Advanced DNS Management
I am starting this thread and leaving it open so people can post ideas for guides. Please don't post answers in this thread, just come in and say "I would like to see a guide on ...." and maybe somebody will write one. Just because you float it does not mean it will get written; I just thought it would be a nice place for people to get ideas.

Again, please just post ideas for guides here and nothing else, that will help make it easy and streamlined.

--Jim Lester

mail server install guide out of date? (about Part. 4, MailScanner install)


The Politics behind Postfix and Mailscanner
12/26/2004 by Avery Day. Thanks for the help, Drew Marshall.
In no way are the opinions written here reflective of the Mailscanner team or its community. These are the opinions of just one individual and a one-day quest set out to understand the delicate politics between the Mailscanner and Postfix communities. Postfix is an awesome piece of software; this writing is in no way intended to offend anyone, it's only intended to inform the reader of some interesting information. I am almost certain that this article will draw fire from a lot of people. It's a Dirty Job, But Someone's Got to Do It.

Let's face the simple facts: the Postfix community (mailing list) doesn't think so highly of Mailscanner when used with Postfix. It wasn't the Postfix authors who complained but the users themselves, which led to this witch hunt. Try even mentioning the word Mailscanner on the Postfix mailing list and you're likely to be slapped silly. Just search through the Postfix mailing list archives and you will see what I mean. So this was written to summarize some basic information that I have put together.

The problem in the past is this: the Postfix developers had a problem with the way in which Mailscanner accessed Postfix to do its scanning of emails. The Postfix developers complained of the possibility of duplicated or truncated emails when Postfix and Mailscanner were used together. Postfix was designed to only interface with other processes using traditional methods, such as SMTP or LMTP. MailScanner doesn't use these methods but instead sits between the incoming (SMTP) process and the delivery process of many popular MTAs. Using this design, and in common with other MTA installations, Postfix was originally designed with two instances: one just to receive mail and defer the delivery process, and the other to just make delivery. MailScanner sits in the middle, moving mail from one instance to the other. Unfortunately, this required that the active Postfix queue files would be accessed directly by Mailscanner. By placing mail in the deferred queue (explained here), Postfix would re-examine the messages to see if they could be delivered yet. This examination, while MailScanner was scanning and moving the mail from one process to another, could and often did cause duplications or truncated messages.

Basically, the Postfix developers strongly advised against doing this. They suggested instead that Mailscanner have its own SMTP engine that could talk to Postfix like Amavis does (explained here). The Postfix developers offered no other alternative than this. In my opinion Mailscanner is not designed nor should be designed to speak SMTP. Simplicity has been the key to Mailscanner's success. Why make things more complicated than they need to be? Now, I am not claiming to be a security expert, but wouldn't giving Mailscanner the ability to talk SMTP open up a security concern when having another SMTP engine thrown into the whole delivery process? Besides that, wouldn't this also require more resources for Mailscanner to run, and additionally Postfix, with possibly another transaction that would need to be made (depending on the design)? IMHO Mailscanner is virus scanning software, not an SMTP engine.

Recently, however, some changes have been made to allow for a different approach. This new approach does not require Mailscanner to access the active queue. Nor does it require Postfix to be split into two instances. It is still, however, accessing the Postfix queue, but not the active queue; that's the key. Now, instead, Postfix puts all incoming email into a hold queue for scanning. By putting a simple line into the Postfix /etc/postfix/header_checks file (explained here), all email is put into the hold queue, which, from what has been explained to me, is a safe, quiet place that Postfix is no longer actively accessing or changing. It's basically frozen in the process as far as Postfix is concerned. As stated in the man pages for the qmgr: hold = Messages that are kept "on hold" are kept here until someone sets them free (also see man header_checks). Now Mailscanner can safely access these emails in the Postfix hold queue for scanning and then pass them back into the Postfix active queue for delivery. To me and a lot of other people this makes perfect sense. This is a much simpler approach and takes far less resources and time than to have Mailscanner running its own SMTP engine just so it can talk to Postfix. But the Postfix community and possibly even the developers are still insisting that Mailscanner is not a viable AV scanner for Postfix systems. Respectively, if this is still the case then the Postfix developers need to say something so other solutions can be worked out. The idea behind putting the incoming emails into the hold queue for scanning has eliminated all of the risks that were associated with using Mailscanner and Postfix together in the past. The Postfix website is still insisting that Mailscanner is a risk. With the new single instance Postfix setup configuration, I have not seen any proof that would lead me to believe that any problems may arise.
After 2 months of using Mailscanner with postfix in the single instance setup design I have not experienced any problems.

Questions or comments, I can be reached here: schrock(at)
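
The single-instance hold-queue setup described above, written out as configuration. This is an added example, not part of the original article; the spool path /var/spool/postfix and the location of MailScanner.conf are assumed defaults and vary by install.

```ini
# --- /etc/postfix/main.cf (Postfix) ---
# Run every message header through the regexp table below.
header_checks = regexp:/etc/postfix/header_checks

# --- /etc/postfix/header_checks (Postfix regexp table) ---
# Mail arriving over SMTP always carries a Received: header,
# so this one rule parks incoming mail in the hold queue.
/^Received:/ HOLD

# --- MailScanner.conf (MailScanner; location varies by install) ---
# Assumed default Postfix spool at /var/spool/postfix.
Run As User = postfix
Run As Group = postfix
MTA = postfix
# Read from the frozen hold queue, never from active or deferred.
Incoming Queue Dir = /var/spool/postfix/hold
# Hand scanned mail back to Postfix for normal delivery.
Outgoing Queue Dir = /var/spool/postfix/incoming
```

After `postfix reload`, running `postmap -q "Received: test" regexp:/etc/postfix/header_checks` should print `HOLD`, and held messages appear in `postqueue -p` with a `!` after the queue ID.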
