[OT] Dual-MTA setup and spam filtering (was Re: wallowing out of the spam quagmire)

[Daniel Pittman <daniel@rimspace.net>]

On 26 Jun 2004, Harry Putnam wrote:
> Daniel Pittman <daniel@rimspace.net> writes:
>
>> If you have control over your SMTP server, take a look at the
>> 'amavisd-new' package, which hooks into the loop and deals with SPAM
>> tagging with SpamAssassin as well as virus detection, and works very
>> nicely.
>
> My MTA is sendmail:
> checking this out at: http://www.ijs.si/software/amavisd/
>
> It mentions a `dual sendmail set-up' being required to use it with
> sendmail and says it works best with Postfix.

Ah. What that means is that sendmail lacks some of the routing
flexibility of newer MTA systems, requiring you to run two complete and
distinct instances of it to get inline SMTP filtering...

> I've seen that term ( `Dual Sendmail setup' ) a few times lately but
> haven't really seen anything telling what it means.

Basically, this is the diagram for mail delivery:

  +----------+     +---------+     +-------------+     +---------+
  | internet +-----+ MTA ext +-----+ amavisd-new +-----+ MTA int |
  +----------+     +---------+     +-------------+     +---------+

Mail comes in to the first sendmail on port 25, and is queued to disk. 
It is then sent through amavisd-new via SMTP, which sends it to a second
sendmail. The second sendmail then delivers the mail to the end user.

You can, but don't have to, run both of the sendmail instances on the
same system.

One reason for doing this is because there is a firewall between the two
systems, and you don't want your internal mail server exposed directly,
and vice-versa.

Another is to get something like amavisd-new inline to the SMTP delivery
cycle.

Postfix, for reference, can have a single instance, with only the one
configuration file, etc, and achieve the same results -- effectively,
have one SMTP port that passes stuff to a content filter, and another
which doesn't.[1]

> Do you know what that reference is about?
>
> ==
> (at http://www.ijs.si/software/amavisd/)
> [...]  
>
> It is written in Perl for maintainability, without paying a
> significant price for speed. It talks to MTA via (E)SMTP or LMTP, or
> by using helper programs. Best with Postfix, fine with dual-sendmail
> setup and Exim v4, works with sendmail/milter, or with any MTA as a
> SMTP relay. 'Howto' for qmail available as well.

The 'milter' interface is a way to put something inline to sendmail
during the initial SMTP conversation, rather than after the mail is
queued on disk for the first time.

This works, but I don't personally recommend it as a model. This
document covers why in some detail:

<http://www.postfix.org/SMTPD_PROXY_README.html>

It deals with Postfix, but the 'milter' is connected within sendmail in
the same spot as the 'before queue filter' in Postfix.

    Daniel

Footnotes: 
[1]  Recent versions can even have a single port which does this; I have
     that configuration, and it is quite nice.

-- 
CAUTION: This product exerts a force on every other object in the
Universe, proportional to the product of their masses divided by the
square of the distance between them, center to center.