Relaying email to exchange

  • Kevin Blackwell
    Message 1 of 9 , Feb 14, 2013
      I'm using postfix to relay email to our exchange server. 

      The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed email shows a from address of the email relay server and not the originating ip address.

      Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by postfix?

      --
      Kevin Blackwell
    • Reindl Harald
      Message 2 of 9 , Feb 14, 2013
        Am 14.02.2013 20:31, schrieb Kevin Blackwell:
        > I'm using postfix to relay email to our exchange server.
        >
        > The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
        > email shows a from address of the email relay server and not the originating ip address.
        >
        > Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
        > postfix?

        wrong setup

        the spamfilter has to be on the MX directly in front of
        both machines and especially in front of exchange

        what do you imagine happens if spam would be caught
        on the exchange? well, it rejects while postfix in front
        of it has received it

        now you have two choices and both are completely wrong:
        * get a backscatter
        * drop messages which you accepted with 250 silently
        which is not permitted per law
      • Kevin Blackwell
        Message 3 of 9 , Feb 14, 2013
          I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary is postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should be behind the Exchange edge server?

          Kevin

          On Thu, Feb 14, 2013 at 1:36 PM, Reindl Harald <h.reindl@...> wrote:


          Am 14.02.2013 20:31, schrieb Kevin Blackwell:
          > I'm using postfix to relay email to our exchange server.
          >
          > The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
          > email shows a from address of the email relay server and not the originating ip address.
          >
          > Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
          > postfix?

          wrong setup

          the spamfilter has to be on the MX directly in front of
          both machines and especially in front of exchange

          what do you imagine happens if spam would be caught
          on the exchange? well, it rejects while postfix in front
          of it has received it

          now you have two choices and both are completely wrong:
          * get a backscatter
          * drop messages which you accepted with 250 silently
            which is not permitted per law




          --
          Kevin Blackwell
        • Reindl Harald
          Message 4 of 9 , Feb 14, 2013
            DO NOT TOP POST IF YOU GOT A REPLY BELOW YOUR MESSAGE
            ON MAILING-LISTS, SEE MY REPLY AT BOTTOM WHILE I REFUSE
            TO REPAIR THE THREAD BECAUSE NOBODY WOULD PAY THE WORK

            Am 14.02.2013 21:41, schrieb Kevin Blackwell:
            > I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary
            > is postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should
            > be behind the Exchange edge server?
            >
            > On Thu, Feb 14, 2013 at 1:36 PM, Reindl Harald <h.reindl@... <mailto:h.reindl@...>> wrote:
            >
            > Am 14.02.2013 20:31, schrieb Kevin Blackwell:
            > > I'm using postfix to relay email to our exchange server.
            > >
            > > The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
            > > email shows a from address of the email relay server and not the originating ip address.
            > >
            > > Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
            > > postfix?
            >
            > wrong setup
            >
            > the spamfilter has to be on the MX directly in front of
            > both machines and especially in front of exchange
            >
            > what do you imagine happens if spam would be caught
            > on the exchange? well, it rejects while postfix in front
            > of it has received it
            >
            > now you have two choices and both are completely wrong:
            > * get a backscatter
            > * drop messages which you accepted with 250 silently
            > which is not permitted per law


            i say simply the spam-filter has to be on the
            MX and not on a relay server after, how you
            design your infrastructure is yours

            > Is there a way to configure postfix to relay mail but retain the
            > received from IP address when it was received by postfix?

            is simply impossible

            your postfix connects to the exchange
            the connection happens per TCP/IP

            how do you imagine that postfix retains anything
            in this case postfix is the client

            the client is not in the position to decide what IP the
            server sees for a connection, otherwise any netfilter
            would be impossible, and no, throw away the idea to
            rely on whatever headers for such decisions

            i would never setup a mail system at all where the final destination
            does spam-filtering, there are solutions dedicated for spam-filtering
            and the already filtered mails are delivered to the final destination

            no need for two MX records at all

            one is enough - if it is down, well that is the reason for
            why mail queues were invented, if the MX is down for
            maintenance - so what, try later again deliver the
            message, that is how SMTP was designed to work
          • Simon Walter
            Message 5 of 9 , Feb 14, 2013
              On 02/15/2013 06:10 AM, Reindl Harald wrote:
              >
              > no need for two MX records at all

              I think perhaps that is a bit of hasty advice. I'm quite sure given a
              large enough infrastructure and traffic load that you'd want two or more
              MX records with a different SMTP server sitting behind each IP address.
              I could (and have been) wrong though.

              --
              htholidays.com
            • Luigi Rosa
              Message 6 of 9 , Feb 14, 2013
                Kevin Blackwell said the following on 14/02/2013 20:31:

                > I'm using postfix to relay email to our exchange server.
                >
                > The problem I'm running into is the spam filtering on the exchange filter
                > is being bypassed because the relayed email shows a from address of the
                > email relay server and not the originating ip address.
                >
                > Is there a way to configure postfix to relay mail but retain the received
                > from IP address when it was received by postfix?

                As Reindl Harald pointed out, the spam filter should be in only one place: the
                border server.

                If you add something like (check the documentation before adding these parameters)

                reject_invalid_hostname
                reject_non_fqdn_hostname
                reject_non_fqdn_sender
                reject_non_fqdn_recipient
                reject_unknown_sender_domain
                reject_rbl_client cbl.abuseat.org
                reject_rbl_client sbl.spamhaus.org
                reject_rbl_client pbl.spamhaus.org

                to smtpd_recipient_restrictions you block nearly 90% of spam

                My advice is to disable antispam on Exchange _and_ Outlook (if you have any)
                and filter in just one point.

                This is useful also if you want to debug the filter, i.e. if a user asks why a
                mail has been rejected.

                Of course smtpd_recipient_restrictions alone is not an antispam filter, you
                should also add at least an antivirus scanner.



                Ciao,
                luigi

                --
                /
                +--[Luigi Rosa]--
                \

                Talk is cheap because supply exceeds demand.
              • Stefan Foerster
                Message 7 of 9 , Feb 14, 2013
                  * Kevin Blackwell <akblackwel@...>:
                  > I have 2 mx records. The primary is Exchange's edge server that has its own
                  > internal spam filtering. The secondary is postfix server relaying mail to
                  > the edge server as a backup mx record. Are you saying the postfix server
                  > should be behind the Exchange edge server?

                  Wrong setup. If you have more than one MX, each of them should apply
                  the exact same content filter policies. Either buy a second Exchange
                  edge server or get rid of Exchange and buy a second MX running
                  Postfix.


                  Stefan
                • Reindl Harald
                  Message 8 of 9 , Feb 15, 2013
                    Am 15.02.2013 01:30, schrieb Simon Walter:
                    > On 02/15/2013 06:10 AM, Reindl Harald wrote:
                    >>
                    >> no need for two MX records at all
                    >
                    > I think perhaps that is a bit of hasty advice. I'm quite sure given a large enough infrastructure and traffic load
                    > that you'd want two or more MX records with a different SMTP server sitting behind each IP address. I could (and
                    > have been) wrong though.

                    in this case the setup should be done by people which are
                    knowing what they are doing and you have unlikely a
                    exchange as MX

                    having two MX and only one of them filters spam is dumb
                    the two MX must behave identical from outside
                  • Mikael Bak
                    Message 9 of 9 , Feb 15, 2013
                      Kevin,

                      On 02/14/2013 09:41 PM, Kevin Blackwell wrote:
                      > I have 2 mx records. The primary is Exchange's edge server that has its
                      > own internal spam filtering. The secondary is postfix server relaying
                      > mail to the edge server as a backup mx record. Are you saying the
                      > postfix server should be behind the Exchange edge server?
                      >

                      A rule of thumb is that if you must have a backup MX you should have the
                      same spam defence as on the primary one.
                      If you can't do that, I suggest you drop the backup MX.

                      Alternatively you can hide the exchange behind a postfix, but then you
                      should let postfix do the spam filtering and disable spam filter on the
                      exchange.

                      You must now ask yourself the question why you need a backup MX.

                      HTH,
                      Mikael
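
The layout Luigi Rosa and Mikael Bak describe above (Postfix as the only filtering MX, Exchange behind it), written out as a main.cf fragment. This is an added example, not configuration from any poster's system; the domain example.com, the host exchange-edge.example.com and the map file paths are assumptions.

```ini
# /etc/postfix/main.cf on the Postfix MX (constructed example;
# example.com and exchange-edge.example.com are placeholders).

# Domain this host accepts mail for and relays onward.
relay_domains = example.com

# Route the relayed domain to the Exchange server (map entry shown at the end).
transport_maps = hash:/etc/postfix/transport

# List of valid recipients, so mail for unknown users is rejected during the
# SMTP session instead of being accepted with 250 and bounced later
# (the backscatter case raised earlier in the thread).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Require HELO/EHLO so the HELO hostname checks below have something to test.
smtpd_helo_required = yes

# Order matters: trusted clients first, then reject_unauth_destination so the
# host never becomes an open relay, then the cheap syntax checks, and the
# DNS blocklist lookups last.
# reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname are the
# Postfix 2.3+ names of reject_invalid_hostname and reject_non_fqdn_hostname.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org

# Entry for /etc/postfix/transport (run "postmap /etc/postfix/transport"
# after editing). The brackets suppress the MX lookup for the next hop.
# example.com    smtp:[exchange-edge.example.com]:25
```

Because the blocklist checks run against the client connected to Postfix, they see the real sending IP address, which is the information Exchange loses once the mail has been relayed.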