On Fri, 2007-06-08 at 08:26 -0700, snowcrash+exim-users wrote:
> hm, ok re: the DENYs ...
>
> i'm not clear, though, as to why i would/might generate bounces, and
> more than normal, i presume.
>
> is this 2-box config, with one Gateway "front-ending" one/many other
> servers a fairly common implementation scenario?
Yes, it is. It's also a well-documented way to generate backscatter,
assuming that the "edge" Exim instance doesn't have full knowledge of
the valid recipients of the "core" Exim. The fact that you are running
Exim in the first place makes this less likely, as you can share
userlists trivially (or "on demand" with recipient verification callouts
from your "edge" server to the "core" server).
> mostly, yes. AND, an attempt to let the router/fw box do its job and
> keep as much 'noise' off my LAN as possible. once an inbound email
> passed all the non-content-scanning filters & incremental delays @ the
> gateway, its odds of being rejected "just" on virus/spam content would
> be significantly lower -- not zero, i know.
As long as you have consistent configuration on each machine, the
likelihood of an AV/AS hit on the "core" machine is zero.
> i'd considered this, but decided against because i thought i'd be
> significantly increasing network/lan traffic due to "multiple passes"
> of the offloaded message.
>
> e.g., for an "ok" message, the message would pass back-n-forth to the
> LAN-server/scanner *5* times,
>
> gateway -> lan AV scanner
> lan AV scanner -> gateway
> gateway -> SA scanner
> SA scanner -> gateway
> gateway -> IMAP store
>
> which _seems_ to me a 'bad' way to do things.
...and is also not correct.
The reality would be:
Data     Flow          Type
Message  edge -> core  AV scan
Result   core -> edge  Hit/Not hit
Message  edge -> core  SA Scan
Result   core -> edge  SA report
Message  edge -> core  Message delivery
Note that the "Result" data is far smaller, in most cases, than the
message itself; and that the first pass will only take place for
messages with MIME parts of an appropriate type anyway (the malware
condition is quite choosy, as it should be).
> am i just better off avoiding the gateway altogether, and passing the
> message to the lan-based server in the first place? if so, that seems
> counterintuitive ...
Nope.
Make sure your gateway has knowledge in some way of the valid recipients
on your lan-based server, as previously mentioned. Run ClamAV on both
machines (this way you will catch *outbound* virus infections, too), but
SA on only one and call it accordingly from the gateway.
To reduce the load further, make use of Exim's ability to reject based
on various other criteria. I have a number of machines at my fingertips
which use fairly complex tests, but the first one - which is the most
effective - is a logic test to check the incoming IP against three DNS
blocklists, and reject the connection if 2 or more are hit. That stops
your AV/AS being triggered in the first place.
Graeme
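The 2-of-3 DNS blocklist test and the recipient-verification callout Graeme describes, sketched as an added edge-gateway configuration fragment that is not part of the thread. The blocklist names, the 192.0.2.10 "core" address and example.com are placeholders, and a router that already sends example.com mail to the core host is assumed.

```exim
# Edge-gateway Exim configuration fragment (illustrative, not from the thread).
# Assumed placeholders: dnsbl-{one,two,three}.example are DNS blocklists,
# 192.0.2.10 is the "core" Exim host, example.com is the hosted domain, and a
# manualroute router already sends example.com mail to 192.0.2.10.

acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt
acl_smtp_data    = acl_check_data

# Scanners run on the core box; the edge ships the message over for scanning.
av_scanner    = clamd:192.0.2.10 3310
spamd_address = 192.0.2.10 783

begin acl

acl_check_connect:
  # Per-connection counter; acl_c_ variables persist for the whole connection.
  warn  set acl_c_dnsbl_hits = 0
  # Each listing adds one hit; no single list rejects on its own.
  warn  dnslists = dnsbl-one.example
        set acl_c_dnsbl_hits = ${eval:$acl_c_dnsbl_hits+1}
  warn  dnslists = dnsbl-two.example
        set acl_c_dnsbl_hits = ${eval:$acl_c_dnsbl_hits+1}
  warn  dnslists = dnsbl-three.example
        set acl_c_dnsbl_hits = ${eval:$acl_c_dnsbl_hits+1}

  # Reject at connect time only when two or more lists agree.
  deny  condition   = ${if >{$acl_c_dnsbl_hits}{1}}
        message     = Rejected: $sender_host_address is on $acl_c_dnsbl_hits DNS blocklists
        log_message = DNSBL reject: $acl_c_dnsbl_hits of 3 lists hit
  accept

acl_check_rcpt:
  # Callout asks the core host whether it accepts this recipient, so unknown
  # addresses are refused during SMTP rather than accepted and later bounced.
  deny    domains = example.com
          !verify = recipient/callout=20s,defer_ok
          message = Unknown recipient $local_part@$domain
  accept  domains = example.com
  deny    message = Relay not permitted

acl_check_data:
  # ClamAV and SpamAssassin verdicts come back from the core host; only the
  # small result travels edge-ward, the message itself goes once per scan.
  deny  malware = *
        message = Rejected: malware detected ($malware_name)
  deny  spam    = nobody
        message = Rejected: classified as spam (score $spam_score)
  accept
```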