On 2011-10-25 15.17, ML mail wrote:
> Many thanks for your solution based on using the local sendmail installation.
> That makes sense and sendmail will then be taking care of routing the mails
> to the qmail server, a nice solution which I will give a go. So is this
> basically the only solution if someone wants to use spamd on a dedicated box?

I wouldn't say it's the *only* solution, but it is the solution I've been
running with for several years and it works great in our environment.

Regards,
/Benny

> ----- Original Message -----
> From: Benny Lofgren <bl-li...@lofgren.biz>
> To: ML mail <mlnos...@yahoo.com>
> Cc: "misc@openbsd.org" <misc@openbsd.org>
> Sent: Tuesday, October 25, 2011 1:37 PM
> Subject: Re: dedicating a server to spamd
>
> On 2011-10-25 11.09, ML mail wrote:
>> I am currently running spamd on an OpenBSD firewall which does greylisting
>> to protect a qmail linux mail server on a DMZ and was wondering if it would
>> be possible to have both tasks (firewalling and spamd/greylisting) on two
>> different physical machines so that the firewall would just do packet
>> filtering and another separate machine just greylisting?
>>
>> The problem here as I see it is that the dedicated greylisting machine would
>> somehow have to redirect IP addresses which are not on the greylist to the
>> mail server. As far as I know this is not possible with a machine having
>> only one NIC.
>>
>> Any ideas or recommendations on how to achieve this?
>
> * Set up a spam filter box with PF and spamd as usual.
>
> * Let PF forward to the internal sendmail.
>
> * Set up /etc/mail/access in that sendmail, list all domains you accept
>   mail for and mark them as RELAY.
>
> * Set up /etc/mail/mailertable, listing the same domains as in the
>   access file. Tag each with SMTP:[ip.of.your.qmail.host]. This will make
>   sendmail relay incoming mail to accepted domains to your qmail server.
>
> * Don't forget to makemap(8) the access and mailertable files!
>
> This setup will give you an additional benefit in that the spam filter
> box spools incoming mail for the qmail server, so if it is inoperative
> you won't lose any mail.
>
> The disadvantage is that it can't reject mail with unknown To: addresses
> because it has no knowledge of what mailboxes are defined on the qmail
> box. This may or may not be a problem to you; invalid destinations will
> cause qmail to send an error reply mail so any real users will be
> notified of their mistake anyway. Unfortunately spam almost always has
> fake From: addresses, which means you will also inadvertently spam
> innocent people with qmail's rejection mails. :-/
>
> (I suppose this can be solved by using LDAP and having sendmail on the
> incoming spam filter box check the validity of each incoming To: address,
> but I have never tried that myself so I can't vouch for its viability.)
>
> Oh, and if you use this kind of setup, you would probably want to send
> outgoing mail from qmail via this server as well, since many "smart"
> spam filtering schemes elsewhere assume that mail sent from domain x.y
> must have x.y in the MX record as well. :-/
>
>
> Regards,
> /Benny
>
> --
> internetlabbet.se / work:   +46 8 551 124 80 / "Words must
> Benny Lofgren     / mobile: +46 70 718 11 90 /  be weighed,
>                   / fax:    +46 8 551 124 89 /  not counted."
>                   / email:  benny -at- internetlabbet.se
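An added example, not part of the thread: a small POSIX sh helper that writes the access and mailertable entries for the relay setup described above from a constructed domain list and a documentation-range qmail address (192.0.2.10), then checks that both maps list exactly the same domains, since a domain present in one file but missing from the other is the easy way to break this scheme. The mailer name is written lowercase (`smtp`) as in sendmail's cf/README, and makemap(8) is only invoked when it is installed.

```bash
#!/bin/sh
# Build the sendmail access and mailertable maps for a spamd front box that
# relays accepted domains to an internal qmail host, and cross-check them.
# Sample domains and the qmail IP used in the tests below are constructed.

gen_maps() {
    # $1 = output directory, $2 = IP of the qmail host, rest = accepted domains
    outdir=$1; qmail_ip=$2; shift 2
    : > "$outdir/access"
    : > "$outdir/mailertable"
    for dom in "$@"; do
        # access: accept mail for this domain and allow relaying it onward
        printf '%s\tRELAY\n' "$dom" >> "$outdir/access"
        # mailertable: deliver the domain's mail to the qmail host over SMTP
        printf '%s\tsmtp:[%s]\n' "$dom" "$qmail_ip" >> "$outdir/mailertable"
    done
}

check_maps() {
    # Succeeds only if the RELAY domains in access and the domains in
    # mailertable are the same set; a mismatch means mail for some domain
    # is either refused at the front box or accepted with nowhere to go.
    outdir=$1
    awk -F'\t' '$2=="RELAY"{print $1}' "$outdir/access" | sort > "$outdir/.acc"
    awk -F'\t' '{print $1}' "$outdir/mailertable" | sort > "$outdir/.mt"
    cmp -s "$outdir/.acc" "$outdir/.mt"
}

build_maps() {
    # Compile the text maps into the .db files sendmail actually reads;
    # skipped silently when makemap(8) is not available on this machine.
    outdir=$1
    command -v makemap >/dev/null 2>&1 || return 0
    makemap hash "$outdir/access" < "$outdir/access"
    makemap hash "$outdir/mailertable" < "$outdir/mailertable"
}
```

On the real box the output directory would be /etc/mail and the maps would need to be rebuilt with build_maps after every edit.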