Date: Thu, 2 Dec 2004 17:54:18 +1100
From: Craig Sanders
To: Gavin Cato
Cc: Sean Finn, aussie-isp
Message-Id: <20041202065418.GM22136@taz.net.au>
In-Reply-To: <BDD4EFAA.13442%gavin.cato@corp.nexon.com.au>
References: <200412020109.iB219hw08718@koala.aussie.net> <BDD4EFAA.13442%gavin.cato@corp.nexon.com.au>
Subject: Re: [Oz-ISP] Virus / Mail scanning cluster gateway TRANSPARENT! server
Followups: <20041202073033.886E11B1C3@melk.ipxc.net>
On Thu, Dec 02, 2004 at 04:13:30PM +1100, Gavin Cato wrote:
> Some type of unix, then Postfix with amavisd-new running Clam antivirus +
> Spam Assassin.

yep. an excellent combination. i'd also suggest postgrey for greylisting.

> On 2/12/04 12:09 PM, "Sean Finn" <s e a n . f i n n @ o z s e r v e r s . c o m . a u> wrote:
> > So in a way, an almost transparent mail scanning server that sits in front of
> > an existing mail server, doesn't need to have pop boxes, just SMTP IN ->
> > FILTER -> SMTP OUT

it also needs a list of valid recipients for each domain that it is relaying for - so that it doesn't generate backscatter when it gets spam/viruses from forged sender addresses.

it is important for ANY backup MX or other mail-relay machine to have a way of verifying that the recipient address is valid, so that it can 5xx reject the message during the SMTP session rather than accept and bounce the message. the latter generates backscatter (sometimes lots of it), while the former does not (spamware and viruses don't implement a full MTA so they don't do bounce processing - they just ignore any error and move on to the next victim address).

in postfix, this can be done with either a relay_recipient_map, or with the reject_unverified_recipient feature. see the ADDRESS_VERIFICATION_README document that comes with postfix for more details.

BTW, some slackers may suggest that relay address verification isn't necessary. don't listen to them. it is necessary, but they're either too slack to implement it or are running crap software that can't do it.

> > Multiple IP capable, that is, the ability to use this standalone scanning
> > server to sit IN FRONT of a group of dedicated servers, Mail received on one
> > IP address goes out to a specific destination SMTP server. Mail received on a
> > DIFFERENT ip address on the scanning server then goes to a DIFFERENT SMTP
> > server, thereby allowing one mail scanning server to serve multiple
> > destination POP BOX servers.

mail servers typically don't route mail based on the IP address/interface it received mail on. it's not a very useful distinction. the most common way of routing mail is by recipient domain - i.e. forward all mail for example.com to server A, all mail for example.com.au to server B, all mail for another.example.com to server C and so on.

this can be done with simple transport table entries in postfix, like so:

    example.com          smtp:[serverA.somewhere.com.au]
    example.com.au       smtp:[serverB.somewhere.com.au]
    another.example.com  smtp:[serverC.somewhere.com.au]

> > My main goal is to take the filtering / scanning off-server, and create
> > clustering for high mail volume domains / servers.

yes, this is a good way of doing it....and you can have as many incoming MX boxes as you have rackspace for (use something simple like RR DNS to "load-balance") to spread the filtering workload over multiple machines. if the load gets too high for the current machines just add another sub-$1000 MX box and adjust the DNS records. or two. or ten.

best of all, it's built with cheap "disposable" machines. if one dies, just replace it with another off-the-shelf commodity PC. they're cheap. they don't need huge disks, with massive disk I/O bandwidth, they just need enough CPU and RAM to run the spam/virus filters, and enough disk space for the operating system and mail spool. the most expensive individual component will probably be the 1RU rack-mount case, although you could use standard mini-towers if you have enough space in your server room.

craig

--
craig sanders <c a s @ t a z . n e t . a u> (part time cyborg)
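Added example, not code from the post and not Postfix's own logic: a small model of the RCPT TO decision the post says a filtering relay has to make. It parses two constructed map files laid out the way Postfix text maps are (key, whitespace, value), routes by recipient domain through a transport table like the one above, and rejects unknown recipients with a 5xx while the sending MTA is still connected instead of accepting and bouncing. The map contents, the sample spam run and the bounce simulation are constructed for illustration, and the function names are this example's own, not Postfix's.

```python
"""Model of a relay's RCPT TO decision: verify the recipient in-session,
route by domain, and never accept-then-bounce. Hypothetical example code;
the map contents below are constructed, not real hosts or users."""

from typing import Dict, List, Optional, Tuple

# Constructed transport table, in the layout the post shows:
#   <domain>  smtp:[<next-hop>]
TRANSPORT_MAP = """\
example.com          smtp:[serverA.somewhere.com.au]
example.com.au       smtp:[serverB.somewhere.com.au]
another.example.com  smtp:[serverC.somewhere.com.au]
"""

# Constructed relay_recipient_maps content: one line per address the relay
# may accept. Only the presence of the key matters; "OK" is a placeholder.
RELAY_RECIPIENT_MAP = """\
# blank lines and comments are ignored, as in postmap(1) input
alice@example.com       OK
bob@example.com         OK
sales@example.com.au    OK
"""


def parse_map(text: str) -> Dict[str, str]:
    """Parse a text map: 'key value' per line, keys case-folded."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def next_hop(transport_value: str) -> str:
    """'smtp:[serverA.somewhere.com.au]' -> 'serverA.somewhere.com.au'."""
    _transport, _sep, hop = transport_value.partition(":")
    return hop.strip("[]")


def rcpt_decision(recipient: str, transport: Dict[str, str],
                  relay_recipients: Dict[str, str]
                  ) -> Tuple[int, str, Optional[str]]:
    """Return (smtp_code, text, next_hop) for one RCPT TO: address.

    250 means accepted and relayed to next_hop. Any 5xx is a permanent
    rejection given during the session, so the relay never has to
    generate a bounce to a (possibly forged) sender.
    """
    addr = recipient.strip().lower()
    if addr.count("@") != 1:
        return 501, "5.1.3 Bad recipient address syntax", None
    domain = addr.rsplit("@", 1)[1]
    if domain not in transport:
        return 554, "5.7.1 Relay access denied", None  # not our domain
    if addr not in relay_recipients:
        # the post's point: verify the user now and reject with 5xx
        return 550, "5.1.1 User unknown in relay recipient table", None
    return 250, "2.1.5 Ok", next_hop(transport[domain])


def backscatter(messages: List[Tuple[str, str]], transport: Dict[str, str],
                relay_recipients: Dict[str, str], verify: bool) -> List[str]:
    """Simulate (sender, recipient) deliveries; return who gets a bounce.

    verify=True : unknown users are rejected in-session, so no bounce.
    verify=False: the relay accepts anything for a relayed domain, the
                  destination server (modelled by the same table) rejects
                  it later, and the relay bounces to the forged sender.
    """
    bounced: List[str] = []
    for sender, recipient in messages:
        code, _text, _hop = rcpt_decision(recipient, transport, relay_recipients)
        if code == 550 and not verify:
            bounced.append(sender)  # accepted, bounced after the fact
        # 250: delivered; other 5xx (or 550 with verify): no bounce
    return bounced


if __name__ == "__main__":
    transport = parse_map(TRANSPORT_MAP)
    valid = parse_map(RELAY_RECIPIENT_MAP)
    # constructed spam run: one forged sender, guessed local parts
    run = [("victim@forged.example", u + "@example.com")
           for u in ("alice", "bob", "zzz", "yyy", "xxx")]
    for addr in ("alice@example.com", "nobody@example.com", "x@evil.example"):
        print(addr, rcpt_decision(addr, transport, valid))
    print("bounces without verification:",
          backscatter(run, transport, valid, verify=False))
    print("bounces with verification:   ",
          backscatter(run, transport, valid, verify=True))
```

The backscatter simulation is the reason the post insists on the recipient list: with verification the spam run above produces no bounces at all, without it every guessed local part that does not exist turns into a bounce aimed at the forged sender.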