On 08/01/2013 21:48, Titanus Eramius wrote:
> On Tue, 08 Jan 2013 12:39:58 -0600, Noel Jones
> <njo...@megan.vbhcs.org> wrote:
>
>> On 1/8/2013 10:47 AM, Titanus Eramius wrote:
>>> I'm a little unsure about best practice here, hence the question.
>>>
>>> Running /usr/sbin/spamd from the SpamAssassin package to scan mail,
>>> I've integrated it into /etc/postfix/master.cf with the following
>>> lines
>>> ---
>>> smtp      inet  n       -       n       -       -       smtpd
>>>   -o content_filter=spamassassin
>>> ...
>>> spamassassin unix -     n       n       -       -       pipe
>>>   flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
>>>   -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
>>> ---
>>>
>>> And then in /etc/postfix/main.cf there's added the line
>>> ---
>>> spamassassin_destination_recipient_limit = 1
>>> ---
>>>
>>> However, this scans both incoming and outgoing mail, but for
>>> outgoing I plan on using rate-limiting to avoid spamming the net
>>> (too much), in case an account gets hacked.
>>>
>>> So I searched the web, and constructed this alternative to use in
>>> master.cf
>>> ---
>>> 26     inet  n   -   n   -   -   smtpd -o content_filter=spamassassin
>>> smtp   inet  n   -   n   -   -   smtpd
>>> ---
>>>
>>> Using iptables, all incoming connections to port 25 could then be
>>> directed to port 26. The server only has one IP address.
>>>
>>> The question then is, is this a practical solution, or can it be
>>> done smarter, for example with less work and without using
>>> iptables, or maybe some other way entirely?
>>>
>> Using iptables to separate traffic is a reasonable solution.
>> Probably a good idea to add a comment to master.cf documenting what
>> you've done.
>>
>> The more typical way to do this is for local mail to use the
>> submission port 587.  Sometimes folks redirect port 25 on the local
>> network to 587 as a migration aid.
>>
>>
>>
>>   -- Noel Jones
> OK, but using submission more or less removes the problem with
> SpamAssassin. Thank you for the pointer, I'll be sure to use 587
> for relaying from the users.
>
> This raises the question (or at least I think it does), if it's
> possible to "force" the users onto 587 by denying relay access to 25?

fix the problem at the source: force the client to do the work:
    use different services for different uses:

[MX service]
port: 25
example DNS name: mx01.example.com
=> no relay
virus and spam filtering...



[submission service]
example DNS name: smtp01.example.com
port 587.  if this is hard, port 25 with a specific IP is ok.
SASL auth. when not desirable, IP based access control (though this may
be implemented outside of postfix, such as on a firewall)
virus filtering
rate limit and custom checks as needed.

[reverse MX]
example DNS name: mailrelay01.example.com
in small setups, this could be the same service as the submission one.
in larger setups, make this dedicated. it'll take the complexity of mail
routing and "caching" (retry).

...
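As an added illustration (not part of this thread's messages), here is how the MX/submission split described above could look in master.cf, also answering the earlier question about denying relay on port 25. It assumes SASL and a TLS certificate are already configured in main.cf; the syslog names and the rate-limit value are illustrative.

```conf
# /etc/postfix/master.cf (illustrative excerpt, added example)
#
# MX service on port 25: accepts mail for our own domains only, never
# relays, never offers SASL, and hands inbound mail to spamc.
# Because content_filter is set only on this service, mail that spamc
# re-injects through sendmail(1) is not scanned a second time.
smtp      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/mx
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=reject_unauth_destination
  -o content_filter=spamassassin

# Submission service on port 587: authenticated users only, no spam scan.
# anvil limits each client address to N messages per anvil_rate_time_unit
# (default 60s); clients in $smtpd_client_event_limit_exceptions
# (default $mynetworks) are NOT limited, so keep LAN users out of mynetworks
# if the limit is meant to apply to them.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o content_filter=
  -o smtpd_client_message_rate_limit=30

# Content filter transport as posted at the top of the thread, unchanged.
spamassassin unix -     n       n       -       -       pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain}
  -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
```

After editing, `postfix check` validates the file and `postfix reload` applies it; a client that then tries to relay through port 25 gets "Relay access denied", which is what pushes users onto 587.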