Re: Force Auth by domain

From: Warrick FitzGerald (no email)
Date: Sat Oct 01 2005 - 15:32:01 EDT


    Keith Matthews wrote:

    >On Sat, 01 Oct 2005 14:52:48 -0400
    >Warrick FitzGerald <> wrote:
    >
    >
    >
    >
    >>Was hoping not to have to explain this, but here goes:
    >>
    >>- The server receives mail for more than one domain
    >>- We use a SPAM filter service called MessageLabs
    >>- Mail for DomainA.com goes through MessageLabs and is then
    >>forwarded to InterfaceA on the mail server
    >>- Mail for all other domains goes directly to InterfaceB
    >>- I have 2 instances of Postfix running on the server. One instance
    >>runs on InterfaceA and does not do any more SPAM checking. The other
    >>instance receives mail from the world and gets pushed through amavis.
    >>- So technically mail for DomainA.com should only be received on
    >>InterfaceA, as that's where MessageLabs forwards mail to. The firewall
    >>rules in front of InterfaceA also only allow port 25 connections from
    >>their network.
    >>- The problem is that some smarty pants spammers out there have
    >>figured out that you can connect to InterfaceB and inject mail for
    >>DomainA.com, technically bypassing the SPAM checks provided by
    >>MessageLabs.
    >>- What I would like to do is tell the instance of Postfix on
    >>InterfaceB that if it receives mail for DomainA.com that it should
    >>reject it, as I know it should only be coming in on InterfaceA.
    >>Problem is that my external users connect to InterfaceB with their
    >>mail clients and DO need to be able to send mail to DomainA.com.
    >>
    >>
    >>
    >
    >This is one of those moments when I wonder if I'm missing something.
    >
    >If instance B is not supposed to accept mail for DomainA why have you
    >got DomainA in its destination list (as you seem to have)?
    >
    >
    >
    Because interfaceB is the one that is publicly available to everyone. So
    my users have its public IP set as their SMTP server in their mail
    clients. If I did not have it as a destination:

    UserA with these settings on his mail client would connect
    Send a message to domainA.com
    Server would do a MX lookup for DomainA.com
    Relay mail to spam filtering service
    They would filter it and forward the mail to InterfaceA

    It would work, but all local mail being sent by authenticated users
    would get relayed through the spam service, when obviously it makes
    more sense for it to simply be delivered locally when I know it came
    from an authenticated user.
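
One way to express the policy described in this message, as an added example that is not part of the original post. It assumes the users authenticate with SASL, and the map file name, the lowercase domain key and the reject text are placeholders chosen for illustration:

```conf
# main.cf of the Postfix instance listening on InterfaceB
# (assumption: clients authenticate via SMTP AUTH / SASL)
smtpd_sasl_auth_enable = yes

# Restrictions are evaluated in order, first match wins:
#  1. authenticated users may send to any recipient, including DomainA.com,
#     which is still delivered locally because it remains a destination
#  2. unauthenticated mail addressed to DomainA.com is rejected here, since
#     legitimate inbound mail for it arrives on InterfaceA via MessageLabs
#  3. everything else gets the normal relay check
# Do not place permit_mynetworks ahead of the access lookup unless every
# client in mynetworks is trusted to skip the DomainA.com check.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/interfaceb_recipient_access,
    reject_unauth_destination

# Contents of /etc/postfix/interfaceb_recipient_access (hypothetical file name);
# run "postmap /etc/postfix/interfaceb_recipient_access" after editing:
#
#   domaina.com    REJECT Mail for this domain is not accepted on this interface
```

The instance on InterfaceA keeps its own main.cf and is unaffected, so mail forwarded by the filtering service is still accepted there.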

