Thread: Mail relaying, spam and antivirus

Hi,

I'm looking to build some new mail relays to replace our aging sendmail set-up, and would like to consider an alternative MTA such as Postfix or Exim.

We need the following features:


Optional SMTP authentication (against LDAP), otherwise restrict relaying to local domains.

DNSBL

sender verification callbacks and greylisting

spam filtering

virus scanning


We currently use sendmail with SASL, milter-sender, milter-amavis, amavisd, SpamAssasin and ClamAV to acheive all this (minus LDAP), however, I'm not entirely happy with the reliability of this solution.

There seems to be a fair few options for open source software out there that can do this kind of stuff now, and a bewildering array of ways to put them together. My biggest priority is reliability, but clarity of configuration and overall performance are also important.

On the later point, I've seen various reports of some MTA's performing better than others, but nothing that takes into account the whole system including spam and AV filtering. Since Spam and AV filtering will be most of the work done by these servers, it is perhaps more important how efficiently the MTA interfaces to the Spam and AV filtering than the raw speed of the MTA.

So what combinations of software do you folks use and/or recommend?

Cheers,
Ben.

Originally Posted by Cameron Gray

Exim + EximSA + ClamAV + SpamAssassin + MySQL (Config+MessageStore)

Do you mean that Exim is actually storing your spool and/or mailboxes in the MySQL database? I've not come across this feature before and don't seem to be able to find mention of it on Google or the Exim manual. Have you got any pointers to documentation? What are the advantages of doing this?

Originally Posted by samb

I've been using Exim for years and wouldn't use anything else for a large-scale mail deployment.

If you've already got your accounts in LDAP (as implied) then you just need Exim, SpamAssassin and ClamAV. Exim includes the Exiscan-acl patch from version 4.5 so there's no need to mess about patching the source.

We don't have the accounts in LDAP yet but getting them there shouldn't be a problem. I would like to use LDAP as we've got experience using it for mail routing elsewhere and it can easily be reliplicated to every mail server, making the system more scalable and resilient.

We currently have scripts to generate static configuration files from a mysql database and copy these onto each mail server. We will be replacing these with a simpler script to synchronise the data in the master LDAP server to the MySQL database, with a view to phasing out the MySQL database when all the lecacy systems using it have been replaced.

(copying static configuraiton files)

Originally Posted by racksense

This is actually a very good idea for many reasons.

Apart from the KISS philosophy, do you have any in mind?

Unfortunately the author of our current scripts didn't believe in KISS, so it's either a complete rewrite or use LDAP.

As I see it, the pros of using LDAP are:

- replication is taken care of for you
- the data can be accessed directly by multiple types and instances of systems

What are the cons? Reliability?

Originally Posted by Cameron Gray

Learn how routers and transports work and what they are for. The advantage from my point of view is that I bridgehead the POP/IMAP connections which a MySQL mailstore so apart from multiple people accessing the same row (header, content or attachment) it scales rather well.

Also included some rudimentary attachment minimisation on storage, i.e. if the attachments MD5 matches one already stored, just include a pointer rather than store the whole attachment again.

Quite a neat idea. I can see this is potentially quite scalable if you can build a fast enough mysql server, as you can have multiple mail servers feeding into the same database and multiple POP/IMAP servers reading from it. You could do mysql replication as well (although I'm not sure I'd want to, as our experiences with large replicated MySQL databases is they don't always replicate that reliably). Are the POP & IMAP servesr a complete custom job or based on existing ones?

How many man-hours went into building the system?

Originally Posted by samb

I was referring to the storing of messages in MySQL when I spoke about KISS.

I realised that, but its always a worthwhile philosophy to keep in mind. (I just wish I could convince my colleagues of that. :-( )

Originally Posted by samb

LDAP sounds to be a good fit for your scenario - make sure the database is replicated to each node and you'll have a nice setup.

Full consultancy is of course available

Thanks for the offer Sam. We should be able to (and will need to) figure it all out ourselves given time, but time is a luxury we're short of at the moment so we might yet take you up on the offer if you have plenty of experience setting up this kind of system and tuning the anti-virus and anti-spam software.