The tricky thing with all designs is that they're so individual in taste
and function! But here's my take on the matter:
I'd personally put an al-cheapo box in front of the exim machine running
iptables and with a default INPUT chain policy of DROP, and then use
port-forwarding to pass port 25 connections on to the exim box on a
reserved IP address. This I tend to find takes a lot of work off the
mail server itself and lets it use CPU cycles for something more
constructive than dropping packets from skidiots who have nothing better
to do than run port scanners!
I'd then have the exim box listening on port 25, using exiscan against
MailAssassin for spam filtering (I just love that combination - works a
real treat!), as well as controlling executable attachment ingress and
using the demime and regex features as well.
I've also got a modified authpopd daemon which allows remote users to do
pop-before-smtp so that they can relay through the machine if they've
managed to successfully log in.
You can of course use TLS/openSSL in conjunction with all this, but I
wouldn't necessarily use opening a TLS/openSSL connection as an
"authentication" mechanism for allowing relaying (maybe I'm just
misinterpreting your mail here?).
Later
Konrad
On Thu, 2003-02-13 at 16:03, Brett Thorson wrote:
> I have configured exim to work with majordomo and mailman, and I think it is
> great. It is so nice not to have to go work with those sendmail configs
> anymore. So now I am trying to clean some stuff up, and implement some new
> features. I have a "design" floating around in my head, but I was wondering
> if someone might have the time to just take a peek at it to say "Right idea,
> do it" or "Oh my gosh you have it all wrong". Thank you VERY much in
> advance.
> ---------------------------
> The mail server would be outside the firewall, and be used for incoming e-mail
> from everyone, and relaying for employees outside our network (working from
> home, authenticated with TLS / OpenSSL).
>
> We would have a spam filter program accepting mail on port 25. If the mail
> passes through the filter, then it gets sent into Exim for processing on an
> unadvertised SMTP port. Exim would restrict connections to this hidden port
> to the output of the SPAM filter (Same machine basically). It would also
> stop relaying.
>
> I would also like to run a relay for home users. Using the SSMTP port, accept
> and verify users, and then allow that mail to be sent through anywhere.
>
> Do I have the basics right? Or would I look at an option where everyone
> connects to port 25. Then if they don't start a secure connection
> TLS/Openssl with authentication I deny forwarding, and pass them to the spam
> filter. If they do open a secure connection and authenticate properly, I let
> them do whatever they want.
>
> Advice, or even "Look at this document for clues" would be greatly
> appreciated. Thank you all so much for your support thus far. The user
> community here is great!
>
> Cheers
>
> --Brett Thorson
> Foretec Seminars Inc
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
--
***********************************************************************
*
* Konrad Michels
* System Administrator
* Surfkitchen Limited
* Abbey House
* 1650 Arlington Business Park
* Theale
* RG7 4SA
* United Kingdom
* Tel: +44 118 929 8079
*
***********************************************************************
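As an added illustration of the second design Brett describes (everyone connects to the public port, relaying is refused unless the client authenticates) and of Konrad's caveat that an encrypted session is not by itself an authentication, here is an Exim 4 configuration fragment written for this page; it is not code from either poster or from the Exim project. The domain, address ranges, certificate paths, the password file format and the variable name $tls_cipher (the older spelling of $tls_in_cipher) are assumptions. The relay decision hangs on the result of SMTP AUTH, while TLS is only used to protect the credentials in transit:

```exim
# Added example, not from the thread. Placeholders: example.com,
# 192.168.0.0/24, the certificate/key paths and /etc/exim/passwd.

# Listen on 25 for inbound MX traffic and on 587 for remote-user submission.
daemon_smtp_ports = 25 : 587

domainlist local_domains    = @ : example.com
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.0.0/24

# Offer STARTTLS to everyone, but advertise AUTH only once the session is
# encrypted, so LOGIN/PLAIN credentials never cross the wire in clear.
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/exim.crt
tls_privatekey       = /etc/exim/exim.key
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail for our own domains is always accepted (spam/virus checks go here).
  accept  domains = +local_domains

  # Relaying for the internal LAN, decided by source address.
  accept  hosts = +relay_from_hosts

  # Relaying for remote users only after a successful SMTP AUTH. This tests
  # the authentication result, not whether TLS is in use: an encrypted
  # session proves nothing about who the client is.
  accept  authenticated = *

  deny    message = relay not permitted

begin authenticators

# /etc/exim/passwd holds "user: cryptedhash" lines. In the LOGIN dialogue
# $1 is the user name and $2 the password the client supplied; a PLAIN
# authenticator is the same check with $2 and $3.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if crypteq{$2}{\{crypt\}${lookup{$1}lsearch{/etc/exim/passwd}{$value}fail}}{yes}{no}}
  server_set_id = $1
```

The `fail` on the lookup matters: without it an unknown user name expands to an empty hash and the comparison could succeed against an empty password. A client that merely negotiates STARTTLS and then tries to relay still reaches the final `deny`, which is the point Konrad makes above.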