Testing Different Mail Server Configurations?

bsaxon asks: "I am looking for advice on methods that would allow the testing and debugging of different mail server configurations, particularly different ways of handling spam and mail filtering. What are different ways that different mail configurations can be tested? Currently, we have two servers running Linux that check all incoming/outgoing mail for viruses and spam, using software that works with Sendmail. After incoming mail is processed, it is relayed to its final destination, in a mailbox on a MS Exchange server. One server handles the actual processing of mail, and the other server just queues mail when the other server is down or overworked. Basically, I would like to have all mail duplicated, before reaching any filters or virus scanners or blocklists, with one copy continuing its normal route to the production server and the other copy of the message going to the test mail server. Can it be done at the DNS level or through Sendmail or are there other ways that this could be achieved? I am only looking for suggestions that deal with different methods of testing different mail server configurations, not actual suggestions for filtering mail."

Call Sun

[Anonymous Coward]

Call Sun Microsystems. Go to their website and look into Sun Java Enterprise System Messaging Server 6. Complete IMAP, POP, HTTP, SMS solution with SIEVE, Spamassassin, Brightmail, MIMESweeper and other connectibility. They'll even design and deploy the entire layout for you.

Or, you could run your business on a patched system full of about a dozen various components and try to get them all to work properly together.

Re:Call Sun

[walt-sjc]

But using a dozen components together is the unix way. I install just what I need, configure each to support exactly what I need, and it just works. Exactly the way I want it to. And it's free.

Now I have NEVER used SJESMS6, but are you telling me that Sun has a "utopian" integrated messaging server that doesn't totally suck ass like every other integrated messaging server? And I can afford it for my non-profit? And I can run it on Linux?

Re:Call Sun

[saintp]

I do use Sun's JMS. You can run it on Linux, and your non-profit can probably afford it. But it sucks for small deployments. The damn thing is just too powerful for most people; if you can't afford to hire a dedicated employee just to run the mail server, it's not for you. It's not a magical happy land, like the OP described; it's got a UI that makes your eyes bleed, about a bajillion config files, and inconsistencies up the wazoo. We've used it for four years, and now we're switching to Postfix + Courier IMAP + Maildir and a few other free, open-source components.

Re:Call Sun

[op00to]

So you're basically saying that, when you look very closely, the sun solution is no different than the equivalent F/OSS solution.

(I Am A Mail Administrator, In A Sun Shop)

Re:Call Sun

[saintp]

Funny, but no. The F/OSS stuff -- at least once you get away from Sendmail -- is comprehensible to the average mortal. Have you ever done a basic Postfix config? It's a breeze. Even more advanced Postfix configs are comparatively easy to wrap one's mind around. The giant monolith that is the JMS is, perhaps for a dedicated mail admin, understandable, but for the rest of us -- general purpose sysadmins who have to keep a handle on not only email, but also file services, web servers, user support, and a

How many different ways can things be done?

[Evro]

"I want to do a bunch of things. How many ways can I do them?"

Anyway, what we're currently doing where I work is, we have a Barracuda [barracudanetworks.com] for spam/virus filtering, and that relays mail to our Exchange server for delivery. Barracuda has some nice features, including LDAP validation of recipient email addresses, and it's been working pretty well for us so far. If you're dealing with a large volume of mail, a turnkey solution is a nice time saver.

Re:How many different ways can things be done?

[Evro]

We've only had ours for about 2 weeks but we've been pleased with it so far - no problems yet. Our previous solution was a homebrew system that required a lot of maintenance.

Re:How many different ways can things be done?

[chivo243]

We have the Cuda spam firewall in place, maybe a year, and this week we should see delivery of the Cuda spyware firewall. I am tingly all over;>0 These "purpose built" appliances work 24/7, no tinkering needed or allowed! I even see the ads for the Cuda networks here on the dot.... why is this guy trying to re-invent the wheel? Too much free time perhaps? must be an inventor....

Re:How many different ways can things be done?

[nathanmace]

Mind if I ask what the homebrew system was? Was there anything specfic about it that required so much maintenance? Or was it just one of those "One more thing that I have to tinker with..."?

Re:How many different ways can things be done?

[itwerx]

...have you had any trouble with your Barracuda?

Other than a couple of software bugs in the 2.x version range it's been fine.

Re:How many different ways can things be done?

