1) MX1 = first relay used to filter via rbls only, then rest relayed to MX2
2) MX2 = 2nd relay used with spamassassin and ClamAV for more filtering,
then rest to the various domains hosted on different servers
-- no local users on MX2
I'm trying to eliminate the backscatter or blowback to MX1 from MX2
for rejected emails.
These MXes are handling about 100k emails daily.

Hi Jack,
procmail probably isn't the right tool for this. You could hack it to
make it work, but I doubt that it's worth the effort. You're also
going to have a heck of a time trying to figure out what's valid
mail and what isn't with your filters (this is the voice of experience
speaking!) You can easily eliminate double bounces by setting
DoubleBounceAddress to an alias that calls procmail, but this won't
address bounces to valid forged addresses (which will get you listed
on spamcop). For those, you could use sendmail rules to rewrite
the envelope sender to a local address on mx1, so something like
yayimaspammer(_at_)example(_dot_)com
might end up being
bounce+yayimaspammer=example(_dot_)com(_at_)yourdomain(_dot_)example(_dot_)com
Then bounce could be a local address and you could filter through
procmail by checking the envelope sender, dropping messages you
don't want to bounce, and rewriting the header again to bounce
to those that you think are valid.
The easiest free solution is to have MX1 keep a local alias or
mailertable file that lists all accounts, and only forward those that
are valid.
It's also a pain in the butt to manage (another voice of experience),
so I'd highly recommend using a milter like milter-ahead for this.
If you've got 100K emails per day you're probably in a position to
pay the one-time $180 fee (or whatever the current exchange rate is
for 90 GBP). Here's the milter-ahead description:
From http://www.snertsoft.com/solutions.php#milter_ahead
This milter implements a "call-forward" technique, which is similar
to a "call-back" (see below), but intended for use by mail gateways
that desire a method of verifying that the recipient of a message
exists on an authoritative mail store before the gateway accepts
the message. Think of it as a poor man's LDAP. Many mail systems
split the functions of mail transfer and that of storage & retrieval
over two or more systems. Historically a mail gateway would always
blindly accept and forward mail to their mail store, but spammers
will often send mail to a domain using a dictionary of user names,
resulting in many error message returns that can sometimes saturate
the mail gateway. Often this situation is compounded by the mail
gateway queuing those useless error messages for days as they
attempt to send them back to the spammers that used throw away
domains or mail servers that are now "off", eventually resulting in
hundreds of "double-bounce" errors being sent to the mail gateway's
postmaster mailbox.
We went through all of this same stuff at NCSA and found milter-ahead
to be the best possible solution. It's been in production for close
to a year now without any problems, the load on our MX2 server is
significantly lower, and it only took a day for me to install. We also
ended up purchasing the milter-spamc to do one time spam filtering
on each SMTP transaction instead of doing it at the delivery stage
through procmail, saving tons of processing time. Our milter-spamc
configuration only adds a spam score header which we later filter on
through procmail.
Chris
----------------------------------------------------------------------
Christopher Lindsey Technical Program Manager
National Center for Supercomputing Applications (NCSA)
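
The call-forward check described in the milter-ahead text above, sketched in Python as an added example (not code from this thread and not milter-ahead's own implementation). The function names, the HELO name mx1.example.com and the choice to tempfail on any probe failure are assumptions made for the illustration.

```python
import smtplib

ACCEPT, REJECT, TEMPFAIL = "accept", "reject", "tempfail"


def decide(code):
    """Map the mail store's RCPT reply code to the gateway's own answer."""
    if 200 <= code < 300:
        return ACCEPT    # recipient exists: relay the message onward
    if 500 <= code < 600:
        return REJECT    # unknown user: refuse at RCPT time, no bounce is queued
    return TEMPFAIL      # 4xx or unexpected: ask the sender to retry later


def call_forward(rcpt, store_host, store_port=25,
                 helo_name="mx1.example.com", timeout=10):
    """Ask the authoritative mail store whether it would accept rcpt.

    Only the envelope is exchanged; the session ends before DATA, so no
    message is delivered. Any connection or protocol failure is a tempfail
    (an assumption of this sketch), so an outage of the store never turns
    into rejected valid mail.
    """
    try:
        with smtplib.SMTP(store_host, store_port,
                          local_hostname=helo_name, timeout=timeout) as smtp:
            smtp.helo()
            code, _ = smtp.mail("")          # null sender <> for the probe
            if not 200 <= code < 300:
                return TEMPFAIL
            code, _ = smtp.rcpt(rcpt)
            return decide(code)
    except (OSError, smtplib.SMTPException):
        return TEMPFAIL


if __name__ == "__main__":
    # Constructed reply codes, showing the gateway's answer for each.
    for code in (250, 450, 550):
        print(code, "->", decide(code))
```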