Steve,

Steve Campbell wrote:
[snip]
>>
>> a) MIMEDefang does things like relay checks, sender checks, and
>> recipient checks that MailScanner doesn't do.
>
> This is where I want to remove the backup MX senders.

This type of scenario has been debated in a number of different mail related lists over time. One thing you need to consider is that it is perfectly reasonable for legitimate mailers to hit your secondary MX server even if your primary MX server is running. This could be related to temporary failures on your primary MX causing the sending server to retry your secondary MX, or it could be cached information about which MX server to connect to. Because of this, you need to be really careful about blocking mail coming into your secondary server.

>
>> b) MailScanner does bulk AV and AS checks, instead of one at a time
>> checks (which may lead to a net gain in efficiency).
>
> I would leave the MS/SA functions as they are. They would still do the AV and
> AS checks, but probably have less emails to check as MD has deleted the
> spammers' attempt around the primary MX. Although both servers are primary
> and secondary MX servers, they are deleting at the MTA, so both have less
> process cycles due to reduced MS/SA emails to check.
>

If your only means of reducing the load of your AV/SA scanning is based on the point of the connection, you may find that the effort to implement this doesn't provide quite the impact that you hope for or expect.

[snip]
>
> The real problem I saw is that I can't find online man pages for
> mimedefang-filter, and most stuff I saw dealt with the md_check_smtp_*, or
> something like that, for checking if a user is a valid recipient on a server.
> Sorry, I'm at home now and don't have my notes in front of me.
>

In my setup, I have a machine that hosts multiple domains (MX1) and a backup MX (MX2) for those multiple domains. Not as complicated a setup as yours, but on a basic level I have MX2 use md_check_smtp_server against MX1 to validate users and reject on invalid users right off. I also have duplicate SpamAssassin and AV software installations on each of the MX servers, sharing a MySQL database hosted on a third machine (SpamAssassin).

In this situation, if MX1 is offline, the mail coming into MX2 is still checked for viruses and run through SA. If it passes those phases, it's queued for delivery to MX1 when it becomes available. If not, it's rejected as appropriate. This ensures that legitimate connections to MX2 (even if MX1 is available) aren't rejected, and worst case scenario is that while MX1 is offline and unable to validate users, some mail for unknown users may be queued and sent to MX1 when it's available, and then rejected, causing MX2 to generate a DSN. As this happens so infrequently, I feel it's a reasonable compromise.

> One for, one against.
>
> I have just started playing with milters, so I like something that is
> configurable, more so than those that are fairly single-purposed.

MIMEDefang is an extremely powerful tool that gives you a broad range of possibilities for mail filtering. The downside is that you need to know at least the very basics of Perl in order for it to be configurable to your tastes. (and obviously the more you know about Perl, the better you can tweak it to your tastes) I definitely recommend that you learn Perl, as doing so would allow you to easily do what you're looking to do with MIMEDefang.

HTH

Alan
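Added example, not part of the original message and not the poster's own filter: one way to write the recipient check described above for the backup MX, as a fragment of mimedefang-filter using MIMEDefang's md_check_against_smtp_server. The host names and domain list are placeholders, and it assumes mimedefang is started with recipient checks enabled (-t) so that filter_recipient is called.

```perl
# Fragment for mimedefang-filter on the backup MX (MX2). Added example.
# Placeholders (assumptions, not from the post): host names and domain list.
my $MX1_HOST  = 'mx1.example.com';   # primary MX that knows the valid users
my $MX2_HELO  = 'mx2.example.com';   # name MX2 announces when probing MX1
my %BACKED_UP = map { $_ => 1 } qw(example.com example.org);

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # The recipient arrives as given in RCPT TO, usually "<user@domain>".
    my ($domain) = $recipient =~ /\@([^>\s]+)>?\s*$/;

    # Only probe MX1 for domains it actually hosts; leave anything else
    # to the MTA's own relay rules.
    return ('CONTINUE', 'ok')
        unless defined $domain && $BACKED_UP{lc $domain};

    # Open an SMTP session to MX1 and see whether it accepts this RCPT TO.
    my ($verdict, $msg) =
        md_check_against_smtp_server($sender, $recipient,
                                     $MX2_HELO, $MX1_HOST);

    # MX1 gave a permanent failure (unknown user): refuse during the SMTP
    # dialogue, so MX2 never queues the message or generates a DSN for it.
    return ('BOUNCE', $msg) if $verdict eq 'BOUNCE';

    # MX1 is unreachable or answered with a temporary failure: accept
    # anyway. The message still goes through AV and SpamAssassin on MX2
    # and is queued for MX1. This is the trade-off from the post: a few
    # unknown-user messages may be queued and bounced later by MX1.
    # Note that a 4xx from greylisting on MX1 also lands here.
    if ($verdict eq 'TEMPFAIL') {
        md_syslog('warning',
                  "MX1 recipient check unavailable for $recipient: $msg");
        return ('CONTINUE', 'ok');
    }

    # MX1 accepted the recipient.
    return ('CONTINUE', 'ok');
}
```

Returning the TEMPFAIL verdict unchanged instead would make MX2 defer all mail while MX1 is down, which defeats the purpose of the backup MX.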