[chivo243]

Only with one firmware update 1.6? when we test drove the spyware firewall, the reporting via e-mail was not working correctly...

Re:How many different ways can things be done?

[itwerx]

Only with one firmware update 1.6? when we test drove the spyware firewall, the reporting via e-mail was not working correctly...

Ah, that would be a whole different animal. The spyware filter is a relatively new addition to their product line. My post above was referring to the spam filter which has been around for some years now.

Re:How many different ways can things be done?

[chivo243]

another great feature is... you can route outgoing mail through it too! Too cool!

Easy Way

[g-san]

Assign both servers the same IP and then you just plug and unplug the network cable real fast...

hmmm

[karearea]

I use Mdaemon for Windows (yes flameproof suit is on) and there is an option to also send all email to another server.

I would go with the idea of sticking another server in front of your live system that can send the email to the different points, I would assume that if a 'dumb-arse' windows app can do it something like sendmail should be able to do.

I can't give you any more than that (as little as it is) but I would be interested in knowing your solution. It sounds like a cunning plan (so cunning you coul

Re:No flak jacket required

[hlygrail]

So what if it runs on Windows? I've been running MDaemon for many years now (at home) and have had a grand total of > 4 spam messages and zero virus-infected attachments since installation. As long as your network is secure, the host box is tightened down, and you properly configure all the niceties (SpamAssassin, RBLs, Bayesian Filtering, etc.), you're good to go.

Contrast that to the 30-50 per day I was getting before through another ISP (Earthlink). I'm surprised how few people even know about MDae

Use of qmail - simple solution

[under_score]

I use qmail for my servers and it can do this quite easily in a number of ways. There are lots of good online documents about qmail [lifewithqmail.org] as well as the official qmail site [qmail.org]. The simplest method is probably a default install with a .qmail-default file in the alias directory which has two entries in it. Each entry could be a different destination email address or local account. This would certainly duplicate the email coming through, but may not be the best way to do your job. Working with the qmail-smtpd program may get you a solution closer to your needs. Good luck!

Re:Use of qmail - simple solution

[Saeed al-Sahaf]

"I have Qmail up and running on my little LAMP box on my DSL, and I have no problems at all!"

Well. Yes. That's nice...

Since nobody's actually answering your question...

[isaac]

Yeah, so nobody actually read your question. Welcome to slashdot and sorry about that. You really need to understand how email and the internet work a bit better if you thought DNS could do this for you. What you're asking for is a slightly more difficult problem than just "sendmail | tee -a foo".

If you're stuck on sendmail, these might help:
http://www.nber.org/copy-out.html [nber.org]
http://www.milter.info/sendmail/milter-bcc/ [milter.info]

If you want to give other MTA's a whirl for this purpose, google "tee postfix" and see the postfix mailing list thread or try that qmail foo suggested by another poster.

Basically, there are different "problems" with each method, but it's late and I want to go home so you'll have to do your own homework. A few likely complications: recipient checks, source IP checks, header munges interfering with spam filtering

-Isaac

Re:Since nobody's actually answering your question

[bsaxon]

Hey, thanks for replying to my question. I'm not sure what I was thinking with DNS actually. I must have been thinking of something particular to how our network is or how servers are setup, but I'm not sure. Either way, I may just been absent minded at the time, but I can't think of anything would be logical. =)

Re:Since nobody's actually answering your question

[Intron]

For a set of test users, sendmail can duplicate messages using the aliases file. Give each of those users two destinations. There may be a way to wildcard all users, but I'm a sendmail novice of only 5 years.

Re:Since nobody's actually answering your question

[g-san]

Yeah, so nobody actually read your question. Welcome to slashdot and sorry about that.

Sorry? It's just another desperate attempt to get slashdot to do someone's job. You linked to an 8 year old solution yourself. And besides, he lost me just after the fourth, "different." Then I saw he had two linux servers getting the mail first and I knew he'd be just fine ;)

Exim

[KagatoLNX]

Exim [exim.org] can do this quite simply. I dare say that it is the most flexible mailer in existence (Sendmail might be as flexible, but it can't be done without a PHD in m4). Assuming you want to set up a relay server that mails to both the real server and a test server (I think that was the question), I would try the following.

