Re: Suggestions for a greylisting proxy?
> We're looking to experiment with greylisting on our servers. However,
> we're currently married to qmail, and that requires a complete
> re-compile in order to build greylisting in. So, we're looking into a
> greylisting proxy.
I'm using spey as a proxy on a small to medium sized mail server. Works perfectly for me.
Disclaimer: When I installed it about 1.5 years ago I had to fix some
issues with it, mainly concerning dropped incoming connections from
mailservers which aren't really RFC compatible (hell knows what crap
some people are using as MTA ;-) These issues should be fixed in the
current version of spey. But I never checked myself.
> But, we're concerned about the pitfalls of this. The ones that we can
> see immediately are: 1) SMTP authentication (for our own users sending
> from foreign domains), and 2) TLS/SSL connections. The proxies we've
I configured spey with a separate IP. Use mail.yourdomain.foo for your
users and mailin.yourdomain.foo as MX record. Configure spey to listen
to mailin only. This additionally gives you the ability to switch on
greylisting on a per-domain basis, if you're doing multi-domain mail service.
To solve 1) and 2) configure a separate qmail port on localhost, which
spey can use to connect to. Disable authentication (and relaying of
course) and STARTTLS for this port.
Secure connections aren't possible with spey, as it can't handle SSL/TLS
itself. Tunneling is not an option, as greylisting happens according to
the MAIL FROM and RCPT TO commands, which are issued only after the
STARTTLS. Of course you could decide to skip greylisting for secure
connections. Then tunneling becomes possible, but needs some tweaking in
the spey source code, as far as I know.
Final hint: Best option is to use a modern MTA like postfix2, of course.
But as I understand this is not an option for you at the moment.
CHECON EDV-Consulting und Redaktion
Claus Herwig * Barer Straße 70 * 80799 München
+49 89 27826981 * Fax 27826982 * email@example.com
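
The decision described in the message above, as an added example that is not part of the original post and is not spey's code: a sketch of triplet greylisting with a per-domain switch, showing that the verdict depends on the MAIL FROM and RCPT TO values. The class name, the 300-second delay, the reply text and all addresses are constructed assumptions.

```python
import time

class Greylist:
    """Triplet greylisting keyed on (client IP, MAIL FROM, RCPT TO)."""

    def __init__(self, enabled_domains, min_delay=300, clock=time.time):
        self.enabled = {d.lower() for d in enabled_domains}
        self.min_delay = min_delay   # seconds before a new triplet is accepted
        self.clock = clock           # injectable so the demo can fake time
        self.first_seen = {}         # triplet -> time of first attempt

    def check_rcpt(self, client_ip, mail_from, rcpt_to):
        """Return the reply the proxy would give to RCPT TO.

        Both envelope values are required. On a session that has issued
        STARTTLS they travel encrypted, so a proxy that cannot terminate
        TLS has nothing to build the triplet from.
        """
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain not in self.enabled:
            return "250 OK"          # greylisting is off for this domain
        # Lower-cased so a retry with different letter case still matches.
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.min_delay:
            return "451 4.7.1 Greylisted, try again later"
        return "250 OK"

def demo():
    """Replay constructed delivery attempts against a fake clock."""
    t = [0.0]
    gl = Greylist(["yourdomain.foo"], min_delay=300, clock=lambda: t[0])
    attempts = [  # (seconds to advance, client IP, MAIL FROM, RCPT TO)
        (0,   "192.0.2.10", "a@example.net", "user@yourdomain.foo"),
        (60,  "192.0.2.10", "a@example.net", "user@yourdomain.foo"),
        (400, "192.0.2.10", "a@example.net", "User@YourDomain.foo"),
        (0,   "192.0.2.99", "a@example.net", "user@yourdomain.foo"),
        (0,   "192.0.2.10", "a@example.net", "user@other.example"),
    ]
    codes = []
    for advance, ip, sender, rcpt in attempts:
        t[0] += advance
        codes.append(gl.check_rcpt(ip, sender, rcpt)[:3])
    return codes

if __name__ == "__main__":
    print(demo())
```

The first two attempts are deferred, the retry after the delay is accepted, a new client IP starts its own delay, and a recipient domain outside the enabled set is never deferred.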