I think I see what you're trying to do.
I'd set up the mail scanners to use smtproutes for the domains they're
processing, and use authentication on port 587 for relaying to the plesk
host.
Then to block incoming mail from other hosts, remove these domains from
the rcpthosts file. That will make plesk accept email for those domains
only from authenticated connections.
I think that'll do what you're looking to achieve.
P.S. QMT is getting less tightly coupled as changes are made, so using
it in specialized roles will get easier all the time. It's pretty simple
now to pick and choose what functionality you wish to keep with your
QMT by simply turning off services you don't use. It'll continue to get
easier to do though, with less bloat. The latest packages are a big move
toward removing bloat, as the build environment is no longer needed.
This is also a boon to security.
Thanks.
--
-Eric 'shubes'
On 09/30/2014 04:53 PM, Faris Raouf wrote:
Eric, your advice is always appreciated - never hesitate to give it!
I didn't explain the situation fully for brevity - the mailscanners do have
spamdyke. They do all the email spam blocking, scanning etc, but only for
particular domains.
And since they do so, I don't want the Plesk box to do any scanning at all
on email that comes from them, but I do want it to totally reject any mail
that comes from any other IP (e.g. spammers sending to www A record and
ignoring MX record), hence the need for whitelisting the scanner's IPs and
blacklisting all other IPs.
But I only want to do this on the Plesk box for those domains that the
mailscanners handle - there are other domains on the Plesk box that have no
external scanner and do need the full assistance of spamdyke, spamassassin
and clamd running on the Plesk box.
I've done some testing and it works pretty well so far. The x-y wildcard
works with an ip-blacklist-entry line.
QMailToaster is almost what I want as a mailscanner, but does more than I
need really in that it is designed to act as a full mailserver rather than just
as an AV/AS node. I am going to investigate it more, as I think it is really
interesting.
I've previously looked at Mailscanner with the Baruwa GUI but it took me
many hours of attempting to install all sorts of python this and python that
and totally failing to get them all to install or compile even when
following a step-by-step (many, many pages!) instruction list, so I gave up.
-----Original Message-----
From: [email protected] [mailto:spamdyke-users-
[email protected]] On Behalf Of Eric Shubert
Sent: 30 September 2014 02:31
To: [email protected]
Subject: Re: [spamdyke-users] Blacklist all, but allow 1 or 2 IPS?
I don't want to tell you what to do, but spamdyke is pretty much useless in
that configuration. In order to be effective, spamdyke needs to be on the
perimeter, connecting directly to the sending servers. You'll need to put
spamdyke in front of the mailscanner nodes for it to be at all effective.
Have you thought of putting the mailscanner nodes behind spamdyke?
That'd be fairly easy to do, but you'd need 2 qmail hosts to accomplish it,
one with spamdyke in front, and another behind handling delivery.
For that matter, you could put a postfix server (or whatever else you like,
like exchange perhaps) behind the mailscanner nodes. That would be an
effective, and I would guess fairly common configuration.
Personally, I would simply use QMailToaster and forget about the
mailscanner nodes. ;)
--
-Eric 'shubes'
On 09/29/2014 03:59 AM, Faris Raouf wrote:
Can someone point me in the right direction please?
I'm setting up a couple of av/anti-spam mailscanner nodes. These nodes
will process email for two particular domains, then send the filtered
messages on to a more general purpose hosting/email system that's
running spamdyke and deals with email for many other domains.
I want to stop this hosting system from accepting mail from any IPs
other than the mailscanner nodes, but just for these two particular
domains.
I know how to create a domain-specific config file for spamdyke. What
I'm not terribly sure of is how to blacklist all and allow only the
IPs I want.
Can I do it by ip-blacklisting 1-254. and ip-whitelisting the IPs I
want?
e.g, in the domain-specific config file:
#blacklist all
ip-blacklist-entry=1-254
And in my global spamdyke.conf I'd have the mailscanner nodes
whitelisted (so I don't have to do it in lots of files if they ever
change IPs):
#whitelist IPs of mailscanners
ip-whitelist-entry=1.1.1.1
ip-whitelist-entry=2.2.2.2
Or does the 1-254 format only work when I'm using an ip blacklist FILE?
Any help/suggestions would be appreciated!
(background - I don't want to run clamd/Spamassassin on emails coming
in from the IPs of the mailscanner nodes, but have no way to switch
scanning off only for email that comes in via a particular IP. My only
option is, therefore, to switch off av/sa completely for the domains
in question on the hosting system, and then only allow email to come
in for them from the IPs of the mailscanners. The system running
spamdyke also hosts normal email for other domains, so I can't
firewall port 25 or anything like that..)
Thanks,
Faris.
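
A check for the rcpthosts step suggested at the top of this thread, as an added example that is not part of the original messages: it reads a qmail control directory (typically /var/qmail/control) and flags any scanner-handled domain still listed in rcpthosts or morercpthosts. The function names, domain names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag domains that qmail-smtpd would still accept from
# unauthenticated hosts because they remain in rcpthosts/morercpthosts.

# listed_in FILE DOMAIN: succeed if DOMAIN matches an entry in FILE.
# Entries are compared case-insensitively; an entry with a leading "."
# covers subdomains of that name (but not the bare name itself).
listed_in() {
    file=$1
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$file" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z' | tr -d ' \t\r')
        case $entry in
            ''|'#'*) continue ;;
            .*) case $domain in *"$entry") return 0 ;; esac ;;
            *)  if [ "$entry" = "$domain" ]; then return 0; fi ;;
        esac
    done < "$file"
    return 1
}

# audit_scanner_domains CONTROL_DIR DOMAIN...
# Prints one line per domain; the return value is the number of failures.
audit_scanner_domains() {
    dir=$1; shift
    bad=0
    for d in "$@"; do
        hit=""
        for f in rcpthosts morercpthosts; do
            if listed_in "$dir/$f" "$d"; then hit="$hit $f"; fi
        done
        if [ -n "$hit" ]; then
            echo "FAIL $d still listed in:$hit"
            bad=$((bad + 1))
        else
            echo "ok   $d not listed"
        fi
    done
    return "$bad"
}

# Constructed sample control directory and domain names, for demonstration.
demo=$(mktemp -d)
printf 'hosted.example\nscanned-one.example\n' > "$demo/rcpthosts"
printf '.scanned-two.example\n' > "$demo/morercpthosts"
audit_scanner_domains "$demo" scanned-one.example mail.scanned-two.example \
    scanned-three.example || true
rm -rf "$demo"
```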