On Aug 25, 2006, at 12:57 PM, Brett Glass wrote:
> A company for whom I do consulting has a FreeBSD mail server.
> Because they're being deluged with connections from spammers (who
> have responded to the increasing use of "graylisting" by ordering
> their armies of bots to try again and again even when spam is
> rejected), they've subscribed to some DNS blacklists and set
> Sendmail to limit the number of processes it can spawn at any one
> time. This reduces the load on the system due to spamming, but also
> prevents internal users from getting the mail server's attention
> when they want to send legitimate outgoing mail.
>
> What's the best way to set things up so that more trusted, internal
> users can access their own instance of Sendmail (with less
> restrictive process limits, no blacklist checks, etc.) while the
> outside world sees an instance of Sendmail with blacklisting,
> process limits, connection limits, load limits, etc.? Will there be
> problems with file locking, queues, etc. if a third instance of
> Sendmail is started on a standard FreeBSD install (which normally

You should consider configuring a firewall to limit the number of
incoming SMTP connections permitted to something less than the max
number of sendmail processes you want to run in parallel, so internal
users will always have some sendmail instances available to service

You could also configure an external and an internal mailserver,
have the internal mailserver be entirely firewalled from outside so
that internal users and internal email are handled there without
issues, and just worry about tuning the external mailserver which
will then only need to do SMTP relaying and anti-spam stuff for the
external mail traffic rather than serve dual-duty as a reader box.

There is no issue with setting up as many additional queue groups and
queue runners as you need to; there are some significant advantages
to switching to deferred delivery mode and using queue groups tuned
for legit internal mail and for mail that they exchange with well-
known places like MSN or AOL and with their main clients.

> And where's the option that tells Sendmail to listen only on a
> particular interface? (This should be on the man page, but isn't.)

The complete docs for sendmail don't really fit into even the 1044
page O'Reilly book; surely you jest if you expect to find complete
docs within the manpage. Wander by
/usr/src/contrib/sendmail/cf/README, and look for the
DAEMON_OPTIONS() section or perhaps the confDONT_PROBE_INTERFACES
config options...
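
The DAEMON_OPTIONS() and confDONT_PROBE_INTERFACES settings mentioned in the reply, sketched as two .mc fragments for separate external and internal instances. This is an added example, not part of the original message; the addresses, pid file paths, limit values and the DNSBL host name are assumptions.

```m4
dnl ---- external.mc (constructed example): the listener the outside world sees ----
dnl 192.0.2.10 is a placeholder for the external interface address.
dnl Without no_default_msa the MSA still listens on port 587 on every address;
dnl cf/README says to declare it before DAEMON_OPTIONS.
FEATURE(`no_default_msa')dnl
dnl Do not probe local interfaces and adopt their names/addresses automatically.
define(`confDONT_PROBE_INTERFACES', `True')dnl
dnl Bind the SMTP listener to the external address only.
DAEMON_OPTIONS(`Name=MTA-ext, Family=inet, Addr=192.0.2.10, Port=smtp')dnl
dnl Separate pid file so the two daemons do not overwrite each other's (assumed path).
define(`confPID_FILE', `/var/run/sendmail-ext.pid')dnl
dnl Restrictive limits for untrusted traffic (values are illustrative).
define(`confMAX_DAEMON_CHILDREN', `20')dnl
define(`confCONNECTION_RATE_THROTTLE', `5')dnl
define(`confREFUSE_LA', `8')dnl
dnl Blacklist lookups apply to this instance only (placeholder zone).
FEATURE(`dnsbl', `dnsbl.example.org')dnl

dnl ---- internal.mc (constructed example): the listener for trusted users ----
dnl 10.0.0.10 is a placeholder for the internal interface address.
FEATURE(`no_default_msa')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
DAEMON_OPTIONS(`Name=MTA-int, Family=inet, Addr=10.0.0.10, Port=smtp')dnl
define(`confPID_FILE', `/var/run/sendmail-int.pid')dnl
dnl Looser process limit and no dnsbl FEATURE here.
define(`confMAX_DAEMON_CHILDREN', `60')dnl
```

Each fragment belongs in its own complete .mc file, built to its own .cf, with each daemon started against its file via sendmail's -C option. The firewall should still block the internal address from outside, as the reply suggests.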