[CentOS] sendmail mail relay backscatter issue.

Thu Feb 4 16:19:45 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 2/4/2010 9:09 AM, Simon Billis wrote:
> Hi,
>>> I would question how "real time" that would be for every email for 6k+
>>> domains. If a few have a large client base, or are expecting responses
>>> from a mass emailing, it might start to take a *while*, unless you've got
>>> pretty heavy duty equipment and networking.
>>
>> It's the same thing the downstream server is going to have to repeat in just a
>> moment anyway, but this time it doesn't have to do the other steps.  If you are
>> close to capacity already it might push you over the edge - and be worth
>> scripting a way to maintain that frontend virtuser table that makes it a
>> near-instant hash lookup for the relay sendmail.  But for the relay it will be a
>> win either way to avoid the much heavier load of spam-scanning stuff to invalid
>> recipients and making the downstream servers construct bounces.
>
> I hadn't looked at it like that, you may be right, the reduction in scanning
> may provide enough capacity to handle the additional workload from perl. I
> think that I would prefer to have sendmail do the "rcpt to:" rejection
> utilising a map as this I think will be the fastest method, so I'll check
> out the virtusertable approach.

I recommend MimeDefang in any case because it uses a very efficient 
multiplexing technique to let sendmail interleave fast/slow operations 
with a minimum of long-running perl processes doing the milter 
operations - and since spamassassin is perl it runs it internally. See 
page 31 of this pdf:
http://www.mimedefang.org/static/mimedefang-lisa04.pdf. And, it lets you 
control most things in a small chunk of perl instead of fighting with 
sendmail.  There are RPMs for it and clamav at rpmforge.

But, even with MimeDefang it will help to reject everything you can up 
front.  To use virtusertable you have to add the domains you accept for 
to the local_host_names - which may then require some tweaking to 
arrange actual delivery, perhaps through mailertable if you aren't 
already mapping to some other internal host's A record name.  Then you 
can do things like:

# make domain2.com equivalent to domain1.com
@domain2.com            %1%3@domain1.com
# reject domain3.com (might be a CNAME that inherits the MX)
@domain3.com            error:nouser  No such user here

# accept known addresses for domain1.com and set internal target
realuser1@domain1.com   realuser1@deliveryhost.com
realuser2@domain1.com   realuser2@deliveryhost.com
# reject anything else for domain1.com
@domain1.com            error:nouser  No such user here
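As an added illustration (not from the post, and not sendmail's own code), a small Python model of the RCPT TO verdict these virtusertable entries produce: exact user@domain entries win over the @domain catch-all, %1/%2/%3 are expanded, and a rewritten address is looked up again, which is an assumption about how sendmail re-parses the result. Domains and users are the hypothetical ones from the post.

```python
# Constructed virtusertable using the post's hypothetical domains (" at "
# restored to "@"; the final catch-all points at domain1.com).
VIRTUSERTABLE = """
@domain2.com            %1%3@domain1.com
@domain3.com            error:nouser No such user here
realuser1@domain1.com   realuser1@deliveryhost.com
realuser2@domain1.com   realuser2@deliveryhost.com
# reject anything else for domain1.com
@domain1.com            error:nouser No such user here
"""

def parse_table(text):
    """'key<whitespace>value' per line; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, rhs = line.split(None, 1)
            table[key.lower()] = rhs.strip()
    return table

def lookup_once(table, addr):
    """One lookup in sendmail's documented order: user+detail@domain,
    user+*@domain, user@domain, then the @domain catch-all."""
    local, domain = addr.lower().rsplit("@", 1)
    user, plus, detail = local.partition("+")
    keys = [f"{local}@{domain}"]
    if plus:
        keys += [f"{user}+*@{domain}", f"{user}@{domain}"]
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            rhs = table[key]
            if rhs.startswith("error:"):          # "error:code SMTP text"
                return "reject", rhs.split(None, 1)[1]
            # %1 = user, %2 = detail, %3 = detail with its leading '+'
            return "accept", rhs.replace("%1", user).replace("%2", detail).replace("%3", plus + detail)
    return None, None                              # no entry: not decided here

def rcpt_to(table, addr, max_hops=5):
    """Verdict for RCPT TO:<addr>. A rewritten address is looked up again
    (assumed to model sendmail re-parsing the result), bounded by max_hops."""
    result = (None, None)
    for _ in range(max_hops):
        verdict, value = lookup_once(table, addr)
        if verdict is None:                        # no further entry: last result stands
            return result
        result = (verdict, value)
        if verdict == "reject" or value == addr:
            return result
        addr = value
    return "reject", "address rewriting loop"

TABLE = parse_table(VIRTUSERTABLE)
```

A (None, None) verdict means virtusertable had no entry, so the address falls through to sendmail's normal local/relay checks instead.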

-- 
   Les Mikesell
    lesmikesell at gmail.com