Florian Leeber wrote:
Bogdan,
try it with the CHKUSER patch for qmail-smtpd, I had the same problems
like you, and I got all issues solved with that. The only thing I have
to solve is the fact that the vpopmail data should be replicated on the
secondary MX. So far this would be no problem except that my domain
users all got their private vpopmail domain directory which is difficult
to replicate ...
FL
there is a patchset including smtp-auth and so on, but unfortunately you
would have to google this...
Ok, what do I have to replicate from qmail/vpopmail for it to work and
not deliver mail localy, but to the primary MX? Replicating everyting,
including maildirs is out of the question.
And what about my ideea to filter outbound connections on a secondary
MX? Can anyone tell me if they spot any cons other than those I
enumerated in my original post?
Bogdan Motoc - CRC schrieb:
I need some advice on setting up a secondary MX for some domains not
handled by me. So far, I've used my mail server
(qmail+vpopmail+simscan+clamav+spamassassin+chkuser) by adding the
domains in question to the rcpthosts file. It works, but even with
virus and spam
filters I'm left with a lot of junk, mainly because there is no valid
user check involved for those domains.
The main reason for setting up this secondary MX is to have a place
for mail to go to when the mailserver that's supposed to receive them
is down. It
works, but there is a downside: my email server is leaking a lot of
junk email, because it is being used to spread spam by sending mails
to inexistent
users on those domains with valid return addresses. The primary MX
refuses the messages, and so they get bounced; exactly what the
spammers intended in
the first place. And this gets my mail server blacklisted, thus
hurting all my users.
The questions are:
1. what are the options for checking if the user is valid and has not
reached it's quota for a setup like mine?
2. how can I stop sending back the emails that the primary MX rejects?
I know there is a solution out there that would cut down spam
drastically if it were used by everyone: SPF.
Unfortunately, it's not. So in my case it can't help, and I can't
afford to reject mail that doesn't explicitly pass SPF check.
So far I've only come up with one scenario that would help somehow:
setting up the secondary MX on another server that doesn't run an MTA
at the
moment, so if it gets blacklisted it won't affect my users. However,
getting the secondary MX blacklisted would hurt the domains in
question in case
of a primary MX failure, i.e. exactly when it's needed the most. I
thought of a workaround: filtering with a firewall connections to
remote port
TCP/25 initiated to destinations other than the primary MX. This
would stop the spreading of spam, but I would still end up with a
huge qmail queue,
and the secondary MX would still see a lot of traffic (the spam
doesn't get out, but it still gets in). And still, there are
blacklists out there that
check if your server accepts mails for inexistent users on your
domains, and will still blacklist you even if not a single
"illegitimate" message was
sent from your ip.
I'm sorry that this is not a genuine vpopmail issue, and thus not
worthy of being broadcasted on this mailing list, but after reading
the [vchkpw]
messages for the past few years, I couldn't think of a better
community to address this to.
Bogdan
!DSPAM:47c46443310549966017019!
