
qmail relay to Exchange

Status
Not open for further replies.

agreene2112

Technical User
Jan 19, 2006
4
US
I'm trying to get the following setup working and underway.

Incoming mail comes into my system

Internet > qmail w/SpamAssassin + AntiVirus > Exchange 2003 > Users

Outgoing mail

Users > Exchange 2003 > Internet

On the incoming side of things, I would want to do some sort of "quarantine" to allow users the ability to allow or block based on their preferences. Also would like the ability to include the usage of RBLs. Is there a better way to do this? I'm currently also evaluating the Barracuda, but my director tasked me to find out if there's any way to do the job just as well, but using open source software. Any help on this will be greatly appreciated.
 
I think your incoming email program is very sensible.
Outgoing mail should probably also go out the qmail gateway:
1) to prevent exposing Exchange to the "real world" and
2) to prevent your network from sending virii
Thus I'd propose an architecture change in that area. This might be entirely based upon personal preference, so use your own risk tolerances...

As to quarantine, I'd really not endorse that. If your virus scanner finds a virus-infected message, kill it. Kill the message absolutely and without a care. 99.9999% of email-borne virii are sent by 'bots without any awareness of the user affected. As a result, attempting to even process the message itself is a waste of time. You, as administrator, could be a "nice person" and research the sending host, find that network admin, and submit the virus evidence. Frankly, I'm guessing that killing off the virus is more aligned with your other responsibilities.

As to RBL, you should most certainly enable the use of the RBLSMTPD functionality in qmail. I have had great results from the XBL-SBL list run by spamhaus.org.

If you can swing it, I REALLY recommend patching qmail with the CHKUSER v2.x patch. It allows you to deny email at the SMTP connection based upon a user being known or not. Given your use of Exchange that might be prohibitive, but it's really beneficial.

Thus if you use RBL to block known bad hosts and you use CHKUSER to block undeliverable recipients (which can evolve into homegrown RBL records) then you have a very powerful arsenal against the bad guys.

I've started a small project around using CHKUSER delivery information to populate RBLSMTPD entries in your tcp.smtp file.


Check it out IF you implement CHKUSER patch from tonix:


Good luck.

D.E.R. Management - IT Project Management Consulting
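
The idea in the post above, turning hosts that keep addressing nonexistent recipients into local RBLSMTPD entries for tcp.smtp, sketched as an added example (not part of the original post and not the poster's project). The log format, the threshold and the `never_block` allowlist are assumptions made for illustration; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified, hypothetical log format;
# adapt REJECT_RE to the lines your chkuser build actually writes.
SAMPLE_LOG = """\
rejected rcpt remote=203.0.113.7 rcpt=<aaron@example.com> reason=no such recipient
rejected rcpt remote=203.0.113.7 rcpt=<abby@example.com> reason=no such recipient
rejected rcpt remote=203.0.113.7 rcpt=<adam@example.com> reason=no such recipient
rejected rcpt remote=198.51.100.20 rcpt=<jsmiht@example.com> reason=no such recipient
accepted rcpt remote=198.51.100.20 rcpt=<jsmith@example.com>
rejected rcpt remote=192.0.2.10 rcpt=<a@example.com> reason=no such recipient
rejected rcpt remote=192.0.2.10 rcpt=<b@example.com> reason=no such recipient
rejected rcpt remote=192.0.2.10 rcpt=<c@example.com> reason=no such recipient
rejected rcpt remote=not-an-ip rcpt=<x@example.com> reason=no such recipient
"""

REJECT_RE = re.compile(r"^rejected rcpt remote=(\S+) rcpt=<([^>]*)>")


def build_rules(log_text, threshold=3, never_block=("192.0.2.0/24",)):
    """Return tcp.smtp lines for hosts that tried >= threshold distinct unknown recipients."""
    # never_block: hypothetical allowlist for your own or trusted relays.
    exempt = [ipaddress.ip_network(n) for n in never_block]
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # never copy unvalidated log text into a rules file
        if any(ip in net for net in exempt):
            continue
        # Count distinct recipients so one mistyped address retried
        # several times does not look like address harvesting.
        probes[ip].add(m.group(2).lower())
    rules = []
    for ip in sorted(probes):
        if len(probes[ip]) >= threshold:
            # A leading '-' makes rblsmtpd reply with a permanent 553
            # error instead of a temporary 451.
            rules.append(f'{ip}:allow,RBLSMTPD="-Blocked: repeated unknown recipients"')
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_LOG)))
```

The generated lines only take effect once they are merged into tcp.smtp, the file is recompiled with `tcprules`, and `rblsmtpd` sits in the tcpserver chain in front of qmail-smtpd.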
 
I whole-heartedly agree with you on killing virii as they come in. My quarantine question was regarding spam - it seems as if we have a great many e-mails from customers, vendors, etc that come in as spam currently.

I am inclined to take your suggestion about scanning outgoing e-mail for virii, just as an added layer of security.

Our current implementation has Symantec Mail Security for SMTP in the role that I am wanting the qmail server to fill. It utilizes RBLs and we will likely continue to use the spamhaus RBL.

I find that filtering out spam is a VERY fine line and my users (like all users) complain when they feel they get too much spam and also complain when they get the occasional false positive (and rightly so).

I mainly just wanted to respond by saying that I appreciate the response and will update as I get nearer to what I'm planning to do. I have a test environment right now so I'm pretty free with it.
 
Ah, quarantining spam.... Indeed a tricky bit.

There are an increasingly large number of mail reader software packages that include local filters and spam filters. In addition, using something like postfix is a way, through some effort, to provide user-specific filters.

It's really hard to implement anything well, as you know, on the server end that satisfies everybody's interest. This is particularly difficult if your normal business traffic triggers many spam filters on the way in (i.e. attachments or phrases such as "credit card" or "mortgage application").

Frankly, I tell them that the only solution will be a central one. False positives can be mitigated by allowing more email through. Spam content and approaches are ever evolving and it's something that educated users will appreciate as a major challenge to administration if you are able to communicate effectively.

D.E.R. Management - IT Project Management Consulting
 
I would admit that qmail - without vpopmail - is not really the easiest to cobble together a per-user anti-spam solution. I've never liked sendmail.

Exim and postfix have gotten good reviews in this realm.

To be honest, however, it's probably not a best practice to have users accessing your gateway server to parse quarantined mail. Wasn't clear from your note whether that was planned or not...



D.E.R. Management - IT Project Management Consulting
 
I definitely wouldn't want them to access it directly, but just trying to come up with some way to do it in a kind of a roundabout fashion. I also didn't want to have to re-invent the wheel if it had already been done.

So far today I've got the qmail forwarding to the Exchange box and added in the RBLs. I've installed SpamAssassin, but haven't had a chance to test it yet. I've also got the IMF running on Exchange, but that may be redundant.

Thanks again for all of your help thus far! I'll post a step-by-step of what I've done for us Linux newbs/Windows admins. :D
 