
Re: Postfix as an SMTP proxy?

  • mouss
    Message 1 of 6 , Nov 1, 2010
      On 01/11/2010 10:36, Nicholas Sideris wrote:
      > Hello,
      >
      > I am in a case, where I need to configure a postfix daemon for acting as an SMTP server, where some spam-filtering and some anti-virus would run in parallel in the box. This would be a help, for a local ISP, to control spam relayed outside from his own network and thus avoiding IPs to get blacklisted, etc. Now my problem. The users can use the SMTP server directly, thus if they select mysmtp.mynetwork.com everything is okay.
      >
      > Now, we do suppose that a few users do have a valid subscription for an SMTP server, outside our network, say theirsmtp.theirnetwork.com. That foreign server uses SMTP auth as well. Obviously, redirecting that traffic first to our proxy, results in complete e-mail delivery failure.
      >
      > Is any way to handle this? Preferable methods.
      > a) Our SMTP proxy, talks with the foreign SMTP and sends the e-mail accordingly.
      > b) Our SMTP proxy, just forwards the commands, without checking the e-mail for spam/virus (not very wise, but if there's no other solution, is part of the foreign server's responsibility to do these checks)
      > c) Our SMTP proxy, just sends the e-mail directly to the recipient after checking it, without ever talking to the foreign SMTP server (it can cause problems with DKIM and SPF domains, but in any case, it may be helpful).

      In general, you should not redirect traffic "transparently"...

      The "common" approach is to block port 25:
      - TCP traffic from one of your IPs to a foreign IP on port 25
      - TCP traffic from a foreign IP with source port 25 to one of your IPs
      then your customers can use port 587.

      You can allow a few customers to send directly (by whitelisting their IP
      from the block-25 rule).


      This way, you don't need an smtp proxy.

      > [snip]
      >
    • Victor Duchovni
      Message 2 of 6 , Nov 1, 2010
        On Mon, Nov 01, 2010 at 11:36:00AM +0200, Nicholas Sideris wrote:

        > Hello,
        >
        > I am in a case, where I need to configure a postfix daemon for acting
        > as an SMTP server, where some spam-filtering and some anti-virus would
        > run in parallel in the box. This would be a help, for a local ISP, to
        > control spam relayed outside from his own network and thus avoiding IPs
        > to get blacklisted, etc. Now my problem. The users can use the SMTP server
        > directly, thus if they select mysmtp.mynetwork.com everything is okay.

        Don't silently redirect users' SMTP traffic.

        Your options:

        - Join the SpamHaus PBL as an ISP, and add your IPs to the PBL. Allow
        users to request being exempted from the PBL.

        - Block port 25 outbound, and allow users to request having the
        filter removed. Operate a reliable relay that users may elect
        to use. Don't block port 587.

        - Deploy something similar to the Symantec 8600 (aka Turntide)
        SMTP traffic shaping appliance, that can rate limit outgoing
        spam without rerouting the SMTP connection (limitation:
        it can't see through STARTTLS).

        --
        Viktor.
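
The block-25 policy described in the two replies above (block port 25 in both directions, exempt selected hosts, leave port 587 alone), as an added example that is not part of either post: a shell function that prints, without applying, the matching iptables commands. The chain name `BLOCK25`, the 198.51.100.0/24 customer range and the exempt addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print, without applying, iptables
# commands for the block-25 policy. Chain name BLOCK25 and all addresses
# below are constructed assumptions (RFC 5737 documentation range).

# Usage: block25_rules CUSTOMER_NET [EXEMPT_IP ...]
# EXEMPT_IP: the ISP's own relay (if it sits inside CUSTOMER_NET) and any
# customer who asked to be allowed to send directly on port 25.
block25_rules() {
    case "${1:-}" in
        */*) net=$1; shift ;;
        *) echo "block25_rules: CUSTOMER_NET must be in CIDR form" >&2
           return 1 ;;
    esac

    echo "iptables -N BLOCK25"
    # Exemptions first: rules are evaluated in order, so RETURN must be
    # reached before the REJECT at the end of the chain.
    for ip in "$@"; do
        echo "iptables -A BLOCK25 -s $ip -j RETURN"   # exempt host -> foreign MX
        echo "iptables -A BLOCK25 -d $ip -j RETURN"   # foreign MX -> exempt host
    done
    # Rate-limited log line: hosts that keep hitting it are worth a look.
    echo "iptables -A BLOCK25 -m limit --limit 6/minute -j LOG --log-prefix 'block25: '"
    # TCP reset makes the customer's client fail at once instead of timing out.
    echo "iptables -A BLOCK25 -p tcp -j REJECT --reject-with tcp-reset"

    # One of our IPs -> foreign IP, destination port 25.
    echo "iptables -A FORWARD -p tcp -s $net ! -d $net --dport 25 -j BLOCK25"
    # Foreign IP, source port 25 -> one of our IPs.
    echo "iptables -A FORWARD -p tcp ! -s $net -d $net --sport 25 -j BLOCK25"
    # Port 587 is never matched, so submission to any server still works.
}

# Constructed sample: one relay and one exempted customer.
block25_rules 198.51.100.0/24 198.51.100.10 198.51.100.77
```

Review the printed commands, then pipe them to `sh` as root on the forwarding router to apply them.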
      • Stan Hoeppner
        Message 3 of 6 , Nov 1, 2010
          Victor Duchovni put forth on 11/1/2010 12:27 PM:

          > - Deploy something similar to the Symantec 8600 (aka Turntide)
          > SMTP traffic shaping appliance, that can rate limit outgoing
          > spam without rerouting the SMTP connection (limitation:
          > it can't see through STARTTLS).

          Is this what you refer to Victor?

          http://www.symantec.com/business/brightmail-traffic-shaper

          --
          Stan
        • Rich
          Message 4 of 6 , Nov 1, 2010
            Nick, I have a simple and elegant solution that has been working for
            years. I am using postfix, spamassassin with spampd proxy server and
            god-forbid, a purchased piece of software for antivirus from Command
            Central called Vexira. It is a simple setup and has worked for us.

            On 11/1/2010 5:36 AM, Nicholas Sideris wrote:
            > Hello,
            >
            > I am in a case, where I need to configure a postfix daemon for acting as an SMTP server, where some spam-filtering and some anti-virus would run in parallel in the box. This would be a help, for a local ISP, to control spam relayed outside from his own network and thus avoiding IPs to get blacklisted, etc. Now my problem. The users can use the SMTP server directly, thus if they select mysmtp.mynetwork.com everything is okay.
            >
            > Now, we do suppose that a few users do have a valid subscription for an SMTP server, outside our network, say theirsmtp.theirnetwork.com. That foreign server uses SMTP auth as well. Obviously, redirecting that traffic first to our proxy, results in complete e-mail delivery failure.
            >
            > Is any way to handle this? Preferable methods.
            > a) Our SMTP proxy, talks with the foreign SMTP and sends the e-mail accordingly.
            > b) Our SMTP proxy, just forwards the commands, without checking the e-mail for spam/virus (not very wise, but if there's no other solution, is part of the foreign server's responsibility to do these checks)
            > c) Our SMTP proxy, just sends the e-mail directly to the recipient after checking it, without ever talking to the foreign SMTP server (it can cause problems with DKIM and SPF domains, but in any case, it may be helpful).
            >
            > What I need, is some configuration instructions about how to achieve such a functionality.
            >
            > Best Regards
            > N. Sideris
            >
            >
          • Victor Duchovni
            Message 5 of 6 , Nov 1, 2010
              On Mon, Nov 01, 2010 at 01:43:05PM -0500, Stan Hoeppner wrote:

              > Victor Duchovni put forth on 11/1/2010 12:27 PM:
              >
              > > - Deploy something similar to the Symantec 8600 (aka Turntide)
              > > SMTP traffic shaping appliance, that can rate limit outgoing
              > > spam without rerouting the SMTP connection (limitation:
              > > it can't see through STARTTLS).
              >
              > Is this what you refer to Victor?
              >
              > http://www.symantec.com/business/brightmail-traffic-shaper

              Yes.

              --
              Viktor.