Re: slightly OT - my freebsd email topology
Jonathan Horne wrote:
> Currently, my email server is just a single box, accepting and sending
> emails from and to the internet. SpamAssassin and Sendmail, and so far
> it works satisfactorily. I would like to change it up, so that I have a
> pair of servers doing MX from the internet, which then pass to an
> internal server for delivery. If I do that, I could remove SpamAssassin
> from the internal server and run it on just the two external ones. All
> those configurations are really not my issue here... what I'm really
> pondering is how would external servers that are separate from where the
> target mailboxes are know which addresses are acceptable and which to
> return a 550? Does anyone have any setups that are similar to this, and
> could advise me or point me in the right direction?
>
> Thanks,
> Jonathan

Jonathan,

I do just this: a pair of FreeBSD boxes running Sendmail, SpamAssassin and
ClamAV protecting a single internal box. I use MIMEDefang to do a lot of
the heavy lifting. MIMEDefang provides a facility to check the To: email
address against the server that is the ultimate mail destination before
accepting it for delivery, preventing the border servers from accepting all
email to the domain and then having to try to deliver bounces to
faked/invalid From addresses. I think this is what you were looking for.

The function I am using to do this in mimedefang-filter is:

    sub filter_recipient {
        # MIMEDefang calls filter_recipient with (recipient, sender, ...);
        # pick the two we need off @_ so the filter works under "use strict".
        my ($recip, $sender) = @_;

        # Ask the real mail store whether it would accept RCPT TO:<$recip>.
        # 3rd argument: name we announce in HELO; 4th: host to connect to.
        my ($answer, $explanation) = md_check_against_smtp_server(
            $sender, $recip, 'mx.adomain.co.uk', 'mailhomes.adomain.co.uk');

        # Convert TEMPFAIL to CONTINUE
        $answer = 'CONTINUE' if ($answer eq 'TEMPFAIL');

        return ($answer, $explanation);
    }

MIMEDefang can be found here: http://www.mimedefang.org/

HTH,
Charlie

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
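The check Charlie describes is an SMTP callout: before the border MX accepts a RCPT TO, it asks the internal mail store the same question and mirrors the verdict back to the sending client. The following is an added example, not MIMEDefang's code and not Charlie's filter; it reimplements that decision logic in Python with a pluggable probe so it can run offline against a constructed stand-in for the internal store. The function and host names (`verify_recipient`, `smtp_probe`, `mailhomes.adomain.co.uk`) are assumptions, and the `tempfail_as_continue` switch reproduces the "Convert TEMPFAIL to CONTINUE" line above so its trade-off can be seen.

```python
"""Recipient verification by SMTP callout (added example, not MIMEDefang's
own code). The border MX asks the internal store whether it would accept
RCPT TO:<recipient> and returns a MIMEDefang-style verdict."""
import smtplib
from typing import Callable, Tuple

# Same verdict vocabulary as MIMEDefang's filter_recipient.
CONTINUE, REJECT, TEMPFAIL = "CONTINUE", "REJECT", "TEMPFAIL"

# A probe returns the (code, text) the internal store gave to RCPT TO,
# or raises OSError / SMTPException if the store could not be asked.
Probe = Callable[[str, str], Tuple[int, str]]


def smtp_probe(server_addr: str, helo_name: str, port: int = 25,
               timeout: float = 10.0) -> Probe:
    """Build a probe that performs a real callout against server_addr.

    helo_name is what the border MX announces in HELO (Charlie uses the
    border host, mx.adomain.co.uk); server_addr is the host that owns the
    mailboxes (mailhomes.adomain.co.uk). Both names are assumptions here."""
    def probe(sender: str, recipient: str) -> Tuple[int, str]:
        with smtplib.SMTP(server_addr, port, timeout=timeout) as s:
            s.helo(helo_name)
            code, text = s.mail(sender)
            if code // 100 != 2:
                # The store refused the envelope sender; report that code.
                return code, text.decode(errors="replace")
            code, text = s.rcpt(recipient)
            s.rset()                     # we only wanted the answer, never DATA
            return code, text.decode(errors="replace")
    return probe


def classify(code: int) -> str:
    """Map an SMTP reply code to a verdict by RFC 5321 reply class."""
    if 200 <= code < 300:
        return CONTINUE
    if 500 <= code < 600:
        return REJECT
    return TEMPFAIL                      # 4xx or anything odd: sender retries


def verify_recipient(sender: str, recipient: str, probe: Probe,
                     tempfail_as_continue: bool = False) -> Tuple[str, str]:
    """Return (verdict, explanation) for one RCPT TO at the border.

    tempfail_as_continue=True mirrors the "Convert TEMPFAIL to CONTINUE"
    line in Charlie's filter: while the internal store is unreachable the
    border accepts and queues everything, so mail keeps flowing, but each
    unknown recipient accepted during the outage becomes a bounce later,
    which is the backscatter the thread warns about. The default keeps the
    451 so the sending MTA retries instead."""
    try:
        code, text = probe(sender, recipient)
    except (OSError, smtplib.SMTPException) as exc:
        code, text = 451, f"4.4.1 recipient verification unavailable: {exc}"
    verdict = classify(code)
    if verdict == TEMPFAIL and tempfail_as_continue:
        verdict = CONTINUE
    return verdict, f"{code} {text}"


# Constructed stand-in for the internal store so the example runs offline:
# two known mailboxes, answering the way a real MTA would.
KNOWN_MAILBOXES = {"alice@example.org", "bob@example.org"}


def fake_store_probe(sender: str, recipient: str) -> Tuple[int, str]:
    if recipient.lower() in KNOWN_MAILBOXES:
        return 250, "2.1.5 Recipient ok"
    return 550, "5.1.1 User unknown"


def unreachable_probe(sender: str, recipient: str) -> Tuple[int, str]:
    raise ConnectionRefusedError("mailhomes.adomain.co.uk: connection refused")


if __name__ == "__main__":
    for rcpt in ("alice@example.org", "nobody@example.org"):
        print(rcpt, verify_recipient("sender@example.net", rcpt, fake_store_probe))
    print("outage, strict :", verify_recipient("sender@example.net", "alice@example.org",
                                               unreachable_probe))
    print("outage, lenient:", verify_recipient("sender@example.net", "alice@example.org",
                                               unreachable_probe, tempfail_as_continue=True))
```

Swap `fake_store_probe` for `smtp_probe("mailhomes.adomain.co.uk", "mx.adomain.co.uk")` to run it for real; the internal store must then be reachable on port 25 from the border hosts only, as the thread recommends.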
Re: slightly OT - my freebsd email topology
On Thu, 5 Apr 2007, Derek Ragona wrote:
> At 12:36 PM 4/5/2007, Jonathan Horne wrote:
>> Currently, my email server is just a single box, accepting and sending
>> emails from and to the internet. SpamAssassin and Sendmail, and so far
>> it works satisfactorily. I would like to change it up, so that I have a
>> pair of servers doing MX from the internet, which then pass to an
>> internal server for delivery. If I do that, I could remove SpamAssassin
>> from the internal server and run it on just the two external ones. All
>> those configurations are really not my issue here... what I'm really
>> pondering is how would external servers that are separate from where the
>> target mailboxes are know which addresses are acceptable and which to
>> return a 550? Does anyone have any setups that are similar to this, and
>> could advise me or point me in the right direction?
>>
>> Thanks,
>> Jonathan
>
> Generally you want to filter and bounce mail at the point of origin, so
> your mail server that first accepts the mail. As long as you have the
> bandwidth on that server you would spam check, virus check there,
> bouncing any bad ones. Then forward to your internal server only clean
> mail for delivery. However, unless you have terribly underpowered
> servers, or a lot of email (like 50,000 messages a day), running on two
> servers should not be necessary.
>
> -Derek

Our experience suggests the number is at least 100,000 before you would see
any problems and perhaps, if you have limited bandwidth as we do, that would
be your first constraint.

We run three mail servers with all customer emails coming to one server.
Over the last several months we average about 30,000 messages/day. We have
had 4 unusual spikes getting as many as 310,000 messages. This was a DoS
attack from several hundred sources. The main problem this caused was
slowing down the delivery of valid mail. We had one 90,000 message day in
our current configuration that went unnoticed.

We now use spamcop and greylisting on the customers' server, offering
bogofilter backed with SpamAssassin for users who want content filtering.
On our internal server we use spamcop and bogofilter, under duress adding
duls.dnsbl.sorbs.net when a similar attack filled /var. We forward email
for about half of our customers, which would sort of be similar to having a
mail gateway for these clients. Content filtering for this set has caused
more problems than it solves.

I hope my experience gives you some guidance.

Doug
Re: slightly OT - my freebsd email topology
Derek Ragona wrote:
> At 12:36 PM 4/5/2007, Jonathan Horne wrote:
>> Currently, my email server is just a single box, accepting and sending
>> emails from and to the internet. SpamAssassin and Sendmail, and so far
>> it works satisfactorily. I would like to change it up, so that I have a
>> pair of servers doing MX from the internet, which then pass to an
>> internal server for delivery. If I do that, I could remove SpamAssassin
>> from the internal server and run it on just the two external ones. All
>> those configurations are really not my issue here... what I'm really
>> pondering is how would external servers that are separate from where the
>> target mailboxes are know which addresses are acceptable and which to
>> return a 550? Does anyone have any setups that are similar to this, and
>> could advise me or point me in the right direction?
>>
>> Thanks,
>> Jonathan
>
> Generally you want to filter and bounce mail at the point of origin, so
> your mail server that first accepts the mail. As long as you have the
> bandwidth on that server you would spam check, virus check there,
> bouncing any bad ones. Then forward to your internal server only clean
> mail for delivery.

Bounces generate backscatter. The idea is to filter and *reject* (instead
of bouncing) at the point of origin.

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
slightly OT - my freebsd email topology
Currently, my email server is just a single box, accepting and sending
emails from and to the internet. SpamAssassin and Sendmail, and so far it
works satisfactorily. I would like to change it up, so that I have a pair
of servers doing MX from the internet, which then pass to an internal
server for delivery. If I do that, I could remove SpamAssassin from the
internal server and run it on just the two external ones. All those
configurations are really not my issue here... what I'm really pondering
is how would external servers that are separate from where the target
mailboxes are know which addresses are acceptable and which to return a
550? Does anyone have any setups that are similar to this, and could
advise me or point me in the right direction?

Thanks,
Jonathan
Re: [freebsd-questions] slightly OT - my freebsd email topology
Jonathan Horne wrote:
> Currently, my email server is just a single box, accepting and sending
> emails from and to the internet. SpamAssassin and Sendmail, and so far
> it works satisfactorily. I would like to change it up, so that I have a
> pair of servers doing MX from the internet, which then pass to an
> internal server for delivery. If I do that, I could remove SpamAssassin
> from the internal server and run it on just the two external ones. All
> those configurations are really not my issue here... what I'm really
> pondering is how would external servers that are separate from where the
> target mailboxes are know which addresses are acceptable and which to
> return a 550?

I did this for our backup MX using qpsmtpd and a plugin I wrote to check
against an automatically updated file. qpsmtpd can deliver onwards to any
SMTP server after running whatever filtering/fussiness you specify.

I believe there is a milter plugin that can do onward queries before
accepting mail, too, although I don't use sendmail, so I couldn't tell you
the name of it...
Re: slightly OT - my freebsd email topology
Jonathan Horne wrote:
> [snip]
> I would like to change it up, so that I have a pair of servers doing MX
> from the internet, which then pass to an internal server for delivery.
> If I do that, I could remove SpamAssassin from the internal server and
> run it on just the two external ones. All those configurations are
> really not my issue here... what I'm really pondering is how would
> external servers that are separate from where the target mailboxes are
> know which addresses are acceptable and which to return a 550? Does
> anyone have any setups that are similar to this, and could advise me or
> point me in the right direction?

The simplest way I've found is to assemble your own access file (either
from /etc/passwd or LDAP) and distribute that to your MX hosts.

Graham
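Graham's approach trades the live callout for a static list: the box that owns the mailboxes publishes the set of valid recipients, and each border MX loads it into its sendmail access map so unknown users get a 550 at RCPT TO without any network round trip. The generator below is an added example, not Graham's script; it reads passwd-format lines (a constructed sample is embedded) and emits access-map entries. It assumes the MX hosts build sendmail with FEATURE(`blacklist_recipients') so To: entries are consulted, that a full-address `To:user@domain OK` entry is matched before the domain-wide `To:domain ERROR` entry, and that every account with a UID of at least MIN_UID and a real login shell owns a mailbox; the names `mailbox_users` and `access_entries` are mine.

```python
"""Build a sendmail access-map fragment of valid recipients from a passwd
file, for distribution to border MX hosts (added example, not from the
thread). Aliases from /etc/aliases must be added separately via
extra_aliases, or the domain catch-all will reject them."""
from typing import Iterable, List, Sequence

MIN_UID = 1000                         # FreeBSD adduser(8) default for ordinary users
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd layout (7 colon-separated fields);
# not a real password file.
SAMPLE_PASSWD = """\
# name:password:uid:gid:gecos:home:shell
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002:Bob Example:/home/bob:/usr/local/bin/bash
olduser:*:1003:1003:Departed:/home/olduser:/usr/sbin/nologin
"""


def mailbox_users(passwd_lines: Iterable[str]) -> List[str]:
    """Return the sorted login names that count as mailboxes.

    Both predicates matter: the UID floor drops system accounts such as
    mailnull, and the shell check drops high-UID accounts such as nobody
    and locked accounts such as olduser."""
    users = set()
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                       # malformed line: skip rather than guess
        name, _, uid, _, _, _, shell = fields
        try:
            uid_n = int(uid)
        except ValueError:
            continue
        if uid_n >= MIN_UID and shell not in NOLOGIN_SHELLS:
            users.add(name)
    return sorted(users)


def access_entries(users: Sequence[str], domain: str,
                   extra_aliases: Sequence[str] = ("postmaster", "abuse")) -> List[str]:
    """Return access-map lines: one OK per valid address, then a domain
    catch-all that makes every other local-part a 550 at RCPT TO.
    postmaster and abuse are included by default because RFC 5321 and
    RFC 2142 expect them to be deliverable."""
    lines = [f"To:{u}@{domain}\tOK" for u in users]
    lines += [f"To:{a}@{domain}\tOK" for a in extra_aliases if a not in users]
    lines.append(f"To:{domain}\tERROR:5.1.1:550 User unknown")
    return lines


def render(passwd_lines: Iterable[str], domain: str) -> str:
    """Whole fragment as text, ready to append to /etc/mail/access on each MX."""
    return "\n".join(access_entries(mailbox_users(passwd_lines), domain)) + "\n"


if __name__ == "__main__":
    print(render(SAMPLE_PASSWD.splitlines(), "example.org"), end="")
```

On a real host feed it `open("/etc/passwd")` instead of the sample, copy the output to each MX, and rebuild the map there with `makemap hash /etc/mail/access.db < /etc/mail/access` (on FreeBSD, `cd /etc/mail && make maps`). Regenerate and redistribute whenever an account is added or removed; a stale list is this approach's failure mode, which is the trade-off against the live callout.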
Re: slightly OT - my freebsd email topology
At 12:36 PM 4/5/2007, Jonathan Horne wrote:
> Currently, my email server is just a single box, accepting and sending
> emails from and to the internet. SpamAssassin and Sendmail, and so far
> it works satisfactorily. I would like to change it up, so that I have a
> pair of servers doing MX from the internet, which then pass to an
> internal server for delivery. If I do that, I could remove SpamAssassin
> from the internal server and run it on just the two external ones. All
> those configurations are really not my issue here... what I'm really
> pondering is how would external servers that are separate from where the
> target mailboxes are know which addresses are acceptable and which to
> return a 550? Does anyone have any setups that are similar to this, and
> could advise me or point me in the right direction?
>
> Thanks,
> Jonathan

Generally you want to filter and bounce mail at the point of origin, so
your mail server that first accepts the mail. As long as you have the
bandwidth on that server you would spam check, virus check there, bouncing
any bad ones. Then forward to your internal server only clean mail for
delivery.

However, unless you have terribly underpowered servers, or a lot of email
(like 50,000 messages a day), running on two servers should not be
necessary.

-Derek
Re: slightly OT - my freebsd email topology
Jonathan Horne wrote:
> Currently, my email server is just a single box, accepting and sending
> emails from and to the internet. SpamAssassin and Sendmail, and so far
> it works satisfactorily. I would like to change it up, so that I have a
> pair of servers doing MX from the internet, which then pass to an
> internal server for delivery. If I do that, I could remove SpamAssassin
> from the internal server and run it on just the two external ones. All
> those configurations are really not my issue here... what I'm really
> pondering is how would external servers that are separate from where the
> target mailboxes are know which addresses are acceptable and which to
> return a 550? Does anyone have any setups that are similar to this, and
> could advise me or point me in the right direction?
>
> Thanks,
> Jonathan

There are really too many variables in your question to provide a good
answer. Ideally, the 'internal' server should be configured as normal, but
not exposed on a public interface; sendmail should not be listening for
incoming connections from anything other than your two 'outside' boxes if
it has a valid public IP address.

If the previous scenario is true, then all you've really gotta do on the
'outside' boxes is add the domain names for which the 'inside' box is
going to relay mail, and set the two outside boxes as MX hosts in your
public DNS records, while they receive internally the hostname/address of
the internal MX host.

You could go a step further, by using virtusertable within sendmail to
redirect incoming mail for a domain to a specific host on the inside
instead of just relaying, which could provide a more flexible filtering
mechanism; something like:

    @whatever.com    [EMAIL PROTECTED]

Essentially instructing sendmail on the external machine to forward along
'[EMAIL PROTECTED]' to '[EMAIL PROTECTED]' ... or you could go beyond that
to only filter specific addresses and error out everything else.

Well, you get the idea - there's more than one way to do this. You need to
really specify your goals more clearly:

Are you trying to simply offset the load?
Are you trying to make a redundant setup for a failover setup?
Are you trying to be more secure by filtering before handling email?
Are you trying to avoid having all your eggs in one basket?
Do you desire a single point of configuration, or are you expecting to
configure each new account on all servers?

These are all things you have to consider. Bottom line is, you need to
really sit down and put to thought exactly what you're trying to
accomplish. If the load created by SpamAssassin is your sole problem, then
you can run just SpamAssassin's filtering daemon on another machine - it
is capable of running spamd over a network (see spamd/spamc:
http://spamassassin.apache.org/full/3.0.x/dist/spamd/README for more
info).

My advice would be to decide exactly what you want to accomplish, then
come back and ask for further suggestions from this list. There are many
talented, experienced administrators here who, chances are, have come
across an almost exact case that could help you out - they all just need a
little more to go on before they can tell you what they'd do in your case.
Ultimately, it's up to you, and RTFM'ing the heck out of it before you
implement it in production is always a good choice.

P.S. - sorry if this double-posts; I realized I sent from the wrong
account and tried to cancel - not sure if it did, so I figure better two
copies than none.

--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate Tool Ltd.
http://www.wmptl.com/