How does the average user know who is in a group



Postby thatitguy » Thu Jul 26, 2007 12:40 pm

Got it, thank you!

One of the reasons I wrote the script I did to build the virtusertable on the perimeter system, was so that I could use all of the internal Sendmail tools for dnsbls and address checking, and use the SpamAssassin Milter. That way, all of the filtering is managed by Sendmail, which means that it keeps the load from scanning invalid emails to a minimum.

So my message flow is like this:
Message from Internet bound for user@domain.com goes to Sendmail on perimeter system. Sendmail checks for valid user (against the virtusertable that my script generates on the Scalix server, copies up to the perimeter system, and activates), DNSBLs, and DNS hoaxiness. If it catches any of that going on then it rejects the message and moves on, without ever receiving the body of the email (saving CPU cycles and *LOADS* of bandwidth in the process). If the message passes all the nasty Sendmail tests, then Sendmail receives the message and passes it into the ClamAV and SpamAss Milters.

If ClamAV milter sees a virus, the message disappears forever (configurable of course but that's my preference). Frankly, I almost never get those because viral messages always trip up on DNS or being sent from a DNSBL IP address.

If SpamAss Milter tags the message, then Sendmail forwards the message to an address local to the digester (an entry in /etc/aliases like "|/usr/bin/spamdigester") which initiates the quarantine process and stores the message in the MySQL database for future review/ delivery/ deletion as part of a Digest email.

If the message is clean, then it gets sent on to the ultimate destination address as defined in virtusertable (i.e. user@scalix.domain.com).

The idea is to minimize user interaction with Junkmail, while ensuring that they get to review the messages that get tagged and keep the control over mailflow. No special knowledge necessary, no folders to manage for misclassified messages, etc.

So, in short, my users never see this script happening, or interact with it in any way - it's all automated, behind the scenes stuff, expressly to keep them from having to deal with the incredible amount of junk out there.

Ultimately, if it's possible, I'd love to have Sendmail be able to query the Scalix server directly, as a message is being received, in real time, and do away with the virtusertable. However, using a polled virtusertable has some advantages that would be difficult to do with realtime queries, such as having 'unpublished' PDLs that only local Scalix users can send to (although I suppose that's what ACLs are for :).

The big motivator to write this whole mess was the way that Scalix works: It *receives* all messages and *then* scans them for spamminess or viral content. All the DNSBL and DNS stuff has to be hooked into my sendmail later on, after the message is received, which is *intensely* wasteful of bandwidth and CPU cycles, and *seriously* mucks up the works when Sendmail tries to reject a message. By moving to a perimeter solution, I accomplished several goals: Reject invalid messages before the message body is received, use wicked DNSBL filtering, and skip spam scanning all the messages that never leave the Scalix system (i.e. messages sent from one Scalix user to another).

On one particular site, I eliminated over 75% of all the mail that was coming to the server simply by implementing the Sendmail DNSBLs at the perimeter. That's 75% less CPU cycles wasted on junk mail, and 75% less false negatives (at least). That site after a year of using all this and using Bayes autolearn in SpamAssassin, now rarely has false negatives (less than 1/day/user), and simply doesn't get false positives.

*Whew* sorry for the long winded post ;) And thanks for the PM... I hope I didn't completely miss the point of what your script does!
Rubin Bennett
Chief High Commander and Janitor
rbTechnologies, LLC
http://rbtechvt.com
+1.802.223.4448


Postby mikethebike » Fri Jul 27, 2007 4:23 am

Hi Rubin,

As you have seen, the script I sent is purely for a user to send an email, with the PDL as the subject. The script checks the PDL is valid (omshowpdl -l all), then lists the members (omshowpdln) and returns the result to the sender.

Sounds like your script does exactly what you want, and real time lookups may be the way to go for your future... maybe using LDAP lookups?
You could maybe get around the issue of "hiding" PDLs from the outside world by only including internet addresses for those that can be mailed from external senders.

Mick
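
The polled virtusertable approach discussed in this thread, combined with the suggestion to publish only addresses that external senders may reach, as an added example that is not either poster's script. The directory export format, the sample entries and the function name are assumptions; the domains are the placeholders used in the posts above.

```python
import re

# Constructed sample export: (local part, kind, reachable from the Internet?)
SAMPLE_DIRECTORY = [
    ("alice", "user", True),
    ("sales", "pdl", True),
    ("all-staff", "pdl", False),        # unpublished PDL: internal senders only
    ("Bob", "user", True),
    ("bad name\n@evil", "user", True),  # malformed entry, must not reach the map
]

# Conservative local-part check so a single directory entry cannot inject
# extra keys or lines into the map source file.
LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._+-]{0,63}")


def build_virtusertable(entries, public_domain, internal_domain):
    """Return (map_lines, skipped) for a perimeter Sendmail virtusertable.

    Only entries flagged as externally reachable are published. Every other
    recipient in public_domain falls through to the catch-all error entry,
    so it is refused before the message body is transferred.
    """
    published, skipped = set(), []
    for local, kind, external in entries:
        key = local.strip().lower()
        if not LOCAL_PART.fullmatch(key):
            skipped.append((local, "malformed"))
        elif not external:
            skipped.append((local, "unpublished"))
        else:
            published.add(key)
    lines = [f"{k}@{public_domain}\t{k}@{internal_domain}"
             for k in sorted(published)]
    # Exact addresses take precedence over the @domain catch-all in the
    # compiled map, so line order in the source file does not matter.
    lines.append(f"@{public_domain}\terror:nouser 550 No such user here")
    return lines, skipped


if __name__ == "__main__":
    table, dropped = build_virtusertable(
        SAMPLE_DIRECTORY, "domain.com", "scalix.domain.com")
    print("\n".join(table))
    for entry, reason in dropped:
        print(f"# skipped {entry!r}: {reason}")
```

The output is the text source for the map; on the perimeter host it is compiled with `makemap hash` before Sendmail uses it.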

