MailScanner as mail proxy

Jim Holland mailscanner at mango.zw
Tue Oct 31 14:07:13 GMT 2006


On Tue, 31 Oct 2006, David Lee wrote:

> Date: Tue, 31 Oct 2006 11:47:35 +0000 (GMT)
> From: David Lee <t.d.lee at durham.ac.uk>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: MailScanner as mail proxy
> 
> On Tue, 31 Oct 2006, Marc Lucke wrote:
> 
> > I know this is getting off topic.  I know enough about sendmail to be
> > 99% sure that this question should be on their list.  But any help,
> > ideas or feedback would be welcome.  I'm guessing the MailScanner
> > community would have come across my problem on more than 1 occasion.
> >
> > I run MailScanner on a remote machine to my actual mailserver.  In other
> > words all mail is relayed via the MailScanner box.  This is to stop
> > viruses and spam on the mailserver I have to run which is very limited
> > in such defenses.  It all works great, apart from one annoying problem:
> > if someone sends to an unknown email account (as oft occurs) the
> > MailScanner proxy (for want of a better way to describe it as I'm using
> > it) first accepts the email, attempts delivery, cannot deliver and then
> > tries to notify the sender who doesn't exist.  So I'm lumbered with a
> > billion postmaster non-delivery emails.  I'm keeping up with this quite
> > well, but I'm scared I'll miss a legitimate message because it's buried
> > in garbage.
> >
> > Is there anything I can do to get anything in MailScanner to check with
> > my destination email server that the actual account exists before
> > accepting the email in the first place?
> 
> Even MailScanner would be too late: your overall email system has already
> accepted the email.  To confirm your last paragraph, for unknown
> usernames, you really need to refuse to accept the email in the first
> place.
> 
> You need to do your "refuse to accept" on your Internet boundary: on the
> sendmail listener that runs on your remote (MailScanner) box.  A route you
> probably want to investigate is the "virtuser" table in that remote
> sendmail listener, and having a maintenance procedure that regularly
> populates that table with the valid usernames (and other possible valid
> addresses) on your user-mailserver.

That is the method that I used to use on MANGO, with a script to mail the 
updated virtusertable to the gateway machine and then have it processed by 
another script on arrival.  It works, but is a rather messy approach.  In 
particular, the virtusertable entries redirect mail from one address to 
another address, so you have to change the domain names and then have a 
mailertable entry for the new domain.  However I don't think that sendmail 
itself offers any alternative approach to this problem.

As Steve Freegard wrote:

> You can do this using a sendmail milter . . .
> there is a free alternative (I've never tried it though, so I can't
> comment on its features) at http://smfs.sourceforge.net/smf-sav.html.

I highly recommend it in its latest version, smf-sav v1.4.0.  Not only can
it be used for recipient verification, it can also do sender verification.
Earlier versions had some significant drawbacks, but I now run this
version on a production server and find it extremely useful for SAV and
RAV. If you want any help offline, please feel free to contact me.  The
developer, Eugene Kurmanin, is also extremely helpful and responsive (even
helping me get it running on an ancient RedHat 6.1 box that it was never
intended to be compiled on).

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
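
The virtusertable/mailertable approach described in this message, as an added example that is not part of the original post or of any poster's own scripts. The domain names, mail server host name and user list are constructed assumptions; the entry formats (a tab-separated address rewrite, an `error:nouser` catch-all, and a mailertable route) are standard sendmail map syntax.

```python
import re

# Constructed sample: usernames exported from the internal mail server.
SAMPLE_USERS = ["alice", "bob.smith", "# comment", "", "eve\t@evil", "Carol"]

# Assumed names, for illustration only.
PUBLIC_DOMAIN = "example.org"             # domain the gateway accepts mail for
INTERNAL_DOMAIN = "mbox.example.org"      # rewritten domain, routed by mailertable
MAILSERVER = "mail.internal.example.org"  # the real (internal) mail server

# Strict local-part whitelist: the list arrives from another machine, so a
# tab, newline or '@' must never reach the map source and inject an entry.
_LOCALPART = re.compile(r"[a-z0-9][a-z0-9._+-]{0,63}")


def build_tables(users, public, internal, mailserver):
    """Return (virtusertable_text, mailertable_text, rejected_entries)."""
    valid, rejected = set(), []
    for raw in users:
        name = raw.strip().lower()
        if not name or name.startswith("#"):
            continue                      # blank line or comment
        if _LOCALPART.fullmatch(name):
            valid.add(name)
        else:
            rejected.append(raw)          # report, never write to the map
    if not valid:
        # A truncated transfer would otherwise publish only the catch-all
        # and make the gateway refuse mail for every user.
        raise ValueError("no valid users; refusing to build tables")
    # Known users: rewrite to the internal domain so mailertable can route them.
    lines = [f"{u}@{public}\t{u}@{internal}" for u in sorted(valid)]
    # Catch-all: every unlisted address maps to sendmail's error mailer.
    lines.append(f"@{public}\terror:nouser User unknown")
    virtusertable = "\n".join(lines) + "\n"
    # Route the rewritten domain to the internal server; [] skips MX lookup.
    mailertable = f"{internal}\tesmtp:[{mailserver}]\n"
    return virtusertable, mailertable, rejected


if __name__ == "__main__":
    vt, mt, bad = build_tables(SAMPLE_USERS, PUBLIC_DOMAIN,
                               INTERNAL_DOMAIN, MAILSERVER)
    print(vt, mt, f"rejected: {bad!r}", sep="\n")
```

The two outputs are map sources: on the gateway they still have to be compiled with makemap before sendmail uses them.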