[SLUG] IPTables/Firewall/SMTP

From: Bradley Brown (bradley@segrestfarms.com)
Date: Tue Jun 10 2003 - 10:21:06 EDT


Good morning all,
    I have a bit of an odd situation that I would like to get your opinions
and possible solutions to.
    I have a Red Hat box running as my firewall using iptables. I also have
an anti-virus scanning appliance inside our network that all incoming email
traffic is directed to for scanning. All rerouting is done by iptables.
    Our actual email server that our users get their mail from resides off
site, external to our firewall.
    Also, the firewall is our outgoing SMTP hub running postfix. Any email
destined for our domain is rerouted inside to our av scanner. Incoming email
bypasses postfix and is sent directly to the av scanner. (Postfix only
listens on the internal interface).
    Once scanned, the email is submitted to our SMTP hub to be mailed out to
our actual mail server, offsite.
    We have two mx records for our internet dns. MX 10 points to our
firewall so that incoming mail gets scanned. MX 20 points to the offsite
email server. This works because once mail is submitted to our firewall/SMTP
hub, postfix times out trying to send to MX 10 (of course) and then sends
the mail to MX 20.
    This works really well and is so far quite reliable. The only thing
about it is that since the mail destined for our domain has to timeout on
the first MX record, it takes quite a while to receive mail in and also to
send mail to someone locally.
    I thought about using iptables to just forward the connections directly
to the offsite mail server, but so far I have not been able to come up with
a rule or rules that would do the trick. I can't just forward all SMTP
connections from the av scanner directly to the offsite mail server as that
would also forward any bounce messages or other error messages to people
trying to send mail in. The offsite mail server will just refuse those
messages and that will just clog the av scanner with undeliverable/deferred
messages.
    In an attempt to find a way to do what I need to do with iptables, I
used tcpdump to attempt to isolate the smtp traffic coming from the firewall
machine as it attempted to deliver mail to our domain. I was trying to match
the host ip address of the firewall going to smtp to itself, but it never
matched. It only matched when it began to send the messages to the offsite
firewall.
    I thought about decreasing the timeout in postfix to reduce the amount
of time it takes to send the messages, but I don't want to affect mail going
to other domains.
    Any thoughts or ideas on how I may be able to speed up the delivery
times would be appreciated.
Thanks,

Bradley Brown
Systems Administrator
Segrest Farms, Inc
Gibsonton, FL
bradley@segrestfarms.com
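An added example of how the MX 10 timeout in this kind of setup is usually avoided at the Postfix layer rather than with an iptables rule (example configuration, not from the original post or its author); it assumes the local domain is example.com and the offsite mail server is mail-offsite.example.net.

```conf
# /etc/postfix/main.cf on the firewall/SMTP hub (added example; example.com
# and mail-offsite.example.net are assumed names, not taken from the post).
#
# Send mail for our own domain straight to the offsite server instead of
# resolving its MX records, so Postfix never tries MX 10 (this box) and
# waits for the connection to time out. Every other domain is untouched:
# bounces and error messages that Postfix generates for outside senders
# still go through the normal MX lookup, so the global smtp timeouts can
# stay as they are.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (rebuild with "postmap /etc/postfix/transport",
# then "postfix reload"). The square brackets tell Postfix to skip the MX
# lookup for the bracketed host and connect to its A record directly.
# example.com must already be accepted for relaying (it is, since the AV
# scanner can submit to this hub today) and must not be in mydestination,
# otherwise Postfix would try to deliver it locally.
example.com     smtp:[mail-offsite.example.net]
```

Connections from the firewall to its own public address travel over the loopback interface, which is why tcpdump on the outside interface never showed the MX 10 attempts; capturing with `tcpdump -i any port 25` shows them.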



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:24:25 EDT