On Fri, 2007-06-08 at 08:26 -0700, snowcrash+exim-users wrote:

> hm, ok re: the DENYs ...
>
> i'm not clear, though, as to why i would/might generate bounces, and
> more than normal, i presume.
>
> is this 2-box config, with one Gateway "front-ending" one/many other
> servers a fairly common implementation scenario?
Yes, it is. It's also a well-documented way to generate backscatter, assuming
that the "edge" Exim instance doesn't have full knowledge of the valid
recipients of the "core" Exim. The fact that you are running Exim in the
first place makes this less likely, as you can share userlists trivially (or
"on demand" with recipient verification callouts from your "edge" server to
the "core" server).

> mostly, yes. AND, an attempt to let the router/fw box do its job and
> keep as much 'noise' off my LAN as possible. once an inbound email
> passed all the non-content-scanning filters & incremental delays @ the
> gateway, its odds of being rejected "just" on virus/spam content would
> be significantly lower -- not zero, i know.

As long as you have consistent configuration on each machine, the likelihood
of an AV/AS hit on the "core" machine is zero.

> i'd considered this, but decided against because i thought i'd be
> significantly increasing network/lan traffic due to "multiple passes"
> of the offloaded message.
>
> e.g., for an "ok" message, the message would pass back-n-forth to the
> LAN-server/scanner *5* times,
>
> gateway -> lan AV scanner
> lan AV scanner -> gateway
> gateway -> SA scanner
> SA scanner -> gateway
> gateway -> IMAP store
>
> which _seems_ to me a 'bad' way to do things.

...and is also not correct. The reality would be:

  Data     Flow          Type
  -------  ------------  ----------------
  Message  edge -> core  AV scan
  Result   core -> edge  Hit/Not hit
  Message  edge -> core  SA scan
  Result   core -> edge  SA report
  Message  edge -> core  Message delivery

Note that the "Result" data is far smaller, in most cases, than the message
itself; and that the first pass will only take place for messages with MIME
parts of an appropriate type anyway (the malware condition is quite choosy,
as it should be).

> am i just better off avoiding the gateway altogether, and passing the
> message to the lan-based server in the first place? if so, that seems
> counterintuitive ...

Nope.
Make sure your gateway has knowledge in some way of the valid recipients on
your lan-based server, as previously mentioned. Run ClamAV on both machines
(this way you will catch *outbound* virus infections, too), but SA on only
one and call it accordingly from the gateway.

To reduce the load further, make use of Exim's ability to reject based on
various other criteria. I have a number of machines at my fingertips which
use fairly complex tests, but the first one - which is the most effective -
is a logic test to check the incoming IP against three DNS blocklists, and
reject the connection if 2 or more are hit. That stops your AV/AS being
triggered in the first place.

Graeme

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
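The edge/core arrangement discussed in this thread, written out as an Exim configuration fragment for the "edge" (gateway) box. This is an added illustration, not configuration from the original post or from the Exim project: the core host address 192.0.2.10, the domain example.com, the three DNS blocklist names and the clamd/spamd ports are assumed placeholders, and the fragment assumes an Exim version that supports named ACL variables (acl_m_...). It covers the three points made above: recipient verification callouts to the core so the edge never accepts mail for unknown users (and so never generates backscatter), a "2 of 3" DNS blocklist test at RCPT time that stops the AV/AS scanners from being called at all, and a DATA ACL that hands the message to clamd and spamd on the core box so that only the verdict, not the message, comes back.

```exim
# Edge ("gateway") Exim configuration fragment - added example, not from the
# original post. 192.0.2.10, example.com, the blocklist names and the
# daemon ports are assumed placeholders.

# --- main section ---------------------------------------------------------
domainlist relay_to_domains = example.com

# Assumed: clamd and spamd run on the "core" box on their usual ports, so
# the scan itself happens there and only the result crosses the LAN.
av_scanner    = clamd:192.0.2.10 3310
spamd_address = 192.0.2.10 783

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Count how many of three DNS blocklists list the connecting IP. Each
  # 'warn' increments the counter only when its dnslists lookup hits.
  warn  set acl_m_dnsbl = 0
  warn  dnslists = dnsbl-one.example
        set acl_m_dnsbl = ${eval:$acl_m_dnsbl+1}
  warn  dnslists = dnsbl-two.example
        set acl_m_dnsbl = ${eval:$acl_m_dnsbl+1}
  warn  dnslists = dnsbl-three.example
        set acl_m_dnsbl = ${eval:$acl_m_dnsbl+1}

  # Reject only when two or more lists agree; one listing alone is not
  # enough to refuse the connection.
  deny  message   = Rejected: $sender_host_address is on $acl_m_dnsbl DNS blocklists
        condition = ${if >{$acl_m_dnsbl}{1}}

  # Accept only domains we relay for, and ask the core box (via an SMTP
  # callout through the router below) whether the recipient exists.
  # Unknown users are refused here at RCPT time, so no bounce is created.
  accept domains = +relay_to_domains
         verify  = recipient/callout=20s,defer_ok

  deny  message = relay not permitted

acl_check_data:
  # Pass 1: message goes edge -> core to clamd; only hit/not-hit returns.
  # The malware condition only engages for messages with suitable MIME parts.
  deny  message = Rejected: message contains malware ($malware_name)
        malware = *

  # Pass 2: message goes edge -> core to spamd; only the report returns.
  deny  message = Rejected: message classified as spam ($spam_score points)
        spam    = nobody

  accept

# --- routers and transports -----------------------------------------------
begin routers

# Pass 3: final delivery of accepted mail to the core box. This same router
# is what the recipient callout above uses to find the host to ask.
to_core:
  driver     = manualroute
  domains    = +relay_to_domains
  transport  = remote_smtp
  route_list = * 192.0.2.10

begin transports

remote_smtp:
  driver = smtp
```

The counter is reset to 0 in the first `warn` on every RCPT, so a listing is evaluated per recipient rather than carried over between messages on the same connection; move the three blocklist checks into acl_smtp_connect if you would rather pay the DNS lookups once per connection. The `defer_ok` option on the callout means that if the core box is unreachable the edge accepts the address rather than temp-failing the sender; drop it if you would rather queue on the sending side than risk accepting for a user the core later rejects.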
