Re: [exim] exim front-end to barracuda

Author: Chris Wilson
Date:  
To: Jay Parker
CC: exim-users
Subject: Re: [exim] exim front-end to barracuda
On Mon, 9 Nov 2009, Jay Parker wrote:

> We have been using a Barracuda spam appliance delivering to a local mail
> system, and are migrating to hosting user email with Google Apps. We
> will be migrating users gradually, and rather than forward all users'
> email through the Barracuda to the local system and then forward some of
> them on to Google Apps, we (naively!) decided to point our MX records to
> a "front-end" exim box that could do LDAP lookups for recipient
> addresses and send email either directly to Google Apps or to the local
> system via the Barracuda.
>
> The problem with this arrangement (obvious to you, and now to me, but
> unanticipated) is that the Barracuda doesn't get the chance to reject
> the spam until after the front-end system has already accepted it,


Why not ask Barracuda to forward some of the emails they receive to
Google, and skip the local router?

> making me a potential source of backscatter unless I do something
> clever.


Not much clever about it except disabling bounces (unless your antispam
is at least as good as Barracuda/Gmail). I'm afraid I don't really know
how to disable bounces, but you could try excluding them from your
outbound SMTP router:

dnslookup: (or smarthost:)
    driver = dnslookup
    domains = ! +local_domains
    transport = remote_smtp
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
    *! senders = :*
    no_more


(add the line marked with *...*)

> QUESTION 4: Is there any way to require stronger sender verification
> for responding with a bounce message than for the original receipt?


BATV.

> QUESTION 5: This is philosophical instead of technical, but I'm still
> trying to get my head wrapped around all the implications of the
> backscatter problem. Are there *any* sorts of bounce messages that are
> still practical to send out these days?


Yes, local bounces TO local users, i.e. that don't leave your mail system.

I would prefer not to accept bounces over the net, but I'm afraid that
falls foul of postmaster checks at least.

> gateway if it isn't? It starts to seem as if in order to completely
> avoid the possibility of backscatter, I'd have to avoid any sort of
> tiered SMTP design and have all MX records pointed directly to the
> final destination mail servers, which sounds like overkill.


It's OK to have tiered servers as long as your inbound
(Internet-reachable) servers can guarantee delivery of all mail that they
accept. Ideally, they would verify recipients and not forward email to
third-party systems that you cannot force to accept all mail.

> QUESTION 6: Are there any options for doing this right that still allow
> me to front-end the Barracuda with the exim box?


I don't think you'll keep the efficacy of the Barracuda service if it
can't check the sender's IP address, so I wouldn't like to try if I were
you.

Cheers, Chris.
-- 
_ ___ __     _
   / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
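
The BATV reply above, as an added illustration that is not part of the original message and is not Exim's own code: a simplified prvs-style signer and checker using the BATV draft's tag layout (key digit, three-digit expiry day, six hex digits of HMAC-SHA1). The secret, lifetime, addresses and function names are constructed for the example.

```python
import hashlib
import hmac

KEY_ID = 0                           # constructed: single-digit key number
SECRET = b"constructed-demo-secret"  # constructed: never reuse this value
LIFETIME_DAYS = 7                    # assumption: signed senders valid for a week


def _tag(local, domain, key_id, day):
    """K + DDD + first 3 bytes (hex) of HMAC-SHA1 over K, DDD and the address."""
    stamp = f"{key_id}{day:03d}"
    mac = hmac.new(SECRET, f"{stamp}{local}@{domain}".encode(), hashlib.sha1)
    return stamp + mac.hexdigest()[:6]


def sign_sender(address, today):
    """Rewrite an outbound envelope sender; `today` is days since 1970-01-01."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    expiry = (today + LIFETIME_DAYS) % 1000
    return f"prvs={_tag(local, domain, KEY_ID, expiry)}={local}@{domain}"


def check_bounce_recipient(rcpt, today):
    """Return the original address if `rcpt` has a valid, unexpired tag, else None.

    Apply only to messages arriving with the null sender (MAIL FROM:<>).
    """
    local_part, _, domain = rcpt.rpartition("@")
    domain = domain.lower()
    fields = local_part.split("=", 2)
    if len(fields) != 3 or fields[0].lower() != "prvs":
        return None                  # bounce to an address we never signed
    _, tag, local = fields
    if len(tag) != 10 or not tag.isascii() or not tag[:4].isdigit():
        return None                  # malformed tag
    key_id, expiry = int(tag[0]), int(tag[1:4])
    expected = _tag(local, domain, key_id, expiry)
    if key_id != KEY_ID or not hmac.compare_digest(tag.lower(), expected):
        return None                  # forged or altered tag
    # Day numbers wrap at 1000, so the age test is done modulo 1000.
    if (expiry - today) % 1000 > LIFETIME_DAYS:
        return None                  # tag has expired
    return f"{local}@{domain}"
```

Exim provides this natively through its `prvs` and `prvscheck` expansion items; the sketch only shows what the tag protects and why an unsigned bounce recipient can be refused at RCPT time.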