Local mail servers ====> Router/Firewall =====> Internet
|
|
V
Transparent Mail proxy
This is the problem:
I want to set up a transparent mail proxy, which will filter all spam/virus mails from local mail servers to the Internet. The requirement is if a local mail server A sends a mail, the SMTP traffic will get to the Internet through my mail proxy (in fact, SMTP traffic will be redirected to the proxy, it's not a relay). If it's a spam/virus mail, it'll be discarded. Else, the SMTP traffic will be forwarded to the Internet. But the Internet mail servers must see the SMTP traffic as if it is from local mail server A, not from my proxy.
I have searched through several popular software packages like Postfix, ASSP, ProxSMTP. But they don't match the requirement. (Or I just cannot figure out how to do it.)
Why would mail need to come from a local mail server? The from address wouldn't change at all, surely that's all that matters? Once email leaves your networks you have no idea where the email goes, it could go through 50 other SMTP relays without your knowledge. Just configure a postfix server (or similar) as a mail relay for the internal machines and off you go.
Last edited by acid_kewpie; 12-22-2009 at 12:41 PM.
Acid is correct and pretty much any of the standard mailers (postfix, sendmail, exim) with the appropriate packages installed (a la spamassassin, clamav, amavis, etc.) and configured can do the job you're looking for.
We have so many local mail servers behind the firewall (could be several hundreds), so the mail traffic would be enormous. If I set up the proxy as a relay, all outgoing mail traffic will be seen as originating from one IP: my proxy. With such a big amount of mail traffic coming from a single IP, I'm afraid my proxy IP will be listed as a spam source itself although I could have deployed a spam filter at the proxy (all outgoing mails are not spam).
PS: I have configured a postfix server as a relay, but I couldn't figure out how to make it transparent without using iptables NAT and MASQUERADE. In my opinion, if using NAT, the performance of the server would decrease dramatically. It's not suitable for such big mail traffic.
No, you've got some logic wrong there. The IP of the mail source must change at a basic level as you want to have the email server not 100% in line with the traffic, so if you don't change the IP address it will be impossible to establish a TCP connection between your relay and the destination. Are these addresses behind firewalls private or public addresses? Are you not going out to an internet facing firewall which is then natting all traffic to a public IP anyway?
Transparent can mean a LOT of things. You seem to genuinely think you need something that you can't find though, so can you describe *EXACTLY* what you want to achieve in terms of SMTP headers, including samples of headers that have been subjected to a conventional relay and have then become unsuitable, highlighting why. Which level of OSI (etc.) do you think the transparency will occur? A transparent web proxy operates at http level, not tcp/ip level, whilst other transparent services, like load balancers, do so at the tcp/ip level, meaning that possibly other than MAC addresses there really is no evidence at all of the proxy being there. Maybe it's just a case of suppressing additional headers? I really can't see what you'd need to achieve, other than an ease of convenience in terms of not using an explicit relay, which I'm sure you can easily do with dnat as in your diagram to push anything on port 25 sideways to a relay. I've not done this before TBH, but can't see a reason it wouldn't work fine.
Last edited by acid_kewpie; 12-23-2009 at 02:18 AM.
I'm sorry if the phrase "Local mail servers" confuses you. I mean they're our customers' mail servers, and they all have public IPs.
When an MTA connects to another MTA, the receiving one will see the IP of the sending one. I've viewed the log file and see a line like
Code:
<receiving_MTA> postfix/smtpd[9335]: connect from <sending_MTA>[x.x.x.x]
I suppose most spam filters will look at this info to blacklist spam sources.
So I'd like the receiving MTAs in the Internet to see our customers' mail servers' IPs instead of our proxy IP. Because if receiving MTAs see that much SMTP traffic coming from a single IP, I think they will list the proxy IP as a spam source.
There's nothing wrong with a mail server sending a lot of mail. Are you going to be sending more mail than GMail's servers? I doubt it. You want to run this mail server in the first place to filter out spam, right? So you should have a good level of confidence that whatever you're sending out is not spam anyway, so as long as you do that part correctly, you should have no worries in the volume as the quality should be there to match.
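Added example, not part of any post in this thread: a short Python sketch of what a receiving MTA can tally from the `connect from` log line quoted above, comparing direct delivery with delivery through a single relay. The log lines, host names, documentation-range addresses and the per-IP limit are all constructed for illustration.

```python
import re
from collections import Counter

# Postfix smtpd logs the peer as hostname[address]; the hostname is "unknown"
# when reverse DNS fails, and the address may be IPv4 or IPv6.
# Anchoring on "]: connect from" keeps "disconnect from" lines from matching.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)

def connects_per_ip(lines):
    """Count SMTP connects per client IP, as the receiving MTA sees them."""
    counts = Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def over_limit(counts, limit):
    """Return the IPs whose connect count exceeds a (hypothetical) per-IP limit."""
    return sorted(ip for ip, n in counts.items() if n > limit)

def _line(host, ip, event="connect"):
    # Builds a constructed syslog line in the format quoted in the thread.
    return f"Dec 23 10:00:00 mx1 postfix/smtpd[9335]: {event} from {host}[{ip}]"

# Constructed sample: three customer servers delivering directly, two mails each.
CUSTOMERS = [
    ("mail.a.example", "192.0.2.10"),
    ("unknown", "192.0.2.20"),          # no reverse DNS
    ("mail.c.example", "2001:db8::25"),  # IPv6 peer
]
DIRECT = []
for host, ip in CUSTOMERS:
    DIRECT += [_line(host, ip), _line(host, ip), _line(host, ip, "disconnect")]

# Constructed sample: the same six mails arriving through one relay address.
VIA_RELAY = [_line("relay.example", "198.51.100.5") for _ in range(6)]

if __name__ == "__main__":
    for name, log in (("direct", DIRECT), ("via relay", VIA_RELAY)):
        counts = connects_per_ip(log)
        print(name, dict(counts), "over limit:", over_limit(counts, 3))
```

The same volume looks different per source address in the two cases, which is the concern raised in the post; whether a receiver acts on connection counts alone or on message content is a policy of that receiver.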
Same time though, this might be interesting... http://smtp-proxy.klolik.org/ as this does appear to deal with some of the more subtle parts of SMTP, e.g. auth. As with the above discussion though, it is only transparent at SMTP level, not IP.
Last edited by acid_kewpie; 12-24-2009 at 01:46 AM.