On Fri, 2009-05-22 at 09:06 +1000, Barney Desmond wrote:
> 2009/5/22 Steve <steve.h...@digitalcertainty.co.uk>:
> > This 'BSMTP' munged MTA looks to offer very little more than Postfix
> > save for some Rate Control/Throttling/Better logging ? From my early
> > explorations with Postfix, it can mostly do all of this anyway or am I
> > missing something?
>
> We've also pulled apart a well-known anti-spam appliance at work. That
> wasn't my project, so I don't know if we're talking about the same
> one, but my guess is that the appliance could be using an older
> version of postfix that's less fully-featured. Upgrading newer
> versions of the appliance to newer versions of postfix would mean
> actually doing some real *work*...
>
> > The real question I guess I am asking - is it possible to have three
> > instances of Postfix running on the same box, listening on different
> > ports, with separate queue directories? Actually, it would be more
> > accurate to ask HOW someone would implement this and what benefits it
> > could give in production?
>
> Before multi-instance support in 2.6 you'd just make yourself a
> separate set of directories, tweak your configuration a bit and make
> another initscript. The benefits depend on what you want to do;
> sometimes you can't get exactly what you want out of a single
> instance; one example might be sender-dependent trickery, where
> corporate policy dictates that you need to do something. The
> "something" probably isn't possible in a single instance of postfix
> because it's irrelevant to getting the job done (sending mail).
> Multiple instances may also make it easier to manage a complex setup
> (eg. performing filtering, scanning, etc).
>
Let me say there was something 'fishy' about the one I pulled apart. It
was running an older version (with an old Mandrake Kernel too boot).
Looking at it a bit further this 'bsmtp' MTA seems to be nothing more
than a front end proxy for Postfix. The multiple queues (I have now
discovered after a little reading of the docs here) are all Postfix.
The feature set that this 'bsmtp' proxy seems to offer are;
1. Recipient Verification checks via one of three mechanisms in sequence
a. LDAP/AD query (able to query one or more LDAP servers)
b. SMTP Recipient Verification (sends a test message to server
from 'postmaster'
c. Flat text file of allowed recipients
I'm sure postfix can do all of this. I don't use it with LDAP myself,
but it is happy to scan a PostgreSQL backend looking for valid
recipients. I'm sure I read that it had LDAP support that was just as
easy to set up.
2. Rate/Anti DNS control
a. If IP X is seen more than 50 times in 30 minutes block it.
The ANVIL feature seems to be the answer to this, but I must confess it
does not appear to work when I test it with a stream of connections.
Probably more of a config blunder on my part.
3. SPF
Mixed emotions about that one myself.
In a nutshell, apart from doing something slightly differently to
Postfix, it would appear you've hit the nail on the head. It must come
down to an older Postfix version on the appliance concerned.
