Old 12-22-2009, 10:48 AM   #1
tungvs
Member
 
Registered: May 2008
Distribution: Centos; Ubuntu; Fedora
Posts: 98

Rep: Reputation: 15
How can I setup a transparent mail proxy ?


Hi all !

This is the topo:

Code:
Local mail servers  ====>   Router/Firewall  =====>    Internet
                                 |
                                 |
                                 V
                       Transparent Mail proxy
This is the problem:

I want to set up a transparent mail proxy, which will filter all spam/virus mails from local mail servers to the Internet. The requirement is that if a local mail server A sends a mail, the SMTP traffic will get to the Internet through my mail proxy (in fact, SMTP traffic will be redirected to the proxy; it's not a relay). If it's a spam/virus mail, it'll be discarded. Otherwise, the SMTP traffic will be forwarded to the Internet. But the Internet mail servers must see the SMTP traffic as if it is from local mail server A, not from my proxy.

I have searched through several popular software packages like Postfix, ASSP, ProxSMTP, but they don't match the requirement. (Or I just cannot figure out how to do it.)

Any suggestions, please ?

Thanks .
 
Old 12-22-2009, 12:37 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
I do not think transparent means what you think it means (sorry, Princess Bride).

A transparent proxy is visible but requires no setup by the end user typically.
 
Old 12-22-2009, 12:40 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Why would mail need to come from a local mail server? The from address wouldn't change at all; surely that's all that matters? Once email leaves your networks you have no idea where the email goes; it could go through 50 other SMTP relays without your knowledge. Just configure a postfix server (or similar) as a mail relay for the internal machines and off you go.

Last edited by acid_kewpie; 12-22-2009 at 12:41 PM.
 
Old 12-22-2009, 02:09 PM   #4
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Acid is correct, and pretty much any of the standard mailers (postfix, sendmail, exim) with the appropriate packages installed (à la spamassassin, clamav, amavis, etc.) and configured can do the job you're looking for.
 
Old 12-22-2009, 05:35 PM   #5
Smartpatrol
Member
 
Registered: Sep 2009
Posts: 196

Rep: Reputation: 38
...

Last edited by Smartpatrol; 03-11-2010 at 09:54 PM.
 
Old 12-22-2009, 07:32 PM   #6
tungvs
Member
 
Registered: May 2008
Distribution: Centos; Ubuntu; Fedora
Posts: 98

Original Poster
Rep: Reputation: 15
We have so many local mail servers behind the firewall (could be several hundred), so the mail traffic would be enormous. If I set up the proxy as a relay, all outgoing mail traffic will be seen as originating from one IP: my proxy. With such a big amount of mail traffic coming from a single IP, I'm afraid my proxy IP will be listed as a spam source itself, although I could have deployed a spam filter at the proxy (all outgoing mails are not spam).

PS: I have configured a postfix server as a relay, but I couldn't figure out how to make it transparent without using iptables NAT and MASQUERADE. In my opinion, if using NAT, the performance of the server would decrease dramatically. It's not suitable for such big mail traffic.
 
Old 12-23-2009, 02:15 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
No, you've got some logic wrong there. The IP of the mail source must change at a basic level as you want to have the email server not 100% in line with the traffic, so if you don't change the IP address it will be impossible to establish a TCP connection between your relay and the destination. Are these addresses behind firewalls private or public addresses? Are you not going out to an internet-facing firewall which is then natting all traffic to a public IP anyway?

Transparent can mean a LOT of things. You seem to genuinely think you need something that you can't find though, so can you describe *EXACTLY* what you want to achieve in terms of SMTP headers, including samples of headers that have been subjected to a conventional relay and have then become unsuitable, highlighting why. At which level of OSI (etc.) do you think the transparency will occur? A transparent web proxy operates at http level, not tcp/ip level, whilst other transparent services, like load balancers, do it at the tcp/ip level, meaning that possibly other than MAC addresses there really is no evidence at all of the proxy being there. Maybe it's just a case of suppressing additional headers? I really can't see what you'd need to achieve, other than an ease of convenience in terms of not using an explicit relay, which I'm sure you can easily do with dnat as in your diagram to push anything on port 25 sideways to a relay. I've not done this before TBH, but can't see a reason it wouldn't work fine.

Last edited by acid_kewpie; 12-23-2009 at 02:18 AM.
 
Old 12-23-2009, 07:42 PM   #8
tungvs
Member
 
Registered: May 2008
Distribution: Centos; Ubuntu; Fedora
Posts: 98

Original Poster
Rep: Reputation: 15
I'm sorry if the phrase "Local mail servers" confuses you. I mean they're our customers' mail servers, and they all have public IPs.

When an MTA connects to another MTA, the receiving one will see the IP of the sending one. I've viewed the log file and see a line like
Code:
<receiving_MTA> postfix/smtpd[9335]: connect from <sending_MTA>[x.x.x.x]
I suppose most spam filters will look at this info to blacklist spam sources.

So I'd like the receiving MTAs on the Internet to see our customers' mail servers' IPs instead of our proxy IP, because if receiving MTAs see that much SMTP traffic coming from a single IP, I think they will list the proxy IP as a spam source.

Do spam filters work that way ?
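
Added example (not part of any post in this thread): the `connect from` line quoted in post #8 records only the IP of the directly connecting client, so on the receiving side every message relayed through one proxy is counted against the proxy's address. The sketch below tallies those lines per client IP over a sliding window; the log lines, hostnames, addresses, year and threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in post #8 (documentation IPs).
SAMPLE_LOG = """\
Dec 23 19:40:01 mx1 postfix/smtpd[9335]: connect from relay.example.net[192.0.2.10]
Dec 23 19:40:02 mx1 postfix/smtpd[9336]: connect from relay.example.net[192.0.2.10]
Dec 23 19:40:03 mx1 postfix/smtpd[9337]: connect from unknown[2001:db8::25]
Dec 23 19:40:05 mx1 postfix/smtpd[9335]: disconnect from relay.example.net[192.0.2.10]
Dec 23 19:40:30 mx1 postfix/smtpd[9338]: connect from relay.example.net[192.0.2.10]
Dec 23 19:52:00 mx1 postfix/smtpd[9340]: connect from mail.customer-a.example[198.51.100.7]
Dec 23 19:52:10 mx1 postfix/smtpd[9341]: connect from relay.example.net[192.0.2.10]
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f:.]+)\]$"
)

def parse_connects(log_text, year=2009):
    """Yield (timestamp, hostname, ip) for each smtpd 'connect from' line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:  # 'disconnect from' and unrelated lines do not match
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["ip"]

def peak_per_ip(log_text, window=timedelta(minutes=10)):
    """Return {ip: highest number of connects seen inside any one window}."""
    times = {}
    for ts, _host, ip in parse_connects(log_text):
        times.setdefault(ip, []).append(ts)
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop connects older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flag_heavy_senders(log_text, limit=2, window=timedelta(minutes=10)):
    """Client IPs whose peak exceeds `limit` connects per window (limit is an arbitrary example value)."""
    return sorted(ip for ip, n in peak_per_ip(log_text, window).items() if n > limit)
```

The hostname in front of the brackets comes from a reverse DNS lookup and may be `unknown`, so the tally keys on the bracketed address only.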
 
Old 12-24-2009, 01:35 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
There's nothing wrong with a mail server sending a lot of mail. Are you going to be sending more mail than GMail's servers? I doubt it. You want to run this mail server in the first place to filter out spam, right? So you should have a good level of confidence that whatever you're sending out is not spam anyway, so as long as you do that part correctly, you should have no worries in the volume as the quality should be there to match.

Same time though, this might be interesting... http://smtp-proxy.klolik.org/ as this does appear to deal with some of the more subtle parts of SMTP, e.g. auth. As with the above discussion though, it is only transparent at SMTP level, not IP.

Last edited by acid_kewpie; 12-24-2009 at 01:46 AM.
 
Old 12-24-2009, 02:47 AM   #10
tungvs
Member
 
Registered: May 2008
Distribution: Centos; Ubuntu; Fedora
Posts: 98

Original Poster
Rep: Reputation: 15
Thanks mate, I see it more clearly. I will plan a test soon and confirm some results back later.

Besides, I found better-documented software (at least in the configuration file):
Code:
http://bent.latency.net/smtpprox/
 
  

