[CentOS] sendmail mail relay backscatter issue.
Les Mikesell
lesmikesell at gmail.com
Thu Feb 4 16:19:45 UTC 2010
On 2/4/2010 9:09 AM, Simon Billis wrote:
> Hi,
>>> I would question how "real time" that would be for every email for 6k+
>>> domains. If a few have a large client base, or are expecting responses
>>> from a mass emailing, it might start to take a *while*, unless you've got
>>> pretty heavy duty equipment and networking.
>>
>> It's the same thing the downstream server is going to have to repeat in
>> just a moment anyway, but this time it doesn't have to do the other steps.
>> If you are close to capacity already it might push you over the edge - and
>> be worth scripting a way to maintain that frontend virtuser table that
>> makes it a near-instant hash lookup for the relay sendmail. But for the
>> relay it will be a win either way to avoid the much heavier load of
>> spam-scanning stuff to invalid recipients and making the downstream
>> servers construct bounces.
>
> I hadn't looked at it like that, you may be right, the reduction in scanning
> may provide enough capacity to handle the additional workload from perl. I
> think that I would prefer to have sendmail do the "rcpt to:" rejection
> utilising a map as this I think will be the fastest method, so I'll check
> out the virtusertable approach.

I recommend MimeDefang in any case because it uses a very efficient
multiplexing technique to let sendmail interleave fast/slow operations
with a minimum of long-running perl processes doing the milter
operations - and since spamassassin is perl it runs it internally. See
page 31 of this pdf:
http://www.mimedefang.org/static/mimedefang-lisa04.pdf. And, it lets you
control most things in a small chunk of perl instead of fighting with
sendmail. There are RPMs for it and clamav at rpmforge.

But, even with MimeDefang it will help to reject everything you can up
front. To use virtusertable you have to add the domains you accept for
to the local_host_names - which may then require some tweaking to
arrange actual delivery, perhaps through mailertable if you aren't
already mapping to some other internal host's A record name. Then you
can do things like:

# make domain2.com equivalent to domain1.com
@domain2.com            %1%3@domain1.com
# reject domain3.com (might be a CNAME that inherits the MX)
@domain3.com            error:nouser No such user here
# accept known addresses for domain1.com and set internal target
realuser1@domain1.com   realuser1@deliveryhost.com
realuser2@domain1.com   realuser2@deliveryhost.com
# reject anything else for domain1.com
@domain1.com            error:nouser No such user here

--
Les Mikesell
lesmikesell at gmail.com
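
The thread mentions scripting the upkeep of the frontend virtusertable so the relay can refuse unknown recipients at "rcpt to:" time. The following is an added example, not part of the original post: the function name and input layout are hypothetical, and the domains are the placeholders used in the message above.

```python
"""Build a sendmail virtusertable from per-domain recipient lists (added example)."""
import re

# Conservative patterns checked with fullmatch(): no whitespace, '@', ':' or
# control characters, so an exported address cannot smuggle in an extra entry.
LOCAL_RE = re.compile(r"[A-Za-z0-9._+-]+")
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
REJECT = "error:nouser No such user here"


def build_virtusertable(recipients, delivery_host, aliases=None, rejected=()):
    """Return virtusertable text (hypothetical helper, not a sendmail tool).

    recipients: {domain: iterable of valid local parts}
    aliases:    {alias_domain: real_domain}, mapped with %1%3 as in the post
    rejected:   domains for which every address is refused
    """
    aliases = aliases or {}
    for d in [delivery_host, *recipients, *aliases, *aliases.values(), *rejected]:
        if not DOMAIN_RE.fullmatch(d):
            raise ValueError(f"bad domain: {d!r}")
    lines = [f"@{a.lower()}\t%1%3@{r.lower()}" for a, r in sorted(aliases.items())]
    lines += [f"@{d.lower()}\t{REJECT}" for d in sorted(rejected)]
    for domain, users in sorted(recipients.items()):
        domain = domain.lower()
        seen = set()
        for user in users:
            if not LOCAL_RE.fullmatch(user):
                raise ValueError(f"bad local part: {user!r}")
            seen.add(user.lower())  # lower-case so duplicates collapse to one key
        for user in sorted(seen):
            lines.append(f"{user}@{domain}\t{user}@{delivery_host}")
        # Per-domain catch-all: anything not listed above is refused.
        lines.append(f"@{domain}\t{REJECT}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample data using the placeholder names from the post.
    print(build_virtusertable(
        {"domain1.com": ["realuser1", "realuser2", "RealUser1"]},
        delivery_host="deliveryhost.com",
        aliases={"domain2.com": "domain1.com"},
        rejected=["domain3.com"],
    ), end="")
```

The output is the text form of the table; it still has to be compiled with makemap into the hash map that sendmail consults.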