On 2011-10-25 15.17, ML mail wrote:
> Many thanks for your solution based on using the local sendmail installation. 
> That makes sense and sendmail will then be taking care of routing the mails 
> to the qmail server, a nice solution which I will give a go. So is this 
> basically the only solution if someone wants to use spamd on a dedicated box?

I wouldn't say it's the *only* solution, but it is the solution I've been
running with for several years and it works great in our environment.


Regards,
/Benny



> 
> ----- Original Message -----
> From: Benny Lofgren <bl-li...@lofgren.biz>
> To: ML mail <mlnos...@yahoo.com>
> Cc: "misc@openbsd.org" <misc@openbsd.org>
> Sent: Tuesday, October 25, 2011 1:37 PM
> Subject: Re: dedicating a server to spamd
> 
> On 2011-10-25 11.09, ML mail wrote:
>> I am currently running spamd on an OpenBSD firewall which does greylisting 
>> to protect a qmail linux mail server on a DMZ and was wondering if it would 
>> be possible to have both tasks (firewalling and spamd/greylisting) on two 
>> different physical machines so that the firewall would just do packet 
>> filtering and another separate machine just greylisting?
>>
>> The problem as I see it is that the dedicated greylisting machine would 
>> somehow have to redirect IP addresses which are not on the greylist to the 
>> mail server. As far as I know this is not possible with a machine having 
>> only one NIC.
>>
>> Any ideas or recommendations on how to achieve this?
> 
> * Set up a spam filter box with PF and spamd as usual.
> 
> * Let PF forward to the internal sendmail.
> 
> * Set up /etc/mail/access in that sendmail, list all domains you accept
> mail for and mark them as RELAY
> 
> * Set up /etc/mail/mailertable, listing the same domains as in the
> access file. Tag each with SMTP:[ip.of.your.qmail.host]. This will make
> sendmail relay incoming mail to accepted domains to your qmail server.
> 
> * Don't forget to makemap(8) the access and mailertable files!
> 
> This setup will give you an additional benefit in that the spam filter
> box spools incoming mail for the qmail server, so if it is inoperative
> you won't lose any mail.
> 
> The disadvantage is that it can't reject mail with unknown To: addresses
> because it has no knowledge of what mailboxes are defined in the qmail
> box. This may or may not be a problem to you; invalid destinations will
> cause qmail to send an error reply mail so any real users will be
> notified of their mistake anyway. Unfortunately spam almost always has
> fake From: addresses, which means you will also inadvertently spam
> innocent people with qmail's rejection mails. :-/
> 
> (I suppose this can be solved by using LDAP and having sendmail on the
> incoming spam filter box check the validity of each incoming To: address
> but I have never tried that myself so I can't vouch for its viability.)
> 
> Oh, and if you use this kind of setup, you would probably want to send
> outgoing mail from qmail via this server as well, since many "smart"
> spam filtering schemes elsewhere assume that mail sent from domain x.y
> must have x.y in the MX record as well. :-/
> 
> 
> Regards,
> /Benny
> 
> 

-- 
internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
Benny Lofgren        /  mobile: +46 70 718 11 90     /   be weighed,
                    /   fax:    +46 8 551 124 89    /    not counted."
                   /    email:  benny -at- internetlabbet.se
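
The access and mailertable steps from the quoted message, as an added example that is not part of the original thread: both files are generated from one domain list and then cross-checked, so a domain cannot end up relayed without a route to the qmail host or routed without being accepted. The domains, the 192.0.2.25 address and the function names are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders: example.org, example.net and 192.0.2.25 stand in
# for the accepted domains and the qmail host.

# access entries: accept mail for each domain and relay it onward.
gen_access() {
    for d in "$@"; do printf '%s\tRELAY\n' "$d"; done
}

# mailertable entries: send each domain to the qmail host. The brackets
# make sendmail use the address directly instead of doing an MX lookup.
gen_mailertable() {
    ip=$1; shift
    for d in "$@"; do printf '%s\tsmtp:[%s]\n' "$d" "$ip"; done
}

# Report domains that appear in only one of the two files.
# Returns non-zero when the files disagree.
check_pair() {
    awk '
        /^#/ || NF < 2 { next }
        FILENAME == ARGV[1] { if ($2 == "RELAY") acc[tolower($1)] = 1; next }
        { mt[tolower($1)] = 1 }
        END {
            for (d in acc) if (!(d in mt)) { print "no route: " d; bad = 1 }
            for (d in mt) if (!(d in acc)) { print "not relayed: " d; bad = 1 }
            exit bad + 0
        }' "$1" "$2"
}

# Demo in a scratch directory; nothing under /etc/mail is touched.
demo() {
    dir=$(mktemp -d) || return 1
    gen_access example.org example.net > "$dir/access"
    gen_mailertable 192.0.2.25 example.org example.net > "$dir/mailertable"
    check_pair "$dir/access" "$dir/mailertable" && echo "files agree"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo

# After installing the real files, rebuild both maps (makemap(8)):
#   makemap hash /etc/mail/access < /etc/mail/access
#   makemap hash /etc/mail/mailertable < /etc/mail/mailertable
```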