In an Exim configuration file, you specify a list of routers that deliver the message. At a certain point, you'll usually either use a dnslookup router or some local delivery router to either forward a message to another host or deliver it locally respectively. In your case:

• use the standard dnslookup for remote delivery
• don't do any local delivery
• use the manualroute router to deliver to the main host, set the generic router option unseen=yes
• use another manualroute router to deliver to the test host

The unseen option (detailed here [exim.org] in chapter 15 of the specification) allows the first router to accept the message, but still pass it on to the next router.

I have used this method to do almost the exact thing you are doing here (although it was for logging purposes rather than testing). A word of warning... Your test server may generate bounce messages. Also, your relay server (the exim server in this case) may generate bounces if the test server refuses to accept messages. You can fix the latter by setting the errors_to option to the empty string on the test router (thus indicating bounces be dropped).

Removing the bounce address this way has the undesirable effect of causing the envelope sender on the test server to always be set to the bounce address () which makes it difficult to test things like sender verification.

It is possible to suppress relay bounces but preserve the sender address by saving the current sender in the address_data variable and reinstating it by setting the return_path to that in the transport that the router uses. This is ugly, but exists for this purpose (among others).

Then you only have to suppress bounces on the test server. This problem is inherent in delivering to two servers in parallel. If it is Exim, this is can be done with the errors_to option on your routers as above. This again defeats the purpose, because it is hardly a production configuration for testing purposes (can't test any bounce-related functionality). If the server is not Exim, you'll have to find some other way to suppress bounces.

Keep in mind, no matter what system you put in place for relaying, you will have to suppress bounces if you don't want to confuse your inbound mailers (often customers) with strange bounces on messages that were delivered, but generated a bounce on the test server.

Note that if you are really serious about testing your mail server and doing spamblocking, you'll probably do callouts. Callouts (a nice feature that Exim excels at) go through the initial delivery of a bounce message back to the sender address (but stops short of an actual delivery). This tests whether the return address can receive mail. In the event of common spam with AOL or Yahoo addresses, you stop accepting the address as soon as they close the account (or possibly never accept it if it is a faked account). Callouts are cached to a certain degree, so they are not a very bad performance hit either.

The reason I mention this is that it that effective features like this make it really difficult to block off bounces from your test server effectively. The only way I have been able to test something like this effectively is by moving the IT department (not the support desk though) mail onto a test server completely, bypassing any clever relaying. Make no mistake, a mail server in general, and a well spam-hardened server in particular, will be almost impossible to test effectively (without interfering with regular users) in parallel to your existing mail (i.e. duplic

Re:Exim

[walt-sjc]

Exim is Awesome as a gateway (especially if you use Exchange internally. Exchange can't be trusted to speak directly to the outside world.) Exim is also awesome as your main mail server as well. And it scales, easily handling mail for many thousands of users.

As for testing, tossing the full email feed at it and dealing with all the problems may not be the best course of action for the reasons the poster above went into. I usually setup a test sub-domain for testing.

Re:Exim

[Achromatic1978]

Note that if you are really serious about testing your mail server and doing spamblocking, you'll probably do callouts. Callouts (a nice feature that Exim excels at) go through the initial delivery of a bounce message back to the sender address (but stops short of an actual delivery). This tests whether the return address can receive mail. In the event of common spam with AOL or Yahoo addresses, you stop accepting the address as soon as they close the account (or possibly never accept it if it is a faked ac

Nitpickers university

[majello]

Hi!

Sorry to be annoying, but i consider your approach - while intuitive - basically flawed. If you are testing with constantly changing input data, it is very hard to determine the effect of any changes to your configuration. What you would do instead is capture a days worth of data, or maybe more, and hack together some script that lets you replay the day against you test configuration. thus you can always make suer that any changes you made haven't messed up the configuration. you can also vary replay speed to do some stress testing, and you might want to consider building up a set of "interesting" mails to use as testcases.

testing with an unknown and essentially random input set has its values, but i consider it incomplete.

cheers, Stefan

procmail?

[Marrow]

You could try to forward all your mail (perhaps using an external program)
using procmail.

I assume your test server isnt going to do anything with the mail but crunch it.

This is a test

[TheRealMindChild]

BE E E P

Yes, I know it was already posted...

[chivo243]

...but I am told that the Barracuda boxes are hardened linux of some flavor, the rep(that sold us ours) was either closed lipped or didn't know more than that.