services. It should simply forward
> traffic transparently to your MS gateway.
>
> I have had a ton of problems with some boxes (I'm almost sure they were, in
> fact, red) wanting to proxy the mail. They either keep it to themselves and
> not tell anybody, crash and take the e-mails with them, prevent me from
> using RBLs at the MTA level (all e-mail appears to come from the box),
> process e-mail from shotgun spammers (something I deal with using
> greet_pause), prevent people from using SMTP AUTH properly, ... the list
> goes on.
>
> In fact, I remember a *bank* whose fancy schmancy (and red, now that you
> mention it) box broke once... The "red box guy" they had wasn't available,
> so they called me to see if there was something I could do. I enabled the
> second interface on the server, installed a custom firewall script + dhcp +
> dns (forward and reverse) + transparent squid + squidclamav, and within the
> hour everybody was back to normal... except for the fact that network
> throughput was somehow faster, we had full logging of everything we wanted
> to know about the network and how it was being used, etc. - you guys *know*
> what I'm talking about here.
>
> Unfortunately, the "red box guy" came about 4 hours later and restored
> insanity to the place; people still talk about those glorious 3 hours where
> "the network was fast, e-mail came through instantaneously, and people loved
> one another". The second interface on the server sits waiting for the day
> where the sysadmin will finally be able to work up the guts to sell the
> shiny red box on eBay (for at least the "books" value, so he can justify it)
> and finally have complete control of his network.
>
> Alex Neuman van der Hans
> N&K Technology Consultants
> Tel. +507 214-9002 - http://nkpanama.com/

Quite true Alex, forgive me for the sloppy last sentence.

Actually, you can set up a "red box" like an ordinary (meaning
*normal*) firewall too... Really no need to use 'em like anything
else. Or you can slip them into the closest harbor (really not usable
as an anchor... too little weight... but I'd imagine they make an
entertaining sound "going under":-). Oh well.

All I'm saying is that in situations where your PHB is loath to
switch to another brand, one _can_ make sane use of them.

email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se