quarantine release might lose mail?

Glenn Steen glenn.steen at gmail.com
Fri Dec 18 09:22:55 GMT 2009


2009/12/17 Steve Freegard <steve.freegard at fsl.com>:
> On 17/12/09 16:17, Frank Cusack wrote:
>>
>> On December 17, 2009 3:04:59 PM +0000 Steve Freegard
>> <steve.freegard at fsl.com> wrote:
>>>
>>> Huh? Don't see what this has to do with anything if you use MailScanner
>>> properly.
>>>
>>> It's a *gateway* and should be running as the inbound MX for your domain
>>> and 'Read IP Address from Received Header' should be left well alone.
>>> MailScanner will read the client IP address from the queue file.
>>
>> It is not a gateway. It does not even implement an SMTP client much
>> less a server. It is a filter.
>>
>
> I disagree - if deployed as documented e.g. MTA in -> MailScanner -> MTA out
> - then the sum of the parts can be called a gateway.
>
>>> That's how all of us use it....
>>
>> Apparently not as some solutions using it as other than a gateway are
>> documented. One may not have the network configuration to support
>> using it as a gateway. Just for example, if you have a backup MX
>> server, perhaps you cannot run MailScanner on that server. In which
>> case you MUST have a hop before your MS server so that when mail is
>> forwarded from the backup to the MS server, the source IP is properly
>> interpreted.
>>
>> Or are you saying that everyone using MS "properly" must have enough
>> resources to have a backup MX server on another network and under
>> their direct control.
>>
>
> A very 1990s-style set-up.  Backup MXes that are not within your control are
> spam magnets and should be avoided at all costs.  They will cause
> backscatter unless a lot of care is taken in their configuration.
>
> They need to be configured with as strict rules as the primary systems and
> implement things like recipient verification.
>
>>> I'm going to guess that you're trying to use a single MailScanner system
>>> for inbound and outbound scanning and that you want to apply rules to
>>> your MUA clients separately using the IP address supplied in the Received
>>> headers by your mail server which is using the MailScanner gateway as a
>>> smart host.... if so - run a separate outbound gateway and configure
>>> 'Read IP Address from Received Header' accordingly.
>>
>> That is correct, however just as I am unable to run MS on my MX host
>> I am unable to run MS on my SMTP host (the host which receives mail from
>> users).
>>
>
> Hmmm ... configuration like that leaves you with seriously limited options.
>   No wonder you were asking about the 'bounce' action...
>
>>> If you need anything more complex - then write a CustomFunction on 'Read
>>> IP Address from Received Header' and parse the received headers yourself
>>> and return the correct number back using that.
>>
>> It was much less complex (trivial as I noted) to properly release a
>> queue file from the quarantine.
>>
>
> Ok.
>
> Regards,
> Steve.

Steve is the voice of reason here, Frank, so listen well to his advice.
Given your current situation, I'd seriously think of ditching the
secondary entirely... As is, it doesn't add any security worth
mentioning, only trouble. For real mail sent through real MTAs, a
service outage will be handled (more or less well) via the RFCs
anyway, so ... the use of a secondary is only to try to simulate
something that mail was never designed for, in your case at least, so
... not that great:/
I haven't looked at it lately, but there used to be a fairly
opinionated (but good) wiki page on best practices ... Have a quick
peek at http://wiki.mailscanner.info/doku.php?id=best_practices ...
it's actually worth the read;-)

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
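
The suggestion in the quoted thread to parse the Received headers yourself and return the correct number, sketched as an added example (not part of the original post and not MailScanner code; a real CustomFunction would be Perl). It walks the headers top-down, trusting a header only while the hop that wrote it is one of your own relays; `TRUSTED_RELAYS`, `peer_ip`, `client_hop` and all addresses are hypothetical, constructed names and values.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: relays you operate (backup MX, user-facing SMTP host). Constructed range.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def peer_ip(received):
    """IP the receiving MTA recorded for its peer (the 'from ... [ip]' part only)."""
    from_part = re.split(r"\sby\s", received, maxsplit=1)[0]
    match = _BRACKETED_IP.search(from_part)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None

def client_hop(raw_message, trusted=TRUSTED_RELAYS):
    """Return (1-based Received position, client IP), or None if undeterminable."""
    headers = message_from_string(raw_message).get_all("Received") or []
    for position, header in enumerate(headers, start=1):
        ip = peer_ip(header)
        if ip is None:  # unparseable hop: stop rather than trust anything below it
            return None
        if not any(ip in net for net in trusted):
            return position, str(ip)  # first untrusted peer is the real client
    return None  # every recorded hop was one of our own relays

# Constructed sample: mail relayed through the backup MX, with a forged third header.
VIA_BACKUP = (
    "Received: from backup-mx.example.net (backup-mx.example.net [192.0.2.5])\n"
    "\tby ms.example.net with ESMTP id AAA; Thu, 17 Dec 2009 16:00:00 +0000\n"
    "Received: from sender.example.org (unknown [203.0.113.77])\n"
    "\tby backup-mx.example.net with ESMTP id BBB; Thu, 17 Dec 2009 15:59:00 +0000\n"
    # Written by the sender, so the trusted-looking address here proves nothing.
    "Received: from inside (inside [192.0.2.9])\n"
    "\tby sender.example.org with SMTP id CCC; Thu, 17 Dec 2009 15:58:00 +0000\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: mail delivered straight to the scanning host.
DIRECT = (
    "Received: from mail.example.com (mail.example.com [198.51.100.20])\n"
    "\tby ms.example.net with ESMTP id DDD; Thu, 17 Dec 2009 16:05:00 +0000\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(client_hop(VIA_BACKUP))  # (2, '203.0.113.77')
    print(client_hop(DIRECT))      # (1, '198.51.100.20')
```

Reading bottom-up or taking a fixed position would accept the forged third header in the first sample; stopping at the first untrusted peer does not.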

