[exim] infrastructure design and security

Hi guys,

a friend's company's intranet is screened off by two DMZs from the
internet. On the outer firewall they have an smtp proxy which is
accepting all mail before handing them over to the internal exchange server.

Since the firewall's smtp proxy is a dumb-ass, it accepts every single
arriving mail, without any check whatsoever, naturally producing
collateral spam, in case the mail can not be delivered by the internal
exchange server.

I recommended using exim with sa and clamav to do protocol-time spam-
and virusscanning and avoid collateral spam. This would be accomplished
by putting them on a box in the outer DMZ and turning off the firewall's
smtp proxy.

My friend had two objections to this, both stemming from security concerns:
1. Currently, nobody has direct access to any box in the outer DMZ. So
an attacker would need to break into the smtp proxy of the firewall
first, for which the manufacturer assumes liability. On the other hand,
open source software running on an open source OS does not assume
liability in case of break-ins.
2. Since machines in the outer DMZ can be potentially hacked, putting
the virus scanner there instead of the inner DMZ, seems risky to my
friend. Because if the virus scanner on the exim machine gets hacked, it
can be manipulated to never detect any virus, and then he would have no
protection against email-borne viri.

Still, judging from reading the list, it seems that the concept of
running exim plus sa and clamav on one box accessible from the big bad
internet seems a common approach. How do you guys address my friend's
concerns? What countermeasures do you take? Is anybody aware of an
exploit of exim?

Thanks for your feedback.
Patrick