mailscanner behind a smtpd frontend trust network

Glenn Steen glenn.steen at gmail.com
Fri Feb 16 11:25:39 CET 2007


On 16/02/07, Ramprasad <ram at netcore.co.in> wrote:
> On Fri, 2007-02-16 at 10:46 +0100, Glenn Steen wrote:
> > On 16/02/07, Ramprasad <ram at netcore.co.in> wrote:
> > > Hello,
> > >
> > >    If the MX is pointed to some machine and is then relayed to my
> > > MailScanner box, how can I configure whitelisted IPs?
> > >
> > > I currently use MailScanner on the MX box with
> > >
> > > MailScanner.conf
> > > -------------------
> > > Is Definitely Not Spam= /path/whitelist
> > >
> > >
> > >
> > > And in the file
> > > -----------------
> > > From: 1.1.1.1 and To: mydomain.com  yes
> > >
> > >
> > >
> > >
> > >
> > > Will this work if I move the MailScanner box behind a smtpd frontend?
> > >
> > If I read you right, I don't think it will. If all mail will
> > "originate" from that "in front" smtp server, the IP address as a
> > criterion would lose any meaning in this context.
> > Why would you want to hide your MailScanner box behind another? If it
> > is a firewall thing (like the icky SMTP proxy in a WatchGuard), simply
> > don't use it, configure it as a simple port forward instead.
> > Cheers
>
> No, I don't want to proxy the MTA. Today my MX machines receive 350k
> messages an hour (16 load-balanced machines) and they do the RBL checks,
> the spam checks, custom whitelist/blacklist, etc.
>
> I need to run a frontend SMTP box to do all the MTA checks and then
> relay the mails to the Scan box. That would mean 60-80% of mails would
> get rejected before reaching the MailScanner machine.
>
>
> But the whitelist/blacklist IPs should work as they were before
>
> Thanks
> Ram

Right. And as I said, I don't think this will work. How would you
preserve the _sending server IP address_ when you effectively
"replace" that with your frontend server IP (as viewed from the
perspective of the MailScanner boxes)?

Might one ask if it wouldn't be better to teach all 16 incoming MTAs
how to drop things fast?
Yes, this would be more administrative work, I can see that. But
functionally you'd be doing pretty much the same, wouldn't you?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
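
Added example (not part of the original message and not MailScanner's own code): a simplified Python model of the point made in the reply above, using the ruleset line quoted in the thread. It assumes the rule's IP is compared with the address of the host that connects to the scanning box; `FRONTEND_IP`, the sample messages and all function names are constructed for illustration.

```python
import ipaddress

# Simplified model of the ruleset line quoted in the thread:
#   From: 1.1.1.1 and To: mydomain.com  yes
# Assumption: the IP in a From: rule is compared with the address of the
# SMTP client that hands the message to the scanning host.
RULES = [("1.1.1.1", "mydomain.com", True)]  # (client IP/network, rcpt domain, verdict)
DEFAULT = False                              # assumed default: not whitelisted

FRONTEND_IP = "192.0.2.10"                   # constructed address of the frontend relay

# Constructed sample traffic: (original sending server IP, recipient)
MESSAGES = [
    ("1.1.1.1", "user@mydomain.com"),        # the sender the whitelist is meant for
    ("203.0.113.7", "user@mydomain.com"),    # an unrelated sender
]


def is_whitelisted(client_ip, rcpt, rules=RULES):
    """First matching rule wins; both the IP and the recipient domain must match."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for net, rule_domain, verdict in rules:
        if ip in ipaddress.ip_network(net) and domain == rule_domain:
            return verdict
    return DEFAULT


def seen_by_scanner(original_client_ip, via_frontend):
    """Address the scanning host sees as the SMTP client."""
    return FRONTEND_IP if via_frontend else original_client_ip


def evaluate(messages, via_frontend, rules=RULES):
    """Whitelist verdict per message, as computed on the scanning host."""
    return [is_whitelisted(seen_by_scanner(ip, via_frontend), rcpt, rules)
            for ip, rcpt in messages]


if __name__ == "__main__":
    # Scanner on the MX: the rule sees the real sending server.
    print("direct:              ", evaluate(MESSAGES, via_frontend=False))
    # Scanner behind the frontend: every message arrives from FRONTEND_IP.
    print("behind frontend:     ", evaluate(MESSAGES, via_frontend=True))
    # Whitelisting the frontend instead exempts every relayed sender.
    relay_rule = [(FRONTEND_IP, "mydomain.com", True)]
    print("frontend whitelisted:", evaluate(MESSAGES, via_frontend=True, rules=relay_rule))
```
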

