Looks like a good plan.

On the two "relay" servers I would set up Postfix to do a verify on the
incoming mail addr. using reject_unverified_recipient and also set
outgoing e-mail to go through the relays as well.


Milton

On Fri, 2005-07-22 at 09:21 -1000, Clifton Royston wrote:
> On Fri, Jul 22, 2005 at 12:35:04AM -0400, Matt Juszczak wrote:
> > OK, I think I've made a final decision on what I'd like to do.
> > 
> > I think I'm going to set up two of the 1U boxes we have (the 3.06 GHz 
> > machines with IDE drives). I'm going to call one "relay1" and one "relay2".
> > 
> > I'm going to set up MX records for the 500+ domains we have. Half of them 
> > will have relay1 as their primary and half of them will have relay2 as 
> > their primary. The remaining server will be set as secondary MX.
> > 
> > These two 1U boxes will be IDENTICAL and have support for ALL domains. 
> > Upon processing of spam and antivirus, each box will then relay the mail 
> > directly to the mail server. All the mail server will do is receive the 
> > processed emails and deliver them.
> 
>   Excellent plan; this is pretty much optimal.  If I'd realized you had
> two machines to spare, I would have recommended this.
>  
> > The reason I decided this is for a few reasons:
> ...
> 
>   All good reasons.
> 
> > Please let me know what all of you think about this final idea. In the 
> > end it leaves me with a three server setup but at least things will be a 
> > bit more spread out, and I'll have nice backup processing servers.
> 
>   The one catch in this suggestion is that the more sophisticated
> variety of both viruses and spammers will try to go around your spam
> filter servers to hit your mailserver directly.  This can mean getting
> totally hammered during a major virus outbreak.  Several strong
> suggestions:
> 
> 1) Don't list your end mailserver as an MX record; use Postfix
> transports to route it directly from your antispam filter to your
> mailserver.
> 
> 2) Once everything is working right, firewall inbound SMTP connections
> from outside your IP space or restrict them via an access list.
> 
> 3) Optionally, name your mailserver something other than "mail", "mta",
> "mx", etc. because those names are part of what they will look for in
> DNS.
>   -- Clifton
> 
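
The setup discussed in this thread, sketched as Postfix configuration. This is an added example, not part of the original messages; all hostnames, domains, IP addresses and file paths are placeholders chosen for illustration.

```conf
# ---- relay1 and relay2: /etc/postfix/main.cf ------------------------------
# Domains the relays accept mail for (one "example.com OK" line per domain).
relay_domains = hash:/etc/postfix/relay_domains

# Hand accepted mail straight to the backend; no MX lookup is involved,
# so the backend never needs to appear in public DNS as an MX.
transport_maps = hash:/etc/postfix/transport

# Backend address (placeholder) is trusted so its outgoing mail can be
# sent out through the relays.
mynetworks = 127.0.0.0/8, 192.0.2.20/32

# Order matters: trusted clients first, then refuse open relaying, then
# probe the backend to confirm the recipient exists before accepting.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Persist probe results so each address is not re-probed per message.
address_verify_map = btree:/var/lib/postfix/verify_cache

# Default is 450 (temporary failure). Switch to 550 only after confirming
# that the backend rejects unknown recipients during the SMTP dialogue.
unverified_recipient_reject_code = 550

# ---- relay1 and relay2: /etc/postfix/transport ----------------------------
# Square brackets suppress MX lookups for the next hop.
# Run "postmap /etc/postfix/transport" after editing.
#
#   example.com    smtp:[store1.internal.example]:25
#   example.org    smtp:[store1.internal.example]:25

# ---- backend mailserver: /etc/postfix/main.cf -----------------------------
# Send all outgoing mail via a relay instead of delivering directly.
relayhost = [relay1.example.net]

# Accept SMTP only from the two relays (placeholder addresses). Pair this
# with a firewall rule that blocks inbound port 25 from everywhere else.
mynetworks = 127.0.0.0/8, 192.0.2.11/32, 192.0.2.12/32
smtpd_client_restrictions = permit_mynetworks, reject
```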



_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/