On Wednesday February 17 2010 00:43:04 Alexandre Chapellon wrote:
> I'd like to re-focus on my initial questions: "does SA on outgoing
> smtp need specific tweaks? Is it a good idea and has anybody already
> set it up?"

SA already has some awareness of mail flow direction (inbound vs. outbound) through its trusted_networks/internal_networks/msa_networks settings, and recognizes authentication signs in Received header fields, as well as its whitelist_bounce_relays awareness, so it should be able to deal with things like DUL blacklists correctly. Since you already have split mail paths, i.e. a dedicated MTA for outgoing mail, that's even easier: you can just turn off some dynamic blacklist lookups and adjust some other rules for mail submitted from internal networks or from authenticated roaming users.

Is it a good idea to check outgoing mail? It certainly is, as you are already well aware.

Mail filtering on an MTA should be combined with blocking outgoing connections to port 25, as already noted by several posters. Allow outgoing connections to mail submission port 587 and to a legacy port 465, but allow outgoing connections to 25 only based on explicit requests from users, and block it by default.

Mail submission rate limiting is very effective against traffic bursts from infected PCs. As you are using Postfix, see its anvil(8) service, along with its settings:

  anvil_rate_time_unit
  smtpd_client_connection_count_limit
  smtpd_client_connection_rate_limit
  smtpd_client_message_rate_limit
  smtpd_client_event_limit_exceptions

A more fine-grained rate control is possible through policy servers; there are a couple of them much praised - check the postfix user ML.

As for interfacing SpamAssassin with a Postfix MTA there are some choices; perhaps the most straightforward is using amavisd in place of spamd because it speaks an SMTP protocol directly on its input and output sides, interfacing naturally with Postfix without resorting to pipes, temporary files, scripts, etc. Just turn off anything not needed (like decoding mail), and you end up basically with a spamd lookalike speaking SMTP.
The setup offers a fast interface to virus scanners such as clamd, to protect against outbound virus outbreaks too. As a bonus, such a setup can offer DKIM signing, and a 'pen-pals' feature when inbound and outbound content filtering uses the same SQL database: it grants some bonus score points to inbound replies to previous outbound mail with reversed sender/recipient addresses, similar to an automatic soft-whitelisting, which gradually fades away with time.

Depending on mail rate and your needs, you may choose a more common and robust post-queue content filtering setup, or go for a pre-queue proxy content filtering. For improved robustness of a pre-queue setup look for Postfix 2.7.0 with its "smtpd_proxy_options=speed_adjust" feature, the coming amavisd-new 2.7.0, and SpamAssassin 3.3.0 - the combination of new features in all three products is really geared to much better support pre-queue setups.

Mark
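
An added example, not part of the message above and not Postfix's own code: a small Python check over main.cf text for the anvil(8)-backed limits the message lists. It assumes the Postfix built-in defaults (rate limits of 0 mean no limit, and smtpd_client_event_limit_exceptions defaults to $mynetworks); the function names and the sample configuration are constructed for illustration.

```python
import re

# Postfix built-in defaults for the parameters named in the message (assumed).
DEFAULTS = {
    "anvil_rate_time_unit": "60s",
    "smtpd_client_connection_count_limit": "50",
    "smtpd_client_connection_rate_limit": "0",
    "smtpd_client_message_rate_limit": "0",
    "smtpd_client_event_limit_exceptions": "$mynetworks",
}
LIMITS = [k for k in DEFAULTS if k.endswith("_limit")]

# Constructed sample main.cf for an outbound submission MTA.
SAMPLE = """\
# constructed sample, not from the original message
mynetworks = 127.0.0.0/8
    192.0.2.0/24
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 0
"""

def parse_main_cf(text):
    """Parse main.cf text: '#' comment lines, 'name = value', and
    continuation lines that start with whitespace. The last setting wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)
        if m:
            name = m.group(1)
            params[name] = m.group(2).strip()
    return params

def audit_rate_limits(text):
    """Return findings, in a fixed order, for the anvil-backed limits."""
    seen = {k: v for k, v in parse_main_cf(text).items() if k in DEFAULTS}
    cfg = {**DEFAULTS, **seen}
    findings = [f"{k} is 0: no limit enforced" for k in LIMITS if cfg[k] == "0"]
    exempt = cfg["smtpd_client_event_limit_exceptions"]
    if exempt:
        # Exempt clients bypass every limit above, infected internal PCs included.
        findings.append(f"clients matching '{exempt}' are exempt from all limits")
    return findings
```

On the sample, the check reports the unlimited message rate and the default $mynetworks exemption, which would leave internal PCs outside the limits.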