It's been an interesting day. I've been trying to come up with a new configuration for the university's mail servers that centers around Postfix. In the past we've used djb's qmail. Qmail has worked well for us but extending it to support features that allow it to continue to be useful in the hostile world of email-propagated viruses and spam has simply become too tedious.

At present we have three mail servers: inbound and outbound mail exchangers and a mail store. This structure has worked well for us and I see no reason to abandon it. The problem right now is that the roles of the two mail exchangers are not strictly enforced. Additionally, there are a lot of new features we'd like to add.

The inbound exchanger would ideally be able to make quick decisions about which mails to accept. We already use an RBL. It would be nice to add things like greylisting, spam/virus filtering, and SPF support. A mail would then be subjected to a stack of filtering decisions that looks something like this:

Is the sender a utulsa user?
Is the recipient not a valid local user?
Is the sending mail server listed in RBLs (spamcop, etc)?
Is the sending mail server valid for the sender's domain (SPF)?
Is this triplet (remote ip, envelope sender, envelope recipient) greylisted?
Is the mail most likely spam (spamassassin)?
Is the mail most likely a virus (amavisd-new)?

I've tried to order this for optimum efficiency. It might not be quite right.

If a mail passes all these tests it will then be passed via a secure lmtp connection of some kind to the mail store.
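One way the filtering stack above, plus the LMTP hand-off, could be expressed in a Postfix main.cf. This is an added example, not the author's configuration; it assumes the local domain utulsa.edu, a mail store host named mailstore.utulsa.edu, postgrey listening on 127.0.0.1:10023, an SPF policy daemon on unix:private/policy-spf, and amavisd-new (which runs SpamAssassin) on 127.0.0.1:10024.

```ini
# Inbound exchanger main.cf fragment (added example, not the author's own).
# Assumptions: domain utulsa.edu, mail store mailstore.utulsa.edu,
# postgrey on 127.0.0.1:10023, SPF policy daemon on unix:private/policy-spf,
# amavisd-new on 127.0.0.1:10024. The policy daemons and the amavis
# master.cf entries have to be set up separately.

myhostname = mx-in.utulsa.edu
relay_domains = utulsa.edu

# Needed for "is the recipient not a valid local user?": a list of every
# deliverable address so unknown users are refused at RCPT TO, not bounced.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# "Is the sender a utulsa user?" Local senders belong on the outbound
# exchanger, so refuse them here with a message that says where to go.
# /etc/postfix/sender_access contains one line:
#   utulsa.edu   REJECT Local users must send through the outbound exchanger
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access

# Cheapest checks first; every test that fires spares the ones after it.
# Order: never relay for others, unknown recipient, RBL, SPF, greylist.
smtpd_recipient_restrictions =
    reject_unauth_destination
    reject_unlisted_recipient
    reject_rbl_client bl.spamcop.net
    check_policy_service unix:private/policy-spf
    check_policy_service inet:127.0.0.1:10023
    permit

# Mail that survives the SMTP-time tests goes to amavisd-new for the
# SpamAssassin and virus checks before it is queued for delivery.
content_filter = smtp-amavis:[127.0.0.1]:10024

# Final hop to the mail store over LMTP.
relay_transport = lmtp:[mailstore.utulsa.edu]:24
```

Postfix evaluates client, HELO, sender and recipient restrictions in that order at RCPT TO (smtpd_delay_reject is on by default), so the sender_access check runs before anything in the recipient list.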

The outbound mail exchanger would have a much reduced set of tests. Basically the only criteria would be that the mail originate from a local IP address and the sender successfully authenticate themselves (SMTP AUTH). It would be nice to have some of the spam/virus features of the inbound exchanger but that may prove impractical.

For the sake of completeness I should note that I fully realize that it is just as important to do everything in your power to ensure that you are not sending spam as it is to not receive it. It is my hope that requiring all outbound mails to be authenticated is adequate for the time being. In the long run we will most likely have to take additional measures.

The outbound mail exchanger is perhaps the most important as it governs deliveries from one local user to another. In both cases, however, it would be nice to be able to prioritize deliveries in such a way that local mails receive precedence.

At the moment it is not feasible for us to implement STARTTLS on the outbound exchanger. As the Eudora holdouts upgrade this should become possible. With SMTP-AUTH it becomes almost a requirement.

It would also be nice to give useful error messages. If a local user tries to send mail via the inbound exchanger, for instance, it would be helpful to receive a message that points them in the right direction. Hopefully Postfix can provide this.

Another possible feature for the exchangers would be a challenge/response system of some kind. Unfortunately, C/R systems, like all email autoresponders, are fraught with peril (backscatter, etc).

...

In a discussion with clark about the advantages and perils of clustering a new concept came up that I very much enjoy: the virtual point of failure.
