Smith wrote:
After mulling over the idea of having a virus/spam filter on an MTA, I
believe that the best solution is to use an enterprise anti-virus
program like Norton Anti-Virus and an email client that supports
Bayesian spam filtering. The setup should be where the anti-virus
server downloads the latest updates and sends them to each Windows
workstation to update their Norton Anti-Virus client. Why?
1. If you have a bunch of Windows workstations, you would need this
setup anyway even if you have a virus-filtered MTA. A virus-filtered
MTA couldn't stop CEO John Doe from getting infected if he accessed his
Hotmail account. Or Jane Smith from taking her laptop home, connecting
it to her cable modem, getting infected and then infecting everyone
else when she comes back to work. Or Jack Daniels bringing in an
infected floppy disk.
2. Have the workstations do all the work, not the MTA.
3. No need to add 3rd party software to your MTA, thus avoiding
security holes and program bugs.
4. If spam gets through, have the email client do all the work with
Bayesian spam filtering, not your MTA.
But of course, I say this based on the assumption that your MTA is
OpenBSD using sendmail and OpenBSD's spamd. Why?
1. No need to add 3rd party software. Thus you take full advantage of
OpenBSD's quality assurance and security auditing. Plus you don't have
to keep track of all the security and bug issues of each 3rd party
software you install, just OpenBSD.
2. Most viruses and spam come from a compromised machine (typically
Windows) that acts as an unauthorized MTA. If you use OpenBSD's spamd,
receiving viruses and spam from them is mitigated.
I find your reasoning mostly sound, but improvable for three reasons:
1. Workstations often have Norton disabled, through user ignorance,
carelessness or automatically by malware. This opens a channel
for viruses sent by known and (foolishly) trusted correspondents.
2. Open source virus tools like ClamAV use an independent database
that is often updated sooner than Norton et al. and is often
more comprehensive.
3. It is a belt and suspenders world. Having two chances of blocking
a virus is better than one.
My preferred mail arrangement for small offices (I have built others)
looks like this:
Unfiltered Internet
|
V
MTA (sendmail/graylisting) RELAY
|
V
Firewall (tunnel)
|
V
MTA (sendmail/ClamAV) LOCAL_DELIVERY
|
V
Workstations (Norton/virus blocking)
(Thunderbird/spam filter)
Those Windows users who insist on using Outlook just have
to eat the remaining spam.
Just my opinion.
Ray
Those are just my thoughts; I'm interested in any constructive criticisms.
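Both posts above lean on spamd's greylisting to keep spam cannons and worm-infected Windows boxes from ever reaching the real MTA. As an added illustration, not spamd's own code, here is that mechanism in Python: a connection is keyed on (source IP, envelope sender, envelope recipient); the first attempt is tempfailed; a retry after passtime but before the grey entry expires whitelists the source IP; a sender that never retries never gets in. The timing constants are spamd's documented defaults (passtime 25 min, greyexp 4 h, whiteexp 36 h x 24 = 36 days); the IPs and addresses in the simulation are constructed sample data.

```python
"""Greylisting in the style of OpenBSD's spamd (added illustration, not spamd code).

Tuples (ip, sender, rcpt) go into a grey table on first sight and are
tempfailed.  A retry of the same tuple at least PASSTIME seconds later, and
before the entry ages out after GREYEXP, moves the source IP to the
whitelist, where it stays until WHITEEXP seconds after its last delivery.
In a real deployment pf redirects unknown sources to spamd and whitelisted
IPs straight to sendmail; this class only models the decision logic.
"""

PASSTIME = 25 * 60          # spamd default: 25 minutes before a retry counts
GREYEXP = 4 * 3600          # spamd default: grey entries expire after 4 hours
WHITEEXP = 36 * 24 * 3600   # spamd default: 864 hours (36 days) since last delivery

TEMPFAIL = "451 Temporary failure, please try again later."
PASS = "250 OK, whitelisted source"


class Greylister:
    def __init__(self):
        self.grey = {}    # (ip, sender, rcpt) -> time first seen
        self.white = {}   # ip -> expiry time

    def _expire(self, now):
        """Drop grey tuples that were never retried and stale whitelist entries."""
        self.grey = {k: t for k, t in self.grey.items() if now - t < GREYEXP}
        self.white = {ip: exp for ip, exp in self.white.items() if exp > now}

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply the connecting client should get at RCPT time."""
        self._expire(now)
        if ip in self.white:
            self.white[ip] = now + WHITEEXP     # whiteexp counts from the last delivery
            return PASS
        key = (ip, sender, rcpt)
        first_seen = self.grey.get(key)
        if first_seen is None:
            self.grey[key] = now                # first sight: greylist and tempfail
            return TEMPFAIL
        if now - first_seen < PASSTIME:
            return TEMPFAIL                     # retried too soon; still greylisted
        # A patient retry within the window: this is a real MTA with a queue.
        self.white[ip] = now + WHITEEXP
        self.grey = {k: t for k, t in self.grey.items() if k[0] != ip}
        return PASS


def simulate():
    """Constructed sample traffic: one legitimate MTA that retries, one spam
    source that fires once and never comes back.  Returns the reply codes in
    order plus the final whitelist."""
    g = Greylister()
    t0 = 1_000_000
    legit = ("192.0.2.10", "alice@example.org", "bob@example.com")     # constructed
    spam = ("198.51.100.7", "x@spam.invalid", "bob@example.com")       # constructed
    codes = [
        g.check(*legit, t0)[:3],                   # first sight -> 451
        g.check(*spam, t0)[:3],                    # first sight -> 451, never retries
        g.check(*legit, t0 + 5 * 60)[:3],          # retry before passtime -> 451
        g.check(*legit, t0 + 30 * 60)[:3],         # retry after passtime -> 250, IP whitelisted
        g.check(legit[0], "carol@example.org", legit[2], t0 + 31 * 60)[:3],  # same IP -> 250
        g.check(*spam, t0 + 5 * 3600)[:3],         # grey entry aged out: starts over -> 451
    ]
    return codes, sorted(g.white)


if __name__ == "__main__":
    codes, white = simulate()
    print("replies:", codes)
    print("whitelisted IPs:", white)
```

The fourth and fifth checks are the property Smith relies on: once the legitimate relay has proved it keeps a queue, every sender behind that IP passes without delay, while the one-shot spam source is still being told 451 four hours later.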
L. V. Lammert wrote:
We're planning on upgrading some mail servers with 3.7, but we're
having an internal 'debate' over the architecture.
Keeping things simple (sendmail - don't need another MTA debate!), the
question is three-fold:
1) Vilter/Milter - using sendmail to scan incoming messages in real time.
Pro: Reject messages before being accepted.
Con: Possibility of locking up sendmail daemon; performance
hit for large messages.
2) MailScanner - passing emails to external programs for virus/spam
scanning.
Pro: Can be restarted automatically if a scan crashes.
Con: Messages are accepted even if invalid.
3) Amavisd - alternative to MailScanner, same architecture
4) Cyrus - doesn't seem to be either a package or a complete port in the tree?
There are a variety of notes available, but not a lot of good
information about *why*. Prefer to stay with sendmail as it's in the
base install, and we have used SM/MS/ClamAV/SA in the past with some
success so there's a little inertia towards that solution.
Any pointers to good resources for details would be greatly appreciated.
Lee
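The pro/con lists in Lee's options 1 and 2 come down to when the scanner sees the message relative to the SMTP reply. As an added illustration (not code from sendmail, MailScanner, amavisd or any real milter), the Python below plays the receiving MTA through one constructed SMTP transaction twice: once with an end-of-DATA milter, where the verdict becomes the reply to the terminating "." and an unreachable filter is handled the way sendmail's INPUT_MAIL_FILTER F= flag dictates (R rejects, T tempfails, no flag accepts unscanned); and once with a post-queue scanner, where the reply is 250 before the scanner runs and the only remaining choices are deliver or quarantine. The "scanner" is a stand-in that flags the EICAR test string; the hostnames, addresses and message bodies are constructed sample data.

```python
"""SMTP-time (milter) versus post-queue content scanning, added illustration.

Not code from sendmail, MailScanner, amavisd or any real milter: a small
model of the receiving MTA's side of one transaction, with the content
check stubbed by the EICAR anti-virus test string.
"""

# The EICAR test string is the industry-standard harmless file that every
# scanner is expected to flag; it stands in for a real virus signature here.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def content_scan(body):
    """Stand-in for ClamAV: True when the body carries the EICAR test string."""
    return EICAR in body


def smtp_transaction(body, end_of_data_reply):
    """Receiving MTA for one constructed client session, returned as
    (client line, server reply) pairs.  Everything is fixed except the reply
    to the terminating '.', which end_of_data_reply(body) supplies: that is
    the one point where the two architectures differ."""
    client = ["EHLO client.example.org",          # constructed sample session
              "MAIL FROM:<alice@example.org>",
              "RCPT TO:<bob@example.com>",
              "DATA", ".", "QUIT"]
    canned = {"EHLO": "250 mx.example.com", "MAIL": "250 2.1.0 sender ok",
              "RCPT": "250 2.1.5 recipient ok",
              "DATA": "354 end data with <CR><LF>.<CR><LF>", "QUIT": "221 2.0.0 bye"}
    transcript = [(None, "220 mx.example.com ESMTP")]
    for line in client:
        if line == ".":
            transcript.append((line, end_of_data_reply(body)))
        else:
            transcript.append((line, canned[line.split()[0]]))
            if line == "DATA":
                transcript.append((f"<{len(body)} bytes of message>", None))
    return transcript


def milter_reply(body, unavailable=False, flag=""):
    """End-of-DATA milter: the scan runs while the session is still open, so
    the verdict is the SMTP reply and the sender keeps the problem (Lee's
    option 1 pro).  `flag` mirrors the F= option of sendmail's
    INPUT_MAIL_FILTER for a filter that cannot be reached: R rejects, T
    tempfails, and no flag lets the message through unscanned."""
    if unavailable:
        return {"R": "554 5.7.1 content filter unavailable",
                "T": "451 4.7.1 content filter unavailable, try again later"
                }.get(flag, "250 2.0.0 message queued (filter skipped)")
    if content_scan(body):
        return "554 5.7.1 message rejected: virus found"
    return "250 2.0.0 message queued"


def queue_reply(body):
    """Post-queue scanner (MailScanner/amavisd style): sendmail has nothing
    to scan with at this point, so it accepts responsibility with 250 no
    matter what the body holds (Lee's option 2 con)."""
    return "250 2.0.0 message queued"


def queue_scan(body):
    """What the out-of-band scanner can still do once the message is ours."""
    return "quarantined" if content_scan(body) else "delivered"


def data_reply(transcript):
    """The reply given to the terminating '.' of DATA."""
    return next(reply for line, reply in transcript if line == ".")


CLEAN = "Subject: lunch\r\n\r\nSee you at noon.\r\n"          # constructed
INFECTED = "Subject: invoice\r\n\r\n" + EICAR + "\r\n"         # constructed


def outcomes():
    """Reply codes (and post-queue verdict) for the interesting cases."""
    return {
        "milter_clean": data_reply(smtp_transaction(CLEAN, milter_reply))[:3],
        "milter_infected": data_reply(smtp_transaction(INFECTED, milter_reply))[:3],
        "milter_down_T": data_reply(smtp_transaction(
            INFECTED, lambda b: milter_reply(b, unavailable=True, flag="T")))[:3],
        "milter_down_default": data_reply(smtp_transaction(
            INFECTED, lambda b: milter_reply(b, unavailable=True)))[:3],
        "queue_infected": (data_reply(smtp_transaction(INFECTED, queue_reply))[:3],
                           queue_scan(INFECTED)),
    }


if __name__ == "__main__":
    for line, reply in smtp_transaction(INFECTED, milter_reply):
        if line is not None:
            print("C:", line)
        if reply is not None:
            print("S:", reply)
    print(outcomes())
```

The "milter_down_default" case is the shape of Lee's option 1 con: when the filter hangs or dies and no F= flag was set, sendmail keeps accepting mail that nothing has scanned, so anyone running a milter wants F=T (or F=R) rather than the default, and a supervisor that restarts the scanner.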