[Mimedefang] Should I try to do MIMEDefang with Mailscanner for backup MX

Steve Campbell campbell at cnpapers.com
Sat Jun 24 08:55:54 EDT 2006

Alan, Atanas,

Thanks for the detailed descriptions of all of your ideas.

I thought, though, some comments on my situation would clear up a few things in
the event that this thread continues.

I have set up two servers for a specific reason other than for having backup MXs
for the domains. I work at a newspaper, actually, a JOA. There are two main
newspapers published here, plus a company (the JOA part) that manages the
production and all other non-editorial facilities, including the IT department.
I separated the servers by domain (each newspaper and the JOA have their own
domain) to distribute the total load across the servers. Sweet and simple and
easy. We do not have a lot of money for servers, (at least I don't get much of
it), so the dual role for servers. The better way would be a real gateway for
the MX instead of using a mail drop, but that's the financial decision I must
live with. Since my primary job is administration of our Internet servers, and
not just our mail services, my time is spread thinly across all of these services.

I configured sendmail using mostly domains as the criteria for everything. As
you both know, there are quite a few different ways of setting up sendmail to
recognize who is local, what should be relayed, how to define the path for the
relay to the next server, etc. So in my case, if email comes in to the primary
MX for a domain, it knows by the domain name, that it should use the local
delivery to the mailbox. If mail arrives on the backup MX, it knows it should
relay it, and where to relay it, because of the domain the mail is addressed to.

This works very well, is easy to manage, but does cause the very problem I am
having with spammers who use the backup MX to send mail through. I see two
solutions that will fix the immediate setup - milter-ahead and MIMEDefang. Both
provide ways of predetermining user validity on relayed mail. milter-ahead is a
commercial product involving some expense, MD does not. Any solution using the
access DB means changing the sendmail configuration scheme. Anti-virus and spam
is eventually taken care of by MailScanner and the AV programs it uses, so this
is not a problem. It can happen on either server, whether it's the primary or
backup MX.

I could try to write my own milter, but this would be time consuming, and would
rub against my other duties. I know C, but do not know Perl yet. (Had to say
that since it's the main theme of the list), but this is not a problem, as I am
learning Perl and have not asked for coding suggestions. Or I could change how I
have sendmail set up, either using the various db files sendmail uses, or script
something on the backup MX to let the primary know who the users are and insert
that into the access file. At the moment, the access file is used for denying
only, other than the default entries need to allow the domains and localhost.

Both of you have presented valid information, but I thought it best to let you
know of my sendmail admin ability. You can judge for yourself how extensive that
is based on what I have said here. I know there is always more to learn about
sendmail. My comments about using sendmail improperly were based on the fact that
everyone is saying "use the access file to block these backdoor emails", whereas
I chose to do it differently before this was a real problem. I still may change
the way I have configured sendmail, but for now, that seems to be a little bit
of test-and-see-what-happens.

These servers are pretty hefty, and are rarely down. My load problems are mostly
due to the buildup sendmail process of non-deliverable mail, not delivery of
real mail.

Sorry it's so windy, and I really do appreciate what you all are putting into
this question. I am a bit surprised by the general opinion of the MD list that I
shouldn't use MD. But that just shows the honesty of its members, and not a
mine-is-the-best-product-no-matter-what attitude.

Keep up the great work and thanks so much. At the very minimum, I am considering
how I set up sendmail as a solution.


