I've got a handful of Plesk machines of various versions and operating systems, each hosting mail as well as web sites. Anyone who has dealt with Plesk knows that it can be a pain to keep locked down. Between qmail's tendency to support backscatter spam and insecure contact forms published by users in PHP and ASP, there is a lot of potential for spamming and getting listed in RBLs.
In addition to locking down these machines as tightly as possible, I want to funnel all outbound mail to one or more outbound-only mail relays that have the ability to scan the mail for spam before sending it on its way.
I'd prefer Postfix, but I'm open to just about any open source solution. There are many, many tutorials for filtering inbound spam, but very few that even address the outbound spam problem, and most of those have little useful info.
Even a method to have Postfix sequester all outbound mail into a special queue that I could scan with home-rolled scripts and then re-inject into the outbound queue would be an option.
Any and all ideas and suggestions welcome.
A solution would be blocking outgoing access to outside SMTP servers (port 25 tcp outbound) on your exit firewall, requiring the servers to use your SMTP as a smarthost, and implementing the SPAM and AV solutions on your own smarthost. You can keep allowing ingoing SMTP access to their MX servers.
You can do that with Postfix or Exim plus a tool like MailScanner. Just remember that this can be a pretty big hit and you really need to think about the capacity of that (or those) servers, since if your outgoing email is in large numbers you will probably have a heavy load to process. Maybe you can think about load balancing the outgoing servers with HAProxy or a similar solution.
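The "hold, scan, re-inject" idea from the question can be sketched as a triage script for a Postfix smarthost like the one described in the answer. This is an added example, not code from either poster. It assumes the relay already places all relayed mail on hold (for instance with a `header_checks` HOLD rule) and that Postfix is 3.1 or later so `postqueue -j` is available. The thresholds, host names and queue IDs are constructed.

```python
import json
import subprocess
from collections import Counter

# Constructed sample of `postqueue -j` output: one JSON object per message.
SAMPLE = '''
{"queue_name": "hold", "queue_id": "4F1A2B3C01", "sender": "apache@web1.example.net", "recipients": [{"address": "r1@example.org"}]}
{"queue_name": "hold", "queue_id": "4F1A2B3C02", "sender": "apache@web1.example.net", "recipients": [{"address": "r2@example.org"}]}
{"queue_name": "hold", "queue_id": "4F1A2B3C03", "sender": "apache@web1.example.net", "recipients": [{"address": "r3@example.org"}]}
{"queue_name": "hold", "queue_id": "4F1A2B3C04", "sender": "alice@customer.example", "recipients": [{"address": "r4@example.org"}]}
{"queue_name": "hold", "queue_id": "4F1A2B3C05", "sender": "bob@customer.example", "recipients": [{"address": "a@example.org"}, {"address": "b@example.org"}, {"address": "c@example.org"}, {"address": "d@example.org"}, {"address": "e@example.org"}, {"address": "f@example.org"}]}
{"queue_name": "deferred", "queue_id": "4F1A2B3C06", "sender": "carol@customer.example", "recipients": [{"address": "r5@example.org"}]}
'''

def triage(lines, max_per_sender=2, max_rcpts=5):
    """Return (release, keep): queue IDs safe to send vs. left on hold for review.

    A held message is kept when its envelope sender has more than
    max_per_sender messages on hold (typical of an abused contact form)
    or when it has more than max_rcpts recipients. Both limits are assumed
    starting points, not values from the page.
    """
    msgs = [json.loads(l) for l in lines if l.strip()]
    held = [m for m in msgs if m["queue_name"] == "hold"]
    per_sender = Counter(m["sender"] for m in held)
    release, keep = [], []
    for m in held:
        suspicious = (per_sender[m["sender"]] > max_per_sender
                      or len(m["recipients"]) > max_rcpts)
        (keep if suspicious else release).append(m["queue_id"])
    return release, keep

def release_held(queue_ids):
    """Move messages from the hold queue back into normal delivery."""
    if queue_ids:
        # `postsuper -H -` reads the queue IDs to release from standard input.
        subprocess.run(["postsuper", "-H", "-"], text=True, check=True,
                       input="\n".join(queue_ids) + "\n")

if __name__ == "__main__":
    out = subprocess.run(["postqueue", "-j"], capture_output=True,
                         text=True, check=True).stdout
    ok, held = triage(out.splitlines())
    release_held(ok)
    print(f"released {len(ok)}; still on hold for review: {held}")
```

Run from cron on the relay, this releases ordinary mail and leaves bursts from a single sender on hold, where they can be inspected with `postcat -q` before being released or deleted.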