Discussion:
Relaying email to exchange
Kevin Blackwell
2013-02-14 19:31:14 UTC
I'm using postfix to relay email to our exchange server.

The problem I'm running into is the spam filtering on the exchange filter
is being bypassed because the relayed email shows a from address of the
email relay server and not the originating ip address.

Is there a way to configure postfix to relay mail but retain the received
from IP address when it was received by postfix?
--
Kevin Blackwell
Reindl Harald
2013-02-14 19:36:49 UTC
Post by Kevin Blackwell
I'm using postfix to relay email to our exchange server.
The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
email shows a from address of the email relay server and not the originating ip address.
Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
postfix?
wrong setup

the spamfilter has to be on the MX directly in front of
both machines and especially in front of exchange

what do you imagine happens if spam would be caught
on the exchange? well, it rejects while postfix in front
of it has received it

now you have two choices and both are completely wrong:
* get a backscatter
* drop messages which you accepted with 250 silently
which is not permitted per law
Kevin Blackwell
2013-02-14 20:41:27 UTC
I have 2 mx records. The primary is Exchange's edge server that has its own
internal spam filtering. The secondary is a postfix server relaying mail to
the edge server as a backup mx record. Are you saying the postfix server
should be behind the Exchange edge server?

Kevin
Post by Kevin Blackwell
I'm using postfix to relay email to our exchange server.
The problem I'm running into is the spam filtering on the exchange
filter is being bypassed because the relayed
email shows a from address of the email relay server and not the
originating ip address.
Is there a way to configure postfix to relay mail but retain the
received from IP address when it was received by
postfix?
wrong setup
the spamfilter has to be on the MX directly in front of
both machines and especially in front of exchange
what do you imagine happens if spam would be caught
on the exchange? well, it rejects while postfix in front
of it has received it
* get a backscatter
* drop messages which you accepted with 250 silently
which is not permitted per law
--
Kevin Blackwell
Reindl Harald
2013-02-14 21:10:00 UTC
DO NOT TOP POST IF YOU GOT A REPLY BELOW YOUR MESSAGE
ON MAILING-LISTS, SEE MY REPLY AT BOTTOM WHILE I REFUSE
TO REPAIR THE THREAD BECAUSE NOBODY WOULD PAY THE WORK
I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary
is a postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should
be behind the Exchange edge server?
Post by Kevin Blackwell
I'm using postfix to relay email to our exchange server.
The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed
email shows a from address of the email relay server and not the originating ip address.
Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by
postfix?
wrong setup
the spamfilter has to be on the MX directly in front of
both machines and especially in front of exchange
what do you imagine happens if spam would be caught
on the exchange? well, it rejects while postfix in front
of it has received it
* get a backscatter
* drop messages which you accepted with 250 silently
which is not permitted per law
i say simply the spam-filter has to be on the
MX and not on a relay server after, how you
design your infrastructure is yours
Is there a way to configure postfix to relay mail but retain the
received from IP address when it was received by postfix?
is simply impossible

your postfix connects to the exchange
the connection happens per TCP/IP

how do you imagine that postfix retains anything
in this case postfix is the client

the client is not in the position to decide what IP the
server sees for a connection, otherwise any netfilter
would be impossible, and no, throw away the idea to
rely on whatever headers for such decisions

i would never setup a mail system at all where the final destination
does spam-filtering, there are solutions dedicated for spam-filtering
and the already filtered mails are delivered to the final destination

no need for two MX records at all

one is enough - if it is down, well that is the reason for
why mail queues were invented, if the MX is down for
maintenance - so what, try later again deliver the
message, that is how SMTP was designed to work
Simon Walter
2013-02-15 00:30:05 UTC
Post by Reindl Harald
no need for two MX records at all
I think perhaps that is a bit of hasty advice. I'm quite sure given a
large enough infrastructure and traffic load that you'd want two or more
MX records with a different SMTP server sitting behind each IP address.
I could (and have been) wrong though.
--
htholidays.com
Luigi Rosa
2013-02-15 04:26:04 UTC
Post by Kevin Blackwell
I'm using postfix to relay email to our exchange server.
The problem I'm running into is the spam filtering on the exchange filter
is being bypassed because the relayed email shows a from address of the
email relay server and not the originating ip address.
Is there a way to configure postfix to relay mail but retain the received
from IP address when it was received by postfix?
As Reindl Harald pointed out, the spam filter should be in only one place: the
border server.

If you add something like (check the documentation before adding these parameters)

reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_rbl_client cbl.abuseat.org
reject_rbl_client sbl.spamhaus.org
reject_rbl_client pbl.spamhaus.org

to smtpd_recipient_restrictions you block nearly 90% of spam

My advice is to disable antispam on Exchange _and_ Outlook (if you have any)
and filter in just one point.

This is useful also if you want to debug the filter, i.e. if a user asks why a
mail has been rejected.

Of course smtpd_recipient_restrictions alone is not an antispam filter, you
should also add at least an antivirus scanner.



Ciao,
luigi

- --
/
+--[Luigi Rosa]--
\

Talk is cheap because supply exceeds demand.
cite+ (Stefan Foerster)
2013-02-15 05:20:35 UTC
Post by Kevin Blackwell
I have 2 mx records. The primary is Exchange's edge server that has its own
internal spam filtering. The secondary is a postfix server relaying mail to
the edge server as a backup mx record. Are you saying the postfix server
should be behind the Exchange edge server?
Wrong setup. If you have more than one MX, each of them should apply
the exact same content filter policies. Either buy a second Exchange
edge server or get rid of Exchange and buy a second MX running
Postfix.


Stefan
Reindl Harald
2013-02-15 09:59:23 UTC
Post by Reindl Harald
no need for two MX records at all
I think perhaps that is a bit of hasty advice. I'm quite sure given a large enough infrastructure and traffic load
that you'd want two or more MX records with a different SMTP server sitting behind each IP address. I could (and
have been) wrong though.
in this case the setup should be done by people who
know what they are doing and you unlikely have an
exchange as MX

having two MX and only one of them filters spam is dumb
the two MX must behave identical from outside
Mikael Bak
2013-02-15 13:11:28 UTC
Kevin,
Post by Kevin Blackwell
I have 2 mx records. The primary is Exchange's edge server that has its
own internal spam filtering. The secondary is a postfix server relaying
mail to the edge server as a backup mx record. Are you saying the
postfix server should be behind the Exchange edge server?
A rule of thumb is that if you must have a backup MX you should have the
same spam defence as on the primary one.
If you can't do that, I suggest you drop the backup MX.

Alternatively you can hide the exchange behind a postfix, but then you
should let postfix do the spam filtering and disable spam filter on the
exchange.

You must now ask yourself the question why you need a backup MX.

HTH,
Mikael
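
Added example (not part of any post in this thread): a Postfix main.cf fragment that combines Luigi Rosa's restriction list with Mikael Bak's suggestion to put Postfix in front of Exchange and filter there. The domain, the Exchange host name and the map file paths are placeholder assumptions; the two HELO restrictions are written with their Postfix 2.3+ names (reject_invalid_hostname and reject_non_fqdn_hostname are the pre-2.3 spellings).

```conf
# /etc/postfix/main.cf (fragment) - added example, placeholders throughout.

# Accept mail for the domain and hand it to Exchange instead of delivering
# locally. Assumed /etc/postfix/transport entry:
#   example.com    smtp:[exchange.internal.example.com]:25
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# Table of valid recipient addresses. With it, unknown users are refused
# during the SMTP session, so Postfix never accepts a message with 250 that
# Exchange would later reject (the backscatter case raised in the thread).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# The HELO restrictions below only bite if clients must send HELO/EHLO.
smtpd_helo_required = yes

# Evaluated in order for every RCPT TO. permit_mynetworks and
# reject_unauth_destination come first so the host is never an open relay.
# DNSBL zones are the ones named in the thread (2013); confirm each zone is
# still operated and that your use fits its terms before enabling it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org
```

Run `postmap` on both map files and `postfix check` before reloading; a rejection from any of these rules is logged with the restriction that triggered it, which helps when a user asks why a mail was refused.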
