[nycbug-talk] Postfix filter for Exchange

Peter Wright pete at nomadlogic.org
Thu Jul 27 12:17:50 EDT 2006


>
> On Jul 27, 2006, at 11:31 AM, Pete Wright wrote:
>
>> Hi All,
>> 	So for some reason we run exchange as our mail store, and
>> frankly I'd rather not start another fight as to how we should
>> probably move to a more robust mail solution.  we do have an issue
>> where runaway scripts start generating *tons* of email in a very
>> short period of time.  We have been trying our best to resolve this
>> issue by bludgeoning those who write the offending code, but it still
>> happens from time to time.
>>
>> 	So, to help us out with this I am going to propose putting a
>> Postfix filter in front of the exchange server to kill these mail bombs
>> before they take down exchange.  The exchange admins promise there is
>> nothing they can do to properly rate limit, or kill these mail bombs
>> before spooling them.  I am not so sure about that, but do not have
>> the time to learn exchange.
>>
>> 	Has anyone implemented such a solution for a high-volume
>> mailserver, if so any caveats i should be looking out for?  Or is
>> there a sendmail milter that does this already that i don't know about?
>>
>> thanks!
>> -pete
>>
>
>
>
> Hey Pete,
>
> 	We currently run a brightmail solution in front of ours, but I've
> done the same thing in the past with spam assassin and even tied
> procmail in for my personal mailbox. The easiest way to pull this off
> is to monkey with your mx preferences and firewall rules. Set up your
> new postfix server with all of your rules as a higher mx pref than
> your exchange server. Then you can control access to your exchange
> server via your firewall. I am of course assuming that you are using
> three distinct pieces of equipment for this. Anyway, doing this
> allows you to toggle access by the general public to your exchange
> server directly. Just remember to always allow access to it from the
> postfix box.
>
> Cheers,
> Mikel
>


one of the things that makes this easier for us is that this is a private
mail server.  we already have solutions in place to protect our exchange
box from the wild (thank god!), and we do limit who can connect to the
machine locally - but we do not have bastion SMTP servers internally yet.
so at this point for us we just have to protect ourselves from ourselves
;)

-pete


-- 
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459
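
Added example, not part of the original thread: a Postfix main.cf fragment for the setup discussed above, with Postfix accepting mail from internal hosts, rate limiting each client, and relaying to Exchange. The host name, networks and limit values are assumptions chosen for illustration.

```conf
# /etc/postfix/main.cf (fragment). Added example: all names and numbers
# below are assumptions, not values from the thread.

# Accept mail only from the internal networks that host the scripts.
mynetworks = 127.0.0.0/8 10.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject

# Do not deliver locally; hand everything to the Exchange server.
# Brackets suppress the MX lookup so mail goes straight to this host.
mydestination =
relayhost = [exchange.internal.example]:25

# anvil(8) counts events per client IP over this time unit.
anvil_rate_time_unit = 60s

# Per-client ceilings per time unit (0 = unlimited, the default).
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 200
# Simultaneous connections allowed per client.
smtpd_client_connection_count_limit = 10

# By default clients in $mynetworks are exempt from the limits above,
# which would exempt exactly the internal hosts that send the floods.
# List only hosts that must never be throttled (here: localhost).
smtpd_client_event_limit_exceptions = 127.0.0.0/8
```

A client that exceeds a limit gets a temporary (4xx) rejection and Postfix logs a warning naming the client address, so the offending host can be identified from the mail log.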


