scanning on both primary and second MX servers

Logan Shaw lshaw at emitinc.com
Tue May 2 00:20:09 IST 2006


Hey everyone,

I've been working on setting up MailScanner at the site where
I admin (previously we had no spam filtering at all), and so
far I've got it working pretty well on the main mail server.
We have a backup MX server (which we control) as well, but I
hadn't set up MailScanner on that machine at all; I made the
decision that it wasn't necessary based on the fact that all
that mail will eventually go through the MailScanner machine
anyway, so it should be able to do all the filtering.

Now I've reached the point where I think realtime blacklisting
needs to be part of our spam solution.  I set it up on our
primary mailserver (which receives via SMTP, runs MailScanner,
and also is the POP3/IMAP server), and everything seems OK,
except for one thing:  the realtime blacklisting doesn't do
squat to filter out spams that hit our backup MX server first.
The reason is fairly obvious:  on our MailScanner machine,
the mail appears to be coming from a host that's OK, whereas
on the backup MX machine, there is no blacklisting.

So, I thought I had a solution:  install MailScanner on the
backup MX as well.  Then blacklisting will be in effect over
there, and everything's great, theoretically.  I installed all
that, and just now I realized the flaw in that plan.  I now
get two sets of headers because the messages are being scanned
twice by two different machines.  (I get "X-Spam-Status: Yes,
Yes" and stuff like that.)

Now I'm starting to believe I need to rethink my filtering
strategy, but I'm not sure what the best solution is.  It seems
like I could solve this problem by making all our public MX
records (both primary and secondary) MailScanner machines and
having them both forward on to a third machine (which would run
POP3/IMAP), but this is complicated, and we're a small company
that probably can't easily spare another server-grade machine.
Is there any other solution?  Should I just remove MailScanner
from the backup MX and fall back to doing realtime blacklisting
through sendmail's DNSBL feature?  That could work, but right
now the policy is "always tag, never discard" spam, and I
would have to delete spam if I had sendmail do that filtering.

Thanks for any advice anyone can offer.

   - Logan
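
The effect described in the post, as an added example that is not part of the original message: the primary only sees the backup MX as the connecting host, while the address a blacklist would need is the one the backup MX itself recorded. All hostnames, addresses, the trusted-relay set and the DNSBL zone name are constructed placeholders.

```python
import email
import ipaddress
import re

# Constructed sample: a message that hit the backup MX first and was then
# relayed to the primary. Addresses come from documentation ranges.
RAW = """\
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby mail.example.com with ESMTP id AAA111; Tue, 2 May 2006 00:10:05 +0000
Received: from unknown.example.net (unknown.example.net [203.0.113.77])
\tby mx2.example.com with ESMTP id BBB222; Tue, 2 May 2006 00:10:01 +0000
From: sender@example.net
To: user@example.com
Subject: constructed test message

body
"""

TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.20")}  # assumed: our own backup MX
DNSBL_ZONE = "dnsbl.example.org"                        # placeholder zone name
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw_message):
    """Return the bracketed client IP of each Received header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = BRACKETED_IP.search(header)
        if not match:
            continue
        try:
            hops.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
    return hops

def first_untrusted(hops, trusted):
    """Skip hops we operate ourselves. The first remaining hop was recorded by
    one of our own machines; anything older could be forged by the sender."""
    for ip in hops:
        if ip not in trusted:
            return ip
    return None

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """IPv4 DNSBL convention: reversed octets prepended to the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone
```

Here `relay_ips(RAW)[0]` is the backup MX (what a connection-level check on the primary looks up), and `first_untrusted(...)` is the host that actually delivered the message to the site.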

