Author: Peter Bowyer Date: To: exim-users Subject: Re: [exim] handling reject/deny comms in a 2-exim setup
On 10/06/07, snowcrash+exim-users <schneecrash+exim-users@???> wrote: > iiuc NOW, that refers ONLY to the,
>
> > reject invalid recipients at the edge
>
> you mention, leaving me with the probelm on content scan, is that correct?
Correct
> > - configure the content scan on the edge server, but have it call a
> > scanner on an internal server. This might work depending what
> > scanner(s) you're using.
>
> i'm using CLAMAV & SPAMASSASSIN. both of which can listen on either
> UNIX socket or over TCP.
Look at the content scanning stuff in the docs, you can configure the
spam and malware scanner functionality to call a TCP socket. But this
might not do what you want - I don't know if in these particular
cases, Exim will pass the content to be scanned across the socket -
I've a sneaky suspicion it just passes a path/filename - relying on
the process the other end of the socket to open the content file
directly. So you'd need to do this over NFS or similar. Getting nasty.
> > Then the edge server can reject inline when
> > it finds bad content - this is the right way to do it.
>
> my main worry with this approach -- which may be something I have to
> live with if i choose to do it -- is that the message will make
> multiple network traversals from "edge" to "core", even for an OK
> message.
Yes - is internal network traffic that expensive, though?
> > - use a SMTP proxy on the edge server instead of an MTA. This will
> > make the internal server do all the work.
>
> per an earlier recommendation, i'd looked at ASSP as an SMTP proxy ---
> but my understanding was that if deployed ON the "edge" router, the
> 'work' would be done there as well ...
I didn't mean an intelligent proxy like ASSP, which does indeed do the
'work', I meant a simple pass-through proxy - perhaps even just a
reverse NAT. Then there's no work at all on the edge server. In fact,
you don't then need the edge server at all.