spamassassin-users mailing list archives

From Clifton Royston <>
Subject Re: [AMaViS-user] Q about mail proxy servers and setups
Date Sun, 23 Sep 2007 20:35:10 GMT
On Sun, Sep 23, 2007 at 01:50:43PM -0400, Michael Scheidell wrote:
> Sometimes a large company will have a proxy server set up in the DMZ and
> then send it to their internal mail server.
> #1, SPF.  SPF helo, SENDERID
>   The proxy will be adding a received header, and announcing 'HELO/EHLO'
> using its own name, not the senders.
>   (please no bitching about SPF)
> #2, many blacklists that depend on the last received header (the proxy
> will normally put one in)
> For Amavisd/others that use p0f, all we get is signature of the proxy.
> Smtp ratelimiting, greylisting, even recipient verification break.  You
> can't drop the SMTP session when the sender sends you an email with a
> bad address, the proxy has already accepted it.  You can't use 4xx
> errors in your policy server to do greylisting on policy blacklisting
> because you are sending the 4xx error to the proxy.
> On amavis, if we use MY_NETS policy, and we put the proxy ip in the
> 'localnets', it will spam the spam and virus contact address on every
> email from the 'local network'.
> If you don't put it in there, it breaks some of the things I mentioned
> above.
> Anything else I missed?
> Any solutions other than take the proxy server out and replace it with
> the SpamAssassin/MTA combo?

  I think most of your commenters missed this last paragraph.  (I
sympathise with the difficulty of getting *any* change in place in the
large corporate model, let alone one which involves other departments. 
I spent half last year working as a contract software developer inside
a major multinational, and while I could have offered better solutions
for several areas than their IT department, it would have been useless
for me to volunteer that.)

  #1, semi-correct, but meh.  I'm unconvinced that SPF would help you
very much except as it provides for some useful whitelisting
mechanisms.  The MTA is the wrong place to check it, though; see next

  Your point #2 *can* be worked around at the SpamAssassin level, by
configuring the proxy (or potentially multiple parallel proxy servers)
as part of SpamAssassin's "Trusted networks" configuration.  Note that
trusted and *internal* are not the same; trusted simply means that the
MTA is not subverted and that you can rely on it to tell you where mail
really came in from.  It would require a bit of hacking to do something
similar in amavisd, I think, so you would have to rely on SA's own
blacklisting/whitelisting features.  In this context, if you get the SA
config right, you *can* use SPF by having SA evaluate it, looking back
through the received headers to where it really came in from.  I did
something similar to scan back through received headers in some custom
software I wrote (sadly, not available to open source as I wished to.)

  Graylisting and throttling are pointless once the mail is within
the corporate network, correct.  With regard to p0f, again you've
covered it - part of the information might be there but even if you can
get the proxy to forward you the IP via XFORWARD, it won't have the
fingerprint info.  That too needs to come from the point of contact.

  As to your next-to-last point, it would definitely be *incorrect* to
put the proxy in MY_NETS.  It should be configured in amavisd just as
you would configure an MX server which mail comes through.  That would
be a distinct policy from either MY_NETS or the typical incoming mail
policy, IMHO.

 If the powers-that-be are unable to consider open source as an
alternative, perhaps they would consider some of the commercial
products which can perform similarly to amavisd with enough tuning. 
The problem is that a lot of the commercial products are, not to put a
fine point on it, crap.  When the IT departments are fixated on
Microsoft, and trying to run anything on top of Exchange, that's a
killer.  (Not that Exchange belongs in a DMZ in any case.) I hear Lyris
Mailshield can be made to do some pretty impressive filtering, if you
tweak it enough.

  In summary, if a corporate SMTP proxy filter is inadequate to shield
the corporation from spam, unfortunately you are left with a relatively
limited subset of today's antispam features which you can actually use
on the inside.  In the end, the corporation has to live with (or die
with) the choice of filtering technology it has made.

  -- Clifton

    Clifton Royston  -- /
       President  - I and I Computing *
 Custom programming, network design, systems and network consulting services

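The "look back through the Received headers" walk that the reply above describes, written out as an added example (this is not SpamAssassin's, amavisd's, or the poster's code, and the hostnames, addresses and Received lines are constructed). It mirrors the trusted_networks / internal_networks distinction: a relay in trusted_networks is believed when it reports who connected to it, so the walk continues one hop past it; the first client outside the trusted set is the real origin, and the HELO it gave is the one an SPF-HELO or SenderID check should use. Run with the proxy left out of the trusted set, the walk stops at the proxy and every IP-based check lands on your own DMZ host, which is the failure mode the thread is about.

```python
"""Walk Received headers back through trusted relays to the real origin.

Added example for this thread; not code from SpamAssassin or amavisd.
The Received lines, hostnames and IP addresses below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: a sender at 203.0.113.45 talks to the DMZ proxy
# (192.0.2.10), which relays to the internal MX (10.0.0.5), where the
# filter runs.  Newest hop first, as in a real message.
SAMPLE_RECEIVED = [
    "Received: from proxy.example.com (proxy.example.com [192.0.2.10]) "
    "by mx1.internal.example.com (Postfix) with ESMTP id 1A2B3C "
    "for <user@example.com>; Sun, 23 Sep 2007 13:50:43 -0400",
    "Received: from mail.sender.invalid (unknown [203.0.113.45]) "
    "by proxy.example.com (SMTP proxy) with ESMTP id 9Z8Y7X; "
    "Sun, 23 Sep 2007 13:50:40 -0400",
]

# Only the common "from HELO (rDNS [ip]) by HOST" shape is understood.
# Anything else ends the walk: stop trusting rather than guess.
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)


def parse_received(line: str) -> Optional[Dict[str, str]]:
    """Return helo/rdns/ip/by from one Received line, or None if unparseable."""
    m = RECEIVED_RE.match(line.strip())
    return m.groupdict() if m else None


def _in_any(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def classify_relay(ip: str, trusted: List[str], internal: List[str]) -> str:
    """'internal' (your own hosts), 'trusted' (not subverted, but not yours),
    or 'untrusted' (everything beyond the trust boundary).
    Internal hosts are treated as implicitly trusted, as SpamAssassin
    requires internal_networks to be a subset of trusted_networks."""
    if _in_any(ip, internal):
        return "internal"
    if _in_any(ip, trusted):
        return "trusted"
    return "untrusted"


def last_external(received: List[str], trusted: List[str],
                  internal: List[str]) -> Dict[str, object]:
    """Walk the chain from the newest header downward.

    Each header was written by its 'by' host and records the client that
    connected to it.  While that client is trusted we keep walking; the
    first untrusted client is the real origin and its HELO is the one to
    evaluate SPF-HELO/SenderID against.
    """
    path: List[Dict[str, str]] = []
    for line in received:
        hop = parse_received(line)
        if hop is None:
            break
        hop["class"] = classify_relay(hop["ip"], trusted, internal)
        path.append(hop)
        if hop["class"] == "untrusted":
            return {"ip": hop["ip"], "helo": hop["helo"],
                    "reported_by": hop["by"], "path": path}
    # Every parsed hop was trusted: no external origin is visible.
    return {"ip": None, "helo": None, "reported_by": None, "path": path}


INTERNAL = ["10.0.0.0/8"]  # assumed corporate address space


def without_proxy_trusted() -> Dict[str, object]:
    # Proxy not listed: the walk stops at the proxy, so RBL/SPF/p0f-style
    # checks would all be run against your own DMZ host.
    return last_external(SAMPLE_RECEIVED, trusted=INTERNAL, internal=INTERNAL)


def with_proxy_trusted() -> Dict[str, object]:
    # Proxy in trusted_networks (here deliberately not in internal_networks):
    # the walk continues one hop and recovers the client behind the proxy.
    return last_external(SAMPLE_RECEIVED, trusted=INTERNAL + ["192.0.2.10"],
                         internal=INTERNAL)


if __name__ == "__main__":
    for label, fn in (("proxy untrusted", without_proxy_trusted),
                      ("proxy trusted", with_proxy_trusted)):
        r = fn()
        print(f"{label}: origin={r['ip']} helo={r['helo']} "
              f"classes={[h['class'] for h in r['path']]}")
```

Whether the proxy also belongs in internal_networks is a separate decision (it changes which hops SpamAssassin treats as external for DNSBL purposes); the origin walk above is the same either way. An XFORWARD-capable proxy can hand the same client IP to the inner MTA at SMTP time, but as the reply notes, that still does not carry the p0f fingerprint, which only exists at the host that accepted the TCP connection.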