On 1/8/2013 10:47 AM, Titanus Eramius wrote:
> I'm a little unsure about best practice here, hence the question.
>
> Running /usr/sbin/spamd from the SpamAssassin package to scan mail, I've
> integrated it into /etc/postfix/master.cf with the following lines
> ---
> smtp inet n - n - - smtpd -o content_filter=spamassassin
> ...
> spamassassin unix - n n - - pipe
>   flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
>   -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
> ---
>
> And then in /etc/postfix/main.cf there's added the line
> ---
> spamassassin_destination_recipient_limit = 1
> ---
>
> However, this scans both incoming and outgoing mail, but for outgoing I
> plan on using rate-limiting to avoid spamming the net (too much), in
> case an account gets hacked.
>
> So I searched the web, and constructed this alternative to use in
> master.cf
> ---
> 26 inet n - n - - smtpd -o content_filter=spamassassin
> smtp inet n - n - - smtpd
> ---
>
> Using iptables, all incoming connections to port 25 could then be
> directed to port 26. The server only has one IP address.
>
> The question then is, is this a practical solution, or can it be done
> smarter, for example with less work and without using iptables, or
> maybe some other way entirely?
Using iptables to separate traffic is a reasonable solution. Probably a good idea to add a comment to master.cf documenting what you've done.

The more typical way to do this is for local mail to use the submission port 587. Sometimes folks redirect port 25 on the local network to 587 as a migration aid.

-- 
Noel Jones
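For reference, here is what the port-587 layout suggested in the reply looks like in master.cf. This is an added example, not configuration from either poster: it keeps the "spamassassin" pipe service exactly as posted in the question, scans only what arrives on port 25, and hands local users an unscanned path on the submission port. It assumes that SASL (smtpd_sasl_type and friends) and a TLS certificate are already configured in main.cf, and that the posted spamassassin_destination_recipient_limit = 1 line is still present there.

```conf
# /etc/postfix/master.cf (added example; assumes SASL and TLS are set up in main.cf)
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================

# Port 25: inbound mail from the Internet. Everything accepted here is
# handed to the "spamassassin" pipe service below before delivery.
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin

# Port 587: authenticated submission from this server's own users.
# No spam scan on this path. The empty content_filter= override is explicit
# so that a content_filter setting in main.cf cannot be inherited here.
# Only SASL-authenticated clients are accepted, so the unscanned path is
# never offered to an unauthenticated sender on the Internet or the LAN.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=

# Filter service as posted in the question (user and paths unchanged).
spamassassin unix -     n       n       -       -       pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
  -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
```

The point of the permit_sasl_authenticated,reject restriction is that whichever path skips the filter must be the one that also requires a credential; a port that is merely "the one clients use" but accepts anonymous connections would let anything on the local network bypass scanning. With this layout no iptables redirect is needed, since the two roles are already separated by port; the port 25 to 587 redirect the reply mentions is only a stopgap for clients that have not yet been reconfigured to submit on 587.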