[nycbug-talk] spamd with mail gateway and mailserver

michael lists
Sun Nov 27 17:38:53 EST 2005


I recently set up a new network and was having difficulty with spamd on
my firewall and found one simple solution (there may be others) that I
wanted to put in the archives. 

I have a firewall that doubles as my mail gateway.  I list the gateway
as the MX for the domain.  A box behind the firewall is my mailserver.
If mail arrives on the gateway (destined for legit accounts) it is
relayed to the mailserver.  Alternately, I send and receive all my mail
on the mailserver.  My outgoing mail is relayed back to the gateway and
out to the internet.

Mail from internet to me:
internet --> gateway ---> mailserver

Mail from me to internet:
mua  --> (firewall implied)--> mailserver --> gateway --> internet

Only after I had everything working well, I wanted to add OpenBSD's
spamd to the mix.  The problem was.. there happened to be two kinds of
smtp traffic coming from the outside world into the firewall:  MTA's
trying to deliver mail to me -and- me trying to deliver mail out to the
world.  Well, spamd does not know (or care) who you are when you come
knocking on port 25.. you go into the system.  The first thing my MUA
does is ask to start a TLS session.  spamd does not do TLS.  I tried
some fancy redirection in pf but could not get it to work easily.

Further research uncovered an alternate smtp port.

$ grep 587 /etc/services 
submission	587/tcp	msa	# mail message submission
submission	587/udp	msa	# mail message submission

I told the mailserver to listen on submission, opened that server/port
in the firewall, and changed my MUA to use the new port and all is
well.   *MY* smtp traffic no longer goes thru 25 and does not get
sucked into spamd.

-- 

Michael
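The pf.conf side of the setup described above, as an added example that is not from Michael's post (interface names, the mailserver address and the pre-OpenBSD 4.7 `rdr` syntax of that era are assumptions):

```pf
# Constructed pf.conf fragment for a gateway running spamd in greylisting
# mode.  Interface names and addresses are placeholders; rule syntax is the
# pre-OpenBSD 4.7 form that was current in 2005.
ext_if = "fxp0"
int_if = "fxp1"
mailserver = "192.168.1.10"        # internal mailserver (placeholder address)

table <spamd-white> persist        # maintained by spamd/spamlogd

# The problem setting: every not-yet-whitelisted connection to port 25 on
# the external interface is handed to spamd.  That includes the author's own
# MUA connecting from outside; spamd does not speak STARTTLS, so the MUA's
# first command fails.  (port "spamd" is 8025 in OpenBSD's /etc/services.)
rdr pass on $ext_if inet proto tcp from !<spamd-white> to ($ext_if) port smtp \
    -> 127.0.0.1 port spamd

# Whitelisted MTAs are not redirected and reach the gateway's own MTA on 25,
# which then relays legitimate mail to the internal mailserver.
pass in on $ext_if inet proto tcp from <spamd-white> to ($ext_if) port smtp

# The fix from the post: the MUA submits on port 587 (submission), which the
# spamd rule above never matches.  The gateway forwards that port straight to
# the internal mailserver, which must be listening on 587.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port submission \
    -> $mailserver port submission
```

Port 587 still terminates at the mailserver's own authentication and TLS, so exposing it does not open a relay; only port 25 is subject to greylisting.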



