Weird Problem with MailScanner

Scott Silva ssilva at sgvwater.com
Mon Oct 22 21:51:50 IST 2007


on 10/22/2007 12:00 PM Kevin Miller spake the following:
> Damian Rivas wrote:
>> I have sendmail, not postfix as my MTA. I've been checking and I have
>> to download some packages like access_db to prevent Backscattering. 
>>
>> I'll explain how things work here so that you can give me more
>> accurate advice: 
>>
>> I have a MX Linux server on the outside which is the one
>> experiencing the weird problem, caused surely by the backscattering.
>> Then, I have an internal MS Exchange 2003 server which receives the
>> filtered and scanned mails and sends the mails via SMTP to the MX
>> Linux Server to be scanned before being sent.
>>
>> I can activate SMTP filtering in Exchange but the problem is that it
>> checks the contacts in AD, if I don't have that contact it doesn't
>> send the mail. Why is it a problem? As I stated before, this is a
>> Travel Agency and is constantly receiving mails from new hotels,
>> airlines, agencies, etc. With "new" I mean that they were unknown
>> contacts until the reception of their mail, therefore their domain is
>> not identified as a trusted or real one. So, if I use the MS Exchange
>> filtering this will likely block the answers to these new domains.
>>
>> So the filtering, in my opinion should be done only in the
>> MailScanner server, the thing is that I want to know which is your
>> recommendation to build the filtering on sendmail and if there can be
>> a solution with the MS Exchange filtering, perhaps I misunderstood
>> the documentation.    
> 
> Hi Damian,
> 
> I don't understand your problem with contacts above.  Is it Exchange or
> MailScanner that is not trusting the new domain and blocking it?  What
> rule does that?  Guess I'm not doing smtp filtering in Exchange.  That's
> what MailScanner is for. <g>
> 
> I'm set up in a similar manner here, with an Exchange 2003 server on the
> inside and MailScanner gateways doing the filtering.  New people are
> constantly sending to us, and the mail comes in fine.  Replies go out
> fine.  
> 
> One difference I'm doing is allowing the Exchange server to send
> directly rather than route outbound mail through MailScanner.  I'm not
> an ISP, so can more or less trust my users not to be spammers.  You may
> or may not have that luxury.  But if you can do that, it will reduce the
> load on your MailScanner server.
> 
> There's a couple things I'd do on the sendmail side if you haven't
> already.  One is to activate the greet pause feature.  Put this line in
> your sendmail.mc file (or enable it if it's already there by removing
> the dnl at the beginning of the line), then rebuild your sendmail.cf
> file.
> 
>   FEATURE(`greet_pause',  `10000')dnl
> 
> What it does, is tell the sending server to wait for 10 seconds.
> Spammers usually won't wait and just drop the connection.  Legitimate
> servers will.  You can whitelist servers to not be greetpaused in your
> access file (/etc/mail/access).  For example the following entries will
> cause connections from google.com and connections from the ip range
> 192.168.1.x to be accepted w/o delay.  You'd typically put your own IP
> range in there, and any legitimate mail servers/domains that have a
> problem.  Beyond a couple entries early on I haven't had any trouble
> with it.  
> 
>   GreetPause:192.168.1    0
>   GreetPause:google.com   0
> 
> I'm also using a couple of milters: smf-sav and smf-spf (see
> http://smfs.sourceforge.net/smf-sav.html).  Those are quite useful.  You
> should set up spf records in your dns, then add the smf-spf milter to
> your sendmail.  Then smf-sav will be particularly useful in that it does
> both sender and recipient verification.  You will have to whitelist some
> domains if you use sender verification but I haven't found it
> problematic.
> 
> You'll have to tweak your Exchange server to filter out messages for
> non-existing users.
> Instructions here: 
>   http://www.fsl.com/support/Milter-Ahead-Exchange-Settings.pdf
> 
> These things will let you block a lot of spam at the MTA level - that
> is, sendmail will drop the connection before anything is passed to
> MailScanner, thus saving a lot of CPU cycles.
> 
> Hope this helps...
> 
> ...Kevin
Slackware 9 has sendmail 8.12, so he won't have greetpause. That came out in 8.13.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
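
A preflight check for the two points in this message, the FEATURE line in sendmail.mc and the 8.13 version requirement, as an added example that is not part of the original post. The function names and the SAMPLE_* inputs are constructed for illustration; the banner format assumed is the "Version x.y.z" line printed by `sendmail -d0.1 -bv root`.

```shell
#!/bin/sh
# Added example: preflight check before enabling greet_pause.
# SAMPLE_* values are constructed for illustration, not from a real host.

# Print the x.y.z from the "Version x.y.z" line of `sendmail -d0.1 -bv root`.
sendmail_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if version $1 is 8.13 or newer, 1 if older, 2 if unparseable.
supports_greet_pause() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt 8 ] && return 0
    [ "$major" -eq 8 ] && [ "$minor" -ge 13 ]
}

# Read sendmail.mc on stdin; succeed only if the FEATURE line is active,
# i.e. not commented out with a leading dnl.
greet_pause_active() {
    grep -Eq '^[[:space:]]*FEATURE\(`greet_pause'
}

# Verdict for a host: $1 = version banner text, $2 = sendmail.mc contents.
# Returns 1 when the mc file enables a feature the binary cannot provide.
preflight() {
    ver=$(sendmail_version "$1")
    if printf '%s\n' "$2" | greet_pause_active; then want=yes; else want=no; fi
    if supports_greet_pause "$ver"; then
        echo "sendmail $ver: greet_pause supported, enabled in mc: $want"
    elif [ "$want" = yes ]; then
        echo "sendmail $ver: greet_pause enabled in mc but needs 8.13+"; return 1
    else
        echo "sendmail $ver: greet_pause unavailable (needs 8.13+)"
    fi
}

SAMPLE_BANNER='Version 8.12.11
 Compiled with: DNSMAP LOG MILTER'
SAMPLE_MC=$(cat <<'EOF'
FEATURE(`access_db')dnl
FEATURE(`greet_pause', `10000')dnl
EOF
)
preflight "$SAMPLE_BANNER" "$SAMPLE_MC" || true
```

On a live host, pass `"$(sendmail -d0.1 -bv root)"` and `"$(cat /etc/mail/sendmail.mc)"` to `preflight` in place of the samples.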


