Many thanks for your solution based on using the local sendmail installation. That makes sense and sendmail will then be taking care of routing the mails to the qmail server, a nice solution which I will give a go. So is this basically the only solution if someone wants to use spamd on a dedicated box?
----- Original Message -----
From: Benny Lofgren <bl-li...@lofgren.biz>
To: ML mail <mlnos...@yahoo.com>
Cc: "misc@openbsd.org" <misc@openbsd.org>
Sent: Tuesday, October 25, 2011 1:37 PM
Subject: Re: dedicating a server to spamd

On 2011-10-25 11.09, ML mail wrote:
> I am currently running spamd on an OpenBSD firewall which does greylisting to protect a qmail linux mail server on a DMZ and was wondering if it would be possible to have both tasks (firewalling and spamd/greylisting) on two different physical machines so that the firewall would just do packet filtering and another separate machine just greylisting?
>
> The problem here as I see it is that the dedicated greylisting machine would somehow have to redirect IP addresses which are not on the greylist to the mail server. As far as I know this is not possible with a machine having only one NIC.
>
> Any ideas or recommendations on how to achieve this?

* Set up a spam filter box with PF and spamd as usual.
* Let PF forward to the internal sendmail.
* Set up /etc/mail/access in that sendmail, list all domains you accept mail for and mark them as RELAY.
* Set up /etc/mail/mailertable, listing the same domains as in the access file. Tag each with SMTP:[ip.of.your.qmail.host]. This will make sendmail relay incoming mail for accepted domains to your qmail server.
* Don't forget to makemap(8) the access and mailertable files!

This setup will give you an additional benefit in that the spam filter box spools incoming mail for the qmail server, so if it is inoperative you won't lose any mail.

The disadvantage is that it can't reject mail with unknown To: addresses because it has no knowledge of what mailboxes are defined on the qmail box. This may or may not be a problem to you; invalid destinations will cause qmail to send an error reply mail so any real users will be notified of their mistake anyway.

Unfortunately spam almost always has fake From: addresses, which means you will also inadvertently spam innocent people with qmail's rejection mails. :-/

(I suppose this can be solved by using LDAP and having sendmail on the incoming spam filter box check the validity of each incoming To: address, but I have never tried that myself so I can't vouch for its viability.)

Oh, and if you use this kind of setup, you would probably want to send outgoing mail from qmail via this server as well, since many "smart" spam filtering schemes elsewhere assume that mail sent from domain x.y must have x.y in the MX record as well. :-/

Regards,
/Benny

--
internetlabbet.se     / work:   +46 8 551 124 80   / "Words must
Benny Lofgren         / mobile: +46 70 718 11 90   /   be weighed,
                      / fax:    +46 8 551 124 89   /   not counted."
                      / email:  benny -at- internetlabbet.se
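The access and mailertable layout Benny describes, written out as an added example that is not part of the original thread: the domain example.com, the qmail address 192.0.2.10 and the Connect: line for the qmail host (so its outgoing mail can relay through this box, as suggested above) are my own choices, and it assumes the spamd box's sendmail.cf has the access_db and mailertable features enabled.

```text
# /etc/mail/access  (spam filter box; rebuild the .db after every edit)
# Relay only for recipient domains the qmail host actually serves.
# The entry also matches subdomains of example.com.
To:example.com          RELAY
# Let the qmail host (assumed at 192.0.2.10) send its outbound mail through
# this box, so the domain's MX and its outgoing relay are the same host.
Connect:192.0.2.10      RELAY
# Everything else keeps sendmail's default of no relaying.

# /etc/mail/mailertable
# Hand mail for those same domains straight to the qmail host.
# The square brackets make sendmail deliver to that address directly
# instead of doing an MX lookup (which would point back at this box).
example.com             smtp:[192.0.2.10]
.example.com            smtp:[192.0.2.10]

# After editing, rebuild the hash maps sendmail actually reads:
#   makemap hash /etc/mail/access < /etc/mail/access
#   makemap hash /etc/mail/mailertable < /etc/mail/mailertable
```

Mail for a domain missing from both files is neither relayed nor routed, so adding a hosted domain means touching both maps and re-running makemap.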