On Sat, 2002-03-09 at 10:38, Donald Greer wrote:
> Keith,
> Look through the archives. Somebody posted an answer to this before.
> Basically, what they did, was follow the "simple" configuration
> described in the README.filter and in the shell script they used
> "spamc". I don't know that anyone has used spamproxyd, but the trick is
> that you must bring mail back into Postfix on a DIFFERENT port than the
> default 25, and in the configuration you must set a variable which tells
> postfix not to filter the message again. This is detailed in the
> README.filter as the "Advanced" configuration (sorry, don't have access
> to the docs at the moment).
> So, you should be doing something like this:
> Postfix: Listening on Port 25 and 10025
> spamproxyd: Listening on Port 20025 and configured to forward mail to
> localhost:10025.
>
> (NOTE: Don't forget to block ports 10025 and 20025 with your
> firewalling rules! We don't want you to create an openrelay by bouncing
> mail off spamproxyd into postfix!)

Actually, you can set things up so firewalling is completely unnecessary
if you do everything on the same system (or even between two systems if
one or even both are Internet-visible).

If you put just the port number or name in Postfix's master.cf in the
lefthand-most column, it'll bind to all interfaces for that particular
service. However, if you put an address:port/name line at the head,
it'll bind to ONLY that address and port.

I use localhost and dummy interfaces with private IPs for a reason. You
cannot touch either from the outside, so why block anything? In so
doing, you greatly simplify your machine's security policy (unless you
allow normal people onto that system, but of course, YMMV).

Here's my test box configuration which has two purposes, all of which
are done in /etc/postfix/master.cf:

(The first line is wrapped, since Evolution wasn't cooperating with me,
but smtpd-authd has to be at the end, but the other lines are fine.)

192.168.0.101:smtp inet n - - - - smtpd-authd
  -o recipient_restrictions=check_authd,reject
  -o content_filter=smtp:localhost:10025
localhost:smtp inet n - n - 10 smtpd
  -o myhostname=localhost.intranet.ian-justman.com

The bulk of the system is based on the Debian package with a custom
version of smtpd (in this case, named smtpd-authd which interfaces with
the Authd system (see http://www.authd.org)).

When you start spamproxyd now, you must specify the IP and port to bind
it to, and it will --ONLY-- bind to that port combo. I see no reason to
bind to more than one IP address as this package is not meant to
directly handle incoming mail. As such, I recommend binding the
unfiltered smtpd to an address that that computer and ONLY that computer
can see, such as localhost or a dummy interface ifconfigged with a
private address.
In this case, the 192.168.0.101 address happens to be an ethernet
interface to which I bind only the filtered version (via spamproxyd AND
authd) of smtpd, and since I do not need any additional instances of
port 25, I bind the non-filtered version of smtpd (no authd code,
especially since Listar/Ecartis speaks SMTP and authd generates loggage
for any traffic passed through it) to 127.0.0.1:25.

I do the same thing on my production server with a completely custom
build of Postfix (I just wanted to go to a Debian package version of
Postfix so then I'll be up on all the patches and such).

Hope this helps out a bit.

--Ian.

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
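
A way to check the binding rule described in the message above, as an added example that is not part of the original post or of Postfix: it parses master.cf text, classifies where each inet listener binds, and flags listeners that are not loopback-only and carry no content_filter override. Assumptions: the function names are made up here, the bare-port 10025 entry is hypothetical, and only -o overrides in master.cf are considered, not a content_filter set in main.cf.

```python
import ipaddress

CF = "content_filter="
# Constructed sample; the bare-port 10025 entry is hypothetical.
SAMPLE = """\
192.168.0.101:smtp inet n - - - - smtpd-authd
  -o recipient_restrictions=check_authd,reject
  -o content_filter=smtp:localhost:10025
localhost:smtp inet n - n - 10 smtpd
  -o myhostname=localhost.intranet.ian-justman.com
10025 inet n - n - 10 smtpd
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def bind_scope(service):
    """Classify the address part of a master.cf inet service field."""
    host = service.rpartition(":")[0].strip("[]")
    if not host:
        return "all-interfaces"  # bare port or service name
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "loopback" if host == "localhost" else "hostname"
    if addr.is_unspecified:
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"

def audit(text):
    """Return (service, scope, unfiltered_and_reachable) per inet listener."""
    out = []
    for fields in map(str.split, logical_lines(text)):
        if len(fields) >= 8 and fields[1] == "inet":
            filtered = any(o.startswith(CF) and o != CF for o in fields[8:])
            scope = bind_scope(fields[0])
            out.append((fields[0], scope, scope != "loopback" and not filtered))
    return out
```

A result of "hostname" means the name has to be resolved by hand before the listener can be judged.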