[Mimedefang] filter_relay, HELO checks, and minimal filter

mfaurot at atww.org
Thu Aug 14 15:00:01 EDT 2003


In article <3F3BCCF0.8000508 at 3dp.com> you wrote:

> First, I had no difficulty creating filter_relay in mimedefang-filter, 
> but then how do I invoke it?:) 

You have to be using mimedefang-multiplexor and mimedefang must be started
with the argument '-r'.  This is documented in mimedefang-filter(5).

> Second, I note that 2% of the messages incoming to our server in the  
> last week, out of about 21,000 messages, have HELO statements saying  
> HELO 66.250.41.20. This 'all-numeric' HELO is using the address       
> assigned as static NAT by our firewall!! Only another 0.6% HELO lines 
> use numeric-only HELOs, so I intend to block all IP-address-only      
> HELOs. Is this something I could be dealing with more easily using    
> and access.db?                                                        

Doing this in filter_relay() is a good way to deal with it.

> I've been wondering how to block incoming mail to things like 'adm',
> 'bin', 'man' and other standard unix account names, that don't
> originate within our domain. What is the proper way to do this using
> access.db?

You can block stuff like this in access_db, but I don't think you're
going to have the ability to make distinctions between accepting mail
for those addresses (why would you even need to?) locally but rejecting
them when coming from outside your domain or local netblock.  If you
decide you don't need to receive mail for those pseudo-users at all,
then use access_db, otherwise you'll be better able to deal with this in
MD.

> Are there particular IDs such as 'root' or 'postmaster' I need to
> leave alone?

postmaster needs to accept mail from "outside".  root could be isolated
for just internal use though.

> Third, currently I am accepting email on one server and forwarding it in 
> to a spam-filtering server on the inside, that then forwards to an 
> internal Exchange server.  Originally I tried running mimedefang/SA 
> directly on the gateway mail server, but it quickly got hosed (a few 
> versions back, and it is an SGI).  Now, in order to do these HELO checks 
> properly, I need to run it again on the gateway.  My idea was to use a 
> very minimal filter with the SA lines commented out, in hopes that this 
> will reduce the load and the machine won't get hosed.   Any comments on 
> this idea?  The idea is some mail will get rejected at the gateway, and 
> the rest will get checked again and SA-checked on the filtering host.

Why not just use a machine with enough horsepower to do a proper job of
being the mail gateway?  That could simplify things all the way around.
Instead of having three machines, just a gateway and the internal
Exchange server.
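
As an added illustration (not part of the original post and not MIMEDefang's own code), here is a filter_relay() that rejects bare-IP HELOs and HELOs claiming the gateway's own address. It assumes the HELO string arrives as the third argument, so check mimedefang-filter(5) for your version; classify_helo and the 192.0.2.10 address are hypothetical placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed placeholder for the gateway's public (static NAT) address.
my %OWN_ADDR = map { $_ => 1 } ('192.0.2.10');

# Hypothetical helper: classify a HELO argument.
# Returns 'own-ip', 'bare-ip', or '' when there is nothing to object to.
sub classify_helo {
    my ($helo) = @_;
    return '' unless defined $helo;
    $helo =~ s/^\s+|\s+$//g;
    # Match a dotted quad, optionally written as a bracketed address literal.
    my ($open, $ip, $close) = $helo =~ /^(\[?)(\d{1,3}(?:\.\d{1,3}){3})(\]?)$/
        or return '';
    return '' if grep { $_ > 255 } split /\./, $ip;   # not a real IPv4 address
    # No outside host should introduce itself with our address, in any form.
    return 'own-ip' if $OWN_ADDR{$ip};
    # "[1.2.3.4]" is valid SMTP syntax; only the bare form is rejected.
    return ($open && $close) ? '' : 'bare-ip';
}

# Assumed argument order (relay IP, relay name, HELO); labelled as an assumption.
sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;
    # Local submissions are not subject to the HELO policy.
    return ('CONTINUE', 'ok') if $hostip =~ /^127\./;
    my $why = classify_helo($helo);
    # Fixed reply text: the client-supplied HELO is never echoed back.
    return ('REJECT', 'HELO claims to be this mail gateway') if $why eq 'own-ip';
    return ('REJECT', 'HELO must be a host name, not a bare IP address')
        if $why eq 'bare-ip';
    return ('CONTINUE', 'ok');
}

# Constructed sample connections: [relay IP, reverse name, HELO argument].
unless (caller) {
    for my $c (['198.51.100.7', 'unknown',          '192.0.2.10'],
               ['198.51.100.8', 'unknown',          '203.0.113.44'],
               ['198.51.100.9', 'mx.example.net',   '[198.51.100.9]'],
               ['203.0.113.5',  'mail.example.org', 'mail.example.org']) {
        my ($action, $msg) = filter_relay(@$c);
        printf "%-18s %-9s %s\n", $c->[2], $action, $msg;
    }
}
1;
```

Run stand-alone it prints the decision for each sample; to use it in a filter, paste the two subs into mimedefang-filter and start mimedefang with '-r' under mimedefang-multiplexor, as described in the reply above.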