[Mimedefang] SMTP AUTH password can be used in Mimedefang?

sosogh sosogh at 126.com
Mon Nov 24 05:45:36 EST 2008


For example:
                           user at backend.com
outside world -----------> backend server
                           1.1.1.1

I assume that:
1. user at backend.com is a mail address on the backend server
2. The IP of the backend server is 1.1.1.1
3. The MX record of backend.com points to 1.1.1.1

The backend mail server holds three services:
1. SMTP service (serves outbound mail)
2. MX service (serves inbound mail)
3. POP3 service

My users' Outlook recognizes that the POP3 server and SMTP server are both 1.1.1.1.
The outside world recognizes that the mail server of the domain backend.com is 1.1.1.1.

Now I want to set up a "transparent anti-spam proxy" for the backend server.
I can change the IP of the backend server,
and I do not want to deploy these three services on separate servers.

>You could configure the backend server to accept mail from the mail only proxy, 
> that way anybody not honoring your MX records is lost.

If I do so, any SMTP connection from users' Outlook will be blocked by the backend server.

>That's easily prevented, either by configuring the backend server
>itself to reject unauthenticated connections from IP addresses
>that do not belong to your own organization or by blocking
>access to the SMTP port of the backend server from the outside
>on your firewall.

My users' Outlook must access the backend server, but their IPs are dynamic.


So I have to set up a "proxy". I set the proxy server in "bridge" mode to make it transparent.
The network is as follows:


                   eth0     eth1          eth0
outside----------->    proxy   ----------> backend   
                    ==bridge== 
                      2.2.2.2              1.1.1.1

I have to redirect any "SMTP to 1.1.1.1:25" to 2.2.2.2:25 using this command on the proxy server:
/sbin/iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 25 -j DNAT --to-destination 2.2.2.2

>Why would it need to do that? In other words: what relevance does
>the SMTP authentication have for the operation of your anti-spam
>relay?

Both of these connections:
1. from the outside world to 1.1.1.1:25
2. from users' Outlook to 1.1.1.1:25
are DNATed to 2.2.2.2:25,
so the "proxy server" should verify SMTP authentication.

>How do you authenticate your users, with sendmail or postfix?
Postfix, because I set up this "proxy server" with Postfix and MIMEDefang.
Postfix verifies valid recipients like this:
Postfix calls MIMEDefang, and MIMEDefang calls the function "md_check_against_smtp_server".


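sub filter_recipient
{
    my($recip, $sender, $ip, $host, $first, $helo,
       $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    # Ask the backend (1.1.1.1) whether it accepts this recipient,
    # using "filter.domain.tld" as the HELO name.
    return md_check_against_smtp_server($sender, $recip, "filter.domain.tld", "1.1.1.1");
}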


------------------				 
sosogh
2008-11-24
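
Added example, not part of the original post and not MIMEDefang's own code: a filter_recipient variant for the setup described above, where user submissions and inbound MX traffic both reach the proxy on port 25. It assumes backend.com is the only domain hosted on 1.1.1.1 and that Postfix's own relay restrictions decide who may send to other domains; the %BACKEND_DOMAINS name and the reply texts are illustrative.

```perl
# Fragment for mimedefang-filter (added example, not from the original post).
# Assumption: these are the only domains whose mailboxes live on 1.1.1.1.
my %BACKEND_DOMAINS = map { $_ => 1 } qw(backend.com);

sub filter_recipient
{
    my ($recip, $sender, $ip, $host, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Addresses usually arrive wrapped in <>; normalise before matching.
    (my $addr = lc $recip) =~ s/^\s*<|>\s*$//g;
    my ($domain) = $addr =~ /\@([^\@\s]+)$/;

    # The backend can only vouch for its own mailboxes. A callout for any
    # other domain would only report the backend's relay policy, so those
    # recipients are left to Postfix's relay restrictions (assumption).
    return ('CONTINUE', 'ok')
        unless defined $domain && $BACKEND_DOMAINS{$domain};

    # Unauthenticated HELO / MAIL FROM / RCPT TO probe against the backend.
    my ($rc, $msg) = md_check_against_smtp_server(
        $sender, $recip, 'filter.domain.tld', '1.1.1.1');
    $rc  = '' unless defined $rc;
    $msg = '' unless defined $msg;

    return ('CONTINUE', 'ok')               if $rc eq 'CONTINUE';
    return ('REJECT', 'No such user here')  if $rc eq 'REJECT';

    # Fail closed: if the backend is unreachable or answers unexpectedly,
    # defer the recipient rather than accept an unverified mailbox.
    md_syslog('warning', "recipient callout for $addr returned '$rc': $msg");
    return ('TEMPFAIL', 'Recipient verification temporarily unavailable');
}
```

The callout never carries the client's SMTP AUTH credentials, so it can confirm that a mailbox exists but not that the connecting client is allowed to relay.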