Thread: Why the second MTA instance?

Why the second MTA instance?
user name
2006-05-17 21:37:37

After enjoying a relaxing upgrade from 1.0.0 to 1.0.1, and then to trunk 1048 on my test box, my desire to tweak has gotten the better of me. I've decided to experiment with removing the second instance of postfix on the test box, and it seems that everything JustWorks(tm) without it.

What I've done:

replaced $forward_method's default to point to my destination mail server in amavisd.conf.
replaced $notify_method's default to point to my destination mail server in amavisd.conf.
replaced "Downstream SMTP server" with my destination mail server in Maia's System Config page.

What I've noticed:

Everything seems to work just fine. Mail passes. Test virus mails are quarantined. Mail rescue works. I can't seem to see any problems (yet, anyway).

So, finally, my question: why go to the trouble of setting up the second MTA instance, and thus have to maintain $transport_maps? Is there really any reason I need to keep MTA:10025 around? Am I going to shoot myself in the foot if I roll out a production server under such configuration?



Matt

-- 
Matthew Powell / Network Administrator
Kansas State Historical Society
mpowell@kshs.org / 785-272-8681, ext. 241
Get Firefox: http://www.mozilla.org/products/firefox/

_______________________________________________
Maia-users mailing list
Maia-users@renaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
Why the second MTA instance?
user name
2006-05-17 22:07:08
Matthew Powell wrote:

> So, finally, my question: why go to the trouble of setting up the second MTA instance, and thus have to maintain $transport_maps? Is there really any reason I need to keep MTA:10025 around? Am I going to shoot myself in the foot if I roll out a production server under such configuration?

In simple cases (e.g. when running everything on a single host), the "Downstream SMTP server" is your second MTA instance. If, as in your case, your downstream SMTP server is on another host, then by all means just have amavisd-maia forward mail to that host instead, and don't bother running a second Postfix instance on the amavisd-maia host.

Basically, a downstream SMTP server is required /somewhere/ in your mail system, whether it's on the same host (e.g. as a second MTA instance) or on a different host (e.g. as a full-fledged MTA), in order for Maia to have the ability to release quarantined items downstream of amavisd-maia (to avoid having them get caught in the filter again).

The only significant catch when you use a separate host as your downstream MTA is that you don't want it to be directly accessible from the outside world. If someone outside your network can send mail directly to your downstream MTA (e.g. on port 25), that mail would effectively bypass your filters, so you'd want to configure that MTA to only accept connections from the amavisd-maia host and your web server host.

-- 
Robert LeBlanc <rjl@renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

Why the second MTA instance?
user name
2006-05-17 23:05:11

Matthew Powell wrote:
> So, finally, my question: why go to the trouble of setting up the second MTA instance, and thus have to maintain $transport_maps? Is

If the logic for the transport maps is more complicated, as in, you have many places to deliver the main message to; or in the most common case where everything is on one box.

As long as the mail gets delivered, then it should be fine.


-- 
David Morton
Maia Mailguard                        - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
Why the second MTA instance?
user name
2006-05-18 19:14:54

Robert LeBlanc wrote:

> The only significant catch when you use a separate host as your downstream MTA is that you don't want it to be directly accessible from the outside world. If someone outside your network can send mail directly to your downstream MTA (e.g. on port 25), that mail would effectively bypass your filters, so you'd want to configure that MTA to only accept connections from the amavisd-maia host and your web server host.


Great... thanks. My destination mail server is accessible via the net, but I've configured it to not accept mail delivered directly at its host name... (user@domain.tld works, user@mailserver.domain.tld doesn't). mydestination is so cool. ;)

I'm relieved to know that I'm not doing anything that could negate the existence of time & space by canning the second MTA. This way seems to be much more efficient.

Trunk 1048 is looking good, btw. /etc/maia.conf was a nice touch, good work.

Thanks guys.

Matt

-- 
Matthew Powell / Network Administrator
Kansas State Historical Society
mpowell@kshs.org / 785-272-8681, ext. 241
Get Firefox: http://www.mozilla.org/products/firefox/
Why the second MTA instance?
user name
2006-05-18 19:28:59
Matthew Powell wrote:

> I'm relieved to know that I'm not doing anything that could negate the existence of time & space by canning the second MTA. This way seems to be much more efficient.

In your scenario it is, yes. That's not true for the folks running everything on a single host, obviously. One way or another, two MTAs (or instances) are required: one upstream from amavisd-maia, the other downstream. Whether you decide to run both MTAs on the same host as the amavisd-maia process or on other machines is your call, based on your network's unique circumstances. This could be run on one, two, or even three hosts.

A one-host scenario:

-> MTA-RX + amavisd-maia + MTA-TX ->

A two-host scenario:

-> MTA-RX + amavisd-maia -> MTA-TX ->

A three-host scenario:

-> MTA-RX -> amavisd-maia -> MTA-TX ->

In all three cases there's an MTA upstream (MTA-RX) and downstream (MTA-TX) of amavisd-maia. The only difference between them is which hosts those MTAs are running on. In short, you're not really "canning the second MTA", you're just moving it to a downstream host.

-- 
Robert LeBlanc <rjl@renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

Why the second MTA instance?
user name
2006-05-18 21:29:33
On Thu, 2006-05-18 at 14:14 -0500, Matthew Powell wrote:
> My destination mail server is accessible via the net, but I've configured it to not accept mail delivered directly at its host name... (user@domain.tld works, user@mailserver.domain.tld doesn't). mydestination is so cool. ;)

That's not going to protect you. Your downstream MTA must NOT be accessible from the net, period. Or it will be possible for spammers to bypass your filters. In the above scenario, there is nothing to stop someone from connecting directly to mailserver.domain.tld (you said it was accessible from the Internet), then using an envelope recipient of user@domain.tld. If this is really your downstream MTA, then they can spam away and bypass all your filters.

--Greg


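A concrete way to apply Robert's advice (accept SMTP only from the amavisd-maia host and the web server host) and Greg's warning (mydestination alone does not stop direct injection), as an added example that is not from the thread or from the Maia project: main.cf for the downstream MTA, i.e. Matt's "destination mail server" or MTA-TX in the two-host layout. The addresses, host names and domain are assumed values.

```ini
# /etc/postfix/main.cf on the downstream MTA (MTA-TX), host B in the two-host
# layout.  Constructed example; these values are assumptions: 192.0.2.10 is the
# amavisd-maia host, 192.0.2.11 the Maia web host, 192.0.2.20 this host's
# internal address, and example.org the mail domain.
myhostname    = mailstore.example.org
mydestination = example.org, localhost

# No content filter on this hop: mail arriving from amavisd-maia has already
# been scanned, and quarantined items Maia releases must not be caught again.
content_filter =

# WEAK (what the thread warns against): leaving this host's own name out of
# mydestination only makes RCPT TO:<user@mailstore.example.org> fail; anyone on
# the Internet can still connect to port 25 and use RCPT TO:<user@example.org>,
# which skips amavisd-maia entirely.  The restrictions in that setup are just
# the Postfix defaults:
#   mynetworks = 127.0.0.0/8
#   smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# CORRECTED: only the amavisd-maia host (re-injection via $forward_method and
# $notify_method) and the Maia web host (quarantine release) may speak SMTP
# to this MTA.  Everything else is refused.
mynetworks = 127.0.0.0/8, 192.0.2.10/32, 192.0.2.11/32
smtpd_client_restrictions    = permit_mynetworks, reject
smtpd_recipient_restrictions = permit_mynetworks, reject

# Defence in depth: do not listen on an Internet-facing address at all
# (and/or filter tcp/25 at the firewall).
inet_interfaces = 127.0.0.1, 192.0.2.20

# For comparison, in the one-host layout the downstream MTA is the second
# smtpd on 127.0.0.1:10025 in master.cf, which applies the same restrictions
# as per-service overrides:
#   127.0.0.1:10025 inet n - n - - smtpd
#       -o content_filter=
#       -o mynetworks=127.0.0.0/8
#       -o smtpd_client_restrictions=permit_mynetworks,reject
#       -o smtpd_recipient_restrictions=permit_mynetworks,reject
```

After `postfix reload`, `postconf mynetworks smtpd_client_restrictions inet_interfaces` prints the effective values, and an SMTP session from any address outside mynetworks should be refused with a 5xx "Client host rejected" reply at RCPT TO.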