Running amavisd-new on MX hosts?

Mark Martinec Mark.Martinec+amavis at ijs.si
Thu Feb 11 17:56:04 CET 2016 

Dino Edwards wrote:
> E-mail should never be quarantined unless there is a mechanism for the
> recipient to release those messages from quarantine themselves. You
> never want to be responsible for an e-mail NOT reaching its intended
> recipient. People get very upset when they don't receive e-mail they
> believe they should receive. If the e-mail is important enough and not
> receiving it caused them harm or financial loss, they will take you to
> court.
> 
> Let's face it, the decision whether or not an e-mail is legitimate or
> not is made by a machine. That mechanism is not always perfect and it
> will yield  false positives from time to time. The ultimate decision
> of whether to keep or discard that message should be made by the
> recipient not the machine.

Rich Wales wrote:
> My assumption is that if I were to run SpamAssassin and amavisd-new on 
> my
> MX hosts -- which, BTW, are cloud servers -- this would keep junk (or
> suspected junk) from tying up network bandwidth on my main system.

Quanah Gibson-Mount wrote:
> It's illegal to quarantine in some countries. ;)

Quarantining does not imply non-delivering or rejection.

In amavisd quarantining is configured entirely independently from
mail contents (ham/spam/...) and from a decision on its fate
(pass/reject/discard/bounce).

> It's illegal to quarantine in some countries. ;)

What you probably meant is that discarding a message is illegal
(i.e. not delivering and not notifying a sender of non-delivery).

Quarantining by itself is independent from the above requirement,
although it may be subject to privacy and data retention regulations.

One advantage of invoking a content filter directly by a MX mailer
in a pre-queue setup is than an undesired message can be rejected
at an SMTP stage (5xx SMTP status). Independently of this a message
may or may not also be quarantined. Rejecting (not bouncing) a
message lets the true sender be notified of non-delivery, thus
complying with regulations.

(If the plan was to run a content filter in a post-queue setup,
there is no advantage in running it on a MX, as the option of
rejecting a message is already lost).

Even if amavisd is invoked by a MX, it need not run on the
same host as a mailer. Two MX hosts may share a single amavisd
service, as they all communicate through a standard SMTP / TCP
network protocol.

   Mark

More information about the amavis-users mailing list