Qmail as an email gateway

tavie

Nov 23, 2001
I am hoping someone has done this and can provide a document..

I have an Exchange 5.5 server for internal email and an ISP for POP3 mail external. What I want to do is use RH 9.0 with fetchmail/qmail/SpamAssassin/ClamAV to parse all POP3 mail for all clients for the POP3 domain. Then I want the good email to be forwarded to their Exchange server mailbox so they can download into Outlook. I want to eliminate their POP3/SMTP client config in Outlook and just use the Exchange client. I also want all SMTP to go out from the Exchange server to the internet bypassing qmail... I don't need to scan what is going out anyway... Any help would be great... I found iceteks email gateway doc but it does not have enough detail...
 
I'll be happy to comment, but I'd like a little more information on your strategy....

First, what do you want done with "bad mail" and how do you define "bad"?

Second, why do you have a POP3 domain? If you put the qmail gateway in play, and it is public-facing, you would be inclined to make it your public MX mail server and have email delivered through it to Exchange. Thus you'd potentially eliminate all POP3 for the domain in question. This is an all-or-nothing issue for the users, but if you're weaning them from POP3 anyhow, that should work.

Third, do you care if you DO use SMTP outbound going through anti-SPAM, anti-Virus? My impression is that you have a Windows local LAN and might want to protect yourselves from both inbound and outbound virus activity by using these filters.

How many users?



D.E.R. Management - IT Project Management Consulting
 
thedaver...Thanks for replying...

1st...Bad mail in my world is SPAM and any message containing potentially unsafe content...executable content basically... all that should be dropped to a bad mail queue where I can summarily dump it...I would like to queue it so I can examine and build new rules based on what I get....

2nd The business I support hosts their website off site so they have an account set up with 25 POP3 mailboxes. I use Exchange as basically a place to dump all email and hold it for them. All users have an internal email in Exchange and a POP3 account. The qmail gateway will not be public facing... It will sit in the DMZ and have all POP3 (110) traffic forwarded to it from the firewall.

3rd I am assuming that I will need to use SMTP since the ISP will not relay from my internal domain. The internal and external domain names are different. I do not see any way around this.... Thnx....
 
hrm... ok, a bit unconventional, but I think we can work this out.....

Yes, build the qmail gateway with anti-spam, anti-virus.

Give it a "rcpthost" entry of your public facing domain.

Give it an "smtproutes" value for the domain that is the IP of your Exchange server.

Give it an "smtproutes" value for the Internet that is your ISP's SMTP server. Make sure the ISP trusts this machine by IP address, otherwise it's patch time to get it to login to SMTP for relay.

Enable the regular double-bounce stuff per LWQ.

You SHOULD be able to have fetchmail run on the qmail box and forward the POP'd mail to qmail-inject. qmail would see the mail as deliverable to your domain and would know through the configuration that the next "hop" for delivery of that email is your Exchange server. This email would be delivered using a FQDN.

The qmail-scanner/spamassassin/clamav will need to be told of a quarantine email account that you want the bogus/viral/spammy email delivered to on your Exchange server.

This qmail server will not have local email boxes. I believe this means that you do NOT provide a value in the qmail "locals" file.

Then all you should need to do is have each client specify the ISP SMTP server for outbound.




D.E.R. Management - IT Project Management Consulting
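
The control-file layout described in the post above, as an added example that is not part of the original thread: it writes qmail's `rcpthosts`, `smtproutes` and an empty `locals` into a staging directory and checks which next hop a recipient domain would get. The function names, the staging directory and the sample values used to call them are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): stage the qmail control files for a
# relay-only gateway. Every value passed in is a placeholder chosen by the caller.

write_gateway_controls() {
    ctl="$1"             # staging dir; review, then copy into /var/qmail/control
    domain="$2"          # public-facing mail domain
    exchange_relay="$3"  # internal Exchange server (next hop for $domain)
    isp_smtp="$4"        # ISP SMTP server (next hop for everything else)

    mkdir -p "$ctl" || return 1

    # rcpthosts: domains qmail-smtpd will accept mail for, one per line
    printf '%s\n' "$domain" > "$ctl/rcpthosts"

    # smtproutes: "domain:relay"; an empty domain field is the catch-all route
    {
        printf '%s:%s\n' "$domain" "$exchange_relay"
        printf ':%s\n' "$isp_smtp"
    } > "$ctl/smtproutes"

    # locals: present but empty, so no domain is delivered to local mailboxes.
    # If the file is missing, qmail falls back to the hostname in control/me.
    : > "$ctl/locals"
}

# Print the relay the staged smtproutes would select for a recipient domain.
# Handles exact matches and the catch-all only (not ".suffix" wildcard entries).
next_hop() {
    ctl="$1"; rcpt_domain="$2"
    awk -F: -v d="$rcpt_domain" '
        $1 == d  { print $2; found = 1; exit }
        $1 == "" { fallback = $2 }
        END      { if (!found) print fallback }
    ' "$ctl/smtproutes"
}
```

Running `next_hop` for the hosted domain and for an outside domain before copying the files into place confirms that inbound mail is handed to Exchange and everything else goes to the ISP relay.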
 
thedaver...Yes I am unconventional...The last piece though about the client specifying the ISP SMTP...Couldn't I just use the Internet Mail service in Exchange or will the authentication fail to the ISP SMTP Server??

If that is the case then how would I relay the outbound SMTP traffic back through Qmail all the while using the user-email account and password for authentication ???
 
Disclaimer: I don't know anything about Exchange, on purpose. You could send outbound SMTP through the client configurations individually, you can probably tell Exchange to send SMTP on behalf of clients as well.

You have the option to send through ISP directly (without spam/virii filtering) or through qmail.

Through qmail, you can either send outbound directly to the internet (if your ISP allows port 25 outbound) or send through the ISP SMTP server if it will accept unauthenticated logins. I believe there is a patch to qmail that allows it to accommodate a login on SMTP outbound, but I'm not versed in it.

Frankly, it's probably easiest, in your context, to send through Exchange to the ISP.



D.E.R. Management - IT Project Management Consulting
 
thedaver...Thank you for your help you have got me thinking of several scenarios but also I know what I need to configure to make it work....
 
Last point about sending SMTP to Internet via qmail directly.

I believe you'd have qmail on a private network without an MX record for your qmail box.

In many cases, email servers (following RFCs) would not accept mail from a sender that has no MX record match to the IP of the sender. There are also filters/RFCs that might require reverse DNS or SPF lookups.

In short, you might get viewed as a sender similar to a zombie spam email sender. Thus you _could_ send email from qmail directly, but your actual delivery success may vary quite widely depending upon how rigidly the recipient chooses to enforce certain rules and specifications...

Just FYI.

D.E.R. Management - IT Project Management Consulting
 