Re: Q about mail proxy servers and setups
Michael Scheidell wrote:
>> -----Original Message-----
>> From: David B Funk [mailto:dbfunk@engineering.uiowa.edu]
>> Sent: Monday, September 24, 2007 12:07 AM
>> To: Michael Scheidell
>> Cc: users@spamassassin.apache.org; Amavis-Users
>> Subject: RE: Q about mail proxy servers and setups
>>
>> On Sun, 23 Sep 2007, Michael Scheidell wrote:
>>
>>> For the purposes of this discussion, the biggest reason I can't be on
>>> the edge where I'd like to be is that there is a massive proxy/load
>>> balancer/failover device that does more than email.
>>>
>>> Many firewalls 'proxy' the email also, so it's not like you can take it
>>> out.
>>
>> Is there any chance you can talk them into running a
>> -transparent- SMTP proxy rather than a SMTP relay? It acts
>> more like an ISO layer 2 bridge (but specific to SMTP
>> traffic) so not to disturb the contents.
>>
>
> As you might suspect, one of the IT people at this company who has been
> there 20 years wrote the thing.
>
> I tried. That was my first suggestion. That would fix graylisting
> (which I don't do),
not important. but see below.
> fix SPF and SPF HELO, and SENDER ID,
if the proxy adds the right Received headers (the same way postfix and
sendmail would do), there should be no problem if you configure
trusted_networks and internal_networks (thanks to matus for the reminder).
> blacklisting,
> tarpitting, etc.
>
> MIGHT fix p0f, but don't know.
>
> I am going to write up a whitepaper on why NOT to put an anti-spam/MTA
> behind a proxy, cite all relevant, good suggestions and send it to them.
>
it really depends on whether you can add a box before the proxy to
implement blacklisting and other things. (but if the proxy needs the
client IP, some work is needed. so it's a budget question).
Received on Mon Sep 24 08:27:02 2007
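
The point about Received headers and trusted_networks, as an added example that is not part of the original message and is not SpamAssassin's own code: a simplified model of how a filter behind a proxy picks the client IP to use for SPF and blacklist checks. The hostnames, IP addresses, and function names are constructed for illustration, and only the trusted-network walk is modelled.

```python
import ipaddress
import re

# Constructed sample: Received headers top-down as the filter sees them.
# 10.1.1.5 stands for the proxy, 192.0.2.25 for the real sending client.
SAMPLE_RECEIVED = [
    "from proxy.example.internal (proxy.example.internal [10.1.1.5]) "
    "by filter.example.internal with ESMTP id A1",
    "from mail.sender.example (mail.sender.example [192.0.2.25]) "
    "by proxy.example.internal with SMTP id B2",
    "from workstation (unknown [198.51.100.7]) "
    "by mail.sender.example with ESMTP id C3",
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received):
    """Return the connecting IP recorded in one Received header, or None."""
    from_part = received.split(" by ", 1)[0]
    match = IP_IN_BRACKETS.search(from_part)
    return ipaddress.ip_address(match.group(1)) if match else None


def last_external_relay(received_headers, trusted_networks):
    """Walk headers newest-first and return the first relay IP that is
    outside the trusted networks: the address that SPF and blacklist
    lookups should be run against."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received_headers:
        ip = relay_ip(header)
        if ip is None:
            return None  # unparseable hop: do not trust anything below it
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    # Proxy adds its header and is listed as trusted: real client is found.
    print(last_external_relay(SAMPLE_RECEIVED, ["10.1.1.0/24"]))
    # Proxy not listed as trusted: every message appears to come from it.
    print(last_external_relay(SAMPLE_RECEIVED, []))
    # Proxy adds no Received header: the walk skips past the real client.
    no_proxy_hop = [SAMPLE_RECEIVED[0], SAMPLE_RECEIVED[2]]
    print(last_external_relay(no_proxy_hop, ["10.1.1.0/24"]))
```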