Mail System Redesign

Koopmann, Jan-Peter jan-peter at koopmann.eu
Thu Jul 12 08:23:34 IST 2007


Hi,

> What we have right now is FreeBSD MX boxes running Postfix for an MTA
> that are screening email for RFC compliance, and against several
> DNSBLs

Good choice. If you want to make your life a bit simpler regarding RFC
compliance and tons of other very interesting tests, google for
BarricadeMX from Fort Systems, since this will really help you. Your
Postfix configuration will be a lot simpler and more spam will be
rejected at MTA level.

> (as well as "does this user exist in our LDAP directory?") -- anything
> that fails is rejected, anything that passes continues on.  After
> that,
> we're running MailScanner on the messages, and tagging according to
> SpamAssassin (configured with sitewide rules because that's how
> MailScanner does things).

You can tweak some things like individual spamscores, white/black lists
with MailWatch. Only to a certain extent but it might help you.

> I have a few problems with this setup.  The first is user
> dissatisfaction.  They want the ability to white and black list
> individual senders (and possibly domains), preferably as close to the
> beginning of the process as possible.  

As said before, MailWatch can help you with this a bit. However, the
black/whitelists will be handled during the MailScanner phase and not at the
MTA phase, which might not satisfy you. Of course the MailWatch database
structure is not too complicated and you could use the corresponding
MySQL table with Postfix (with Exim at least it is possible, so Postfix
should be able to do this as well). If speed is an issue you could
periodically create a black/whitelist lookup table in a more suitable
format and use that. I would have to take a look at Barricade MX again,
but possibly you could use BMX as well for this.

> The third is upper management suggesting that we might look to move to
> an Exchange server for handling user accounts at some point in the
> future, and as much of the white and blacklisting functionality should
> continue to exist if users edit their .forward files to show a
> completely different system (such as Exchange.  Ugh).

Starting with Exchange 2003 it is a much better system than most
imagine. It greatly depends on what you want to achieve. Exchange works
great together with Outlook, gives you a great Web access and you could
easily offer services like POP, IMAP, RPC over HTTPS, HTTPS access.
Outlook users will love the functionality and your users could share
data. Moreover campus-wide public folders could be a nice gimmick as
well. If redundancy is an issue setting up an Exchange Cluster will give
you all the redundancy you need. If however 99% of your users are not
using Outlook but things like Thunderbird and IMAP/POP, Exchange will
not really give you any benefit.

That being said, Exchange works with MailWatch, SpamAssassin etc. Have a
look at SMTPTracker so that the SpamAssassin scores will be translated
to the Exchange Spam Confidence Level. Low-scoring spam that is being
delivered to Exchange will then automatically be delivered to the user's Junk
E-Mail folder. The user can then use Outlook's own Junk E-Mail
functionality and override the action permanently by
whitelisting/blacklisting the sender. Advantage: The user does not have
to leave Outlook/Outlook Web Access and log in to a secondary system like
MailWatch. Pretty simple to use and very easy to maintain.

> Does anyone have any wisdom on this situation that they'd care to
> express?

My recommendation:

- Barricade MX as first line of defense on at least two MX servers
- Postfix/Exim/Sendmail as MTA. Not really worth discussing which one to
use as it really does not matter if you use Barricade MX.
- MailScanner/SpamAssassin as second line of defense
- Exchange (possibly cluster) with SMTPTracker on it (it is only about $40)
- Outlook, Outlook Web Access as preferred user agents (or Entourage for
Mac OS X), IMAPS/POPS as secondary offering

Kind regards,
  JP
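The reply above suggests periodically exporting the MailWatch white/black lists into a lookup table Postfix can read at the MTA phase. The following is an added example, not code from the original post or from the MailWatch or Postfix projects, showing one way to turn such rows into a Postfix access(5) map. The row layout (a scope column plus a sender column, with the site-wide scope called "default") is an assumption standing in for MailWatch's real schema, and the sample rows are constructed. Two defender-side design choices are built in: entries that appear in both lists resolve to REJECT (the safer default), and per-user rows are skipped because a flat sender access map in `smtpd_sender_restrictions` is evaluated without knowledge of the recipient.

```python
"""Build a Postfix access(5) map from MailWatch-style white/black list rows.

Added example; the row format below is a hypothetical stand-in for the real
MailWatch tables, not their actual schema.
"""

import re

# Constructed sample rows: (scope, sender). Scope "default" is assumed to be
# the site-wide list; anything else is treated as a per-user entry.
SAMPLE_WHITELIST = [
    ("default", "Newsletter@Example.org"),
    ("default", "partner.example"),
    ("alice@example.edu", "friend@example.com"),   # per-user: cannot go to MTA
]
SAMPLE_BLACKLIST = [
    ("default", "spammer@example.net"),
    ("default", "newsletter@example.org"),          # conflict with whitelist
    ("default", "Not A Valid Entry"),               # garbage row
]

# Conservative syntax checks: a bare domain with at least one dot, or
# local-part@domain. Postfix matches both key forms in an access map.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
LOCAL_RE = re.compile(r"^[a-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


def normalize_entry(raw):
    """Return a lower-cased access-map key, or None if the row is unusable."""
    entry = raw.strip().lower()
    if entry.count("@") == 1:
        local, domain = entry.split("@")
        if LOCAL_RE.match(local) and DOMAIN_RE.match(domain):
            return entry
        return None
    if "@" not in entry and DOMAIN_RE.match(entry):
        return entry
    return None


def build_access_map(whitelist_rows, blacklist_rows,
                     site_scope="default",
                     reject_text="REJECT Sender is blacklisted"):
    """Merge both lists into {key: action}; returns (mapping, skipped).

    Whitelist rows are applied first so that a blacklist row for the same
    key overwrites it: when the lists disagree, rejecting is the safer default.
    """
    mapping = {}
    skipped = []
    for action, rows in (("OK", whitelist_rows), (reject_text, blacklist_rows)):
        for scope, raw in rows:
            if scope != site_scope:
                skipped.append((raw, "per-user entry, not expressible in a sender map"))
                continue
            key = normalize_entry(raw)
            if key is None:
                skipped.append((raw, "not a valid address or domain"))
                continue
            mapping[key] = action
    return mapping, skipped


def render_access_map(mapping):
    """Render the map as text suitable for `postmap hash:/etc/postfix/sender_access`."""
    if not mapping:
        return ""
    width = max(len(k) for k in mapping)
    return "".join(f"{k.ljust(width)}  {v}\n" for k, v in sorted(mapping.items()))


if __name__ == "__main__":
    table, dropped = build_access_map(SAMPLE_WHITELIST, SAMPLE_BLACKLIST)
    print(render_access_map(table), end="")
    for raw, reason in dropped:
        print(f"# skipped {raw!r}: {reason}")
```

Write the rendered text to a file such as /etc/postfix/sender_access, run `postmap` on it, and reference it with `check_sender_access hash:/etc/postfix/sender_access` placed before the DNSBL checks in `smtpd_sender_restrictions`, otherwise the whitelist never gets a chance to act. Keep in mind that `OK` ends evaluation of that restriction list, so a whitelisted envelope sender also skips every later check in the same list, and envelope senders are trivially forgeable; that is why the conservative merge above lets a blacklist entry win and why per-user entries are kept out of the MTA-level map.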

