At SANBI we do spam filtering on a dedicated machine, where we run qpsmtpd with various plugins. This machine faces the big scary Internet, and any mail that passes its filters is then delivered to our main mailserver, where the mailboxes live. Some years ago I wrote a plugin for qpsmtpd that does recipient checking, i.e. it connects to the main mailserver and uses the RCPT TO command to check if the mail can be delivered. I discovered a significant gotcha with this approach: any mail passing the spam filter was being accepted. I.e. I’d accidentally created an open relay (but only for non-spam-filter-triggering mail).
So this post is just a note to self (and others that might make this mistake): your final mail server should treat the spam filtering proxy as an external mailserver, i.e. relaying should not be permitted. I did this by changing the mynetworks setting in the main mailserver’s Postfix configuration to exclude the spam filtering server’s IP. (Note that exclusions must be before inclusions in this statement, so !<spam filter IP> had to come before <spam filter IP’s network>.)
POSTSCRIPT: I forgot that we use our spam filter machine as a mailserver for external clients (when authenticated with SMTP AUTH), so my plan didn’t work. Turns out that what I actually needed was to enable the check_rcpt plugin together with my own plugin, because check_rcpt checks for mail relaying.
PPS: The correct response from a plugin if you think the message is kosher is DECLINED, not OK. OK means we’re sure the message is OK, whereas DECLINED means pass it to the next plugin. Drat!
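A sketch of a recipient-checking plugin that follows the two corrections above, added here as an illustration and not the plugin this post describes. The plugin file name and the backend hostname are assumptions; the hook signature, return constants and Net::SMTP calls are the standard qpsmtpd and Perl ones.

```perl
# Hypothetical plugin file plugins/check_backend_rcpt (name is an assumption).
# In config/plugins, list it before check_rcpt so both see every RCPT TO.
use strict;
use warnings;
use Net::SMTP;

# Assumption: placeholder hostname of the internal server holding the mailboxes.
my $BACKEND = 'mail.internal.example';

sub hook_rcpt {
    my ($self, $transaction, $recipient, %param) = @_;

    my $smtp = Net::SMTP->new($BACKEND, Timeout => 20);
    unless ($smtp) {
        $self->log(LOGWARN, "recipient check: cannot connect to $BACKEND");
        return (DENYSOFT, "Recipient verification temporarily unavailable");
    }

    # Probe the backend with a null sender and the recipient being offered.
    my $accepted = $smtp->mail('') && $smtp->to($recipient->address);
    my $code     = $smtp->code;    # reply code of the last command sent
    $smtp->reset;
    $smtp->quit;

    if ($accepted) {
        # A 250 here only means the backend would take this address from us.
        # If the backend trusts this host for relaying, it also answers 250
        # for foreign domains, so this result says nothing about relaying.
        # Returning OK would end the rcpt hook chain and skip check_rcpt;
        # DECLINED hands the relay decision to the next plugin.
        return (DECLINED);
    }

    # Permanent rejection from the backend: refuse the recipient outright.
    return (DENY, "Recipient rejected by mail server") if $code =~ /^5/;

    # Anything else (4xx, dropped connection): ask the sender to retry.
    return (DENYSOFT, "Recipient verification failed, try again later");
}
```

With this ordering, a message for an unknown local user is refused by this plugin, and a message for a foreign domain from an unauthenticated client is refused by check_rcpt.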