[Mimedefang] Should I try to do MIMEDefang with Mailscanner for backup MX

Alan Premselaar alien at 12inch.com
Tue Jun 20 22:45:42 EDT 2006


Steve,

Steve Campbell wrote:

[snip]

>>
>> a) MIMEDefang does things like relay checks, sender checks, and 
>> recipient checks that MailScanner doesn't do.
> 
> This is where I want to remove the backup MX senders.

This type of scenario has been debated in a number of different mail
related lists over time.  One thing you need to consider is that it is
perfectly reasonable for legitimate mailers to hit your secondary MX
server even if your primary MX server is running. This could be related
to temporary failures on your primary MX causing the sending server to
retry your secondary MX, or it could be cached information about which
MX server to connect to.  Because of this, you need to be really careful
about blocking mail coming into your secondary server.

> 
>> b) MailScanner does bulk AV and AS checks, instead of one at a time 
>> checks (which may lead to a net gain in efficiency).
> 
> I would leave the MS/SA functions as they are. They would still do the AV and AS
> checks, but probably have fewer emails to check as MD has deleted the spammers'
> attempt around the primary MX. Although both servers are primary and secondary
> MX servers, they are deleting at the MTA, so both have fewer process cycles due
> to reduced MS/SA emails to check.
> 

If your only means of reducing the load of your AV/SA scanning is based
on the point of the connection, you may find that the effort to
implement this doesn't provide quite the impact that you hope for or expect.

[snip]

> 
> The real problem I saw is that I can't find online man pages for
> mimedefang-filter, and most stuff I saw dealt with the md_check_smtp_*, or
> something like that, for checking if a user is a valid recipient on a server.
> Sorry, I'm at home now and don't have my notes in front of me.
> 

In my setup, I have a machine that hosts multiple domains (MX1) and a
backup MX (MX2) for those multiple domains.  Not as complicated a setup
as yours, but on a basic level I have MX2 use md_check_smtp_server
against MX1 to validate users and reject on invalid users right off.  I
also have duplicate spamassassin and AV software installations on each
of the MX servers, sharing a mysql database hosted on a third machine
(spamassassin).

In this situation, if MX1 is offline, the mail coming into MX2 is still
checked for viruses and run through SA.  If it passes those phases, it's
queued for delivery to MX1 when it becomes available.  If not, it's
rejected as appropriate.

This ensures that legitimate connections to MX2 (even if MX1 is
available) aren't rejected, and the worst-case scenario is that while MX1 is
offline and unable to validate users, some mail for unknown users may be
queued and sent to MX1 when it's available, and then rejected, causing
MX2 to generate a DSN.  As this happens so infrequently, I feel it's a
reasonable compromise.

> One for, one against.
> 
> I have just started playing with milters, so I like something that is
> configurable, more so than those that are fairly single-purposed.

MIMEDefang is an extremely powerful tool that gives you a broad range of
possibilities for mail filtering.  The downside is that you need to know
at least the very basics of Perl in order for it to be configurable to
your tastes.  (And obviously the more you know about Perl, the better
you can tweak it to your tastes.)

I definitely recommend that you learn Perl, as doing so would allow you
to easily do what you're looking to do with MIMEDefang.

HTH

Alan
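Added example (not from Alan's post or from the MIMEDefang project) of what the MX2 setup described above can look like in mimedefang-filter: filter_recipient asks MX1 via md_check_against_smtp_server (the function the post calls md_check_smtp_server) whether a recipient exists, rejects at RCPT time when MX1 says no, and accepts and queues when MX1 cannot be reached, which is the compromise Alan describes. The host name mx1.example.com and the domain list are assumptions; the ($code, $msg) return convention is the one documented for md_check_against_smtp_server.

```perl
# Added example for mimedefang-filter on the backup MX (MX2).
# Assumed values: MX1 is reachable as mx1.example.com, and %backup_domains
# lists the domains MX2 is a secondary for.  Not the project's own code.

my $primary_mx = 'mx1.example.com';                 # assumed host name
my %backup_domains = map { $_ => 1 } qw(example.com example.net);

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Strip angle brackets and pick out the domain part of the recipient.
    (my $addr = $recipient) =~ s/^<(.*)>$/$1/;
    my ($domain) = $addr =~ /\@([^\@]+)$/;
    $domain = lc($domain || '');

    # Only validate recipients in domains we relay for; anything else is
    # left to the MTA's normal relay checks.
    return ('CONTINUE', 'ok') unless $backup_domains{$domain};

    # Ask MX1 whether it would accept this recipient.
    my ($code, $msg) = md_check_against_smtp_server($sender, $recipient,
                                                    $helo, $primary_mx);

    # MX1 said no: reject before the message body is ever transmitted.
    return ('REJECT', $msg) if $code eq 'REJECT';

    # MX1 unreachable or temporarily failing: accept and queue rather than
    # reject, so legitimate mail is not lost while MX1 is down.  MX1 may
    # bounce unknown users later, producing the occasional DSN from MX2.
    if ($code eq 'TEMPFAIL') {
        md_syslog('info', "primary MX $primary_mx unavailable; queueing $recipient");
        return ('CONTINUE', 'ok');
    }

    return ('CONTINUE', 'ok');
}
```

filter_recipient is only called when mimedefang is started with the -r flag, so enable that on MX2 for this check to run.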
