Pantek Library

Q about mail proxy servers and setups

From: Michael Scheidell <scheidell(at)secnap.net>
Date: Sun Sep 23 2007 - 13:50:43 EDT


Sometimes a large company will have a proxy server set up in the DMZ and then send it to their internal mail server. I understand that ideally, the proxy server would be replaced with a SpamAssassin/MTA setup.

However, sometimes, client, security and company policy needs outweigh logic.
I can think of several things this might break, depending on if you count that proxy server as an internal/trusted server.

#1, SPF. SPF helo, SENDERID

  The proxy will be adding a received header, and announcing 'HELO/EHLO' using its own name, not the sender's.
  (please no bitching about SPF)

#2, many blacklists that depend on the last received header (the proxy will normally put one in)

For Amavisd/others that use p0f, all we get is signature of the proxy. SMTP rate limiting, greylisting, even recipient verification break. You can't drop the SMTP session when the sender sends you an email with a bad address; the proxy has already accepted it. You can't use 4xx errors in your policy server to do greylisting on policy blacklisting because you are sending the 4xx error to the proxy.

On amavis, if we use MY_NETS policy, and we put the proxy ip in the 'localnets', it will spam the spam and virus contact address on every email from the 'local network'.

If you don't put it in there, it breaks some of the things I mentioned above.

Anything else I missed?
Any solutions other than take the proxy server out and replace it with the SpamAssassin/MTA combo?

-- 
Michael Scheidell, CTO
Office: 561-999-5000 x 1259
Direct: 561-939-7259
Join SECNAP at SecureWorld Detroit 9-10
http://www.secnap.com/events for free and discounted seminar tickets  
Received on Sun Sep 23 13:52:28 2007
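
The "last received header" problem from the message above, as an added example that is not part of the original post: it walks the Received chain on a constructed message and compares the newest hop (the proxy) with the first hop outside a trusted network. The hostnames, addresses, the `TRUSTED` list and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: relay chain as the internal filter sees it behind a DMZ proxy.
# Hostnames and addresses are documentation/private values, not real systems.
SAMPLE = """\
Received: from proxy.dmz.example (proxy.dmz.example [10.0.0.5])
\tby mail.internal.example with ESMTP id A1; Sun, 23 Sep 2007 13:50:45 -0400
Received: from mta.sender.example (mta.sender.example [203.0.113.25])
\tby proxy.dmz.example with SMTP id B2; Sun, 23 Sep 2007 13:50:44 -0400
Received: from workstation (unknown [198.51.100.7])
\tby mta.sender.example with ESMTP id C3; Sun, 23 Sep 2007 13:50:43 -0400
From: sender@sender.example
To: user@internal.example
Subject: test

body
"""

TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: network the proxy lives in

# "from <helo> (<rdns> [<ip>])" at the start of an unfolded Received value
FROM_IP = re.compile(r"^from\s+(\S+)\s+\([^)]*\[([0-9a-fA-F.:]+)\]\)")

def relay_hops(raw):
    """Return [(helo, ip)] parsed from Received headers, newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = FROM_IP.match(" ".join(value.split()))  # undo header folding
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hops

def naive_client(raw):
    """What a 'last Received header' check sees: always the proxy."""
    hops = relay_hops(raw)
    return hops[0] if hops else None

def first_untrusted(raw, trusted=TRUSTED):
    """Skip hops inside trusted networks; return the first external relay."""
    for helo, ip in relay_hops(raw):
        if not any(ip in net for net in trusted):
            return helo, ip
    return None  # every hop was trusted, or no header could be parsed
```

This only recovers the connecting relay for checks made after acceptance, such as blacklist and SPF lookups; SMTP-time actions like 4xx greylisting or recipient rejection still land on the proxy.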

This archive was generated by hypermail 2.1.8 : Sat Oct 27 2007 - 11:05:44 EDT
