On Tue, 8 Jan 2008, Peter Smith wrote:

> Here's my situation:
>
> server1: mail gateway, runs Spamassassin
> server2: multi-purpose server. hosts http, mail boxes, pop/imap, runs
> sendmail and Spamassassin.
> example.org: my domain. The MX record points to server1, A record points to
> server2
>
> The problem with this setup of course, is that spammers tend to send
> directly to server2, bypassing server1 (the mail scanner/filter).
>
> My original idea was to either configure server2 to reject mail not arriving
> directly from server1 (either via iptables or sendmail.cf). The problem is
> that I have a dozen or so users who use SMTP AUTH to relay mail out through
> server2. Sometimes this mail will be relayed to 3rd party domains, other
> times it will be sent to fellow users on example.org.
Here's what I've done in a very similar situation:

mx1 & mx2: mail gateways, run RBLs, custom rules & Spamassassin (SMTP-REJECT
on high-scoring spam).

mailserver: multi-purpose server. hosts http, mail boxes, pop/imap, runs
sendmail & ClamAV.

mx1 & mx2 do all incoming processing & filtering, then forward to mailserver
on a non-standard port.

mailserver: listens on ports 25, 465, 587 for customer submissions,
-requires- SMTP-AUTH. Also listens on a non-standard port for messages
processed by the MXs, does not require SMTP-AUTH but will -only- accept
messages from the MXs.

Important note: MXs have valid recipient lists, SMTP-reject bogus addresses.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better.  B{
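A sendmail.mc fragment for the mailserver side of the layout described above, added here as an illustration and not Dave's actual configuration: the customer-facing ports 25, 465 and 587 refuse any session that has not done SMTP AUTH, while a separate listener takes the already-filtered feed from the MXs. The port number 2525, the daemon name MXIN and the certificate paths are assumed placeholders.

```m4
dnl --- Customer-facing listeners: every session must authenticate ---
dnl Daemon flags: a = always require SMTP AUTH, E = disallow ETRN,
dnl               s = SMTPS (TLS on connect, for port 465)
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl       authenticated users may relay
define(`confAUTH_OPTIONS', `A p')dnl    p: no PLAIN/LOGIN unless TLS is active
dnl Certificate paths below are placeholders, not the poster's files
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/mailserver.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/mailserver.key')dnl
FEATURE(`no_default_msa')dnl            the port-587 daemon is defined below
DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=a')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=as')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl --- Gateway feed: no AUTH required, meant to be reachable only from mx1/mx2 ---
dnl Port 2525 is an assumed value. DAEMON_OPTIONS cannot limit which client
dnl addresses may connect, so that restriction lives in the host firewall.
DAEMON_OPTIONS(`Port=2525, Name=MXIN, M=E')dnl
```

Because sendmail's daemon flags do not restrict client addresses, the MXIN listener must be paired with a host firewall rule that allows only mx1 and mx2 to reach that port; with M=a on the public ports, a spammer delivering directly to the A record is turned away before any recipient is accepted.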