On 2011-10-25 11.09, ML mail wrote:
> I am currently running spamd on an OpenBSD firewall which does greylisting to 
> protect a qmail linux mail server on a DMZ and was wondering if it would be 
> possible to have both tasks (firewalling and spamd/greylisting) on two 
> different physical machines so that the firewall would just do packet 
> filtering and another separate machine just greylisting?
> 
> The problem here, as I see it, is that the dedicated greylisting machine 
> would somehow have to redirect IP addresses which are not on the greylist to 
> the mail server. As far as I know this is not possible with a machine having 
> only one NIC.
> 
> Any ideas or recommendations on how to achieve this?

* Set up a spam filter box with PF and spamd as usual.

* Let PF forward to the internal sendmail.

* Set up /etc/mail/access in that sendmail, list all domains you accept
mail for and mark them as RELAY

* Set up /etc/mail/mailertable, listing the same domains as in the
access file. Tag each with SMTP:[ip.of.your.qmail.host]. This will make
sendmail relay incoming mail to accepted domains to your qmail server.

* Don't forget to makemap(8) the access and mailertable files!

This setup will give you an additional benefit in that the spam filter
box spools incoming mail for the qmail server, so if it is inoperative
you won't lose any mail.

The disadvantage is that it can't reject mail with unknown To: addresses
because it has no knowledge of what mailboxes are defined on the qmail
box. This may or may not be a problem for you; invalid destinations will
cause qmail to send an error reply mail, so any real users will be
notified of their mistake anyway. Unfortunately spam almost always has
fake From: addresses, which means you will also inadvertently spam
innocent people with qmail's rejection mails. :-/

(I suppose this can be solved by using LDAP and having sendmail on the
incoming spam filter box check the validity of each incoming To: address
but I have never tried that myself so I can't vouch for its viability.)

Oh, and if you use this kind of setup, you would probably want to send
outgoing mail from qmail via this server as well, since many "smart"
spam filtering schemes elsewhere assume that mail sent from domain x.y
must have x.y in the MX record as well. :-/


Regards,
/Benny


-- 
internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
Benny Lofgren        /  mobile: +46 70 718 11 90     /   be weighed,
                    /   fax:    +46 8 551 124 89    /    not counted."
                   /    email:  benny -at- internetlabbet.se
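The access/mailertable/makemap steps in the reply above, as an added example that is not part of the original message: a small POSIX sh script that builds both sendmail maps from a single domain list (so the front-end can never accept a domain it has no route to, or the reverse) and a check that the two files still agree before they are rebuilt. The domain names, the address 192.0.2.10 and the use of a temporary directory in place of /etc/mail are assumptions for the demonstration. It also uses the "To:" tag on the access entries, which limits the RELAY permission to mail destined for those domains; an untagged "domain RELAY" entry would additionally let any client whose hostname resolves into that domain relay through the box.

```shell
#!/bin/sh
# Added example, not from the original message: build the two sendmail maps
# the reply describes (access + mailertable) from ONE domain list, so the
# relay front-end cannot accept a domain it has no route for (or vice
# versa), then verify that both files agree.  The domains, 192.0.2.10 and
# the temporary directory standing in for /etc/mail are assumptions.

# gen_relay_maps DIR QMAIL_IP DOMAIN...
# Writes DIR/access and DIR/mailertable.  Access entries carry the "To:"
# tag so only relaying *to* the listed domains is permitted; an untagged
# "domain RELAY" would also let clients whose hostname ends in that
# domain relay through the box.
gen_relay_maps() {
    dir=$1; qmail_ip=$2; shift 2
    [ $# -gt 0 ] || { echo "gen_relay_maps: no domains given" >&2; return 1; }
    case $qmail_ip in
        *[!0-9.]*|'')
            echo "gen_relay_maps: bad IPv4 address '$qmail_ip'" >&2; return 1 ;;
    esac
    : > "$dir/access"
    : > "$dir/mailertable"
    for d in "$@"; do
        printf 'To:%s\tRELAY\n' "$d" >> "$dir/access"
        # Bracketed address: deliver straight to that host, no MX lookup.
        printf '%s\tsmtp:[%s]\n' "$d" "$qmail_ip" >> "$dir/mailertable"
    done
    # Rebuild the .db files where makemap(8) exists (it does on OpenBSD);
    # sendmail reads the .db files, not the text sources.
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$dir/access" < "$dir/access"
        makemap hash "$dir/mailertable" < "$dir/mailertable"
    fi
}

# check_relay_maps DIR
# Returns 0 when the set of domains marked RELAY in access equals the set
# of domains routed in mailertable.  Run it on a hand-edited /etc/mail
# before makemap: a domain present in only one file means either mail
# rejected at the front-end or a RELAY with no route behind it.
check_relay_maps() {
    dir=$1
    a=$(sed -n 's/^To:\([^[:space:]]*\)[[:space:]]\{1,\}RELAY$/\1/p' \
            "$dir/access" | sort -u)
    m=$(awk '{print $1}' "$dir/mailertable" | sort -u)
    [ "$a" = "$m" ]
}

# Demonstration on a throwaway directory with constructed domains.
demo_dir=$(mktemp -d) || exit 1
gen_relay_maps "$demo_dir" 192.0.2.10 example.com example.net
if check_relay_maps "$demo_dir"; then
    echo "maps consistent:"
else
    echo "maps DISAGREE:"
fi
cat "$demo_dir/access" "$demo_dir/mailertable"
rm -rf "$demo_dir"
```

On the real box run it as root against /etc/mail and keep the domain list in one place (a file or the script's argument list) so that adding a customer domain updates access and mailertable in the same step; the check is what catches the case where someone later edits only one of the two by hand.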
