Re: Relaying email to exchange

  • Reindl Harald
    Message 1 of 9 , Feb 14, 2013
      DO NOT TOP POST IF YOU GOT A REPLY BELOW YOUR MESSAGE
      ON MAILING-LISTS, SEE MY REPLY AT BOTTOM WHILE I REFUSE
      TO REPAIR THE THREAD BECAUSE NOBODY WOULD PAY THE WORK

      Am 14.02.2013 21:41, schrieb Kevin Blackwell:
      > I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary
      > is postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should
      > be behind the Exchange edge server?
      >
      > On Thu, Feb 14, 2013 at 1:36 PM, Reindl Harald <h.reindl@... <mailto:h.reindl@...>> wrote:
      >
      > Am 14.02.2013 20:31, schrieb Kevin Blackwell:
      > > I'm using postfix to relay email to our exchange server.
      > >
      > > The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
      > > email shows a from address of the email relay server and not the originating ip address.
      > >
      > > Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
      > > postfix?
      >
      > wrong setup
      >
      > the spamfilter has to be on the MX directly in front of
      > both machines and especially in front of exchange
      >
      > what do you imagine happens if spam would be caught
      > on the exchange? well, it rejects while postfix in front
      > of it has received it
      >
      > now you have two choices and both are completely wrong:
      > * get a backscatter
      > * drop messages which you accepted with 250 silently
      > which is not permitted per law


      i say simply the spam-filter has to be on the
      MX and not on a relay server after, how you
      design your infrastructure is yours

      > Is there a way to configure postfix to relay mail but retain the
      > received from IP address when it was received by postfix?

      is simply impossible

      your postfix connects to the exchange
      the connection happens per TCP/IP

      how do you imagine that postfix retains anything
      in this case postfix is the client

      the client is not in the position to decide what IP the
      server sees for a connection, otherwise any netfilter
      would be impossible, and no, throw away the idea to
      rely on whatever headers for such decisions

      i would never setup a mail system at all where the final destination
      does spam-filtering, there are solutions dedicated for spam-filtering
      and the already filtered mails are delivered to the final destination

      no need for two MX records at all

      one is enough - if it is down, well that is the reason for
      why mail queues were invented, if the MX is down for
      maintenance - so what, try later again to deliver the
      message, that is how SMTP was designed to work
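
Added example, not part of the original post: a Python sketch of why header-based decisions behind a relay are fragile. Only the Received lines stamped by hosts you control can be believed; everything below the first external client IP was supplied by the sender. The hostnames, the relay address 192.0.2.10 and the sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumed address of the backup-MX postfix relay (constructed, RFC 5737 range).
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample as the final server would store it; the last Received
# line was supplied by the sending side and may be forged.
SAMPLE = """\
Received: from mx2.example.org (mx2.example.org [192.0.2.10])
\tby exchange.example.org with ESMTP; Thu, 14 Feb 2013 21:00:02 +0100
Received: from mail.sender.test (unknown [203.0.113.77])
\tby mx2.example.org (Postfix) with ESMTP id 4F2A1; Thu, 14 Feb 2013 21:00:01 +0100
Received: from bank.example.com (bank.example.com [198.51.100.5])
\tby mail.sender.test with ESMTP; Thu, 14 Feb 2013 20:59:00 +0100
From: someone@sender.test
Subject: constructed test message

body
"""

# The bracketed address in the "from" clause is what the stamping server
# saw on the TCP connection.
CLIENT_IP = re.compile(r"from\s+\S+\s+\([^)]*\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_RELAYS)

def boundary_client_ip(raw_message):
    """Return the first client IP recorded by a host we control, or None.

    Received lines are read newest first. A line is believed only while every
    hop above it was one of our relays; the first untrusted client IP is the
    external sender, and every line below it is sender-controlled.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = CLIENT_IP.search(" ".join(header.split()))
        if match is None:
            return None        # unparseable hop: stop, do not guess
        ip = ipaddress.ip_address(match.group(1))
        if not is_trusted(ip):
            return str(ip)     # stamped by our own host, so usable
    return None                # mail never left the trusted relays
```

The result is only as good as the trusted-relay list and the header format of each hop, which is why the thread recommends filtering on the MX that sees the real connection.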
    • Simon Walter
      Message 2 of 9 , Feb 14, 2013
        On 02/15/2013 06:10 AM, Reindl Harald wrote:
        >
        > no need for two MX records at all

        I think perhaps that is a bit of hasty advice. I'm quite sure given a
        large enough infrastructure and traffic load that you'd want two or more
        MX records with a different SMTP server sitting behind each IP address.
        I could (and have been) wrong though.

        --
        htholidays.com
      • Luigi Rosa
        Message 3 of 9 , Feb 14, 2013
          Kevin Blackwell said the following on 14/02/2013 20:31:

          > I'm using postfix to relay email to our exchange server.
          >
          > The problem I'm running into is the spam filtering on the exchange filter
          > is being bypassed because the relayed email shows a from address of the
          > email relay server and not the originating ip address.
          >
          > Is there a way to configure postfix to relay mail but retain the received
          > from IP address when it was received by postfix?

          As Reindl Harald pointed out, the spam filter should be in only one place: the
          border server.

          If you add something like (check the documentation before adding these parameters)

          reject_invalid_hostname
          reject_non_fqdn_hostname
          reject_non_fqdn_sender
          reject_non_fqdn_recipient
          reject_unknown_sender_domain
          reject_rbl_client cbl.abuseat.org
          reject_rbl_client sbl.spamhaus.org
          reject_rbl_client pbl.spamhaus.org

          to smtpd_recipient_restrictions you block nearly 90% of spam

          My advice is to disable antispam on Exchange _and_ Outlook (if you have any)
          and filter in just one point.

          This is useful also if you want to debug the filter, i.e. if a user asks why a
          mail has been rejected.

          Of course smtpd_recipient_restrictions alone is not an antispam filter, you
          should also add at least an antivirus scanner.



          Ciao,
          luigi

          --
          /
          +--[Luigi Rosa]--
          \

          Talk is cheap because supply exceeds demand.
        • Stefan Foerster
          Message 4 of 9 , Feb 14, 2013
            * Kevin Blackwell <akblackwel@...>:
            > I have 2 mx records. The primary is Exchange's edge server that has its own
            > internal spam filtering. The secondary is postfix server relaying mail to
            > the edge server as a backup mx record. Are you saying the postfix server
            > should be behind the Exchange edge server?

            Wrong setup. If you have more than one MX, each of them should apply
            the exact same content filter policies. Either buy a second Exchange
            edge server or get rid of Exchange and buy a second MX running
            Postfix.


            Stefan
          • Reindl Harald
            Message 5 of 9 , Feb 15, 2013
              Am 15.02.2013 01:30, schrieb Simon Walter:
              > On 02/15/2013 06:10 AM, Reindl Harald wrote:
              >>
              >> no need for two MX records at all
              >
              > I think perhaps that is a bit of hasty advice. I'm quite sure given a large enough infrastructure and traffic load
              > that you'd want two or more MX records with a different SMTP server sitting behind each IP address. I could (and
              > have been) wrong though.

              in this case the setup should be done by people who
              know what they are doing and you are unlikely to have an
              exchange as MX

              having two MX and only one of them filters spam is dumb
              the two MX must behave identical from outside
            • Mikael Bak
              Message 6 of 9 , Feb 15, 2013
                Kevin,

                On 02/14/2013 09:41 PM, Kevin Blackwell wrote:
                > I have 2 mx records. The primary is Exchange's edge server that has its
                > own internal spam filtering. The secondary is postfix server relaying
                > mail to the edge server as a backup mx record. Are you saying the
                > postfix server should be behind the Exchange edge server?
                >

                A rule of thumb is that if you must have a backup MX you should have the
                same spam defence as on the primary one.
                If you can't do that, I suggest you drop the backup MX.

                Alternatively you can hide the exchange behind a postfix, but then you
                should let postfix do the spam filtering and disable spam filter on the
                exchange.

                You must now ask yourself the question why you need a backup MX.

                HTH,
                Mikael