Eric, your advice is always appreciated - never hesitate to give it! I didn't explain the situation fully for brevity - the mailscanners do have spamdyke. They do all the email spam blocking, scanning etc., but only for particular domains. And since they do so, I don't want the Plesk box to do any scanning at all on email that comes from them, but I do want it to totally reject any mail that comes from any other IP (e.g. spammers sending to www A record and ignoring MX record), hence the need for whitelisting the scanner's IPs and blacklisting all other IPs.

But I only want to do this on the Plesk box for those domains that the mailscanners handle - there are other domains on the Plesk box that have no external scanner and do need the full assistance of spamdyke, spamassassin and clamd running on the Plesk box.

I've done some testing and it works pretty well so far. The x-y wildcard works with an ip-blacklist-entry line.

QMailToaster is almost what I want as a mailscanner, but does more than I need really in that it is designed to act as a full mailserver rather than just as an AV/AS node. I am going to investigate it more, as I think it is really interesting.

I've previously looked at Mailscanner with the Baruwa GUI but it took me many hours of attempting to install all sorts of python this and python that and totally failing to get them all to install or compile even when following a step-by-step (many, many pages!) instruction list, so I gave up.

> -----Original Message-----
> From: spamdyke-users-boun...@spamdyke.org [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf Of Eric Shubert
> Sent: 30 September 2014 02:31
> To: spamdyke-users@spamdyke.org
> Subject: Re: [spamdyke-users] Blacklist all, but allow 1 or 2 IPS?
>
> I don't want to tell you what to do, but spamdyke is pretty much
> useless in that configuration. In order to be effective, spamdyke
> needs to be on the perimeter, connecting directly to the sending
> servers. You'll need to put spamdyke in front of the mailscanner
> nodes for it to be at all effective.
>
> Have you thought of putting the mailscanner nodes behind spamdyke?
> That'd be fairly easy to do, but you'd need 2 qmail hosts to
> accomplish it, one with spamdyke in front, and another behind
> handling delivery.
> For that matter, you could put a postfix server (or whatever else you
> like, like exchange perhaps) behind the mailscanner nodes. That would
> be an effective, and I would guess fairly common configuration.
>
> Personally, I would simply use QMailToaster and forget about the
> mailscanner nodes. ;)
>
> --
> -Eric 'shubes'
>
> On 09/29/2014 03:59 AM, Faris Raouf wrote:
> > Can someone point me in the right direction please?
> >
> > I'm setting up a couple of av/anti-spam mailscanner nodes. These
> > nodes will process email for two particular domains, then send the
> > filtered messages on to a more general purpose hosting/email system
> > that's running spamdyke and deals with email for many other domains.
> >
> > I want to stop this hosting system from accepting mail from any IPs
> > other than the mailscanner nodes, but just for these two particular
> > domains.
> >
> > I know how to create a domain-specific config file for spamdyke.
> > What I'm not terribly sure of is how to blacklist all and allow only
> > the IPs I want.
> >
> > Can I do it by ip-blacklisting 1-254. and ip-whitelisting the IPs I
> > want?
> >
> > e.g., in the domain-specific config file:
> >
> > #blacklist all
> >
> > ip-blacklist-entry=1-254
> >
> > And in my global spamdyke.conf I'd have the mailscanner nodes
> > whitelisted (so I don't have to do it in lots of files if they ever
> > change IPs):
> >
> > #whitelist IPs of mailscanners
> >
> > ip-whitelist-entry=1.1.1.1
> >
> > ip-whitelist-entry=2.2.2.2
> >
> > Or does the 1-254 format only work when I'm using an ip blacklist
> > FILE?
> >
> > Any help/suggestions would be appreciated!
> >
> > (background - I don't want to run clamd/Spamassassin on emails
> > coming in from the IPs of the mailscanner nodes, but have no way to
> > switch scanning off only for email that comes in via a particular
> > IP. My only option is, therefore, to switch off av/sa completely for
> > the domains in question on the hosting system, and then only allow
> > email to come in for them from the IPs of the mailscanners. The
> > system running spamdyke also hosts normal email for other domains,
> > so I can't firewall port 25 or anything like that..)
> >
> > Thanks,
> >
> > Faris.