On Mon, 9 Nov 2009, Jay Parker wrote:
> We have been using a Barracuda spam appliance delivering to a local mail
> system, and are migrating to hosting user email with Google Apps. We
> will be migrating users gradually, and rather than forward all users'
> email through the Barracuda to the local system and then forward some of
> them on to Google Apps, we (naively!) decided to point our MX records to
> a "front-end" exim box that could do LDAP lookups for recipient
> addresses and send email either directly to Google Apps or to the local
> system via the Barracuda.
>
> The problem with this arrangement (obvious to you, and now to me, but
> unanticipated) is that the Barracuda doesn't get the chance to reject
> the spam until after the front-end system has already accepted it,
Why not ask Barracuda to forward some of the emails they receive to
Google, and skip the local router?
> making me a potential source of backscatter unless I do something
> clever.
Not much clever about it except disabling bounces (unless your antispam
is at least as good as Barracuda/Gmail). I'm afraid I don't really know
how to disable bounces, but you could try excluding them from your
outbound SMTP router:
dnslookup:  (or smarthost:)
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
* # skip this router for bounce messages, which have an empty envelope sender
* condition = ${if eq{$sender_address}{}{no}{yes}}
  no_more
(add the lines marked with *; a router precondition cannot be negated with a
leading "!", so the empty-sender test is written as a condition)
> QUESTION 4: Is there any way to require stronger sender verification
> for responding with a bounce message than for the original receipt?
BATV.
> QUESTION 5: This is philosophical instead of technical, but I'm still
> trying to get my head wrapped around all the implications of the
> backscatter problem. Are there *any* sorts of bounce messages that are
> still practical to send out these days?
Yes, local bounces TO local users, i.e. that don't leave your mail system.
I would prefer not to accept bounces over the net, but I'm afraid that
falls foul of postmaster checks at least.
> gateway if it isn't? It starts to seem as if in order to completely
> avoid the possibility of backscatter, I'd have to avoid any sort of
> tiered SMTP design and have all MX records pointed directly to the
> final destination mail servers, which sounds like overkill.
It's OK to have tiered servers as long as your inbound
(Internet-reachable) servers can guarantee delivery of all mail that they
accept. Ideally, they would verify recipients and not forward email to
third-party systems that you cannot force to accept all mail.
> QUESTION 6: Are there any options for doing this right that still allow
> me to front-end the Barracuda with the exim box?
I don't think you'll keep the efficacy of the Barracuda service if it
can't check the sender's IP address, so I wouldn't like to try if I were
you.
Cheers, Chris.
--
_ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
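The one-word "BATV" answer to question 4, and the point in the answer to question 5 about not accepting bounces over the net, are easier to follow with a worked model of what BATV actually does. The Python below is an added example, not code from the thread; Exim has its own ${prvs{...}} and ${prvscheck{...}} expansion items for this, and the code here is a stand-alone model of the same idea. It tags the envelope sender of outgoing mail as prvs=KDDDSSSSSS=user@domain (K: key number, DDD: expiry day number mod 1000, SSSSSS: truncated HMAC), and an inbound policy function accepts a bounce (empty MAIL FROM) only when its recipient carries a valid, unexpired tag. The hash input, the day numbering, the secret, the dates and the addresses are this example's own assumptions, not the BATV draft's exact wire details.

```python
import hmac
import hashlib
import re
from datetime import date, timedelta

# Constructed sample values for the example only. A real deployment keeps the
# secret outside the config and uses the key-number digit to rotate it.
SECRETS = {0: b"example-secret-rotate-me"}
TODAY = date(2009, 11, 9)                 # date of the thread, used as "now"
LATER = TODAY + timedelta(days=8)         # one day past the validity window
MAX_VALID_DAYS = 7
EPOCH = date(1970, 1, 1)

# prvs=<key digit><3-digit expiry day><6 hex sig>=<original address>
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<orig>.+)$")


def day_number(today):
    """Days since EPOCH; only its value mod 1000 is carried in the tag."""
    return (today - EPOCH).days


def _sig(key_no, ddd, address, secret):
    """Truncated HMAC-SHA1 over key number, expiry day and original address.
    (Hash input layout is this example's simplification, not the draft's.)"""
    msg = f"{key_no}{ddd:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def sign(address, secret, today, key_no=0, days_valid=MAX_VALID_DAYS):
    """Return the tagged envelope sender to use on outgoing mail."""
    ddd = (day_number(today) + days_valid) % 1000
    return f"prvs={key_no}{ddd:03d}{_sig(key_no, ddd, address, secret)}={address}"


def verify(tagged, secrets, today):
    """Check a bounce's recipient. Returns (ok, original_address_or_reason)."""
    m = PRVS_RE.match(tagged)
    if not m:
        return False, "no prvs tag"
    key_no, ddd, orig = int(m["k"]), int(m["ddd"]), m["orig"]
    secret = secrets.get(key_no)
    if secret is None:
        return False, "unknown key number"
    # Modulo arithmetic handles the 1000-day wrap; anything further ahead
    # than the validity window is really a tag that already expired.
    remaining = (ddd - day_number(today) % 1000) % 1000
    if remaining > MAX_VALID_DAYS:
        return False, "tag expired"
    if not hmac.compare_digest(_sig(key_no, ddd, orig, secret), m["sig"]):
        return False, "bad signature"
    return True, orig


def bounce_policy(envelope_sender, rcpt, secrets, today):
    """Decision an inbound ACL would take at RCPT time: a bounce (empty
    envelope sender) is accepted only for a recipient we signed recently,
    so bounces for mail we never sent are refused at SMTP time instead of
    being accepted and then bounced onward (backscatter)."""
    if envelope_sender != "":
        return "accept"   # not a bounce; normal recipient/spam checks apply
    ok, _ = verify(rcpt, secrets, today)
    return "accept" if ok else "reject"


if __name__ == "__main__":
    tagged = sign("alice@example.org", SECRETS[0], TODAY)
    print("outgoing MAIL FROM:", tagged)
    print("bounce to tagged address today:",
          bounce_policy("", tagged, SECRETS, TODAY))
    print("bounce to tagged address 8 days later:",
          bounce_policy("", tagged, SECRETS, LATER))
    print("bounce to untagged address:",
          bounce_policy("", "alice@example.org", SECRETS, TODAY))
```

The policy function is the part that matters for question 5: with tags in place, bounces arriving over the net to untagged or expired addresses can be rejected in the ACL, while genuine bounces for mail you really sent still get through.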