We have 1 box facing the internet, and a bunch of boxes to handle pop3/SA/Clam.
For 10k email addresses, we had until recently a duron700 with 384MB facing the internet, and it worked fine. We just upgraded it to an athlon 1100 with 1GB. This runs postfix, rejects some network blacklisted email, rejects invalid users, and passes it to various inside servers based on the first letter of the user's email address. We use the virtual table to do this, other people might use ldap. This lets us have anywhere from 1 to 27 servers doing the heavy duty work.

/usr/local/mis/dns/etc/passwd.end is a file regularly rsync'd from our main server holding people's accounts/aliases/webpages/SA settings.

mx1:/etc/postfix # crontab -l
*/30 * * * * /usr/local/mis/sbin/mirror.mis

mx1:/etc/postfix # more /usr/local/mis/sbin/mirror.mis
#!/bin/bash
rsync -avW --stats [EMAIL PROTECTED]::mcn.mis /usr/local/mis/dns
echo processing passwd into virtual file
/usr/local/mis/sbin/passwd2virtual > /etc/postfix/virtual.temp
echo processing aliases into virtual file
cat /usr/local/mis/dns/etc/aliases.full >> /etc/postfix/virtual.temp
echo -e "[EMAIL PROTECTED] [EMAIL PROTECTED]" >>/etc/postfix/virtual.temp
cp -f /etc/postfix/virtual.temp /etc/postfix/virtual
echo rebuilding db
/usr/sbin/postmap /etc/postfix/virtual

mx1:/etc/postfix # cat /usr/local/mis/sbin/passwd2virtual
#!/bin/bash
echo midcoast.com virtual
# usernames that do not start with a digit
for lusername in `grep -v '^[0-9]' /usr/local/mis/dns/etc/passwd.end |cut -d: -f1` ; do
    # first character of the username (cut positions are numbered from 1)
    letter=`echo "$lusername" |cut -b1`
    echo [EMAIL PROTECTED] [EMAIL PROTECTED]
done
# usernames that start with a digit
for lusername in `grep '^[0-9]' /usr/local/mis/dns/etc/passwd.end |cut -d: -f1` ; do
    letter=`echo "$lusername" |cut -b1`
    echo [EMAIL PROTECTED] [EMAIL PROTECTED]
done

Thus, if it's not in the virtual file, it doesn't get through to the boxes with SA.

The boxes with SA/Clam/pop3 are pretty beefy. A dual 1ghz PIII won't go far. It's almost all CPU bound for SA/Clam. (SA using most of it). More rules and tests = more thorough spam detection for the most part.
We have some boxes as dual opteron 246 with 2GB, and other boxes are 2600xp machines with 1GB. Keeping it fast will let it process a queue more quickly if it has cpu cycles to spare.

We use DNS A records to direct various letters email to specific physical machine IP addresses. a.mail.midcoast.com and b.mail.midcoast.com might go to different machines.

Perdition does pop3 redirecting based on username (or any other criteria) for the customer access.

If you don't want to develop a complicated distributed system and don't expect more than 4000 email boxes, just throw outright CPU horsepower at it.

On Wed, Jan 18, 2006 at 03:12:32PM -0700, Alan Fullmer wrote:
> Yes they are rejecting mail for unknown users.
>
> However, currently I have it discard flagged spam, rather than reject it.
> Granted there are some that SA does not catch, therefore go into the whole
> limbo situation.
>
> I currently have no way for this machine to check the validity of a user. :(
> It resides on the 3rd box and by then it's already 'processed it'.
>
> I'm almost now wondering if there is another issue I may have overlooked.
> If you're running that on one machine, makes me wonder. I will investigate
> on that part.
>
>
> -Alan Fullmer
> www.xnote.com
> www.zoobuh.com
>
>
> -----Original Message-----
> From: Bowie Bailey [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 18, 2006 2:44 PM
> To: 'SpamAssassin Users'
> Subject: RE: Load Balancing with Postfix [and SpamAssassin]
>
> Alan Fullmer wrote:
> >
> > The setup works, however I get so backlogged. For example, running a
> > mailq as we speak, comes up with:
> > 35918 Kbytes in 5257 Requests.
> >
> > It eventually gets through, and during the night it catches up. I am
> > seeing delays up to 3 hours sometimes. I tail -f the maillog file
> > and it's constantly running, so there is definitely activity.
> > Running top indicates 4 main processes with spamd indicating the
> > slowdown is, indeed, with SpamAssassin. I originally thought it
> > might have something to do with the Bayes database, but for fun, I
> > deleted it to see what would happen. Same result.
> >
> > I am running a dual P3 1ghz machine currently and have plans to
> > upgrade that to a dual xeon 3ghz. However, I know this is only a
> > temporary solution and at this point I'm not sure that it's enough.
>
> Are your gateway machines rejecting mail for unknown users?
>
> If the two SA boxes are accepting all mail for the domain, then they
> have to scan mail that will never be delivered. Even worse, once your
> mailbox machine rejects the mail, you will have to generate a bounce
> message. And if the email had a faked From address, this bounce message
> will be undeliverable and will sit in your queue until it times out and
> generates a double-bounce to postmaster.
>
> I went from three virus scanning machines and a separate mailbox
> machine, to a single machine that runs ClamAV and SpamAssassin as well
> as hosting the mailboxes.
>
> --
> Bowie

--
/*
Jason Philbrook | Midcoast Internet Solutions - Internet Access,
KB1IOJ          | Hosting, and TCP-IP Networks for Midcoast Maine
http://f64.nu/  | http://www.midcoast.com/
*/
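
Added example, not part of the original message or Midcoast's own scripts: a variant of the passwd2virtual/mirror.mis step described above that refuses to install a new virtual table when the synced account file yields too few entries, and swaps the file in by rename. The domain example.com, the user@<first char>.mail.DOMAIN entry format, the function names and the sample accounts are all assumptions made for illustration.

```bash
#!/bin/bash
# Added example. DOMAIN and the <first char>.mail.DOMAIN routing format are
# assumptions; all account data below is constructed.
DOMAIN="example.com"

# gen_virtual FILE: one "user@DOMAIN user@<first char>.mail.DOMAIN" line per account.
gen_virtual() {
    awk -F: -v d="$DOMAIN" '
        # Only plain account names; blank lines, comments and odd characters are skipped.
        $1 ~ /^[a-z0-9][a-z0-9._-]*$/ {
            printf "%s@%s %s@%s.mail.%s\n", $1, d, $1, substr($1, 1, 1), d
        }' "$1"
}

# build_virtual FILE OUT MIN: install OUT only when at least MIN accounts were found,
# so a failed or truncated rsync cannot swap in an empty table (which would make the
# gateway reject every recipient). Run postmap on OUT afterwards, as mirror.mis does.
build_virtual() {
    bv_tmp=$(mktemp "$2.XXXXXX") || return 1
    { echo "$DOMAIN virtual"; gen_virtual "$1"; } > "$bv_tmp"
    bv_count=$(awk 'END { print NR - 1 }' "$bv_tmp")   # minus the header line
    if [ "$bv_count" -lt "$3" ]; then
        rm -f "$bv_tmp"
        return 1
    fi
    chmod 644 "$bv_tmp"
    mv -f "$bv_tmp" "$2"    # rename within one directory: readers never see a partial file
}

# Constructed passwd-style sample: three accounts, a comment and a blank line.
sample_passwd() {
    printf '%s\n' \
        'alice:x:1001:100::/home/alice:/bin/false' \
        '4runner:x:1002:100::/home/4runner:/bin/false' \
        '# not an account' \
        '' \
        'bob:x:1003:100::/home/bob:/bin/false'
}

# Demo: build into a scratch directory and show the result.
demo_dir=$(mktemp -d)
sample_passwd > "$demo_dir/passwd.end"
build_virtual "$demo_dir/passwd.end" "$demo_dir/virtual" 2 && cat "$demo_dir/virtual"
rm -rf "$demo_dir"
```

In a cron job the minimum would be set a little below the known account count, and a non-zero return from build_virtual would skip the postmap step and leave the previous table in place.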