Solved

Setting up mailscanner with exim for passthrough to exchange

Posted on 2004-03-23
13
1,140 Views
Last Modified: 2007-12-19
A company has a NT4 server running Exchange 5.5 sp4 on a local network with port 25 forwarded to it for receiving mail purposes.  The company's IP address matches the MX record.  At this point they are not willing to upgrade their Windows server but are concerned about the amount of Spam and virus email they receive.

I would like to set up a Linux box (preferably Debian) to sit on the LAN and take all the incoming port 25 messages, scan them for viruses and spam, and immediately forward them along to the exchange server.  I only care about incoming mail, if it is more simple I'd rather just have the exchange server handle the outgoing mail.

I have been reading up on this and I'd like to use Exim with Mailscanner, which appear to integrate really well with Spamassassin and a scanner like f-prot.  I do understand how Exim receives mail and scans it, but I have not found any information on how to configure Exim to pass the mail to the exchange server.

Let's say I make the Linux box 192.168.1.20.  The MX record points to the router, which points port 25 to 192.168.1.20 (the Linux box).  Exim receives and processes the mail...  How does Exim at this point know to push the message along to the exchange server (call it 192.168.1.25)?  Do I need to create an alias for the domain, do I hard-code the IP address into exim.conf, or what?

I would also like to enable the Linux box to poll the exchange server for HAM (legit mail marked as spam) and run sa-learn on it.  This isn't necessary but it would be nice.

Thank you for all of your comments.
0
Comment
Question by:raybass
13 Comments
 
LVL 40

Assisted Solution

by:jlevie
jlevie earned 100 total points
ID: 10662491
I'd suggest using Sendmail rather than Exim since Sendmail is the "native MTA" for MailScanner development. Since this server will simply be a relay server the Sendmail config will be very simple and the differences in Exim vs Sendmail probably won't apply. It'll pretty much wind up being a "set it up and let it run sort of thing".

There are a few different ways that one can configure Sendmail to act as an inbound relay, depending on how you want it to work. My preference, although it does incur a slightly greater administrative burden, is to give the Sendmail server the knowledge of all of the local accounts and accomplish the relay with either aliases (single domain) or virtusertable (multiple domains). This helps reduce the load on the exchange server because Sendmail will then only be forwarding mail that corresponds to an account on the exchange server. It's also possible to tell Sendmail to relay everything, regardless of whether it is for a valid account or not, to exchange via virtusertable or relay-domain. Note that relay-domain can't be used if you want to have any local accounts on the Mail Relay system. When using aliases for forwarding the aliases records look like:

user:             user@exchange.domain.tld

and for virtusertable they are similar:

user@domain.tld       user@exchange.domain.tld


I also prefer to configure the exchange server to use the Sendmail box as an outgoing relay. This allows any internal virus infections to be quarantined within your domain and via the virus reports those machines can be readily identified.

There are two ways to get SPAM/HAM from the exchange server to the Mail Relay. One would be to configure the spam & ham "accounts" on exchange to forward everything to the accounts on the Linux server. The other, if the IMAP or POP connector is installed on exchange, is to use fetchmail on Linux to retrieve messages from those exchange accounts.
0
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 10662712
Use eximconfig to set up your exchange server as the smarthost value.
0
 
LVL 3

Author Comment

by:raybass
ID: 10665162
Thanks for the replies, both of you.  I'll experiment with it and report back.
0
 
LVL 3

Author Comment

by:raybass
ID: 10665243
jlevie,

how would I look to configure sendmail to relay to another host without creating a local user account for everyone on the exchange server?  I'm looking for as little administrative hassle as possible.

thanks
0
 
LVL 20

Accepted Solution

by:
Gns earned 400 total points
ID: 10666764
When I (not so long ago) set this type of mx-gateway up, I chose Postfix (for security and ease of configuration)... But Exim should do equally well:).
(Jim, you'd recommend Sendmail anyway...:-):-)
To my way of thinking there is little need to investigate Sendmail, apart from some "statistics packages for MailScanner" that seem to presume a Sendmail implementation.

Regardless of MTA, the structure will be the same with two mailservers (one for incoming and one for outgoing)... And I do agree with Jim that you should perhaps aim at letting the mx-gateway handle both incoming and outgoing mails.

If you have both a "local DNS on the LAN" holding a "local" MX record, and a public MX record on the internet (perhaps provided by your service provider), you would only need to make sure that the public one would point to the externally visible router which in turn would pass all mails to the mx-gateway... And the mx-gateway should query the local DNS(es) for the local MX record which would point to the MSexchange server... And then you could either let the MSexchange handle outgoing mail (leave as is), or better yet set up the mx-gateway as "smarthost"... Don't remember exactly where the setting is on 5.5 (we have 2k, unfortunately).
Handling outgoing mails through MailScanner makes it less probable that you will succeed in sending viral emails, insulates you from the usual brew of M$ builtin stupidity, makes it easy to do things like enforcing plaintext messages and makes it possible to snoop/archive the entire mass of email traffic in a very convenient way. Choice is yours though:-).

If you set up a smarthost value for the outgoing exim server... Then you'll not be able to pass the outgoing mails from exchange through the mx-gateway... Unless you can limit the "smartness" on the exim side to only include the local domain (this would be fairly easy to do in Postfix, so I imagine exim wouldn't be that hard either).

One nice thing I've done with Postfix (the incoming server) is to implement a "relay_domain_users_map" type of list... This ensures we only handle mails for valid recipients at the SMTP "RCPT TO: " level... never receiving any misaddressed mails at all, and thus (since we never generate the NDRs... that'd be the sending server's duty:) cannot be used for "NDR-spamming".
I've got a little script running periodically that runs an ldapsearch of our AD (in your case it would be the MSexchange server holding this info) for valid addresses, to update the map file. Upon request I might be persuaded to share it (it's very simple, but since it interacts with the AD it needs "login info" etc... 5.5 probably doesn't need that).

-- Glenn
0
 
LVL 3

Author Comment

by:raybass
ID: 10668683
Glenn,

What you are talking about seems like what I want to do.  I've never heard of this beast of 'local MX records' before though!!  And truthfully, I don't trust that the dns server on the local network is advanced enough to handle MX records.  Could I set up bind9 on the linux box and just tell it to use the localhost for all dns queries?  If so, how the heck do I set a local MX record?  Forgive me for asking this as well, I just spent 20 minutes googling and looking through all the bind documentation I could find and found no definite answer.  Thanks again.
0
 
LVL 3

Author Comment

by:raybass
ID: 10668997
I'm experimenting.. I think I got the local mx with a local zone created to mimic the outside one, so local mx queries for the outside hostname point where I want them to.  this is so cool.  :)
0
 
LVL 20

Assisted Solution

by:Gns
Gns earned 400 total points
ID: 10669016
You are quite welcome to ask!
"Local" is just a "point of view" type of thing:-). My guess is that you have an old bind implementation "in disguise"... More commonly known as "M$ DNS";-). Has worked OK for us since ... way back. Just check that the MX record on this/these DNS(es) point to your exchange server (I'm guessing they already do, in which case you're all set to go...:-).
You do have a "public MX record" handled by your ISPs DNSes, right?
Don't hesitate to ask again if you can't make sense of what I'm saying... I'll try to rephrase as best as I can:)

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 10669027
The local MX should be for your domain... You knew that:-)

-- Glenn
0
 
LVL 3

Author Comment

by:raybass
ID: 13090126
If you guys are still around.... I just wanted to tell you that I finished my project quite some time ago using amavisd-new instead of mailscanner, and I ended up writing a tutorial on it, if you were interested:

http://www.raygibson.net/kb/amavis/

Thanks again for helping me along in the first place.
0
 
LVL 20

Expert Comment

by:Gns
ID: 13092329
I (still) think MailScanner is a better solution (richer feature set, can handle larger volumes...), but... amavisd-new is fine too. Very nice HOWTO Ray, thanks for sharing.
Do you implement callout for recipient (and perhaps sender) verification at the exim level?

-- Glenn
0
 
LVL 3

Author Comment

by:raybass
ID: 13093949
callout... do you mean verification that the user actually exists before the mail is passed?  If that's what you're asking, no I do not.  Though on one server I set up, now that the filters have been trained, it drops anything that spamassassin marks over 10, so the exchange has a lot less to deal with anyway.
0
 
LVL 20

Expert Comment

by:Gns
ID: 13101195
> callout... do you mean verification that the user actually exists before the mail is passed?  If that's what you're asking,
> no I do not.
Yep, that's more or less it. A good thing to do for recipients you relay to exchange, since you'll not be susceptible to "NDN-spamming" (meaning a spammer can't send the payload to you with the destination as the forged sender.... Letting exchange generate a nice NDN that goes back to it...).
As you say, dropping or quarantining any highscoring spam will greatly alleviate this.

Only bad thing with recipient verification is that you could be vulnerable to a dictionary attack (mapping out your valid recipients)... But as of yet this is a) uncommon, and b) a lesser evil than handling all those mails that really aren't *your* problem... It should be *their* problem, and rejecting at the MTA will make it so.

At least in the docs for exim, this looks fairly simple to implement:-).

Cheers
-- Glenn
0
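The two pieces discussed in this thread, routing mail for the company's domain straight to the Exchange box (the original question, and Glenn's accepted answer about smarthost vs. local MX) and rejecting unknown recipients at RCPT TO time with a callout (Glenn's last comment), fit together in one Exim 4 configuration. The fragments below are an added example written for this page; they are not Ray's tutorial, the MailScanner project's sample config, or anything posted in the thread. They assume Exim 4 syntax, the addresses from the question (gateway 192.168.1.20, Exchange 192.168.1.25), and a placeholder domain `example.com`; the MailScanner/amavisd-new hook and the rest of a working exim.conf are left out.

```exim
# Added example, not from the thread: Exim 4 fragments for an inbound gateway
# that relays example.com (placeholder domain) to Exchange at 192.168.1.25.

# ---- main section ----
domainlist relay_to_domains = example.com
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.1.0/24

# Run this ACL for every RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

# ---- ACL section ----
begin acl

acl_check_rcpt:
  # Mail from the LAN is accepted for any destination, so Exchange can later be
  # pointed at this box as its outgoing smarthost without a separate server.
  accept  hosts = +relay_from_hosts

  # Dictionary-attack caveat from the thread: slow down a host that probes many
  # recipients. The ratelimit condition needs Exim 4.50 or later.
  defer   ratelimit = 30 / 1m / per_rcpt / strict
          message   = too many recipients from this host, try again later

  # For the relay domain, ask Exchange whether the mailbox exists before
  # accepting. The callout opens an SMTP session to the host chosen by the
  # to_exchange router and sends RCPT TO; a 5xx answer is passed back to the
  # sending server, so this gateway never generates its own NDR for unknown
  # users. defer_ok: if Exchange is unreachable, accept rather than reject.
  accept  domains = +relay_to_domains
          verify  = recipient/callout=30s,defer_ok

  # Anything else is not ours: refuse at RCPT time, nothing is queued or bounced.
  deny    message = relay not permitted

# ---- routers section ----
begin routers

# Hard-codes the Exchange address in exim.conf, as the question asked: no DNS MX
# lookup is involved, so no "local MX" zone is required for routing to work.
to_exchange:
  driver     = manualroute
  domains    = +relay_to_domains
  transport  = remote_smtp
  route_list = * 192.168.1.25 byname

# Destinations outside the relay domain (outgoing mail from the LAN) are routed
# by the public MX records. Only LAN hosts reach this router, because the ACL
# above rejects foreign recipients from everyone else.
dnslookup:
  driver     = dnslookup
  domains    = ! +relay_to_domains
  transport  = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8

# ---- transports section ----
begin transports

remote_smtp:
  driver = smtp
```

Order matters in the ACL: the LAN accept comes first so that Exchange's own outbound mail is never subjected to the callout or the rate limit, and the generic deny comes last so that an internet sender can only ever get a recipient accepted for example.com and only after Exchange has confirmed the mailbox. This is the Exim equivalent of the "limit the smartness to the local domain" split Glenn describes for Postfix: manualroute applies to example.com only, dnslookup handles the rest.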
