[nycbug-talk] Postfix filter for Exchange
pete at nomadlogic.org
Thu Jul 27 12:17:50 EDT 2006
> On Jul 27, 2006, at 11:31 AM, Pete Wright wrote:
>> Hi All,
>> So for some reason we run Exchange as our mail store, and
>> frankly I'd rather not start another fight as to how we should
>> probably move to a more robust mail solution. We do have an issue
>> where runaway start generating *tons* of email in a very short
>> period of time. We have been trying our best to resolve this issue
>> by bludgeoning those who write the offending code, but it still
>> happens from time to time.
>> So, to help us out with this I am going to propose putting a
>> Postfix filter in front of the Exchange server to kill these mail
>> bombs before they take down Exchange. The Exchange admins promise
>> there is nothing they can do to properly rate limit, or kill these
>> mail bombs before spooling them. I am not so sure about that, but
>> do not have time to learn Exchange.
>> Has anyone implemented such a solution for a high-volume
>> mailserver, and if so, any caveats I should be looking out for? Or is
>> there a sendmail milter that does this already that I don't know about?
> Hey Pete,
> We currently run a Brightmail solution in front of ours, but I've
> done the same thing in the past with SpamAssassin and even tied
> procmail in for my personal mailbox. The easiest way to pull this off
> is to monkey with your MX preferences and firewall rules. Set up your
> new Postfix server with all of your rules as a higher MX pref than
> your Exchange server. Then you can control access to your Exchange
> server via your firewall. I am of course assuming that you are using
> three distinct pieces of equipment for this. Anyway, doing this
> allows you to toggle access by the general public to your Exchange
> server directly. Just remember to always allow access to it from the
> Postfix box.
One of the things that makes this easier for us is that this is a private
mail server. We already have solutions in place to protect our Exchange
box from the wild (thank god!), and we do limit who can connect to the
machine locally - but we do not have bastion SMTP servers internally yet.
So at this point for us we just have to protect ourselves from ourselves.
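As an added illustration of the "Postfix filter in front of Exchange" idea discussed in this thread (example code, not anything posted by the participants): one way to stop a runaway sender before it reaches the mail store is a small Postfix SMTPD policy service that counts deliveries per envelope sender over a sliding window and answers DEFER_IF_PERMIT once the window is full. The listening port (10040), the thresholds (100 per 60 seconds), and the sample request are assumptions chosen for the example; the name=value request format and the action= reply are Postfix's documented policy delegation protocol (SMTPD_POLICY_README).

```python
"""Postfix SMTPD policy service that rate limits by envelope sender.

Added example, not code from the thread. Postfix sends "name=value" lines
ending in an empty line and expects "action=..." plus an empty line back.
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

LISTEN = ("127.0.0.1", 10040)   # assumed; must match check_policy_service in main.cf
WINDOW_SECONDS = 60             # assumed site policy: at most MAX_PER_WINDOW
MAX_PER_WINDOW = 100            # recipient deliveries per sender per minute


class SenderRateLimiter:
    """Sliding-window counter per envelope sender (thread safe)."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # sender -> timestamps inside the window
        self._lock = threading.Lock()

    def allow(self, sender, now=None):
        """Record one event for sender; return False once the window is full."""
        now = time.time() if now is None else now
        cutoff = now - self.window
        with self._lock:
            q = self._events[sender]
            while q and q[0] <= cutoff:       # drop events that fell out of the window
                q.popleft()
            if len(q) >= self.limit:
                return False                  # over limit; the refused one is not counted
            q.append(now)
            return True


def parse_policy_request(raw):
    """Parse the name=value block Postfix sends; stop at the first empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, limiter, now=None):
    """Map one policy request to a Postfix access action.

    With the default smtpd_delay_reject=yes Postfix asks once per RCPT TO, so
    the limit counts recipient deliveries, which is what loads the mail store.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"                        # not an SMTP access query: no opinion
    sender = attrs.get("sender", "").lower()
    if not sender:
        return "DUNNO"                        # null sender (bounces): leave alone
    if limiter.allow(sender, now):
        return "DUNNO"                        # let the remaining restrictions decide
    # 4xx so a legitimate submitting host queues and retries instead of bouncing.
    return "DEFER_IF_PERMIT Too many messages from %s, retry later" % sender


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve requests on one connection until Postfix closes it."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return                    # connection closed by Postfix
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = decide(parse_policy_request("\n".join(lines)), LIMITER)
            self.wfile.write(("action=%s\n\n" % action).encode("utf-8"))
            self.wfile.flush()


LIMITER = SenderRateLimiter()

# Constructed sample request in the shape Postfix sends at RCPT TO (not real traffic).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=10.0.0.5\n"
    "sender=cron@corp.example\nrecipient=ops@corp.example\ninstance=1.2.3\n\n"
)


def simulate_burst(count, limit=3, window=60, start=1000.0):
    """Feed `count` requests one second apart through a fresh limiter; return actions."""
    limiter = SenderRateLimiter(limit=limit, window=window)
    attrs = parse_policy_request(SAMPLE_REQUEST)
    return [decide(attrs, limiter, now=start + i) for i in range(count)]


if __name__ == "__main__":
    print(simulate_burst(5))                  # 3 x DUNNO, then two deferrals
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as srv:
        srv.serve_forever()
```

Wire it in on the Postfix box with `check_policy_service inet:127.0.0.1:10040` inside `smtpd_recipient_restrictions` (port assumed, as above). The deferral is deliberate: a runaway internal job that gets a 450 is held by its submitting MTA and retried later, whereas a 5xx would turn a mail bomb into a bounce storm. If per-sender granularity is not needed, Postfix 2.2 and later can do this without any external service through the anvil-based `smtpd_client_message_rate_limit` and `smtpd_client_recipient_rate_limit` settings, which count per client IP address rather than per envelope sender.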