Gary wrote:

> Matt wrote:

>>>I'm sure you are aware of this Matt, but on your 2 gateway servers,
>>>you MUST reject mail to nonexistent users. I don't know if or how you
>>>are doing this now, but I've heard that use of a relay_recipients map
>>>may be more efficient than LDAP queries, but of course this means that
>>>programs have to be written to extract email addresses from LDAP
>>>and load them into the map(s), and of course, this would have to
>>>automatically happen on a regular basis.

>> This thread was only referring to the introduction of amavisd into our 
>> network.

>> Postfix is very well configured and has very restrictive 
>> smtpd_recipient_restrictions as well as helo_checks, sender_checks, 
>> recipient_checks, and the like. About 50% of the mail sent to the server 
>> is immediately rejected (without accepting it first). I assume that 
>> percentage will increase once postini is abolished.

> This is all excellent, but as you describe it here, your server does
> not reject mail to nonexistent users. Please correct me if I am mistaken
> and it won't be mentioned again.

> Unless you reject mail to nonexistent users at your gateway servers,
> amavisd-new will have to burn time, energy and CPU power processing each
> and every one of these worthless mails, not to mention filling up your
> deferred queues. Like I said, 83% of my mail is addressed to nonexistent
> users. You have to find a way to reject this dictionary attack crap.

>> The head relay servers (relay1 and relay2) will now take over the exact 
>> configuration our existing mail server has. That way they continue to 
>> function as our current mail server does.

> Your current server delivers mail locally, and the gateway
> servers will relay mail, so at least in that respect, they must be
> configured differently, but I think this is assumed.

>>>>Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or
>>>>the LDA...

>> I meant the remaining server for each situation. In other words, the
>> domains that have relay1 set up as primary MX will have relay2 as
>> secondary. The domains that have relay2 as primary will have the
>> "remaining server" (relay1) set as secondary. That way it's full
>> redundancy if one goes down.

>> The main mail server will ONLY accept incoming messages from the two 1U's.
>> Hope that clarifies.

> It does, thanks.
> And like Clifton said, "Excellent plan; this is pretty much optimal."

>> Regards,
>> Matt

> Gary V

Doh! I am red faced here, but I think I understand what is happening.
I am so used to configuring gateway servers that I forgot that it is
not necessary to configure an LDA to reject mail to nonexistent
recipients, it happens by design with no additional settings. I think
that Matt is thinking in terms of an LDA, and not in terms of a relay
server. At this point, if postini tries to deliver a message to a
nonexistent user, your LDA rejects it, and the reject ends up as just
another statistic in your "50% of the mail gets rejected". Postini is
the one who pays the price for your reject here, so you don't have
to bother yourself about it. Now, when you run your own relay servers,
here is what will happen. First understand that by default, a relay
server knows nothing about who valid recipients are. It knows to only
accept mail to your domains, but that's it. So, your relay server
receives a message to a nonexistent user in one of your domains. It
gets scanned by amavisd-new and is passed to your LDA. The LDA rejects
it, and so your gateway server composes a nice DSN and tries to send
it to the sender. The sender is of course bogus, so the DSN sits in
your deferred queue, and many delivery attempts occur over the next 5
days (Postfix default). Multiply this by 20,000 per day, and in about
a week or less you will have no gateway server. You have to use a
mechanism to reject mail (at the gateway) addressed to nonexistent
recipients. Doing so will drop the volume of mail in the deferred
queue by 90%, and will save you from scanning this garbage.
I'll bet you the postini server measures its queue lifetime in hours, not days.

Gary V
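Added example, not code from this thread or from the amavisd-new or Postfix projects: the script below shows the two halves of what Gary describes. First it turns an LDAP export into a `relay_recipients` table in the key/value text form that `postmap` compiles (to be listed in `relay_recipient_maps` in main.cf), then it models the gateway's RCPT TO decision with and without that table, so the difference between "accept anything in relay_domains and let the LDA bounce it later" and "reject unknown recipients at the gateway" is visible. The LDIF is constructed sample data; the attribute names `mail` and `mailAlternateAddress`, the domains, and the recipient batch are assumptions, not values from the thread.

```python
"""Build a Postfix relay_recipients table from an LDAP export and model the
gateway's RCPT TO check with and without relay_recipient_maps.

Added example (not from the thread). The LDIF is constructed sample data and
the attribute names/domains are assumptions about a hypothetical directory.
"""
from typing import List, Optional, Set

# Constructed LDIF export, in the shape `ldapsearch -LLL` prints (assumed schema).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com
mailAlternateAddress: a.smith@example.com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: Bob@Example.COM

dn: cn=sales,ou=groups,dc=example,dc=com
mail: sales@example.org
"""

RELAY_DOMAINS = {"example.com", "example.org"}  # hypothetical relay_domains
ADDRESS_ATTRS = ("mail", "mailAlternateAddress")  # assumed address attributes


def parse_ldif_addresses(ldif: str) -> Set[str]:
    """Collect every address attribute value, lower-cased, from an LDIF dump.

    Comments, continuation lines (leading space) and base64 values ("attr:: ...")
    are skipped; the latter do not occur in the constructed sample.
    """
    addresses: Set[str] = set()
    for line in ldif.splitlines():
        if ":" not in line or line.startswith(("#", " ")):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value, not handled here
            continue
        if attr.strip() in ADDRESS_ATTRS:
            addresses.add(value.strip().lower())
    return addresses


def render_relay_recipients(addresses: Set[str]) -> str:
    """Text of the lookup table as `postmap hash:relay_recipients` expects it."""
    return "".join(f"{addr} OK\n" for addr in sorted(addresses))


def rcpt_decision(rcpt: str, relay_domains: Set[str],
                  relay_recipients: Optional[Set[str]] = None) -> str:
    """Model the SMTP reply a Postfix relay gives at RCPT TO.

    relay_recipients=None models a gateway with no relay_recipient_maps: every
    address in a relay domain is accepted, scanned, and only bounced at the LDA.
    """
    rcpt = rcpt.strip().lower()
    domain = rcpt.rpartition("@")[2]
    if domain not in relay_domains:
        return "554 5.7.1 Relay access denied"
    if relay_recipients is not None and rcpt not in relay_recipients:
        return "550 5.1.1 User unknown in relay recipient table"
    return "250 2.1.5 Ok"


def accepted_for_scanning(rcpts: List[str], relay_domains: Set[str],
                          relay_recipients: Optional[Set[str]] = None) -> List[str]:
    """Recipients the gateway would accept and hand to amavisd-new and the LDA."""
    return [r for r in rcpts
            if rcpt_decision(r, relay_domains, relay_recipients).startswith("250")]


# Constructed batch: two real users mixed with dictionary-style guesses.
SAMPLE_BATCH = ["alice@example.com", "aaron@example.com", "abby@example.com",
                "bob@example.com", "x@other.net"]

if __name__ == "__main__":
    table = parse_ldif_addresses(SAMPLE_LDIF)
    print(render_relay_recipients(table), end="")
    print("without map:", accepted_for_scanning(SAMPLE_BATCH, RELAY_DOMAINS))
    print("with map:   ", accepted_for_scanning(SAMPLE_BATCH, RELAY_DOMAINS, table))
```

The rendered table is what a periodic job (cron, as the quoted text says it must run automatically) would write to `/etc/postfix/relay_recipients` before running `postmap` on it; the two `accepted_for_scanning` calls show that without the map every guessed local part in a relay domain is accepted and later turns into a deferred DSN, while with the map only the two real users get through to the scanner.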
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/