Michael Scheidell wrote:
Sometimes a large company will have a proxy server set up in the DMZ and
then send it to their internal mail server. I understand that ideally,
the proxy server would be replaced with a SpamAssassin/MTA setup.
However, sometimes, client, security and company
-Original Message-
From: David B Funk [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 12:07 AM
To: Michael Scheidell
Cc: users@spamassassin.apache.org; Amavis-Users
Subject: RE: Q about mail proxy servers and setups
On Sun, 23 Sep 2007, Michael Scheidell wrote
Michael Scheidell wrote:
-Original Message-
From: David B Funk [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 12:07 AM
To: Michael Scheidell
Cc: users@spamassassin.apache.org; Amavis-Users
Subject: RE: Q about mail proxy servers and setups
On Sun, 23 Sep 2007, Michael
Michael Scheidell wrote:
One thing I would like to see (and this is a different subject:
Marc: take note: I'd like to NOT BOUNCE an email back to the victim of
backscatter if they bothered to publish SPF or SENDER ID records that
don't match the incoming.
It's the other way around. you
Michael,
I tried. That was my first suggestion. That would fix graylisting
(which I don't do), fix SPF and SPF HELO, and SENDER ID, blacklisting,
tarpitting, etc.
SPF, sid, blacklisting etc. work just fine on an internal host as long
as the proxy is preserving the information about the
On Sep 23, 2007, at 5:17 PM, Michael Scheidell wrote:
Anyone have an answer that isn't obvious?
I already said I can't put it on the proxy.
No, you didn't. You mentioned that as an option.
And stop being rude to people who answer the question you asked.
--
Jo Rhett
Net Consonance :
Marc, you shouldn't be bouncing e-mails back at all. Use D_REJECT
and make sure you're doing it at the SMTP layer. SPF or DKIM is
irrelevant in this situation.
On Sep 23, 2007, at 5:31 PM, Michael Scheidell wrote:
One thing I would like to see (and this is a different subject:
Marc: take
On Sun, Sep 23, 2007 at 08:31:04PM -0400, Michael Scheidell wrote:
One thing I would like to see (and this is a different subject:
Marc: take note: I'd like to NOT BOUNCE an email back to the victim of
backscatter if they bothered to publish SPF or SENDER ID records that
don't match the
If whoever's responsible for the proxy is not able to
implement normal recipient validation, I think this makes a
good case that they aren't able to keep it running adequately.
It's worse, we have to feed it to 'yap' (yet another proxy) and THAT
proxy also does no recipient validation, so
Sometimes a large company will have a proxy server set up in the DMZ and
then send it to their internal mail server.
I understand that ideally, the proxy server would be replaced with a
SpamAssassin/MTA setup.
However, sometimes, client, security and company policy needs outweigh
logic.
I can
Every problem you've named here is solved by putting Amavis/SA on the
proxy instead of the internal system.
If the proxy doesn't do the spam-checking, and the internal system does
I can name a dozen other problems that will occur, the most important of
which will be backscatter. 2-step relay
Michael Scheidell wrote:
Sometimes a large company will have a proxy server set up in the DMZ and
then send it to their internal mail server.
I understand that ideally, the proxy server would be replaced with a
SpamAssassin/MTA setup.
However, sometimes, client, security and company policy
On Sun, Sep 23, 2007 at 01:50:43PM -0400, Michael Scheidell wrote:
Sometimes a large company will have a proxy server set up in the DMZ and
then send it to their internal mail server.
...
#1, SPF. SPF helo, SENDERID
The proxy will be adding a received header, and announcing 'HELO/EHLO'
Anyone have an answer that isn't obvious?
I already said I can't put it on the proxy.
--
Michael Scheidell, CTO
Office: 561-999-5000 x 1259
Direct: 561-939-7259
Real time security alerts: http://www.secnap.com/news
_
This
Thanks, I hadn't thought about the backscatter problem.
If there is a proxy involved, then they HAVE to set (in amavisd) all
final destinations as 'DISCARD' and not BOUNCE.
I also think I will try to look at adding it to trusted networks in SA,
but excluding it from the internal networks in
One thing I would like to see (and this is a different subject:
Marc: take note: I'd like to NOT BOUNCE an email back to the victim of
backscatter if they bothered to publish SPF or SENDER ID records that
don't match the incoming.
(and, yes, this would NOT work behind a proxy)
I would like the
On Sun, 23 Sep 2007, Michael Scheidell wrote:
For the purposes of this discussion, the biggest reason I can't be on
the edge where I'd like to be is that there is a massive proxy/load
balancer/failover device that does more than email.
Many firewalls 'proxy' the email also, so it's not like