
Re: Relaying email to exchange

  • Kevin Blackwell
    Message 1 of 9 , Feb 14, 2013
      I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary is a postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should be behind the Exchange edge server?

      Kevin

      On Thu, Feb 14, 2013 at 1:36 PM, Reindl Harald <h.reindl@...> wrote:


      On 14.02.2013 20:31, Kevin Blackwell wrote:
      > I'm using postfix to relay email to our exchange server.
      >
      > The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
      > email shows a from address of the email relay server and not the originating ip address.
      >
      > Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
      > postfix?

      wrong setup

      the spamfilter has to be on the MX directly in front of
      both machines and especially in front of exchange

      what do you imagine happens if spam would be caught
      on the exchange? well, it rejects while postfix in front
      of it has received it

      now you have two choices and both are completely wrong:
      * get a backscatter
      * drop messages which you accepted with 250 silently
        which is not permitted per law




      --
      Kevin Blackwell
    • Reindl Harald
      Message 2 of 9 , Feb 14, 2013
        DO NOT TOP POST IF YOU GOT A REPLY BELOW YOUR MESSAGE
        ON MAILING-LISTS, SEE MY REPLY AT BOTTOM WHILE I REFUSE
        TO REPAIR THE THREAD BECAUSE NOBODY WOULD PAY THE WORK

        On 14.02.2013 21:41, Kevin Blackwell wrote:
        > I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary
        > is a postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should
        > be behind the Exchange edge server?
        >
        > On Thu, Feb 14, 2013 at 1:36 PM, Reindl Harald <h.reindl@... <mailto:h.reindl@...>> wrote:
        >
        > On 14.02.2013 20:31, Kevin Blackwell wrote:
        > > I'm using postfix to relay email to our exchange server.
        > >
        > > The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
        > > email shows a from address of the email relay server and not the originating ip address.
        > >
        > > Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
        > > postfix?
        >
        > wrong setup
        >
        > the spamfilter has to be on the MX directly in front of
        > both machines and especially in front of exchange
        >
        > what do you imagine happens if spam would be caught
        > on the exchange? well, it rejects while postfix in front
        > of it has received it
        >
        > now you have two choices and both are completely wrong:
        > * get a backscatter
        > * drop messages which you accepted with 250 silently
        > which is not permitted per law


        i say simply the spam-filter has to be on the
        MX and not on a relay server after, how you
        design your infrastructure is yours

        > Is there a way to configure postfix to relay mail but retain the
        > received from IP address when it was received by postfix?

        is simply impossible

        your postfix connects to the exchange
        the connection happens per TCP/IP

        how do you imagine that postfix retains anything
        in this case postfix is the client

        the client is not in the position to decide what IP the
        server sees for a connection, otherwise any netfilter
        would be impossible, and no, throw away the idea to
        rely on whatever headers for such decisions

        i would never setup a mail system at all where the final destination
        does spam-filtering, there are solutions dedicated for spam-filtering
        and the already filtered mails are delivered to the final destination

        no need for two MX records at all

        one is enough - if it is down, well that is the reason for
        why mail queues were invented, if the MX is down for
        maintenance - so what, try later again deliver the
        message, that is how SMTP was designed to work
      • Simon Walter
        Message 3 of 9 , Feb 14, 2013
          On 02/15/2013 06:10 AM, Reindl Harald wrote:
          >
          > no need for two MX records at all

          I think perhaps that is a bit of hasty advice. I'm quite sure given a
          large enough infrastructure and traffic load that you'd want two or more
          MX records with a different SMTP server sitting behind each IP address.
          I could (and have been) wrong though.

          --
          htholidays.com
        • Luigi Rosa
          Message 4 of 9 , Feb 14, 2013
            -----BEGIN PGP SIGNED MESSAGE-----
            Hash: SHA1

            Kevin Blackwell said the following on 14/02/2013 20:31:

            > I'm using postfix to relay email to our exchange server.
            >
            > The problem I'm running into is the spam filtering on the exchange filter
            > is being bypassed because the relayed email shows a from address of the
            > email relay server and not the originating ip address.
            >
            > Is there a way to configure postfix to relay mail but retain the received
            > from IP address when it was received by postfix?

            As Reindl Harald pointed out, the spam filter should be in only one place: the
            border server.

            If you add something like (check the documentation before adding these parameters)

            reject_invalid_hostname
            reject_non_fqdn_hostname
            reject_non_fqdn_sender
            reject_non_fqdn_recipient
            reject_unknown_sender_domain
            reject_rbl_client cbl.abuseat.org
            reject_rbl_client sbl.spamhaus.org
            reject_rbl_client pbl.spamhaus.org

            to smtpd_recipient_restrictions you block nearly 90% of spam

            My advice is to disable antispam on Exchange _and_ Outlook (if you have any)
            and filter in just one point.

            This is useful also if you want to debug the filter, i.e. if a user asks why a
            mail has been rejected.

            Of course smtpd_recipient_restrictions alone is not an antispam filter, you
            should also add at least an antivirus scanner.



            Ciao,
            luigi

            - --
            /
            +--[Luigi Rosa]--
            \

            Talk is cheap because supply exceeds demand.
            -----BEGIN PGP SIGNATURE-----
            Version: GnuPG v1.4.11 (GNU/Linux)
            Comment: Using GnuPG with undefined - http://www.enigmail.net/

            iEYEARECAAYFAlEduNEACgkQ3kWu7Tfl6ZSC1QCgymM8xcjCLLMn/9C0HqrHn6Ln
            JPsAoIKeVd2RkEcHUMi2yZYz84yZJVIq
            =lOiv
            -----END PGP SIGNATURE-----
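
The restriction list from the message above, placed in a main.cf for a Postfix MX that relays to Exchange, together with recipient validation so that mail for unknown users is rejected during the SMTP session instead of being accepted and bounced later (the backscatter case raised earlier in the thread). This is an added example, not part of any message in the thread; example.com, exchange-edge.example.com, user@example.com and the map file paths are placeholders.

```conf
# /etc/postfix/main.cf on the Postfix MX (added example, placeholder names)

# Accept mail for the domain as a relay only.
relay_domains = example.com

# Hand accepted mail to the Exchange server. The square brackets tell
# Postfix to connect to that host directly instead of doing an MX lookup.
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing):
#   example.com    smtp:[exchange-edge.example.com]:25

# Table of valid recipients in the relayed domain. With this set, mail for
# an address that is not listed is refused with a 5xx reply at RCPT TO,
# so Postfix never accepts a message that Exchange would later reject.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#   /etc/postfix/relay_recipients (run postmap after editing):
#   user@example.com    OK

# The HELO checks below only make sense if clients must send HELO/EHLO.
smtpd_helo_required = yes

# Restrictions as listed in the message above. reject_unauth_destination
# comes first after permit_mynetworks so the host is never an open relay.
# reject_invalid_hostname and reject_non_fqdn_hostname are the older names;
# since Postfix 2.3 they are called reject_invalid_helo_hostname and
# reject_non_fqdn_helo_hostname.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org
```
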
          • Stefan Foerster
            Message 5 of 9 , Feb 14, 2013
              * Kevin Blackwell <akblackwel@...>:
              > I have 2 mx records. The primary is Exchange's edge server that has its own
              > internal spam filtering. The secondary is a postfix server relaying mail to
              > the edge server as a backup mx record. Are you saying the postfix server
              > should be behind the Exchange edge server?

              Wrong setup. If you have more than one MX, each of them should apply
              the exact same content filter policies. Either buy a second Exchange
              edge server or get rid of Exchange and buy a second MX running
              Postfix.


              Stefan
            • Reindl Harald
              Message 6 of 9 , Feb 15, 2013
                On 15.02.2013 01:30, Simon Walter wrote:
                > On 02/15/2013 06:10 AM, Reindl Harald wrote:
                >>
                >> no need for two MX records at all
                >
                > I think perhaps that is a bit of hasty advice. I'm quite sure given a large enough infrastructure and traffic load
                > that you'd want two or more MX records with a different SMTP server sitting behind each IP address. I could (and
                > have been) wrong though.

                in this case the setup should be done by people who
                know what they are doing and you are unlikely to have an
                exchange as MX

                having two MX and only one of them filters spam is dumb
                the two MX must behave identical from outside
              • Mikael Bak
                Message 7 of 9 , Feb 15, 2013
                  Kevin,

                  On 02/14/2013 09:41 PM, Kevin Blackwell wrote:
                  > I have 2 mx records. The primary is Exchange's edge server that has its
                  > own internal spam filtering. The secondary is a postfix server relaying
                  > mail to the edge server as a backup mx record. Are you saying the
                  > postfix server should be behind the Exchange edge server?
                  >

                  A rule of thumb is that if you must have a backup MX you should have the
                  same spam defence as on the primary one.
                  If you can't do that, I suggest you drop the backup MX.

                  Alternatively you can hide the exchange behind a postfix, but then you
                  should let postfix do the spam filtering and disable spam filter on the
                  exchange.

                  You must now ask yourself the question why you need a backup MX.

                  HTH,
                  Mikael