On 11/30/2012 7:27 AM, Tomas Macek wrote:
> On Fri, 30 Nov 2012, Wietse Venema wrote:
>> Strange, do you really expect Postfix to flip status immediately
>> when load drops under the limit, or do you expect it to behave in
>> a more rational manner and announce that "peace has come" when the
>> load has stayed under the limit for some minimal amount of time?
>
> And what is the minimal amount of time? I'm still unable to find it, how
> much time that means.

Tomas, there is a really easy solution to this problem of yours, and it doesn't take in-depth technical understanding of the inner workings of Postfix to achieve it. Simply physically separate your inbound public SMTP traffic from your user submission relay traffic. I.e. set up a separate dedicated box that ONLY performs submission on TCP 587 with auth and outbound relay. I.e. disable the smtpd server on TCP 25. And implement Postscreen on the current public SMTP server.

Inform your clients that the change will be complete in 14 days, or whatever time frame you choose, and that they must switch submission to the new IP+port with username and password before that deadline. After the deadline, disable submission/relaying on the public SMTP server, forcing stragglers to convert to using the new submission server.

Separating these functions doesn't require a second physical server, but it has a number of advantages for you and your users. First is that it fixes the problem of high public SMTP traffic causing problems for submissions. Second, if you have to take one server down for hardware maintenance only one function goes down, not both. Third, if desired, you can locate the two servers in different locations, on different networks. Etc, etc.

Many orgs with high traffic loads separate the public SMTP and user submission functions onto separate boxes. Some have entire farms of servers dedicated to each function.

--
Stan
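
The split described in the message above, sketched as Postfix configuration. This is an added example, not part of the original post and not the poster's own configuration. It uses stock Postfix service names and parameters and assumes /etc/postfix as the config directory, TLS and SASL backends already set up in main.cf, and a `mynetworks` value chosen for illustration.

```conf
# === Dedicated submission server: /etc/postfix/master.cf (constructed example) ===
# The port 25 listener is commented out, so this box takes no public SMTP.
#smtp      inet  n       -       n       -       -       smtpd
# Port 587 only: TLS required, SASL auth required, everyone else rejected.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# === Public MX server: /etc/postfix/master.cf (constructed example) ===
# postscreen (Postfix 2.8 or later) owns port 25 and passes clients that
# survive its checks to the real smtpd over the "pass" service.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
# No "submission" service on this box once the migration deadline has passed.

# === Public MX server: /etc/postfix/main.cf, after the deadline ===
# Stop relaying for clients: no SASL logins, and only the local host is
# trusted (assumed value; adjust if other internal hosts must relay here).
smtpd_sasl_auth_enable = no
mynetworks = 127.0.0.0/8
```

Run `postfix check` and then `postfix reload` on each server after editing its files.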