Re: [Exim] Split services exim / spamassasin / amavis

Author: Bruce Richardson
Date:  
To: Exim users list
Subject: Re: [Exim] Split services exim / spamassasin / amavis
On Wed, Mar 24, 2004 at 11:40:00AM +0100, Volker Lieder wrote:
> Hello List,
> we have a mail server with the services listed above.
> Because of a high load on the machine we want to install a 2nd machine which
> handles the services amavis and spamassassin.
> The MX-Record for our domain shows the actual running machine.
> This machine should get the mails, send them for virus and spamchecking to the 2nd machine.
> The 2nd machine should after checking send the mails back to the first machine
> which contains the mailboxes.
> Has anybody such an installation running or information for a setup?


Spamassassin will be the least difficult problem: if you are running spamassassin
from a classic filter, you simply need to change the host that spamc is
connecting to. If you are using exiscan, all you have to do is change
the spamd_address parameter.

As for running amavis on a separate box, you simply need to configure
the MTA on the amavis box to route all mail through the original box.
Then you need a router on your original box that routes all the mail
that you want virus-scanned through the amavis box. Something like
this:

    viruscheck:
      driver = manualroute
      # Skip mail that has already come back from the amavis box
      condition = ${if eq {$sender_host_address}{AMAVIS}{no}{yes}}
      route_list = * AMAVIS byname
      transport = remote_smtp
      no_verify

Where AMAVIS is a macro containing the IP address of the amavis box.
Now, the above example isn't the most secure, since somebody
compromising the amavis host could send anything they wanted. So you
might want to take any or all of the following precautions:

    1.  Add another NIC to the original box and put the amavis box
        on a private subnet visible only to it and the original box.

    2.  Add a cryptographic header to all mail routed through the
        amavis box.  Have the amavis box add a second header to all
        mail it receives from the original box.  Check for both on
        any mail that the original box receives back.

You also need to take extra care with bounce messages.

--
Bruce

The ice-caps are melting, tra-la-la-la. All the world is drowning,
tra-la-la-la-la. -- Tiny Tim.
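
The second precaution in the message above (two cryptographic headers, both checked when mail comes back), as an added Python example that is not part of the original message. The header names, the keys, and the choice of HMAC-SHA256 over the Message-ID are assumptions; both boxes are assumed to hold the two secrets.

```python
import hashlib
import hmac
from email import message_from_string

# Constructed demo secrets; header names are assumptions, not from the post.
MAIN_KEY = b"constructed-original-box-secret"
SCAN_KEY = b"constructed-amavis-box-secret"
OUT_HDR, BACK_HDR = "X-Scan-Request", "X-Scan-Result"

# Constructed sample message.
SAMPLE = (
    "From: alice@example.org\nTo: bob@example.net\n"
    "Message-ID: <constructed-1@example.org>\nSubject: hi\n\nbody\n"
)


def make_tag(key, msg, chained=""):
    # Only the Message-ID is covered, because the scanner may rewrite the body.
    data = (msg.get("Message-ID", "") + "\n" + chained).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def stamp_outbound(msg):
    """Original box: strip sender-supplied copies, then add the first header."""
    del msg[OUT_HDR], msg[BACK_HDR]
    msg[OUT_HDR] = make_tag(MAIN_KEY, msg)
    return msg


def stamp_scanned(msg):
    """Amavis box: add the second header, chained to the first one."""
    del msg[BACK_HDR]
    msg[BACK_HDR] = make_tag(SCAN_KEY, msg, msg.get(OUT_HDR, ""))
    return msg


def accept_returned(msg):
    """Original box: treat mail as scanned only if both headers verify."""
    out, back = msg.get_all(OUT_HDR) or [], msg.get_all(BACK_HDR) or []
    if len(out) != 1 or len(back) != 1:
        return False  # missing or duplicated headers are rejected outright
    ok_out = hmac.compare_digest(out[0].encode(), make_tag(MAIN_KEY, msg).encode())
    ok_back = hmac.compare_digest(
        back[0].encode(), make_tag(SCAN_KEY, msg, out[0]).encode())
    return ok_out and ok_back
```

Because the tag covers only the Message-ID, this check stops mail that never passed through the original box from being accepted as scanned; it does not detect a changed body.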