Lucas Albers wrote:

So now there are three mail combinations that can block spam at the smtp
5xx rejection stage.
SA-Mimedefang-Sendmail
Postfix-2.xxx-CVS+AMavis
SA-Exim

Don't forget Tom Kistner's Exiscan for Exim 4, either. That can do virus scanning too, like Amavisd-new (needs extra virus scanning software.) Amavisd-new can also be used with Exim 4 - but it's not the best choice and doesn't do realtime scanning.


Could you perhaps post the directions on how you accomplished this with
the new version of postfix?

The best thing I can do is to attach Wietse Venema's README. It was my basis for configuring everything and works just as described.


Wietse's standpoint is that he utterly refuses to incorporate anything that does not use standard (RFC-defined) protocols in his software, and Amavisd-new uses SMTP/ESMTP to talk to the Postfix daemons.

The new TLS patch for Postfix 2.0.13 doesn't work properly yet: smtpd and smtp have to talk to Amavisd unencrypted, and encryption can't be turned off at the moment when talking to Amavisd (bug), so the smtpd servers should not advertise STARTTLS on an EHLO.

I'm using this new setup on a semi-production/test machine at the moment and it works perfectly. For those anxious about rejecting FPs, even though Postfix gives a "550 UBE rejected" to the client MTA, Amavisd can be configured to save a copy of the rejected mail to a quarantine directory. And (in my case) postmaster gets mail to say what has been quarantined, each time that happens. Just as with SA-Exim, it's possible to list exemptions (spam and virus lovers) whose mail never gets scanned.

Best,

Tony

--
Tony Earnshaw

I love the music of Wagner. The only sound that
pleases me more is that of a cat outside my 9th
floor window, trying to cling to the glass with
its claws.

http://j-walk.com/blog/docs/conference.htm
http://www.billy.demon.nl
Mail: [EMAIL PROTECTED]
Purpose of the SMTPD pass-through proxy feature
===============================================

Normally, Postfix receives mail, stores it in the mail queue and
then delivers it.  The Postfix SMTP server can be configured to
forward all incoming mail to an SMTP proxy server (for example, a
real-time SPAM filter) that inspects all mail BEFORE it is stored
in the Postfix mail queue.

[This is not to be confused with the approach described in the
FILTER_README document, where all mail is inspected AFTER it is
stored in the Postfix mail queue]

This feature is meant to be used as follows:
                                                             / smtp
    Internet -> smtpd -> proxy -> smtpd -> cleanup -> queue -> local
               Postfix           Postfix                     \ virtual etc.

For reference, this is the normal path through Postfix:

                                           / smtp
    Internet -> smtpd -> cleanup -> queue -> local
                Postfix                    \ virtual etc.

For comparison, this is the FILTER_README approach with an SMTP-based
content filter:
                                           / smtp
    Internet -> smtpd -> cleanup -> queue -> local
               Postfix      ^         v    \ virtual etc.
                          smtpd      smtp
                         Postfix   Postfix
                            \         /
                             filter <-

The SMTP proxy server receives unfiltered mail from Postfix and
does one of the following:

1 - Re-inject the mail back into Postfix, perhaps after changing
    content.

2 - Reject the mail (by sending a suitable status code back to
    Postfix). Postfix passes the status back to the remote SMTP
    client. This way, Postfix does not have to send a bounce message.

3 - Send the mail somewhere else.

Limitations
===========

When used with a real-time SPAM filter, this approach allows Postfix
to reject mail before the SMTP mail transfer completes, so that
Postfix does not have to send rejected mail back to the sender.
Mail that is not accepted remains the responsibility of the client.

In all other respects this content filtering approach is inferior
to the existing content filter (see FILTER_README) which processes
mail AFTER it is queued, because that gives you full control over
how many filtering processes can be run in parallel.

The problem with real-time content filtering is that the remote
SMTP client expects an SMTP reply within a deadline. As the system
load increases, fewer and fewer CPU cycles remain available to
answer within the deadline, and eventually you either have to stop
accepting mail or you have to accept unfiltered mail.

A possible workaround is to have the proxy take special action when
the deadline is reached: add a distinctive message header that
triggers a Postfix header_checks FILTER action, or send the mail
into Postfix via an alternative Postfix SMTP server that always
turns on content filtering.

How Postfix talks to the SMTP proxy
===================================

When Postfix talks to the SMTP proxy server it generates its own
EHLO, DATA and QUIT commands, and forwards unmodified copies of
the MAIL FROM and RCPT TO commands that the Postfix SMTP server
has approved.  All commands are sent without using ESMTP command
pipelining. The SMTP proxy server must accept the same MAIL FROM
and RCPT TO command syntax as the Postfix SMTP server.
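As an added illustration of the exchange the two sections above describe (the proxy's three possible outcomes, and the EHLO / MAIL FROM / RCPT TO / DATA / QUIT dialogue that Postfix drives), and not code from Wietse's README or from Postfix itself: a minimal pre-queue proxy state machine in Python. The front smtpd's commands arrive as a list of lines, the port-26 smtpd is replaced by a constructed ScriptedBackend that answers with canned replies (a real proxy would hold a TCP connection to 127.0.0.1:26 there), and the content check is a toy that looks for an assumed "X-Spam-Flag: YES" header. The same block carries out the deadline workaround from the Limitations section: when the check runs out of its time budget, the message is re-injected with an assumed "X-Proxy-Deadline: reached" header instead of being accepted unfiltered. All host names, header names and reply strings are the example's own assumptions.

```python
import time

SPAM_MARKER = "X-Spam-Flag: YES"               # assumed: header the toy check treats as spam
DEADLINE_HEADER = "X-Proxy-Deadline: reached"  # assumed: header for the header_checks FILTER fallback


def header_flag_check(message_lines, deadline):
    """Toy content check over the (un-dot-stuffed) message lines.

    Returns "spam" if the header block carries SPAM_MARKER, "clean" otherwise,
    and "timeout" as soon as the monotonic clock passes `deadline` (the signal
    the proxy uses for the README's deadline-reached workaround).
    """
    for line in message_lines:
        if time.monotonic() >= deadline:
            return "timeout"
        if line == "":                         # blank line ends the header block
            return "clean"
        if line.lower() == SPAM_MARKER.lower():
            return "spam"
    return "clean"


class ScriptedBackend:
    """Constructed stand-in for the second (port 26) Postfix smtpd.

    Records every line the proxy sends and answers with canned replies; a
    production proxy would hold a TCP connection to 127.0.0.1:26 here.
    """

    def __init__(self):
        self.received = []
        self.in_data = False

    def send(self, line):
        self.received.append(line)
        if self.in_data:                       # message body: only the final "." gets a reply
            if line != ".":
                return None
            self.in_data = False
            return "250 2.0.0 Ok: queued"
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("EHLO", "MAIL", "RCPT", "RSET"):
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def _end_of_data(message, backend, check, budget_s):
    """Decide what happens to a fully buffered message: reject, re-inject, or fall back."""
    verdict = check(message, time.monotonic() + budget_s)
    if verdict == "spam":
        backend.send("RSET")                   # abandon the envelope already given to the back end
        return "550 5.7.1 UBE rejected"        # Postfix relays this to the remote SMTP client
    if verdict == "timeout":
        message = [DEADLINE_HEADER] + message  # mark it for a post-queue header_checks FILTER
    reply = backend.send("DATA")
    if not reply.startswith("354"):
        return reply                           # back end refused DATA: relay its status
    for line in message:
        backend.send("." + line if line.startswith(".") else line)  # re-apply dot-stuffing
    return backend.send(".")                   # "250 ... queued" or the back end's error, relayed


def proxy_session(client_lines, backend, check=header_flag_check, budget_s=5.0):
    """Run one front-smtpd -> proxy -> back-end-smtpd session.

    `client_lines` is what the front Postfix smtpd sends, one line per element,
    with message lines appearing between "DATA" and ".". Returns the replies the
    proxy gives back to the front smtpd, in order.
    """
    replies = []
    message = None                             # None outside DATA, else the buffered lines
    for line in client_lines:
        if message is not None:                # inside DATA: buffer, forward nothing yet
            if line == ".":
                replies.append(_end_of_data(message, backend, check, budget_s))
                message = None
            else:
                message.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            backend.send("EHLO proxy.example")   # the proxy speaks its own EHLO to the back end
            replies.append("250 proxy.example")
        elif verb in ("MAIL", "RCPT"):
            replies.append(backend.send(line))   # forwarded unmodified, back-end reply relayed
        elif verb == "DATA":
            message = []
            replies.append("354 End data with <CR><LF>.<CR><LF>")  # must buffer before deciding
        elif verb == "QUIT":
            backend.send("QUIT")
            replies.append("221 2.0.0 Bye")
        else:
            replies.append(backend.send(line))   # RSET, NOOP, ...: pass through
    return replies


if __name__ == "__main__":
    # Constructed transcript of what the front smtpd sends for one spam message.
    transcript = ["EHLO front.example", "MAIL FROM:<alice@example.org>",
                  "RCPT TO:<bob@example.net>", "DATA", "From: alice@example.org",
                  "X-Spam-Flag: YES", "", "buy now", ".", "QUIT"]
    for reply in proxy_session(transcript, ScriptedBackend()):
        print(reply)
```

Two points the code makes concrete: the proxy has to answer 354 itself, because it must buffer the whole message before it can decide whether to send DATA to the back end at all, so the 550 is only returned after the remote client has paid for the DATA transfer; and the deadline fallback only helps if something picks the marked message up after queueing, for instance a header_checks rule such as "/^X-Proxy-Deadline: reached/ FILTER smtp:[127.0.0.1]:10025" (the destination is an assumption), so that a loaded proxy degrades to after-queue scanning rather than to accepting mail unscanned.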

Configuration parameters
========================

Parameters that control proxying:

smtpd_proxy_filter (syntax: host:port)

    The host and TCP port of the SMTP proxy server.  When no host
    or host:  is specified, localhost is assumed.

smtpd_proxy_timeout (default: 100s)

    Timeout for connecting to the SMTP proxy server and for sending
    and receiving data.  All proxy errors are logged to the maillog
    file, but the client sees "451 Error: queue file write error".

smtpd_proxy_ehlo (default: $myhostname)

    The hostname to use when sending an EHLO command to the SMTP
    proxy server.

Testing the SMTP pass-through proxy feature
===========================================

The following example sets up a null proxy, that is, the Postfix
SMTP server gives the mail directly to another Postfix SMTP server
process.

/etc/postfix/master.cf
    smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_proxy_filter=26
    :26       inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_unknown_recipient_checks

Note: do not specify spaces around the "=" or "," characters.

The ":26" causes Postfix to listen on the localhost address only.
DO NOT expose the secondary SMTP server to the Internet :-)

The result is as follows:

    Internet -> smtpd on port 25 -> smtpd on port 26 -> cleanup -> queue

This configuration is sufficient for stress testing.

Other suggestions for test configurations: use the Postfix smtp-sink
command as the proxy, or something as basic as netcat.
