Michael Scheidell wrote:
> Sometimes a large company will have a proxy server set up in the DMZ and
> then send it to their internal mail server.
> I understand that ideally, the proxy server would be replaced with a
> SpamAssassin/MTA setup.
>
> However, sometimes, client, security and company policy needs outweigh
> logic.

You are free to do whatever your policy dictates, as long as this
introduces no nuisance for others. "your freedom stops where that of
others starts".

> I can think of several things this might break, depending on if you
> count that proxy server as an internal/trusted server.
>
> #1, SPF.  SPF helo, SENDERID
>   The proxy will be adding a received header, and announcing 'HELO/EHLO'
> using its own name, not the senders.
>   (please no bitching about SPF)
> #2, many blacklists that depend on the last received header (the proxy
> will normally put on in)

These are easily solved by correctly configuring trusted_networks.

> For Amavisd/others that use p0f, all we get is signature of the proxy.
> SMTP ratelimiting, greylisting, even recipient verification break.  You
> can't drop the SMTP session when the sender sends you an email with a
> bad address, the proxy has already accepted it.  You can't use 4xx
> errors in your policy server to do greylisting on policy blacklisting
> because you are sending the 4xx error to the proxy.

If mail is accepted at the edge of the network, it can no longer be
bounced. Backscatter is no longer acceptable. If you can't block invalid
mail at the edge, then you have a choice between:

1- Deliver to someone who will check whether the message is legitimate
and the sender was not forged. Inform the company/customer/... that when
someone mistypes the boss's address, the possibly sensitive message is
read by an employee.
2- Silently discard. Inform the company/customer/whomever that their
mail system is not reliable and may discard mail without notice.

And BTW, tell the boss to buy more hardware to cope with a queue of
mail to invalid recipients...

A better alternative is to tell all users to open an account at gmail,
yahoo, ... This may not look "professional", but it will at least avoid
polluting the mailboxes of the rest of us.

> On amavis, if we use MY_NETS policy, and we put the proxy ip in the
> 'localnets', it will spam the spam and virus contact address on every
> email from the 'local network'.
>
> If you don't put it in there, it breaks some of the things I mentioned
> above.
>
> Anything else I missed?
> Any solutions other than take the proxy server out and replace it with
> the SpamAssassin/MTA combo?
>
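To illustrate the trusted_networks point made above, here is an added example (not code from the thread or from SpamAssassin itself) that mimics how SpamAssassin walks the Received headers: starting at the newest hop, it skips every relay listed in trusted_networks, and the first untrusted relay is the one DNSBL and SPF checks are applied to. The sample headers, the DMZ proxy address 192.0.2.10 and the sender address 203.0.113.7 are constructed for this demonstration.

```python
import ipaddress
import re

# Constructed sample: the message came from 203.0.113.7, was accepted by
# the DMZ proxy (192.0.2.10), which then relayed it to the internal MTA.
# Newest Received header first, as in a real message.
SAMPLE_HEADERS = [
    "Received: from dmzproxy.example.net (dmzproxy.example.net [192.0.2.10]) "
    "by mail.example.net with ESMTP; Mon, 1 Jan 2007 10:00:01 +0000",
    "Received: from mx.sender.example (mx.sender.example [203.0.113.7]) "
    "by dmzproxy.example.net with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000",
]

# Matches "Received: from <helo> (<rdns> [<ip>])" and captures the IP.
RECEIVED_IP = re.compile(r"^Received: from \S+ \([^\[]*\[([0-9.]+)\]\)")


def received_ips(headers):
    """Return the relay IPs from Received headers, most recent hop first."""
    ips = []
    for header in headers:
        match = RECEIVED_IP.match(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def last_external_relay(headers, trusted_networks):
    """Walk the hops from the newest header down, skipping relays that fall
    inside trusted_networks. The first untrusted relay is the 'last external'
    address SpamAssassin uses for DNSBL/SPF checks. Returns None when every
    hop is trusted (i.e. trusted_networks is too broad)."""
    nets = [ipaddress.ip_network(net) for net in trusted_networks]
    for ip in received_ips(headers):
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    # Proxy not trusted: the proxy itself gets checked against blacklists.
    print(last_external_relay(SAMPLE_HEADERS, ["10.0.0.0/8"]))
    # Proxy trusted: the real sending host is checked instead.
    print(last_external_relay(SAMPLE_HEADERS, ["10.0.0.0/8", "192.0.2.10/32"]))
```

With only the internal LAN trusted, the proxy's own address is what gets looked up; adding the proxy to trusted_networks moves the check back to the real sender.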
