
I have 3 servers: server 1 and 2 are listed as mx servers for different domains and server 3 is for amavis/spamd/clamd filtering for both server 1 & 2. My plan is to have 'first pass' postfix listen on ports 587 and 25 on servers 1/2 and pass mail to amavis through server 3 port 10024.

The idea would then be to send mail after filtering back to the original server on port 10025, which would not have a filter directive (defined in master.cf). The best way I can think to do this would be to have an SMTP client (postfix if possible) look up the MX record for the recipient domain (result=mx_host) and send the mail to [mx-host]:10025. This would not be an open relay because I would configure it only to accept mail from the loopback address (and thus from amavis).

However, I cannot seem to find how one would configure postfix smtp (or other) to deliver by default to port 10025.

Summary: 1) Is this path the right one to go down for remote spam/virus filtering? If not, what is better? 2) If it is, how can I get mail back to the queue on the correct server?

Thanks in advance,

Ed

erm410
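The topology described in the question, written out as a Postfix configuration sketch. This is an added example, not part of the original post or of any answer. It assumes server 3 runs its own Postfix instance that amavis forwards filtered mail to, and that each hosted domain is pinned to its origin server with a static transport entry instead of an MX lookup. All addresses, host names and domain names are constructed placeholders.

```conf
# --- servers 1 and 2: /etc/postfix/main.cf ---
# Hand every accepted message to the remote filter.
# 192.0.2.30 stands for server 3 (constructed address).
content_filter = smtp-amavis:[192.0.2.30]:10024

# --- servers 1 and 2: /etc/postfix/master.cf ---
# Delivery agent referenced by content_filter above.
smtp-amavis unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes

# Re-injection listener: no content_filter, so filtered mail is not
# sent around the loop again. Only server 3 may connect; every other
# client is rejected, which keeps this port from acting as a relay.
10025     inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=192.0.2.30/32
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_header_body_checks

# --- server 3: /etc/postfix/main.cf (instance amavis forwards to) ---
transport_maps = hash:/etc/postfix/transport

# --- server 3: /etc/postfix/transport ---
# One entry per hosted domain. The square brackets suppress the MX
# lookup and the port is given explicitly, so filtered mail lands on
# the re-injection listener of the server that accepted it.
# Run "postmap /etc/postfix/transport" after editing.
domain-a.example    smtp:[mx1.example.net]:10025
domain-b.example    smtp:[mx2.example.net]:10025
```

Because the filter is on another host, the 10025 listener has to admit server 3's address instead of the loopback address, and amavis on server 3 has to be configured to accept connections from servers 1 and 2 (not shown).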

2 Answers


I had to solve such a problem a while back, and from what I researched such a setup would not be possible.

What I had to do was have the MX servers forward all the email to the amavis server using plain SMTP. This allowed for greater flexibility and a standard configuration. Having an extra mail daemon was worth it because it potentially allowed us to configure what mail would or would not bypass the amavis server. This also allowed the email to be forwarded quickly from the front servers so that they could handle the next emails without having to wait for the spam processing.

Antoine Benkemoun

Never do spam filtering on backend servers. You must do spam filtering on the frontend servers during the SMTP dialog. If you do spam filtering on backend servers, you expose yourself to producing backscatter, because you have to inform the sender that your backend server didn't deliver the mail (RFC 5321).

If you only have an incoming rate of 20 mails per second (including Spam) then you can do spam filtering on the frontend servers without tuning. Everything above is also no problem but needs some experience.

mailq
  • What if the filter does not create any bounces but only rewrites headers and leaves the user to decide what to do to it (manually or using procmail)? Would this still leave me exposed? And running amavis on the servers takes up ALL of my RAM. Adding more to both servers would be more expensive than just getting another server. – erm410 Nov 06 '11 at 16:59
  • @erm410 If you let the user decide, then you don't need a filter. In this case the user filters for you which is not what you intended to do. You need something like `policyd-weight` and `postscreen` to relieve the load before amavis. And consider selective greylisting. – mailq Nov 06 '11 at 17:27