On 2015-2-17 18:19, John Von Essen wrote:
> I have two filtering gateways, on a public WAN, they receive the raw
> email, filter it, then relay it to my main mail server - which also
> sits on the same WAN. All three machines are publicly accessible and
> running no firewall. For performance reasons, I'd like to not run a
> software firewall on the mail server.
Erm... what sort of "performance reason" is that? Sendmail happily forks for every incoming connection, thinking "oh joy it's another email, that's probably important so I'd better fork". Anything you do afterwards to reject the connection is going to be very costly because of the fork, no matter how you solve it.

Doing the same with iptables is practically a no-brainer for the kernel. Simply drop the SYN packet. Software firewalls do not put a big load on servers, unless you're doing something silly (e.g. do not use connection tracking. You wouldn't need to in this case).

Or as others have suggested, use RFC 1918 non-routable IP space on a separate VLAN interface to shield your internal mail server.

-- 
Jan-Pieter Cornet <joh...@xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice." - Grey's Law
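The stateless "just drop the SYN" approach described in the reply above, as an added example that is not part of the original post: a small script that emits an iptables rule set which skips connection tracking for SMTP and lets only the two filtering gateways open connections to port 25. The gateway addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing list post. Emits iptables rules for
# a mail server that should accept SMTP only from its two filtering
# gateways. Addresses are constructed placeholders; replace with your own.
GATEWAYS="192.0.2.10 192.0.2.11"

# Print the rules rather than applying them; review, then pipe into sh as root.
smtp_rules() {
    # Skip connection tracking for SMTP entirely: the state table is the
    # costly part of a software firewall, and a SYN-only filter needs none.
    echo "iptables -t raw -A PREROUTING -p tcp --dport 25 -j NOTRACK"
    echo "iptables -t raw -A OUTPUT -p tcp --sport 25 -j NOTRACK"
    # Each gateway may open a connection (SYN) to port 25.
    for gw in $GATEWAYS; do
        echo "iptables -A INPUT -p tcp -s $gw --dport 25 --syn -j ACCEPT"
    done
    # Any other connection attempt to port 25 is dropped in the kernel,
    # before sendmail ever gets the chance to fork for it.
    echo "iptables -A INPUT -p tcp --dport 25 --syn -j DROP"
}

# Sanity check before applying: one ACCEPT rule per gateway.
accept_count() {
    smtp_rules | grep -c -- '-j ACCEPT'
}

# Count the DROP rules; exactly one catch-all is expected.
drop_count() {
    smtp_rules | grep -c -- '-j DROP'
}
```

Non-SYN packets to port 25 from unknown hosts are left to the TCP stack, which answers them with a reset because no connection exists, so no state table is needed.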
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang