Noel Jones put forth on 3/7/2011 7:37 AM:
> On 3/7/2011 7:21 AM, Stan Hoeppner wrote:

>> I would suggest you grep your mail log for all outbound smtp connections
>> to these 10 IP addresses, and document all the recipient domains.  Then
>> add all these domains to your slow transport map.  If you still get
>> those 421 errors, completely disable concurrency.
> 
> Nice explanation and reasonable advice.

Thanks Noel.

> 
>> If you still get the
>> errors, you probably can't fix the problem until you upgrade to 2.5+ and
>> have access to rate delay controls.
> 
> Unfortunately, the newer postfix rate delay controls are still based on
> the recipient domain, not the MX destination.

Yeah.  He can absolutely fix his current problem with it.  But if he has
to configure huge delays to accomplish it, this obviously creates yet
more problems:  a backed up queue and mail not delivered in a timely manner.

> Maybe some clever firewall rules could help.

I recall Wietse talking about implementing something a while back
specifically for this case.  IIRC it was something like doing an
smtp_bind_address type thing with a bunch of smtp clients, each bound to a
different virtual IP all on a single NIC, and sending out all the IPs
round robin fashion to prevent "bad sender IP reputation".  My memory is
fuzzy on this.

In lieu of this, the best solution I can think of is going multi
instance, say 6 extra instances, 7 total.  The following is not a
complete step by step how-to but an overview of the basic steps required.

On the primary instance, remove all current restrictions you've put in
place WRT this Orange farm problem.  Bind 6 new additional IP addresses
as virtual NICs.  On the "primary" instance do smtp_bind_address to the
current existing IP address, and the same for inet_interfaces.  Do this
for each of the 6 new instances, so all 7 Postfix instances only use one
IP address each.

On each of the 6 new instances, leave smtp_connection_cache_on_demand
enabled, and set smtp_destination_concurrency_limit to 18.  This will
allow you to have 18 concurrent smtp connections for each of 10 (primary
Postfix instance) active queue destination domains hosted by the Orange
farm, 180 maximum smtp connections into the Orange farm.

Setup a round robin DNS A record, say "outboundlds.yourdomain.tld"
pointing to these 6 new IP addresses.  At the edge firewall limit the 6
new IPs to outbound TCP 25 traffic only.  Configure each of the 6 new
Postfix instances as minimally as possible, and to only accept
connections from the IP of the primary instance.  On the "primary"
instance, you will have a transport_map containing all domains for which
you've experienced concurrent delivery problems.

orange.fr       smtp:outboundlds.yourdomain.tld
wanadoo.fr      smtp:outboundlds.yourdomain.tld
...             smtp:outboundlds.yourdomain.tld
...             smtp:outboundlds.yourdomain.tld
...             smtp:outboundlds.yourdomain.tld

With this setup, you now have essentially an outbound farm of 6 Postfix
servers sending from 6 IP addresses to picky receivers.  As connection
concurrency checking is typically performed by smtpd's on an smtp client
IP address basis, and as each of those 10 Orange servers will allow 3
connections per IP address, you will now be able to have 18 concurrent
smtp connections to each of the 10 servers in that farm, or 180 total
concurrent connections.  Currently you can get 30 total connections
before they start flogging you.

I'd think a peak capacity of 180 concurrent connections should be enough
to fix your problem.

> Hmm, I'll wonder out loud if a check_recipient_mx_access table that
> returns FILTER slow: would help.  It would affect all recipients of a
> multi-recipient message, but maybe that would be acceptable.

I like my idea better.  ;)  But it is a kludge, and much more complex to
implement.  I've never done it, so it's possible what I've stated above
won't work, and was a big waste of my time combing through postconf5 and
Googling. :(

It sure would be nice if Postfix would simply round robin outbound smtp
connections across all inet_interfaces by default, or have a main.cf
option allowing an OP to enable such a thing easily.  If such a thing is
already in postconf5 I couldn't find it.  Using multiple instances to
simply accomplish outbound connection balancing across multiple
interface IPs is overkill.

-- 
Stan

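Stan's outline above, written out as a small configuration generator. This is an added example and not code from the original message or from the Postfix project; the addresses (192.0.2.0/24 is a documentation range), the name outboundlds.example.net, the /etc/postfix-outN paths and the two domains in the transport map are assumed for illustration. It emits each outbound instance's main.cf, the primary's additions and the transport map into a scratch directory so they can be reviewed before anything is copied into place.

```shell
#!/bin/sh
# Added example, not from the original message: generate the main.cf settings
# and the transport map for the "1 primary + 6 outbound instances" layout.
# All addresses, hostnames and paths are hypothetical; output goes to a
# scratch directory, never to /etc/postfix.

PRIMARY_IP=192.0.2.10                  # the existing address, stays on the primary
FARM_HOST=outboundlds.example.net      # round-robin A record pointing at FARM_IPS
FARM_IPS="192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.15 192.0.2.16"

# main.cf for one outbound instance.  Arguments: instance number, its IP.
# Each instance listens on and sends from exactly one address, accepts mail
# only from the primary, and runs at most 18 parallel deliveries per destination.
farm_instance_main_cf() {
    inst=$1
    addr=$2
    cat <<EOF
# hypothetical location: /etc/postfix-out$inst/main.cf
queue_directory = /var/spool/postfix-out$inst
# data_directory is a Postfix 2.5+ parameter; older versions only warn about it
data_directory = /var/lib/postfix-out$inst
syslog_name = postfix-out$inst
myhostname = out$inst.example.net
inet_interfaces = $addr
smtp_bind_address = $addr
# only the primary instance may relay through this one
mynetworks = $PRIMARY_IP/32
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = permit_mynetworks, reject
relay_domains =
smtp_connection_cache_on_demand = yes
smtp_destination_concurrency_limit = 18
EOF
}

# main.cf additions for the primary: keep its single IP and hand the picky
# domains to the farm through transport_maps.
primary_main_cf() {
    cat <<EOF
inet_interfaces = $PRIMARY_IP
smtp_bind_address = $PRIMARY_IP
transport_maps = hash:/etc/postfix/transport
EOF
}

# transport map: every listed domain -> the farm name.  The brackets skip the
# MX lookup for the name; its A records are tried in random order
# (smtp_randomize_addresses = yes is the default), which spreads the
# primary's connections across the six instances.
transport_map() {
    for dom in "$@"; do
        printf '%s\tsmtp:[%s]\n' "$dom" "$FARM_HOST"
    done
}

# write everything under $1 as a tree of postfix*/ directories
write_all() {
    out=$1
    mkdir -p "$out/postfix"
    primary_main_cf > "$out/postfix/main.cf.additions"
    # constructed domain list; extend it with whatever the mail log shows
    transport_map orange.fr wanadoo.fr > "$out/postfix/transport"
    n=1
    for ip in $FARM_IPS; do
        mkdir -p "$out/postfix-out$n"
        farm_instance_main_cf "$n" "$ip" > "$out/postfix-out$n/main.cf"
        n=$((n + 1))
    done
}

# stand-alone run: write to the directory given, or to a fresh scratch directory
scratch=${1:-$(mktemp -d)}
write_all "$scratch"
find "$scratch" -type f | sort
```

Each outbound instance still needs its own master.cf (a copy of the primary's is enough) and is started with `postfix -c /etc/postfix-outN start`; the transport map is compiled with `postmap hash:/etc/postfix/transport`. One thing to check before counting on the 180 figure: the queue manager counts concurrency per transport and nexthop, and this map sends every picky domain to the same nexthop, so the primary's default smtp_destination_concurrency_limit of 20 is what bounds how many deliveries it hands to the farm at once; raise it for a dedicated master.cf transport (its own name_destination_concurrency_limit) or route the domains to differently named nexthops if that turns out to be the bottleneck.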