RE: [SLUG] IPTables/Firewall/SMTP

From: Levi Bard (levi@bard.sytes.net)
Date: Wed Jun 11 2003 - 08:58:52 EDT


>> Why not send the mail directly from the av scanner to the "real" mail
>> server? Also, why not scan outgoing mail for virii as well?
>
> The firewall is the only machine that knows of an outside world and that
> is the way I like it. Allowing the av scanner access to the outside world
> even in such a small way as for smtp traffic is more potential trouble than
> I really want to deal with.
> Eventually we will be scanning outbound mail... but the system had to work
> correctly first. ;-)

Sorry, let me clarify. What I mean: let the firewall route outgoing smtp
traffic from the av scanner to its nominal destination. The incoming mail
would still go to the "real" mail server offsite (which only accepts
outside traffic destined for your domain, hopefully), and only mail from
that server or from the internal clients would be relayed to the scanner.
Smtp traffic from everywhere else would be dropped by the firewall.

>>
>> Then it would be a simple matter of transparently routing all av scanner
>> traffic to where it "wants" to go, and bouncing all incoming and internal
>> mail to the av scanner.
>
> I actually attempted this and wound up creating an open relay out of my av
> scanner... took me three days to get our domain cleared from the rbl's!
> Again, letting the firewall make the decisions in this case, I feel is the
> wisest... even if I am being overly cautious.

If your scanner ended up being an open relay, it seems like you may have
been masquerading your incoming connections - I inadvertently did this at
one point as well.

However, I see that you've found a solution using the postfix
configuration, so all this has become purely academic.

Levi
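The design Levi sketches above, as an added example that is not part of the original thread (editor's iptables rules, not anything the participants posted). All interface names, addresses and the `IPT` variable are assumptions for illustration. The rules do what the message describes: inbound port 25 is accepted only from the offsite mail server and transparently redirected (DNAT) to the scanner with no source NAT on that path, only the scanner may open outbound port 25, and every other forwarded SMTP connection is dropped. A second function shows the inbound masquerading rule that Levi suspects created the open relay: once every connection reaches the scanner from the firewall's own inside address, a scanner whose relay policy trusts that address (Postfix `mynetworks`, for example) will relay for anyone.

```shell
#!/bin/sh
# Added example, not code from the original thread. Every interface name,
# address and the IPT variable below is an assumption for illustration.
#
#   WAN_IF      firewall's outside interface
#   LAN_IF      firewall's inside interface
#   FW_LAN_IP   firewall's address on the inside network
#   SCANNER     internal AV scanner (Postfix listening on tcp/25)
#   MAILSERVER  offsite "real" mail server for the domain
#
# IPT defaults to the real iptables binary; set IPT=echo for a dry run that
# prints the rules instead of loading them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"
SCANNER="${SCANNER:-192.168.1.25}"
MAILSERVER="${MAILSERVER:-203.0.113.10}"

# Rules for the design in the message: the firewall decides who may talk SMTP.
smtp_rules() {
    # Return traffic for connections the rules below already allowed.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The firewall itself never accepts SMTP from the outside.
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 25 -j DROP

    # Inbound: only the offsite mail server may reach port 25, and its
    # connections are transparently redirected to the scanner. There is
    # deliberately no SNAT/MASQUERADE on this path: the scanner sees the
    # mail server's real address, so its own relay checks still apply.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 \
        -s "$MAILSERVER" -j DNAT --to-destination "$SCANNER"
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport 25 \
        -s "$MAILSERVER" -d "$SCANNER" -m state --state NEW -j ACCEPT

    # Outbound: only the scanner may open connections to port 25 outside.
    # Internal clients submit to the scanner directly on the LAN, so the
    # firewall never sees that traffic; any attempt by a client to go out
    # on port 25 itself falls through to the DROP at the end.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -s "$SCANNER" -m state --state NEW -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -p tcp --dport 25 \
        -s "$SCANNER" -j MASQUERADE

    # SMTP from anywhere else, in either direction, is dropped.
    "$IPT" -A FORWARD -p tcp --dport 25 -j DROP
}

# The mistake Levi suspects: masquerading the inbound connections as well.
# Every connection then arrives at the scanner from FW_LAN_IP. If that
# address is in the scanner's trusted network list (Postfix mynetworks, for
# example), the scanner relays for anyone who can reach port 25, i.e. it is
# an open relay. Shown for contrast only; never load this rule.
open_relay_mistake() {
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -p tcp --dport 25 \
        -d "$SCANNER" -j SNAT --to-source "$FW_LAN_IP"
}

# Load the rules only when asked explicitly: sh smtp_rules.sh apply
if [ "${1:-}" = "apply" ]; then
    smtp_rules
fi
```

Run with `IPT=echo sh smtp_rules.sh apply` first and read the printed rules; the thing to check on the inbound path is that the only nat rule touching the scanner's address is the DNAT, so the scanner's logs show the offsite mail server's real address and its relay restrictions keep working.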



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:27:17 EDT