On 17.09.2014 at 21:10, Jari Fredriksson wrote:
> What kind of simple load balancers are you using? I have been using just
> DNS multiple address but that does not work any more. Something a *bit*
> more intelligent is needed

have you considered how to reduce the amount making it to SA at all?

3 weeks of production show that most can be rejected by the MTA, which greatly reduces the need for load balancing

in my case Postfix/Postscreen with a bundle of RBLs with different weights to avoid false positives and a honeypot-mx answering in any case with 450

the honeypot-mx catches a lot of botnet crap never connecting to the real MX, and i also saw enough not blocked by RBLs at the first connect but on the retry to the primary MX

below some numbers from this week

* per day around 3000 legit mail
* SA blocked 949 messages
* 67396 rejected by postscreen
* 2791 rejected by postfix (making it through postscreen)
* 66220 RBL rejects out of the 67396 postscreen ones
* 1942 is crap talking too early (postscreen_greet_wait)

in fact most connections are not making it to smtpd at all

some of the DNSBL/DNSWL are internal ones or mirrored on an internal 'dnsrbld' to reduce WAN load, i would suggest looking at the postfix-docs for some options below
_____________________________________________________________________

postscreen_cache_retention_time = 7d
postscreen_bare_newline_ttl = 7d
postscreen_greet_ttl = 7d
postscreen_non_smtp_command_ttl = 7d
postscreen_pipelining_ttl = 7d
postscreen_dnsbl_ttl = 15m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:10}s
postscreen_whitelist_interfaces = !<honeypot-ip>, static:all
postscreen_dnsbl_sites =
 dnsbl.thelounge.net*16
 dnsbl.sorbs.net=127.0.0.10*8
 zen.spamhaus.org=127.0.0.[10;11]*8
 b.barracudacentral.org*7
 dnsbl.inps.de*7
 dnsbl.sorbs.net=127.0.0.5*6
 zen.spamhaus.org=127.0.0.[4..7]*6
 bl.mailspike.net*4
 bl.spamcop.net*4
 bl.spameatingmonkey.net*4
 dnsbl-ix.thelounge.net*4
 dnsrbl.swinog.ch*4
 zen.spamhaus.org=127.0.0.3*4
 dnsbl-surriel.thelounge.net*3
 dnsbl-uce.thelounge.net*3
 zen.spamhaus.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.6*2
 dnsbl.sorbs.net=127.0.0.9*2
 dnsbl-backscatterer.thelounge.net*1
 dnswl-whitelisted-org.thelounge.net*-2
 list.dnswl.org=127.0.[0..255].0*-2
 dnswl-aggregate.thelounge.net=127.0.0.5*-3
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5
 dnswl-aggregate.thelounge.net=127.0.0.4*-8
 dnswl-aggregate.thelounge.net=127.0.0.3*-16
 dnswl-aggregate.thelounge.net=127.0.0.2*-24
_____________________________________________________________________

spamfilter-general-stats.sh

Connections:     84415
Delivered:       9637
Invalid User:    1427
Rejected-1:      67396
Rejected-2:      2791
Blacklist:       66220
Pregreet:        1942
Protocol Error:  809
Spamfilter:      949
Virus:           52
Helo:            152
Subject:         10
Attachment:      18
Sender Blocked:  111
Sender Invalid:  103
Sender Spoofed:  509
PTR Missing:     511
PTR Generic:     144
SPF:             1
_____________________________________________________________________

spamfilter-honeypot-stats.php

Default-MX:     18535
Honeypot-MX:    8774
Honeypot-Only:  7321
_____________________________________________________________________

dnsblcount.sh

spamhaus.org          40305
barracudacentral.org  12764
sorbs.net             7407
inps.de               5407
thelounge.net         185
manitu.net            63
mailspike.net         57
spamcop.net           21
psbl.org              7
swinog.ch             4
spameatingmonkey.net  2
uceprotect.net        1
=================================
Total DNSBL rejections: 66223