Posted to users@spamassassin.apache.org by "Joshua, C.S. Chen" <cs...@asiaa.sinica.edu.tw> on 2006/03/24 09:14:30 UTC

2nd mail server problem

Hi folks,
I am using spamassassin 3.1.0 and it works well. Now in my institute, we
have 2 mx (mail servers) see its dns record

myinstitute.edu.tw. 300 IN MX 100 mail2.myinstitute.edu.tw.
myinstitute.edu.tw. 300 IN MX 2 mail1.myinstitute.edu.tw.



Now in most cases, spam goes to mail1 and got dropped. This is great.
But then the spam tries to go ahead for mail2, and I did not enable
mail2 for spamassassin (because it is mainly for redundancy, and not
powerful enough). This makes mail2 extremely busy to send reply to the
spammer of user unknown or other reporting messages.

My question is, if I don't want mail2 to run spamassassin, just for
relaying messages to mail1 (as its main purpose--redundancy), how can I
configure mail2 "NOT TO" reply the spammer for the undelivery?


Thanks in advance
Joshua C.S. Chen

Re: 2nd mail server problem

Posted by Vincent Li <vi...@gmail.com>.
On 29-Mar-06, at 12:11 AM, Joshua, C.S. Chen wrote:

>  Looks like I have to enable SA in the 2nd server. It might be a spam 
> hole if the spam sent to 2nd first, then forcibly relayed to the 
> primary.
>

If you are running postfix MTA on your 2nd server, you can map your 
email user list of main MTA server to your 2nd server (configure 
relay_recipient_maps parameter in main.cf), the non-existent email 
address will be rejected immediately at SMTP session.


>
>  Thanks for all your opinions
>
>  Cheers
>  Joshua
>

Actually, you don't need to run a 2nd server for redundancy, if your 
main MTA is off line, legitimate sender MTA will queue its email and 
try later, you would not lose email.

Vincent
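
A sketch of the relay_recipient_maps setup suggested above, for a Postfix backup MX. This is an added example, not part of the original thread; the domain comes from the first post, while the file paths and sample addresses are assumptions.

```conf
# /etc/postfix/main.cf on mail2 (backup MX). Added example, not from the thread.
# The file paths below are assumptions; adjust to the local layout.

# Domains mail2 accepts and relays onward. The domain must NOT also be
# listed in mydestination, or mail2 would try to deliver it locally.
relay_domains = myinstitute.edu.tw

# Every valid recipient on mail1. Addresses missing from this table are
# refused at RCPT TO, inside the SMTP session, so mail2 never queues the
# message and never has to generate a bounce to a forged sender.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Reply code for unknown relay recipients (550 is the Postfix default).
unknown_relay_recipient_reject_code = 550

# Hand accepted mail straight to the primary. The brackets suppress the
# MX lookup, so mail2 does not look itself up and loop.
transport_maps = hash:/etc/postfix/transport

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/relay_recipients (constructed sample entries)
#   alice@myinstitute.edu.tw    OK
#   bob@myinstitute.edu.tw      OK
#
# /etc/postfix/transport
#   myinstitute.edu.tw    relay:[mail1.myinstitute.edu.tw]
#
# Rebuild both tables with postmap after every change, then reload Postfix.
```

The recipient table has to be kept in sync with the primary's user list; a stale table rejects mail for new users while the primary is down.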

Re: 2nd mail server problem

Posted by "Joshua, C.S. Chen" <cs...@asiaa.sinica.edu.tw>.
Hi all,
  Here is my conclusion:

  Many experts seem to have this same opinion: To enable 2nd, 3rd, etc. 
mail server the same defence (antivir, antispam) as the primary one. 
Because the spammer knows the weak point/path to spam.
  So I decide to 'join' all the experts that post the above idea.


Thanks for your comments and help

Cheers
Joshua


Alan Premselaar wrote:

>
>Joshua, C.S. Chen wrote:
>  
>
>> Looks like I have to enable SA in the 2nd server. It might be a spam
>>hole if the spam sent to 2nd first, then forcibly relayed to the primary.
>>
>>
>>    
>>
>Sorry for the late response, I'm just catching up on some backlog.
>
>Here's my personal opinion:  your secondary mail server should have
>stronger restrictions on it than your primary mail server.
>
>The reason I say this is because for some time now it has been a common
>spammer practice to hit your secondary, tertiary, etc. MX servers first
>with the assumption that they are typically configured with fewer
>restrictions or merely, as yours is, as a store-and-forward.
>
>For specific reasons I'm unable to implement greylisting on my primary
>MX server however, it's perfectly acceptable for me to enable it on my
>secondary MX server.
>
>On top of that, I have value user checks, antivirus checks and share the
> bayes database (using MySQL) with the primary MX server for
>spamassassin checks.
>
>Because your secondary MX is in place for "in case the primary mail
>server fails" you should have to have the same kind of horsepower.  my
>secondary server is significantly lower powered than my primary MX server.
>
>in the case that the primary server is still running, the secondary will
>most likely only be dealing with SPAM anyways, and it won't matter if it
>takes awhile to process those messages.  in the case that the primary
>server is down, well, your users aren't going to be getting their email
>anytime soon anyways so it shouldn't matter if it takes a bit more time
>to process those incoming mails.
>
>if the mail coming into the 2nd MX server is SPAM, it should reject it
>(not bounce) properly either way, if it's not SPAM, it should accept it
>and then pass it off to the primary MX server once it's back up and running.
>
>this scenario has been working well for us here for the past 2 years or so.
>
>Alan
>  
>


Re: 2nd mail server problem

Posted by Alan Premselaar <al...@12inch.com>.

Joshua, C.S. Chen wrote:
>  Looks like I have to enable SA in the 2nd server. It might be a spam
> hole if the spam sent to 2nd first, then forcibly relayed to the primary.
> 
> 
Sorry for the late response, I'm just catching up on some backlog.

Here's my personal opinion:  your secondary mail server should have
stronger restrictions on it than your primary mail server.

The reason I say this is because for some time now it has been a common
spammer practice to hit your secondary, tertiary, etc. MX servers first
with the assumption that they are typically configured with fewer
restrictions or merely, as yours is, as a store-and-forward.

For specific reasons I'm unable to implement greylisting on my primary
MX server however, it's perfectly acceptable for me to enable it on my
secondary MX server.

On top of that, I have value user checks, antivirus checks and share the
 bayes database (using MySQL) with the primary MX server for
spamassassin checks.

Because your secondary MX is in place for "in case the primary mail
server fails" you should have to have the same kind of horsepower.  my
secondary server is significantly lower powered than my primary MX server.

in the case that the primary server is still running, the secondary will
most likely only be dealing with SPAM anyways, and it won't matter if it
takes awhile to process those messages.  in the case that the primary
server is down, well, your users aren't going to be getting their email
anytime soon anyways so it shouldn't matter if it takes a bit more time
to process those incoming mails.

if the mail coming into the 2nd MX server is SPAM, it should reject it
(not bounce) properly either way, if it's not SPAM, it should accept it
and then pass it off to the primary MX server once it's back up and running.

this scenario has been working well for us here for the past 2 years or so.

Alan

Re: 2nd mail server problem

Posted by "Joshua, C.S. Chen" <cs...@asiaa.sinica.edu.tw>.
Looks like I have to enable SA in the 2nd server. It might be a spam 
hole if the spam sent to 2nd first, then forcibly relayed to the primary.


Thanks for all your opinions

Cheers
Joshua


martin wrote:

>Joshua, C.S. Chen <cschen <at> asiaa.sinica.edu.tw> writes:
>
>  
>
>>Hi folks,
>>I am using spamassassin 3.1.0 and it works well. Now in my institute, we
>>have 2 mx (mail servers) see its dns record
>>
>>myinstitute.edu.tw. 300 IN MX 100 mail2.myinstitute.edu.tw.
>>myinstitute.edu.tw. 300 IN MX 2 mail1.myinstitute.edu.tw.
>>
>>Now in most cases, spam goes to mail1 and got dropped. This is great.
>>But then the spam tries to go ahead for mail2, and I did not enable
>>mail2 for spamassassin (because it is mainly for redundancy, and not
>>powerful enough). This makes mail2 extremely busy to send reply to the
>>spammer of user unknown or other reporting messages.
>>
>>My question is, if I don't want mail2 to run spamassassin, just for
>>relaying messages to mail1 (as its main purpose--redundancy), how can I
>>configure mail2 "NOT TO" reply the spammer for the undelivery?
>>
>>Thanks in advance
>>Joshua C.S. Chen
>>
>>
>>    
>>
>
>Can this just hint to you?
>http://wiki.apache.org/spamassassin/OtherTricks
>Fake MX Records
>...
>So I set my highest MX record to point to an IP address that always returns a
>temporary "Come Back Later" error.
>...
>but you need to spend time to collect ip addresses
>
>
>  
>


Re: 2nd mail server problem

Posted by martin <ma...@excite.com>.
Joshua, C.S. Chen <cschen <at> asiaa.sinica.edu.tw> writes:

> 
> Hi folks,
> I am using spamassassin 3.1.0 and it works well. Now in my institute, we
> have 2 mx (mail servers) see its dns record
> 
> myinstitute.edu.tw. 300 IN MX 100 mail2.myinstitute.edu.tw.
> myinstitute.edu.tw. 300 IN MX 2 mail1.myinstitute.edu.tw.
> 
> Now in most cases, spam goes to mail1 and got dropped. This is great.
> But then the spam tries to go ahead for mail2, and I did not enable
> mail2 for spamassassin (because it is mainly for redundancy, and not
> powerful enough). This makes mail2 extremely busy to send reply to the
> spammer of user unknown or other reporting messages.
> 
> My question is, if I don't want mail2 to run spamassassin, just for
> relaying messages to mail1 (as its main purpose--redundancy), how can I
> configure mail2 "NOT TO" reply the spammer for the undelivery?
> 
> Thanks in advance
> Joshua C.S. Chen
> 
> 

Can this just hint to you?
http://wiki.apache.org/spamassassin/OtherTricks
Fake MX Records
...
So I set my highest MX record to point to an IP address that always returns a
temporary "Come Back Later" error.
...
but you need to spend time to collect ip addresses