Re: round-robin mx and nginx proxy

2012-06-25 Thread Umarzuki Mochlis
2012/6/22 Richard Hector rich...@walnut.gen.nz:


 Wait - is this https or SMTP? MX records will only affect SMTP, and the
 question seemed to relate to https. I got the impression that the fact
 that the servers also ran MTAs was incidental.

 Still, the issue will relate to what IP address comes back from a query,
 and how long it's cached by the client (and intervening name servers).


it seemed that I had asked the wrong question

this concerns more the reverse-proxy provided by nginx that
supposed to load-balance between 2 reverse-proxy servers which
coincidentally MTA servers


-- 
Regards,

Umarzuki Mochlis
http://debmal.my


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/cahw9mbxtrhdgp4vmbyjcavroubpokr+mnn08hbzqlrpetg_...@mail.gmail.com



Re: round-robin mx and nginx proxy

2012-06-25 Thread Umarzuki Mochlis
2012/6/25 Umarzuki Mochlis umarz...@gmail.com:
 2012/6/22 Richard Hector rich...@walnut.gen.nz:


 Wait - is this https or SMTP? MX records will only affect SMTP, and the
 question seemed to relate to https. I got the impression that the fact
 that the servers also ran MTAs was incidental.

 Still, the issue will relate to what IP address comes back from a query,
 and how long it's cached by the client (and intervening name servers).

 it seemed that I had asked the wrong question

 this concerns more the reverse-proxy provided by nginx that
 supposed to load-balance between 2 reverse-proxy servers which
 coincidentally MTA servers

my bad, that was supposed to go like this:

this concerns more on the reverse-proxy by provided by nginx that
supposed to be load-balanced between 2 reverse-proxy servers which
coincidentally are MTA servers.


-- 
Regards,

Umarzuki Mochlis
http://debmal.my


Archive: 
http://lists.debian.org/CAHW9mbx3o8j1Jj=tVDHy7e_usZUy6VBATuUj33AFfhoedjm=r...@mail.gmail.com



round-robin mx and nginx proxy

2012-06-21 Thread Umarzuki Mochlis
I need general help on a multi-server setup with

2 MTAs (each also a nginx reverse-proxy)
2 mailbox servers (round-robin)

when I check nginx.log on both MTAs, only the second MTA got https
connections (Zimbra support also confirmed this) and it seems that this
might be caused by DNS setup or related network configuration

how do I pinpoint as to where the root cause might be?
-- 
Regards,

Umarzuki Mochlis
http://debmal.my


Archive: 
http://lists.debian.org/CAHW9mbwvrCYnO2hk1_WPjnPKnHL3qeyG5=aoe1a6f1s8epm...@mail.gmail.com



Re: round-robin mx and nginx proxy

2012-06-21 Thread Darac Marjal
On Thu, Jun 21, 2012 at 03:54:28PM +0800, Umarzuki Mochlis wrote:
 I need general help on a multi-server setup with
 
 2 MTAs (each also a nginx reverse-proxy)
 2 mailbox servers (round-robin)
 
 when I check nginx.log on both MTAs, only the second MTA got https
 connections (Zimbra support also confirmed this) and it seems that this
 might be caused by DNS setup or related network configuration
 
 how do I pinpoint as to where the root cause might be?

I think I would first start by checking the output of repeated calls to
dig +short mx yourdomain.example.org. This should vary, with your
servers swapping positions each time.

If you only get the same output each time, then it's down to the sending
MTA to pick an appropriate MX from the list. I assume both your MXs have
the same priority; in that case the sending SMTP should pick one at
random and, if that fails, try the other. Note here that if you're
using round-robin AND same-priority MXs, both are picking the order at
random.


Archive: http://lists.debian.org/20120621103035.ga15...@darac.org.uk
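The check Darac suggests (repeat the query, see whether the order changes) and Richard's caveat (what matters is the address the client gets and how long it is cached) can be scripted. This is an added example written for this thread, not code from any of the posts; it parses the answer section of `dig +noall +answer` from repeated queries, and all sample answers, names and addresses below are constructed, not the poster's zone.

```python
"""Analyse repeated DNS answers: is round-robin really rotating, and would
the TTL or MX priorities pin clients to one host anyway?

Added example for this thread, not code from any of the posts. Input is the
answer section of ``dig +noall +answer`` captured from several repeated
queries: the same records ``dig +short`` prints, plus the TTL that governs
how long clients and intervening name servers cache the order they saw.
All sample answers below are constructed (example.org names, TEST-NET
addresses), not real output from the poster's zone.
"""
import re
from collections import Counter

# One dig answer line: NAME  TTL  IN  TYPE  RDATA
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(MX|A|AAAA)\s+(.+)$")

# Constructed: three MX queries where the resolver swaps the record order,
# which is what Darac's reply says a healthy round-robin should show.
MX_SAMPLES = [
    "example.org. 300 IN MX 10 mta1.example.org.\n"
    "example.org. 300 IN MX 10 mta2.example.org.",
    "example.org. 300 IN MX 10 mta2.example.org.\n"
    "example.org. 300 IN MX 10 mta1.example.org.",
    "example.org. 300 IN MX 10 mta1.example.org.\n"
    "example.org. 300 IN MX 10 mta2.example.org.",
]

# Constructed: three A queries for the name https clients connect to. Two
# proxy addresses exist, but the order never changes and the TTL is a day,
# so clients that take the first address all land on one proxy.
A_SAMPLES = [
    "proxy.example.org. 86400 IN A 192.0.2.11\n"
    "proxy.example.org. 86400 IN A 192.0.2.12"
] * 3


def parse_answer(text):
    """Parse dig answer lines into (type, ttl, priority, target) tuples,
    keeping the order the resolver returned them in."""
    records = []
    for line in text.strip().splitlines():
        match = ANSWER_RE.match(line.strip())
        if not match:
            continue  # comments, blank lines, other record types
        _name, ttl, rtype, rdata = match.groups()
        if rtype == "MX":
            prio, host = rdata.split()
            records.append((rtype, int(ttl), int(prio), host.rstrip(".")))
        else:
            records.append((rtype, int(ttl), None, rdata.strip()))
    return records


def rotation_report(answer_texts):
    """Summarise repeated queries: how often each target came first, whether
    the order ever changed, whether MX priorities tie, and the lowest TTL."""
    first_seen = Counter()
    priorities = set()
    min_ttl = None
    for text in answer_texts:
        records = parse_answer(text)
        if not records:
            continue
        first_seen[records[0][3]] += 1
        for rtype, ttl, prio, _target in records:
            if rtype == "MX":
                priorities.add(prio)
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    return {
        "first_seen": dict(first_seen),
        "rotates": len(first_seen) > 1,
        "equal_priority": len(priorities) <= 1,
        "min_ttl": min_ttl,
    }


def diagnose(report, kind):
    """Turn a report into findings. kind is "MX" for SMTP delivery or "A"
    for the name https clients resolve; MX priority only matters for SMTP."""
    findings = []
    if not report["rotates"]:
        findings.append("order never changes: clients taking the first %s "
                        "answer all hit one host" % kind)
    if report["min_ttl"] is not None and report["min_ttl"] > 3600:
        findings.append("TTL %ds: caches along the path keep the order they "
                        "first saw for hours" % report["min_ttl"])
    if kind == "MX" and not report["equal_priority"]:
        findings.append("MX priorities differ: senders always try the lowest "
                        "value first, so there is no balancing")
    return findings


if __name__ == "__main__":
    for kind, samples in (("MX", MX_SAMPLES), ("A", A_SAMPLES)):
        report = rotation_report(samples)
        print(kind, report, diagnose(report, kind) or ["looks balanced"])
```

To use it against a live zone, capture `dig +noall +answer <name> <type>` a handful of times and pass the outputs as the list; for the https case query the proxy name's A record, not the MX.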



Re: round-robin mx and nginx proxy

2012-06-21 Thread Umarzuki Mochlis
2012/6/21 Darac Marjal mailingl...@darac.org.uk:
 On Thu, Jun 21, 2012 at 03:54:28PM +0800, Umarzuki Mochlis wrote:

 I think I would first start by checking the output of repeated calls to
 dig +short mx yourdomain.example.org. This should vary, with your
 servers swapping positions each time.

 If you only get the same output each time, then it's down to the sending
 MTA to pick an appropriate MX from the list. I assume both your MXs have
 the same priority; in that case the sending SMTP should pick one at
 random and, if that fails, try the other. Note here, that if you're
 using round-robin AND same-priority MXs, both are picking the order at
 random.
thanks,

I also need to know how I would be able to investigate the flow of
emails. What I had tried so far:

dig +short mx reveals that from outside, users would hit the barracuda MTA first,
then barracuda would forward (or so I thought) to a MailScanner
(barracuda's outbound smtp host setting)

but how do I check that MailScanner (installed on top of CentOS 5)
forwards emails to those 2 MTA+proxy servers?

email system is working at the moment, fortunately.

mail flow that I assumed from outside:
user -> barracuda -> mailscanner -> second zimbra MTA+proxy server ->
one of two mailbox servers (via its public name)

thanks

-- 
Regards,

Umarzuki Mochlis
http://debmal.my


Archive: 
http://lists.debian.org/CAHW9mbz2eSNmVwa=-hwx_d52ee-splb7xad7unrxru8v+jb...@mail.gmail.com



Re: round-robin mx and nginx proxy

2012-06-21 Thread Richard Hector
On 21/06/12 22:30, Darac Marjal wrote:
 On Thu, Jun 21, 2012 at 03:54:28PM +0800, Umarzuki Mochlis wrote:
 I need general help on a multi-server setup with

 2 MTAs (each also a nginx reverse-proxy)
 2 mailbox servers (round-robin)

 when I check nginx.log on both MTAs, only the second MTA got https
 connections (Zimbra support also confirmed this) and it seems that this
 might be caused by DNS setup or related network configuration

 how do I pinpoint as to where the root cause might be?
 
 I think I would first start by checking the output of repeated calls to
 dig +short mx yourdomain.example.org. This should vary, with your
 servers swapping positions each time.
 
 If you only get the same output each time, then it's down to the sending
 MTA to pick an appropriate MX from the list. I assume both your MXs have
 the same priority; in that case the sending SMTP should pick one at
 random and, if that fails, try the other. Note here, that if you're
 using round-robin AND same-priority MXs, both are picking the order at
 random.

Wait - is this https or SMTP? MX records will only affect SMTP, and the
question seemed to relate to https. I got the impression that the fact
that the servers also ran MTAs was incidental.

Still, the issue will relate to what IP address comes back from a query,
and how long it's cached by the client (and intervening name servers).

Richard


Archive: http://lists.debian.org/4fe3e9d7.20...@walnut.gen.nz



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-13 Thread Bob Proulx
Brian wrote:
 Stan Hoeppner wrote:
  They're not properly setup if they have a dynamic IP address, and most
  xDSL customers get a dynamic IP.  Given that 95% of all email is spam,
 
 What is improper (technically incorrect) in the setup when sending email
 from a dynamic IP address?

It is one of practicality.  If you can identify a spammer then you can
block them.  Therefore to prevent blocks spammers try their best to
move around as much as possible.

Basically static IPs have a reputation associated with them.  I can
learn to trust or not to trust any particular IP address.  But dynamic
addresses are effectively anonymous.  They are faceless zombies and
endless in number.

A botnet army exists on virus infected machines almost singularly for
the purpose of sending spam.  They can attack you from literally a
thousand different IP addresses.  It isn't possible to blacklist them
because they get one IP address today and a different IP address
tomorrow.  All they need to do to defeat the blacklist is to obtain a
new address and move to it.  And there is a very large number of them.

But guess what?  All of those IP addresses exist in dynamic IP blocks!
By blocking mail from dynamic IP blocks I can block almost all of the
spam that attacks me.  Therefore it is one of practicality.

If you are going to send email then you need a static IP address.  It
is one of reputation and in this case the reputation is attached to
the IP address.  It is the only thing we have to grip upon.

Bob




Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-13 Thread lee
Stan Hoeppner s...@hardwarefreak.com writes:

 On 7/12/2011 3:33 PM, lee wrote:

 Spamhaus blocks you even when you haven't done anything wrong and then
 refuses to remove you.

 Please share your correspondence with Spamhaus that proves what you
 state.  After a loaded statement like this you really need to show evidence.

There isn't anything loaded about it, it's merely my experience.  I
probably don't have the correspondence anymore because it was long ago,
and IIRC it involved having to use a web form they had because I
couldn't send them mail, so at least that part of the conversation won't
have been preserved anyway.

 And as I said, I don't want others to decide about what mail I can
 receive and what not.  How would you like it if the postman supposed to
 deliver your snail mail would decide by his very own rules which of the
 mail addressed to you he delivers?  Email is the same, I don't want you
 or anyone else decide what mail I can receive and what not.

 Huh?

What is it you don't understand about this?

 It is much different.  The difference is that it is my decision how to
 use these tools and how to configure them.  When I decide to use a
 blacklist like Spamhaus has, others decide who's blacklisted and who's
 not, and that's a decision I have no saying in.  I can either use their
 list or not and don't have any control over the list itself --- but I do
 have control over how I configure SpamAssassin.

 If you're using SpamAssassin then you're already using 5 dnsbls,
 including Spamhaus Zen.  It's the default configuration.  You didn't
 mention manually disabling them, so apparently you use them.  You
 probably didn't even realize it.

My point remains.  It doesn't matter whether I mentioned to have changed
the configuration of Spamassassin or not.  IIRC, I haven't even
mentioned whether I use it or not.

 That doesn't say much without knowing how much mail is running
 through.  It's nice that you don't need graylisting and Spamassassin
 since graylisting introduces delays and SpamAssassin can be troublesome
 on resources.

 And mail flow won't tell you anything without knowing the hardware specs
 and line speed.  That's a bit deep for this discussion.

You're the one who brought it up.

 Only bot infected PCs do that.  This table targets residential type
 rDNS strings, which identify the PC as being residential, or less
 commonly, SOHO.  In either case, they should be relaying email through
 their ISP's mail relay, which we state in the reject messages in the
 table.
 
 That's a decision you made, and it's an example for a case in which the
 decision of what mail I want to (or, rather, can) receive would be made
 by someone else.

 Have you even looked at the file?

You've made your decision about what people should do and what mail to
accept.  Apparently you created and use the table to efficiently have
your decision applied by software. That is your decision, not mine.  If
I was using your mail server, you would be the one to decide what mail I
can receive and what not.  If I was using your table with my MTA to
block mail, you would be the one to decide what mail I want to receive
and what not.

They are merely examples for cases in which the decision of what mail I
want or can receive would be made by someone else.  There's no need to
look at the file for that.

 You can replace every action with a PREPEND if you so choose and use
 this table strictly for scoring.  You could also do selective
 greylisting with it, or any number of actions. The actions that ship
 in the default file work extremely well.  As the file states, you are
 totally free to modify it and use it in any way you choose.

That's nice :)

 It's becoming pretty clear you don't currently, and probably never have,
 managed an MTA.  You speak strictly from an end user POV.  Which makes
 me wonder why you've jumped into this drifted corner of this thread in
 the first place.

 You claimed to be a Spamassassin user, yet you didn't know it uses
 multiple dnsbls by default.  You claim to want to make a personal choice
 whether to accept or reject each and every email that arrives, which is
 simply silly for anyone to do but an end user.

You're making lots of assumptions and judgements without having the
necessary facts, and you're seeing only what you want to see.
Pretending that everyone who doesn't have the same opinion you have is
a paranoid troll and doesn't have a clue what they're talking about
isn't helping anything.


-- 
html messages are obsolete


Archive: http://lists.debian.org/87bowyi4py@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread Andrew McGlashan

Hi,

Stan Hoeppner wrote:

On 7/11/2011 2:22 PM, Andrew McGlashan wrote:
They're not properly setup if they have a dynamic IP address, and most
xDSL customers get a dynamic IP.  Given that 95% of all email is spam,
and 90% of that is from bot infected PCs on consumer xDSL/cable lines,
would you have the world stop summarily blocking the hundreds of
millions of dynamic IP hosts simply to let the few thousand Linux weenie
servers on dynamic IPs send mail without being molested?  Are you kidding?


I don't think anyone should be running a mail server on an actual 
dynamic IP address.  If your IP address is statically assigned and you 
have the appropriate rDNS record, then you should be fine.


The bigger problem is improperly licensed PCs and also those who don't 
update their software adequately -- and the latter isn't a trivial task 
for many.  This is magnified by those who download all sorts of malware 
that comes as a bonus with other possibly useful software downloads. 
Illegal downloads via torrent also contribute to this problem.


If everyone could understand how to practice safe computing and they 
also put it in good practice, then we would be a whole lot better off.


Unfortunately, there are too many users who really cannot deal with 
even some of the more basic things relating to computers, let alone make 
a reasonable call on something a little more complicated.  There's been 
talk before about licensing users, but I won't get into that.  Perhaps 
another minefield would be to license email accounts on a new 
replacement email system that has better mechanisms to stop spam by 
being better designed, but that would smack way too much of big brother 
-- every legitimate email address gets registered ... it would also be a 
great big nightmare in itself and take a very long time to implement, 
even if it was possible and/or reasonable to do so.


--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP



Archive: http://lists.debian.org/4e1be96d.90...@affinityvision.com.au



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread Erwan David
On 12/07/11 07:36, Stan Hoeppner wrote:
 On 7/11/2011 2:22 PM, Andrew McGlashan wrote:
 
 But, the blocking of xDSL mail servers that are properly set up just
 because they aren't going through an ISP is a horrible abuse of the
 Internet.
 
 They're not properly setup if they have a dynamic IP address, and most
 xDSL customers get a dynamic IP.

So that's not all DSL users, but only those who have a dynamic address,
so why use all xDSL? And do not limit yourself to the DSL market in
your country; I know companies on DSL lines, with fixed address and
reverse. You speak of xDSL, what about SDSL, which is a company-only
solution, and I know of many SDSL providers which do not provide an smtp
server...

  Given that 95% of all email is spam,
 and 90% of that is from bot infected PCs on consumer xDSL/cable lines,
 would you have the world stop summarily blocking the hundreds of
 millions of dynamic IP hosts simply to let the few thousand Linux weenie
 servers on dynamic IPs send mail without being molested?  Are you kidding?

Hey, I've just a way to cut *all* spam: just cut email. You will cut all
spam.
Or just refuse email originating on a Windows PC.


The efficiency of antispam measures is not only the number of spam it
blocks, but it's also the number of non-spam it does not block. Your
solutions are awfully bad in this regard.

 If any of you 'combatants' in this thread had every run a non trivial
 sized mail operation, you'd change your tune on this subject in very
 short order, after trying to deal effectively with a few hundred
 thousand connections/day from bots attempting push spam into your users'
 mailboxen.

I did run email for the company I worked for before, and no problem with
this provided I used other filtering method. The other companies for
which I worked also accepted email from my server, including the one I
work for today. And I can testify their antispam is very efficient :
almost none received and I've yet to see one false positive


Archive: http://lists.debian.org/4e1bf3a3.7090...@rail.eu.org



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread Erwan David
On 12/07/11 07:53, Stan Hoeppner wrote:
 On 7/11/2011 3:55 PM, Chris Davies wrote:
 Stan Hoeppner s...@hardwarefreak.com wrote:
 You're obviously new to the world of running an email server and spam
 fighting

 About 20 years experience in a professional environment, with about 5
 or so running an MTA at home (may be longer; I can't remember). Does
 that count as new? I don't think so.
 
 If you don't grasp the concepts I've been speaking of, and you don't
 grasp the depth of the bot spam problem, then yes, from a spam fighting
 or mail operations standpoint, you are definitely new.
 
 To be fair, I have realised in re-reading my post that I had mistakenly
 edited out the I have a static IP address and proper rDNS statement
 I had originally written.
 
 If you're unable to differentiate your setup and that of the classic
 consumer/home broadband host, then there's no point continuing this
 conversation really.  This situation seems something like this analogy:

If you do not agree with me then you are not worth discussing with?

 I'm 6'4 and about 185.  Someone calls me fat ass and I take offense.
  Doesn't make sense does it since I'm not remotely fat.  You took
 offense to the term home user, but to a receiving MTA your host looks
 nothing like a home broadband host.

looks like, it's just that your filter is not the good one. You
already said the problem was only with a part of those installations.

You happily have a bad filter because it blocks much too many legit
emails. If this is not your concern, just shut down email, you'll get no
spam at all.


Archive: http://lists.debian.org/4e1bf4fb.80...@rail.eu.org



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread Brian
On Tue 12 Jul 2011 at 00:36:54 -0500, Stan Hoeppner wrote:

 On 7/11/2011 2:22 PM, Andrew McGlashan wrote:
 
  But, the blocking of xDSL mail servers that are properly set up just
  because they aren't going through an ISP is a horrible abuse of the
  Internet.
 
 They're not properly setup if they have a dynamic IP address, and most
 xDSL customers get a dynamic IP.  Given that 95% of all email is spam,

What is improper (technically incorrect) in the setup when sending email
from a dynamic IP address?

 and 90% of that is from bot infected PCs on consumer xDSL/cable lines,
 would you have the world stop summarily blocking the hundreds of
 millions of dynamic IP hosts simply to let the few thousand Linux weenie
 servers on dynamic IPs send mail without being molested?  Are you kidding?

As an argument, "A is B implies B is A" can be fraught. But we're in the spam
fighting arena so logic may not be a prime consideration.

 If any of you 'combatants' in this thread had every run a non trivial
 sized mail operation, you'd change your tune on this subject in very
 short order, after trying to deal effectively with a few hundred
 thousand connections/day from bots attempting push spam into your users'
 mailboxen.

The contention is that mail from residential (whatever that means)
static and dynamic IPs must be eliminated. The users probably get the
same choice in the implementation of this policy as they do in choosing
whether to be sent spam.


Archive: http://lists.debian.org/20110712200555.GL15615@desktop



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread lee
Stan Hoeppner s...@hardwarefreak.com writes:

 On 7/10/2011 8:31 PM, lee wrote:
 Stan Hoeppner s...@hardwarefreak.com writes:
 
 On 7/10/2011 7:26 AM, lee wrote:
 Stan Hoeppner s...@hardwarefreak.com writes:

 On 7/9/2011 12:00 PM, lee wrote:
 Yes, the HELO checks are first.  It seems to make sense that way.

 Most MTAs lookup the hostname long before receiving EHLO.  One can
 reject mail sooner if configured to not wait for SMTP logging info
 (HELO, MAIL FROM, etc).  If you wait it doesn't really matter as you
 have no speed gain.

when it doesn't involve DNS lookups anyway, it might make sense to run
the rDNS check earlier than the other HELO checks.  Trying it out and
examining the logfile would tell.

 This 'trick' would only be applicable to extremely
 high volume MX hosts, i.e. >300 connects/second.  Such systems likely
 have upstream firewalls killing most of this traffic beforehand though.
  Lots of different ways to kill spam.

Yeah, when you know in advance from which IPs you don't want to receive
mail, you can lock them out before they can contact the MTA.  Isn't that
something that could be done with your table?

 What do you consider low mail flow?

 Personally?  Generally less than 50,000 connects/day.  If you ask an
 admin at one of the universities with 30k+ students, he'd probably tell
 you anything less than 500k connects/day is low mail flow.  This answer
 depends on who you ask.

That's why I ask :)  I haven't had the pleasure yet to run a mail server
that got anywhere close to 50k connects.

 http://www.hardwarefreak.com/fqrdns.pcre

 I take it you are you really new to managing a mail server.  dnsbls have
 been around forever, and every mail OP uses one or another, if not 5 or
 more.
 
 That they are around for a long time doesn't mean that I have to like
 them or to have others decide what mail to accept or not to accept.

 That they have been around a long time, and have a solid reputation for
 blocking spam and not ham, is the key.  I don't know why you wouldn't
 'like' them.  I think you simply need more exposure to spam fighting and
 the excellent free tools available to you.

Spamhaus blocks you even when you haven't done anything wrong and then
refuses to remove you.  I guess others aren't any better.

And as I said, I don't want others to decide about what mail I can
receive and what not.  How would you like it if the postman supposed to
deliver your snail mail would decide by his very own rules which of the
mail addressed to you he delivers?  Email is the same, I don't want you
or anyone else decide what mail I can receive and what not.

 Have you heard of SpamAssassin?  Both restrictions make
 reject/keep decisions for you.  Using this PCRE table is no different in
 that regard.
 
 Spamassassin seems to be doing a good job; I don't know about your
 table.  Both ways of filtering make decisions for me --- that's the
 idea.

 The same is true of configuring EXIM/Postfix/etc to reject based on lack
 of PTR, incorrect HELO, etc.  It's called automation.  You already allow
 your MTA to make block/accept decisions for you.  Using external or
 other tools is no different in this regard.

It is much different.  The difference is that it is my decision how to
use these tools and how to configure them.  When I decide to use a
blacklist like Spamhaus has, others decide who's blacklisted and who's
not, and that's a decision I have no saying in.  I can either use their
list or not and don't have any control over the list itself --- but I do
have control over how I configure SpamAssassin.

 Since when can anyone take a given delivery time of emails for granted?
 I can see people being stupid enough to do that, though.  The delay with
 graylisting remains a disadvantage.

 For most SMTP mail systems that are properly configured, successful
 delivery occurs within a few seconds to a couple of minutes, depending
 on source and destination geographic location and the current load on
 each system.  The misconfigured systems, including those with a poor
 greylisting implementation or other poorly implemented anti-spam
 countermeasures, are the ones that inject significant delay.

So nobody can take delivery times for granted.

 we have 50% of all in/outbound messages delivered in less than 2.5
 seconds and all messages delivered in 14 seconds or less.  This is a
 well configured MTA.  Keep in mind it does have significant anti-spam
 features, most of them custom.  It does not make use of a content filter
 such as SpamAssassin, or any policy daemons, however, which helps keep
 delays relatively low.  It does use a custom header_checks TCP server
 which does add a second or so of additional delay as it queries 3 RHSBL
 servers.  And this is on 11 year old hardware.

That doesn't say much without knowing how much mail is running
through.  It's nice that you don't need graylisting and Spamassassin
since graylisting introduces delays and SpamAssassin can be troublesome
on resources.

 The 

Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread lee
Brian a...@cityscape.co.uk writes:

 The contention is that mail from residential (whatever that means)
 static and dynamic IPs must be eliminated. The users probably get the
 same choice in the implementation of this policy as they do in
 choosing whether to be sent spam.

The contention has pretty much been decided already :(  To decide
whether to send and to receive mail is not up to the users.  Only the
postmasters can do that.

It is not surprising that they are striving hard to keep and to extend
their powers, or is it?  Only at first glance, it's somewhat confusing
that they admit that 90--95% of all email is SPAM.  Instead of taking
such a statement as evidence to support the assumption that their fight
is rather futile, one might wonder what actually is on their agenda.
Are they Borg?


-- 
html messages are obsolete


Archive: http://lists.debian.org/87pqlfrwwz@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread Joe
On Tue, 12 Jul 2011 23:50:20 +0200
lee l...@yun.yagibdah.de wrote:

 Brian a...@cityscape.co.uk writes:
 
  The contention is that mail from residential (whatever that means)
  static and dynamic IPs must be eliminated. The users probably get
  the same choice in the implementation of this policy as they do in
  choosing whether to be sent spam.

I run a mail server. I decide whose mail I accept. Who else should?

To be honest, I wouldn't try to block email from consumers at source. It
would be easy to do, so I think the ISPs must agree with me. If that
were to happen, the spammers won't give up and get proper jobs, they'll
put more effort into compromising networks which are still permitted to
send mail. Since spam from consumers is so much easier to identify, I
think we're better off as we are.

 
 The contention has pretty much been decided already :(  To decide
 whether to send and to receive mail is not up to the users.  Only the
 postmasters can do that.
 
 It is not surprising that they are striving hard to keep and to extend
 their powers, or is it?  Only at first glance, it's somewhat confusing
 that they admit that 90--95% of all email is SPAM.  Instead of taking
 such a statement as evidence to support the assumption that their
 fight is rather futile, one might wonder what actually is on their
 agenda. Are they Borg?
 
 
There is a big advantage in blocking spam at the SMTP level. The body
of the email never gets transmitted. So that 90-95% are spam sending
*attempts*, many of which are denied after only a few packets are
transferred. Allowing them to be sent and then identified and discarded
from peoples' mailboxes would add a great deal of Internet traffic, and
there will never be enough bandwidth...

-- 
Joe


Archive: http://lists.debian.org/20110712232416.23925...@jresid.jretrading.com
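The mechanism the thread keeps circling (rejecting on missing or residential-looking reverse DNS before HELO, or only PREPENDing a header so a scoring filter decides, and why a reject at the SMTP stage never costs the body's bandwidth, as Joe notes) is easier to reason about in code. This is an added example written for this thread; it is not the fqrdns.pcre table Stan links, nor Postfix itself. The keyword rules, the forward-lookup map, the sample clients and the REJECT/PREPEND/DUNNO action strings (which only mimic Postfix access-table results) are all constructed assumptions.

```python
"""Connection-time client classification of the kind argued over in this
thread: look at the connecting IP's reverse DNS before HELO or DATA and
decide whether it looks like a residential/dynamic host.

Added example, not the fqrdns.pcre table Stan links nor Postfix code. The
keyword rules, the forward-lookup map standing in for real A queries, the
sample clients and the action strings are all constructed assumptions; the
action strings only mimic Postfix access-table results (REJECT refuses
the client, PREPEND adds a header for downstream scoring, DUNNO means no
decision).
"""
import re

# Constructed rule: a dynamic-pool keyword somewhere in the reverse name.
DYNAMIC_KEYWORDS = re.compile(
    r"(?:^|[.-])(?:dyn|dynamic|dhcp|pool|ppp|dsl|cable)(?:[.-]|\d)", re.I)

SMTP_STAGES = ["CONNECT", "EHLO", "MAIL FROM", "RCPT TO", "DATA"]


def octets_embedded(ip, rdns):
    """True if the client's four octets appear in the reverse name, in
    forward or reversed order, joined by '-' or '.' (the hallmark of an
    ISP-generated name such as 198-51-100-7.dsl.example.net)."""
    parts = [re.escape(p) for p in ip.split(".")]
    for order in (parts, parts[::-1]):
        pattern = r"(?<![0-9])" + r"[-.]".join(order) + r"(?![0-9])"
        if re.search(pattern, rdns):
            return True
    return False


def fcrdns_ok(ip, rdns, forward_map):
    """Forward-confirmed rDNS: the PTR name must resolve back to the IP.
    forward_map[name] -> tuple of addresses stands in for real lookups."""
    return rdns is not None and ip in forward_map.get(rdns.lower(), ())


def classify_client(ip, rdns, forward_map, scoring_only=False):
    """Decide at connect time. With scoring_only the residential rule only
    PREPENDs a header instead of rejecting, the middle ground discussed in
    the thread for people who do not want the table to decide for them."""
    if rdns is None:
        return "REJECT no reverse DNS for client"
    if not fcrdns_ok(ip, rdns, forward_map):
        return "REJECT reverse name does not resolve back to client address"
    if DYNAMIC_KEYWORDS.search(rdns) and octets_embedded(ip, rdns):
        if scoring_only:
            return "PREPEND X-Client-Class: residential-dynamic"
        return "REJECT residential/dynamic client; relay through your ISP"
    return "DUNNO"


def simulate_session(action, body_bytes, delay_reject=True):
    """Stages reached and body bytes transferred for a given verdict. A
    REJECT ends the session before DATA either way, so the body is never
    sent; delay_reject=True mirrors an MTA that waits until RCPT TO so the
    HELO and MAIL FROM values still reach the log."""
    if action.startswith("REJECT"):
        reached = SMTP_STAGES[:4] if delay_reject else SMTP_STAGES[:1]
        return {"stages": reached, "body_bytes": 0}
    return {"stages": list(SMTP_STAGES), "body_bytes": body_bytes}


# Constructed forward map and clients (TEST-NET addresses, example names).
FORWARD_MAP = {
    "mail.example.org": ("192.0.2.25",),
    "198-51-100-7.dsl.example.net": ("198.51.100.7",),
    "203-0-113-9.static.example.net": ("203.0.113.9",),
}
CLIENTS = [
    ("192.0.2.25", "mail.example.org"),                 # static, proper rDNS
    ("198.51.100.7", "198-51-100-7.dsl.example.net"),   # residential-looking
    ("203.0.113.9", "203-0-113-9.static.example.net"),  # ISP name, but static
    ("203.0.113.77", None),                             # no PTR at all
    ("192.0.2.99", "mail.example.org"),                 # PTR not forward-confirmed
]

if __name__ == "__main__":
    for ip, rdns in CLIENTS:
        for scoring in (False, True):
            action = classify_client(ip, rdns, FORWARD_MAP, scoring)
            session = simulate_session(action, body_bytes=40_000)
            print(f"{ip:<14} {str(rdns):<32} scoring={scoring!s:<5} "
                  f"{action:<60} stages={len(session['stages'])} "
                  f"body={session['body_bytes']}")
```

The third client shows the false-positive concern raised by Erwan and Brian: a business line with an ISP-generated but static name passes only because the constructed keyword list does not match "static", so the quality of the pattern list decides how much legitimate mail a REJECT table costs.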



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread lee
Joe j...@jretrading.com writes:

 To be honest, I wouldn't try to block email from consumers at
 source. It would be easy to do, so I think the ISPs must agree with
 me. If that were to happen, the spammers won't give up and get proper
 jobs, they'll put more effort into compromising networks which are
 still permitted to send mail. Since spam from consumers is so much
 easier to identify, I think we're better off as we are.

Hm.  We might ... unless people would get an IP address assigned for
their internet connection and be held liable for the damage they do with
it.  They do it with cars, phone numbers, social security numbers and
other things as well, so why aren't they doing it with IP addresses?

> The contention has pretty much been decided already :(  To decide
> whether to send and to receive mail is not up to the users.  Only the
> postmasters can do that.
>
> It is not surprising that they are striving hard to keep and to extend
> their powers, or is it?  Only at first glance, it's somewhat confusing
> that they admit that 90--95% of all email is SPAM.  Instead of taking
> such a statement as evidence to support the assumption that their
> fight is rather futile, one might wonder what actually is on their
> agenda. Are they Borg?
>
>
> There is a big advantage in blocking spam at the SMTP level. The body
> of the email never gets transmitted. So that 90-95% are spam sending
> *attempts*, many of which are denied after only a few packets are
> transferred. Allowing them to be sent and then identified and discarded
> from peoples' mailboxes would add a great deal of Internet traffic, and
> there will never be enough bandwidth...

At some point, your internet connection might be flooded with attempts
to send SPAM, and the attempts themselves become a problem.  You cannot
easily somehow block them upstream /before/ they eat up all your
bandwidth.

Perhaps the concept of concentrating the receiving and sending of email
to a relatively small number of mail servers that inevitably have a
relatively large number of users and thus attract a great deal of
attempts to send SPAM needs to be reconsidered.  The irony is that the
attempts of ISPs, postmasters and operators of blacklists, like
Spamhaus, to make it more difficult for everyone to send and to receive
mail are backfiring.  If more people would run their own mail servers on
their own internet connection, they would take more care not to send
SPAM.  It would be more difficult for senders of SPAM to get anyone to
send their SPAM.  There would also be a lot more targets for senders of
SPAM, making it way more difficult for them to actually reach anyone.

People seem to usually use routers with their residential internet
connections, and the needed functionality could be built into these
devices.  It could already have become common practice that everyone who
doesn't want to run an MTA on their computer uses their router to send
and receive their email instead of entrusting others with it.  It's even
weird that they are entrusting others with their email, considering the
total lack of security (unless they send encrypted mail exclusively,
which isn't very feasible).

What sense does it make at all to have large mail servers as there are
now?  I take it it's merely something that developed historically
because a few years back, we didn't have the kind of permanent internet
connection we do have now, and mail servers that had a permanent
connection were actually advantageous.  That has changed a lot, and a
lot of people won't need to use someone else's mail server anymore.

Who is actually /fighting/ SPAM?  It seems that everyone is only
concerned with /protecting/ their MTA from it by trying to filter it
out.


-- 
html messages are obsolete


-- 
Archive: http://lists.debian.org/87fwmbrp6d@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread Stan Hoeppner
On 7/12/2011 3:33 PM, lee wrote:

> Yeah, when you know in advance from which IPs you don't want to receive
> mail, you can lock them out before they can contact the MTA.  Isn't that
> something that could be done with your table?

One could probably configure fail2ban to add IP addresses from which
this table rejects mail into iptables rules.  But you'll run into
problems after a reboot when iptables is loading over, say, 1 million IP
addresses, if it can even handle that many.  I'm not an iptables guru.

Given the efficiency of this table is both memory consumption and
processor time, both of which are tiny, I don't see any benefit to doing
the IP blocking at the kernel level.

> Spamhaus blocks you even when you haven't done anything wrong and then
> refuses to remove you.

Please share your correspondence with Spamhaus that proves what you
state.  After a loaded statement like this you really need to show evidence.

> And as I said, I don't want others to decide about what mail I can
> receive and what not.  How would you like it if the postman supposed to
> deliver your snail mail would decide by his very own rules which of the
> mail addressed to you he delivers?  Email is the same, I don't want you
> or anyone else decide what mail I can receive and what not.

Huh?

> It is much different.  The difference is that it is my decision how to
> use these tools and how to configure them.  When I decide to use a
> blacklist like Spamhaus has, others decide who's blacklisted and who's
> not, and that's a decision I have no saying in.  I can either use their
> list or not and don't have any control over the list itself --- but I do
> have control over how I configure SpamAssassin.

If you're using SpamAssassin then you're already using 5 dnsbls,
including Spamhaus Zen.  It's the default configuration.  You didn't
mention manually disabling them, so apparently you use them.  You
probably didn't even realize it.

> That doesn't say much without knowing how much mail is running
> through.  It's nice that you don't need graylisting and SpamAssassin
> since graylisting introduces delays and SpamAssassin can be troublesome
> on resources.

And mail flow won't tell you anything without knowing the hardware specs
and line speed.  That's a bit deep for this discussion.

> Well, I see that very differently.  BTW, is there an RFC yet that makes
> having a static IP a requirement for sending mail?

RFC or not, the static IP for MTA train left the station many years ago.
It's been BCP for many years now.  I'm sure MAAWG and other such bodies
have this covered in their docs.

> Only bot infected PCs do that.  This table targets residential type
> rDNS strings, which identify the PC as being residential, or less
> commonly, SOHO.  In either case, they should be relaying email through
> their ISP's mail relay, which we state in the reject messages in the
> table.
>
> That's a decision you made, and it's an example for a case in which the
> decision of what mail I want to (or, rather, can) receive would be made
> by someone else.

Have you even looked at the file?  You can replace every action with a
PREPEND if you so choose and use this table strictly for scoring.  You
could also do selective greylisting with it, or any number of actions.
The actions that ship in the default file work extremely well.  As the
file states, you are totally free to modify it and use it in any way you
choose.

It's becoming pretty clear you don't currently, and probably never have,
managed an MTA.  You speak strictly from an end user POV.  Which makes
me wonder why you've jumped into this drifted corner of this thread in
the first place.

You claimed to be a Spamassassin user, yet you didn't know it uses
multiple dnsbls by default.  You claim to want to make a personal choice
whether to accept or reject each and every email that arrives, which is
simply silly for anyone to do but an end user.

-- 
Stan


-- 
Archive: http://lists.debian.org/4e1d206d.4000...@hardwarefreak.com



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-12 Thread Stan Hoeppner
On 7/12/2011 4:50 PM, lee wrote:

> The contention has pretty much been decided already :(  To decide
> whether to send and to receive mail is not up to the users.  Only the
> postmasters can do that.
>
> It is not surprising that they are striving hard to keep and to extend
> their powers, or is it?  Only at first glance, it's somewhat confusing
> that they admit that 90--95% of all email is SPAM.  Instead of taking
> such a statement as evidence to support the assumption that their fight
> is rather futile, one might wonder what actually is on their agenda.
> Are they Borg?

Paranoid troll.

*plonk*


-- 
Stan



-- 
Archive: http://lists.debian.org/4e1d217b.6090...@hardwarefreak.com



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-11 Thread Chris Davies
Stan Hoeppner s...@hardwarefreak.com wrote:
> Because no one should be receiving email directly from residential PCs,
> most which have dynamic IP addresses, some static addresses.

Do you include people who run their own MTA on consumer xDSL in this
sweeping statement? I'm genuinely curious about this one, as I fall in
to that (probably small) group.

FWIW the only objector to my email, that I know about, is hotmail,
which insists on marking all my email as spam. I'm aware of no problems
to any other SPs.

Chris


-- 
Archive: http://lists.debian.org/98sqe8x6f6@news.roaima.co.uk



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-11 Thread Stan Hoeppner
On 7/11/2011 4:27 AM, Chris Davies wrote:
> Stan Hoeppner s...@hardwarefreak.com wrote:
> Because no one should be receiving email directly from residential PCs,
> most which have dynamic IP addresses, some static addresses.
>
> Do you include people who run their own MTA on consumer xDSL in this
> sweeping statement? I'm genuinely curious about this one, as I fall in
> to that (probably small) group.

You're obviously new to the world of running an email server and spam
fighting, or you wouldn't ask such a silly question.  For starters, see:
http://lists.debian.org/debian-isp/2001/06/msg00096.html and note the
age of the post and to what mailing list.  Now see:
http://www.spamhaus.org/pbl/

The intent of fqrdns.pcre is identical to the PBL, simply using a
different method, which is more thorough.

> FWIW the only objector to my email, that I know about, is hotmail,
> which insists on marking all my email as spam. I'm aware of no problems
> to any other SPs.

That's because you're sending mail to a very limited set of domains.

-- 
Stan


-- 
Archive: http://lists.debian.org/4e1af4f0.4030...@hardwarefreak.com



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-11 Thread Brian
On Mon 11 Jul 2011 at 08:04:48 -0500, Stan Hoeppner wrote:

> On 7/11/2011 4:27 AM, Chris Davies wrote:
>>
>> Do you include people who run their own MTA on consumer xDSL in this
>> sweeping statement? I'm genuinely curious about this one, as I fall in
>> to that (probably small) group.
>
> You're obviously new to the world of running an email server and spam
> fighting, or you wouldn't ask such a silly question.  For starters, see:
> http://lists.debian.org/debian-isp/2001/06/msg00096.html and note the
> age of the post and to what mailing list.  Now see:
> http://www.spamhaus.org/pbl/

Both essentially say - 'You may want to take responsibility for
delivering your own mail but are categorised as second-class, so we
will stop you'. Whatever the faults of the postal system it does not
force you to put all your deliveries in their post boxes or make a
special journey to one of their offices.

The spammers use the network to send (usually) unwanted mail. The spam
fighters deny legitimate use of the network. The two groups make using
email harder.

> The intent of fqrdns.pcre is identical to the PBL, simply using a
> different method, which is more thorough.

It might very well be. If my ISP were to interfere with my mail in such
a way I'd be off.


-- 
Archive: http://lists.debian.org/20110711145117.GH15615@desktop



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-11 Thread Andrew McGlashan

Hi,

Brian wrote:

The spammers use the network to send (usually) unwanted mail. The spam
fighters deny legitimate use of the network. The two groups make using
email harder.


Exactly.

I successfully ran a mail server for a number of years without rDNS, but 
then was forced to get it.  No drama, I have rDNS now.


But, the blocking of xDSL mail servers that are properly set up just 
because they aren't going through an ISP is a horrible abuse of the 
Internet.  So is using block lists that stop legitimate mails from 
getting through so often.


Respect rDNS, respect SPF, those two alone would make a huge difference.
Greylisting is very effective, on the whole, and you need not
necessarily delay mail for too long a period.


The main reason I run my OWN mail server is that it is far more reliable 
than most if not all ISP mail servers that I've had to deal with over 
the years and I use SSL as much as I can to reduce the risks of plain 
old POP mail systems that sent everything in clear text -- not many ISPs 
will go to that level to protect user security and VALIDNESS of mail 
services.


--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


--

Archive: http://lists.debian.org/4e1b4d6d.5070...@affinityvision.com.au



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-11 Thread Chris Davies
Stan Hoeppner s...@hardwarefreak.com wrote:
> You're obviously new to the world of running an email server and spam
> fighting

About 20 years experience in a professional environment, with about 5
or so running an MTA at home (may be longer; I can't remember). Does
that count as new? I don't think so.

To be fair, I have realised in re-reading my post that I had mistakenly
edited out the "I have a static IP address and proper rDNS" statement
I had originally written.

On the basis of that new information I'd still appreciate knowing whether
you still stand by your sweeping statement about disallowing all home
users, or whether you'd modify it at all.

Chris


-- 
Archive: http://lists.debian.org/gi4se8xfug@news.roaima.co.uk



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-11 Thread Stan Hoeppner
On 7/11/2011 2:22 PM, Andrew McGlashan wrote:

> But, the blocking of xDSL mail servers that are properly set up just
> because they aren't going through an ISP is a horrible abuse of the
> Internet.

They're not properly set up if they have a dynamic IP address, and most
xDSL customers get a dynamic IP.  Given that 95% of all email is spam,
and 90% of that is from bot infected PCs on consumer xDSL/cable lines,
would you have the world stop summarily blocking the hundreds of
millions of dynamic IP hosts simply to let the few thousand Linux weenie
servers on dynamic IPs send mail without being molested?  Are you kidding?

If any of you 'combatants' in this thread had ever run a non trivial
sized mail operation, you'd change your tune on this subject in very
short order, after trying to deal effectively with a few hundred
thousand connections/day from bots attempting to push spam into your
users' mailboxen.

-- 
Stan


-- 
Archive: http://lists.debian.org/4e1bdd76.90...@hardwarefreak.com



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-11 Thread Stan Hoeppner
On 7/11/2011 3:55 PM, Chris Davies wrote:
> Stan Hoeppner s...@hardwarefreak.com wrote:
> You're obviously new to the world of running an email server and spam
> fighting
>
> About 20 years experience in a professional environment, with about 5
> or so running an MTA at home (may be longer; I can't remember). Does
> that count as new? I don't think so.

If you don't grasp the concepts I've been speaking of, and you don't
grasp the depth of the bot spam problem, then yes, from a spam fighting
or mail operations standpoint, you are definitely new.

> To be fair, I have realised in re-reading my post that I had mistakenly
> edited out the "I have a static IP address and proper rDNS" statement
> I had originally written.

If you're unable to differentiate your setup and that of the classic
consumer/home broadband host, then there's no point continuing this
conversation really.  This situation seems something like this analogy:

I'm 6'4 and about 185.  Someone calls me "fat ass" and I take offense.
Doesn't make sense does it since I'm not remotely fat.  You took
offense to the term "home user", but to a receiving MTA your host looks
nothing like a home broadband host.

> On the basis of that new information I'd still appreciate knowing whether
> you still stand by your sweeping statement about disallowing all home
> users, or whether you'd modify it at all.

Please re-read my posts.  This isn't about 'class warfare'.  It's about
blocking bot spam.  Home user broadband connected PCs just happen to
make up the vast bulk of bot infected machines.

-- 
Stan


-- 
Archive: http://lists.debian.org/4e1be13f.9050...@hardwarefreak.com



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-10 Thread lee
Stan Hoeppner s...@hardwarefreak.com writes:

> On 7/9/2011 12:00 PM, lee wrote:

> The rDNS check is very useful because it keeps out tons of SPAM without
> occupying too many resources.  It also seems to be common practice.  Do
> you have a better suggestion?

> Just checking for the existence of rDNS is no longer sufficiently
> effective against bot spam from infected residential hosts.  This is
> because many/most? ISPs have rDNS for most of their IP addresses,
> whether dynamic or static.

Well, most rejects are because the HELO checks fail.  There are only a
very few that fail because of the rDNS check.  There isn't much SPAM
getting through; I'm getting less than one message per day.

> If you really want to put the hammer on residential bot spam, especially
> IPs that send to you before Spamhaus ZEN (CBL) lists them, and that are
> not listed in the various DNS dynamic block lists, then you need
> something like this:

Why would you use such lists and thereby have others decide what mail
you accept and what not?

> http://www.hardwarefreak.com/fqrdns.pcre

> This Postfix PCRE table consists of 1600+ rDNS patterns of residential
> broadband/SOHO ISPs around the world, and is extremely effective at
> killing bot spam, while putting very little load on your server.

Sounds like it must have taken quite some work to put the list together,
and it would need to be maintained.  Won't graylisting work as well?


-- 
html messages are obsolete


-- 
Archive: http://lists.debian.org/87d3hib9th@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-10 Thread Joe
On Sun, 10 Jul 2011 01:47:19 +0200
lee l...@yun.yagibdah.de wrote:


> So there isn't any check on what's given in the [E]HELO statement with
> this.  Now I've spent about two hours trying to figure out how to
> check if the $sender_helo_name is resolvable and didn't get anywhere
> other than finding out that it could be done easily with something
> like ${lookup dnsdb{a=${sender_helo_name}}{$value}fail}.  The exim
> syntax is horrible with things like that :(  I need to look into that
> some more ...
>
>> There's no need for the HELO to match the PTR,
>
> Thank you for the clarification; I was obviously wrong.

Yes and no, see later. I've run with unmatched HELO and PTR for at least
seven years, and never had a rejection on that basis. I don't send to a
huge range of ISPs, but it does include AOL, which is notoriously picky.
What I do have is the HELO resolving to my IP address, even though the
PTR is something else.

From the exim4 specification:

The RFCs specifically state that mail should not be refused on the
basis of the content of the HELO or EHLO commands. However, there are
installations that do want to be strict in this area, and to support
them, Exim has the helo_verify option.

When helo_verify is set, a HELO or EHLO command must precede any MAIL
commands in an incoming SMTP connection. If there wasn't one, all MAIL
commands are rejected with a permanent error code. In addition, the
argument supplied by HELO or EHLO is verified. If it is in the form of
a literal IP address in square brackets, it must match the actual IP
address of the sending host. If it is a domain name, the sending host's
name is looked up from its IP address (whether or not it matches
host_lookup) and compared against it. If the comparison fails, the IP
addresses associated with the HELO or EHLO name are looked up using
gethostbyname() and compared against the sending host's IP address. If
none of them match, the HELO or EHLO command is rejected with a
permanent error code, and an entry is written in the main and reject
logs. 

Clearly I fail the first test but pass the second.

They could supply www.yahoo.de, for example, and it would pass
your test, wouldn't it?

Indeed so, and I mentioned I use somebody else's HELO when using telnet
to a mail server. Obviously a lot of people don't go further than an
existence check. To be honest, I hadn't realised exim's HELO tests went
that far, and it's possible they didn't when I first configured it all
those years ago.

The sender_verify check is a useful one. I also ask for an ident
reply with a 30-second timeout, drop about twenty countries by code in
sender or HELO, make some attempt to spot DHCP-based PTRs and drop a
couple of thousand CIDR blocks, including most of APNIC. Oh, and a
couple of particularly 'difficult' foreign ISPs by name. Every little
helps, and of typically 1000-5000 bogus connections a day, about two get
through to the inbox, and that's with no content filtering at all. If
I'm using Thunderbird, then it will normally spot those two.

Here are the statistics for 24 hours to 07:30 today:

2011-07-10
count: 1791                    [total]
Completed: 194                 [genuine plus about 2]
rejected: 1342
timed: 948                     [no reply to ident request]
country locally refused: 259   [in my blacklist]
syntactically: 2               [bad SMTP commands]
unwelcome ISP: 0               [none today]
locally blacklisted: 22        [IP address blacklist]
sender verify fail: 128        [invalid sender]
Generic: 78                    [DHCP-derived PTR]
X-Host-Lookup-Failed: 806      [PTR or PTR-A verify fails]
synchronization error: 16      [more SMTP trouble]
Unrouteable: 12                [unknown recipient]

The numbers don't add up accurately because there are a few minor
categories I don't count, and the ones which give up during the ident
timeout don't get counted as rejected. A large number don't run ident
servers, but that's true of many legitimate mail servers. The good guys
will wait thirty seconds, however, and unfortunately, some of the
spammers also will.

Virtually all the spam is sent to unknown recipients; the last category
is the few which didn't fail other tests. Possibly the occasional one
is a mistyped name, but sadly I can't afford to send NDRs because
almost all will be NDR spam. I do actually check the reject file every
day for messages to the few legitimate recipients, but it's rare that I
see even one, and extremely rare when it's someone who should have
been allowed through. Maybe one of those a year, which is why I don't
like content filtering, which has a much poorer false positive rate.

There's no way of knowing how many of my emails go to exim4
installations, nor how they are configured. I do get the impression
from mail sending problems on a Microsoft forum I also use, that many
mail servers have similar configurations to mine. I'm not sure how far
the last two Exchange versions can go in terms of spam rejection, but

Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-10 Thread Stan Hoeppner
On 7/10/2011 7:26 AM, lee wrote:
> Stan Hoeppner s...@hardwarefreak.com writes:
>
> On 7/9/2011 12:00 PM, lee wrote:
>
> The rDNS check is very useful because it keeps out tons of SPAM without
> occupying too many resources.  It also seems to be common practice.  Do
> you have a better suggestion?
>
> Just checking for the existence of rDNS is no longer sufficiently
> effective against bot spam from infected residential hosts.  This is
> because many/most? ISPs have rDNS for most of their IP addresses,
> whether dynamic or static.
>
> Well, most rejects are because the HELO checks fail.  There are only a
> very few that fail because of the rDNS check.  There isn't much SPAM
> getting through; I'm getting less than one message per day.

If your EHLO check is first it would make sense that it will reject more
than the rDNS check.  Reverse the order and you may see that metric
reversed.  It's good to hear you're not seeing much with your setup.
I'd guess you have low mail flow on that host.

> If you really want to put the hammer on residential bot spam, especially
> IPs that send to you before Spamhaus ZEN (CBL) lists them, and that are
> not listed in the various DNS dynamic block lists, then you need
> something like this:
>
> Why would you use such lists and thereby have others decide what mail
> you accept and what not?
>
> http://www.hardwarefreak.com/fqrdns.pcre

I take it you are really new to managing a mail server.  dnsbls have
been around forever, and every mail OP uses one or another, if not 5 or
more.  Have you heard of SpamAssassin?  Both restrictions make
reject/keep decisions for you.  Using this PCRE table is no different in
that regard.

> This Postfix PCRE table consists of 1600+ rDNS patterns of residential
> broadband/SOHO ISPs around the world, and is extremely effective at
> killing bot spam, while putting very little load on your server.
>
> Sounds like it must have taken quite some work to put the list together,
> and it would need to be maintained.

The table was built over a relatively long period of time, and does take
a small amount of time to maintain.  ISPs don't add new residential rDNS
patterns very often.  When we spot a new one a regex is created to match
it.  Changes average about one add every 1 to 2 months.

> Won't graylisting work as well?

I see that indeed you are new.  Greylisting will usually defeat bot spam
as bots never retry.  The problem is the delivery delay introduced
(minutes to hours).  This doesn't work for those ordering last minute
air fare and need to print their boarding pass.  With greylisting that
boarding pass email may arrive an hour later.  Greylisting also sucks
system resources due to the triplet database.

The fqrdns.pcre table gives most of the catch performance of
greylisting without the downsides.

-- 
Stan


-- 
Archive: http://lists.debian.org/4e1a3e3c.20...@hardwarefreak.com
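An added example, not fqrdns.pcre itself and not Postfix code: a minimal evaluator for a Postfix pcre: access table of the kind Stan describes, using constructed patterns and hostnames (example-isp.net and example-cable.com are invented), plus the REJECT-to-PREPEND rewrite he mentions for using such a table purely for scoring.

```python
"""Minimal evaluator for a Postfix pcre: access table of the kind Stan
describes.  Added example: the patterns below are constructed for
illustration and are not taken from fqrdns.pcre; this is not Postfix code.

A pcre table line is   /pattern/flags  action   and Postfix applies the
patterns in file order, first match wins.  The pattern is searched, not
anchored, unless you write ^ and $ yourself.
"""
import re

# Constructed table: an exempt static hostname, a REJECT for a generic
# pool-style residential pattern, and a PREPEND that only tags the message.
TABLE_TEXT = r"""
# comments and blank lines are ignored
/^static\.example-isp\.net$/   DUNNO
/^(dsl|cable|dyn)-[0-9-]+\.pool\.example-isp\.net$/   REJECT Generic residential rDNS; use your ISP's mail relay
/\.dhcp\.example-cable\.com$/i   PREPEND X-Residential-rDNS: yes
"""

# /pattern/ may contain backslash-escaped characters; flags limited to "i".
LINE = re.compile(r'^/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>i?)\s+(?P<action>.+)$')


def parse_table(text):
    """Return [(compiled_regex, action_string), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable pcre table line: {line!r}")
        flags = re.IGNORECASE if m["flags"] == "i" else 0
        rules.append((re.compile(m["pat"], flags), m["action"]))
    return rules


def lookup(rules, client_hostname):
    """Action for the client's rDNS name, or None when nothing matches
    (Postfix would then move on to the next restriction)."""
    for pattern, action in rules:
        if pattern.search(client_hostname):
            return action
    return None


def to_scoring_table(rules):
    """Stan's alternative use: replace every REJECT with a PREPEND so the
    table only tags residential senders for later scoring (e.g. in
    SpamAssassin) instead of rejecting at SMTP time."""
    scoring = []
    for pattern, action in rules:
        if action.startswith("REJECT"):
            action = "PREPEND X-Residential-rDNS: matched " + pattern.pattern
        scoring.append((pattern, action))
    return scoring


if __name__ == "__main__":
    rules = parse_table(TABLE_TEXT)
    for host in ["static.example-isp.net", "dsl-20-33.pool.example-isp.net",
                 "cpe-1.DHCP.example-cable.com", "mail.example.org"]:
        print(f"{host:32} -> {lookup(rules, host)}")
```
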



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-10 Thread lee
Stan Hoeppner s...@hardwarefreak.com writes:

> On 7/10/2011 7:26 AM, lee wrote:
> Stan Hoeppner s...@hardwarefreak.com writes:
>
> On 7/9/2011 12:00 PM, lee wrote:

> Just checking for the existence of rDNS is no longer sufficiently
> effective against bot spam from infected residential hosts.  This is
> because many/most? ISPs have rDNS for most of their IP addresses,
> whether dynamic or static.
>
> Well, most rejects are because the HELO checks fail.  There are only a
> very few that fail because of the rDNS check.  There isn't much SPAM
> getting through; I'm getting less than one message per day.

> If your EHLO check is first it would make sense that it will reject more
> than the rDNS check.  Reverse the order and you may see that metric
> reversed.  It's good to hear you're not seeing much with your setup.
> I'd guess you have low mail flow on that host.

Yes, the HELO checks are first.  It seems to make sense that way.

What do you consider low mail flow?

> http://www.hardwarefreak.com/fqrdns.pcre

> I take it you are really new to managing a mail server.  dnsbls have
> been around forever, and every mail OP uses one or another, if not 5 or
> more.

That they are around for a long time doesn't mean that I have to like
them or to have others decide what mail to accept or not to accept.

> Have you heard of SpamAssassin?  Both restrictions make
> reject/keep decisions for you.  Using this PCRE table is no different in
> that regard.

Spamassassin seems to be doing a good job; I don't know about your
table.  Both ways of filtering make decisions for me --- that's the
idea.

> This Postfix PCRE table consists of 1600+ rDNS patterns of residential
> broadband/SOHO ISPs around the world, and is extremely effective at
> killing bot spam, while putting very little load on your server.
>
> Sounds like it must have taken quite some work to put the list together,
> and it would need to be maintained.

> The table was built over a relatively long period of time, and does take
> a small amount of time to maintain.  ISPs don't add new residential rDNS
> patterns very often.  When we spot a new one a regex is created to match
> it.  Changes average about one add every 1 to 2 months.

Hm, that's a pretty low rate.

> Won't graylisting work as well?

> I see that indeed you are new.  Greylisting will usually defeat bot spam
> as bots never retry.  The problem is the delivery delay introduced
> (minutes to hours).  This doesn't work for those ordering last minute
> air fare and need to print their boarding pass.  With greylisting that
> boarding pass email may arrive an hour later.  Greylisting also sucks
> system resources due to the triplet database.

Since when can anyone take a given delivery time of emails for granted?
I can see people being stupid enough to do that, though.  The delay with
graylisting remains a disadvantage.

> The fqrdns.pcre table gives most of the catch performance of
> greylisting without the downsides.

I can see why you like it.  How do you make sure that mail you want to
receive isn't rejected when using the table?


-- 
html messages are obsolete


-- 
Archive: http://lists.debian.org/87sjqd8uxx@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-10 Thread Stan Hoeppner
On 7/10/2011 8:31 PM, lee wrote:
> Stan Hoeppner s...@hardwarefreak.com writes:
>
> On 7/10/2011 7:26 AM, lee wrote:
> Stan Hoeppner s...@hardwarefreak.com writes:

 On 7/9/2011 12:00 PM, lee wrote:

 Just checking for the existence of rDNS is no longer sufficiently
 effective against bot spam from infected residential hosts.  This is
 because many/most? ISPs have rDNS for most of their IP addresses,
 whether dynamic or static.

 Well, most rejects are because the HELO checks fail.  There are only a
 very few that fail because of the rDNS check.  There isn't much SPAM
 getting through; I'm getting less than one message per day.

 If your EHLO check is first it would make sense that it will reject more
 than the rDNS check.  Reverse the order and you may see that metric
 reversed.  It's good to hear you're not seeing much with your setup.
 I'd guess you have low mail flow on that host.
 
 Yes, the HELO checks are first.  It seems to make sense that way.

Most MTAs lookup the hostname long before receiving EHLO.  One can
reject mail sooner if configured to not wait for SMTP logging info
(HELO, MAIL FROM, etc).  If you wait it doesn't really matter as you
have no speed gain.  This 'trick' would only be applicable to extremely
high volume MX hosts, i.e.  300 connects/second.  Such systems likely
have upstream firewalls killing most of this traffic beforehand though.
 Lots of different ways to kill spam.

 What do you consider low mail flow?

Personally?  Generally less than 50,000 connects/day.  If you ask an
admin at one of the universities with 30k+ students, he'd probably tell
you anything less than 500k connects/day is low mail flow.  This answer
depends on who you ask.

 http://www.hardwarefreak.com/fqrdns.pcre

 I take it you are really new to managing a mail server.  dnsbls have
 been around forever, and every mail OP uses one or another, if not 5 or
 more.
 
 That they are around for a long time doesn't mean that I have to like
 them or to have others decide what mail to accept or not to accept.

That they have been around a long time, and have a solid reputation for
blocking spam and not ham, is the key.  I don't know why you wouldn't
'like' them.  I think you simply need more exposure to spam fighting and
the excellent free tools available to you.

Notice I didn't mention SORBS or FiveTen, et al--horrible reputation for
blocking ham.  Start with Spamhaus' dnsbls and branch out from there, if
needed.

 Have you heard of SpamAssassin?  Both restrictions make
 reject/keep decisions for you.  Using this PCRE table is no different in
 that regard.
 
 Spamassassin seems to be doing a good job; I don't know about your
 table.  Both ways of filtering make decisions for me --- that's the
 idea.

The same is true of configuring EXIM/Postfix/etc to reject based on lack
of PTR, incorrect HELO, etc.  It's called automation.  You already allow
your MTA to make block/accept decisions for you.  Using external or
other tools is no different in this regard.

Snowshoe spammers obey all the SMTP and DNS rules--correct rDNS, HELO,
etc.  Good luck fighting snowshoe spam without automation such as ZEN,
DBL, local lists, etc.

 This Postfix PCRE table consists of 1600+ rDNS patterns of residential
 broadband/SOHO ISPs around the world, and is extremely effective at
 killing bot spam, while putting very little load on your server.

 Sounds like it must have taken quite some work to put the list together,
 and it would need to be maintained.  

 The table was built over a relatively long period of time, and does take
 a small amount of time to maintain.  ISPs don't add new residential rDNS
 patterns very often.  When we spot a new one a regex is created to match
 it.  Changes average about one add every 1 to 2 months.
 
 Hm, that's a pretty low rate.

Changes occur at approximately the same rate as changes in the target
set of worldwide ISP rDNS patterns.  They simply don't change often once
you have the initial table built.  About once a month an ISP somewhere
in the world will start using a different rDNS pattern than before, or,
more often, they simply introduce a new pattern.  When one of the
fqrdns.pcre users identifies it, I add a regex to the table to match it,
and only it, which keeps FPs low or nonexistent.

 Won't graylisting work as well?

 I see that indeed you are new.  Greylisting will usually defeat bot spam
 as bots never retry.  The problem is the delivery delay introduced
 (minutes to hours).  This doesn't work for those ordering last minute
 air fare and need to print their boarding pass.  With greylisting that
 boarding pass email may arrive an hour later.  Greylisting also sucks
 system resources due to the triplet database.
 
 Since when can anyone take a given delivery time of emails for granted?
 I can see people being stupid enough to do that, though.  The delay with
 graylisting remains a disadvantage.

For most SMTP mail systems that are properly configured, successful
delivery occurs within a few 

Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread Camaleón
On Sat, 09 Jul 2011 08:33:23 +1000, Andrew McGlashan wrote:

(...)

 What I am thinking of doing is making the two MX records both at the
 same level number, 10, and having that do round robin as well (again,
 just the one mail server, accessible via both connections).  Does anyone
 see any issues with this idea?  Both public IPs in use will have rDNS
 setup.  My theory is that half the email will come in via one connection
 and half via the other one.  Outgoing email will just use one of the
 connections.
 
 Any ideas / comments / other things to consider?

Here you have some approaches for round robin and balancing MX records:

http://www.zytrax.com/books/dns/ch9/rr.html

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/pan.2011.07.09.10.41...@gmail.com



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread Andrew McGlashan

Hi,

Camaleón wrote:

On Sat, 09 Jul 2011 08:33:23 +1000, Andrew McGlashan wrote:

(...)


What I am thinking of doing is making the two MX records both at the
same level number, 10, and having that do round robin as well (again,
just the one mail server, accessible via both connections).  Does anyone
see any issues with this idea?  Both public IPs in use will have rDNS
setup.  My theory is that half the email will come in via one connection
and half via the other one.  Outgoing email will just use one of the
connections.

Any ideas / comments / other things to consider?


Here you have some approaches for round robin and balancing MX records:

http://www.zytrax.com/books/dns/ch9/rr.html


Thanks, that was along the lines I was thinking.  Although I am looking 
at the same ONE server being accessible via multiple public routes.  Not 
having 2 or 3 different servers managing the load via some form of 
co-operation.


Now a DNS related question.

Can rDNS lookups for different IPs return the same result such as 
mail.example.com or must each IP have its own unique PTR record name?


--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP



Archive: http://lists.debian.org/4e185d17.5000...@affinityvision.com.au



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread lee
Andrew McGlashan andrew.mcglas...@affinityvision.com.au writes:

 Can rDNS lookups for different IPs return the same result such as
 mail.example.com or must each IP have its own unique PTR record
 name?

Apparently they can, though I don't like the idea. For outgoing email,
you need to make sure that the hostname given in [E]HLO statements and
the IP address of the host connecting to a remote MTA always match when
the remote MTA resolves either.  You may send me some test mails to
check.


-- 
html messages are obsolete


Archive: http://lists.debian.org/874o2vfn0t@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread Erwan David
On 09/07/11 18:15, lee wrote:
 Andrew McGlashan andrew.mcglas...@affinityvision.com.au writes:
 
 Can rDNS lookups for different IPs return the same result such as
 mail.example.com or must each IP have its own unique PTR record
 name?
 
 Apparently they can, though I don't like the idea. For outgoing email,
 you need to make sure that the hostname given in [E]HLO statements and
 the IP address of the host connecting to a remote MTA always match when
 the remote MTA resolves either.  You may send me some test mails to
 check.
 
 

My mail server is behind a NAT gateway in IPv4, and directly connects in
IPv6. What should I configure it for HELO: the name of the NAT gateway
(for IPv4) or its own name (IPv6 only from outside)?

This kind of check is useless and makes you lose too many legit emails.


Archive: http://lists.debian.org/4e188052.2030...@rail.eu.org



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread lee
Erwan David er...@rail.eu.org writes:

 On 09/07/11 18:15, lee wrote:
 Andrew McGlashan andrew.mcglas...@affinityvision.com.au writes:
 
 Can rDNS lookups for different IPs return the same result such as
 mail.example.com or must each IP have its own unique PTR record
 name?
 
 Apparently they can, though I don't like the idea. For outgoing email,
 you need to make sure that the hostname given in [E]HLO statements and
 the IP address of the host connecting to a remote MTA always match when
 the remote MTA resolves either.  You may send me some test mails to
 check.
 
 

 My mail server is behind a NAT gateway in IPv4, and directly connects in
 IPv6. What should I configure it for HELO: the name of the NAT gateway
 (for IPv4) or its own name (IPv6 only from outside)?

Hm.  Can you send me an email through IPv6?  My guess is that you can
not, and that you would need to configure the [E]HLO depending on which
version of the protocol you use to send outgoing messages.  But then,
I'd have to look up how exactly exim4 is doing the rDNS checking to be
sure.

 This kind of check is useless and makes you lose too many legit emails.

The rDNS check is very useful because it keeps out tons of SPAM without
occupying too many resources.  It also seems to be common practise.  Do
you have a better suggestion?


-- 
html messages are obsolete


Archive: http://lists.debian.org/87zkkne6dh@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread John Hasler
Erwan David writes:
 My mail server is behind a NAT gateway in IPv4, and directly connects
 in IPv6. What should I configure it for HELO: the name of the NAT
 gateway (for IPv4) or its own name (IPv6 only from outside)?

When your IPv6 SMTP server connects to another IPv6 SMTP server over
IPv6 and attempts to deliver a message the other server knows nothing
about your NAT or your gateway or your IPv4.  It has an IPv6 address and
it wants to see if that address matches up to the name in the HELO.
-- 
John Hasler


Archive: http://lists.debian.org/87hb6vcoqy@thumper.dhh.gt.org



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread Erwan David
On 09/07/11 19:00, lee wrote:
 Erwan David er...@rail.eu.org writes:
 
 On 09/07/11 18:15, lee wrote:
 Andrew McGlashan andrew.mcglas...@affinityvision.com.au writes:

 Can rDNS lookups for different IPs return the same result such as
 mail.example.com or must each IP have its own unique PTR record
 name?

 Apparently they can, though I don't like the idea. For outgoing email,
 you need to make sure that the hostname given in [E]HLO statements and
 the IP address of the host connecting to a remote MTA always match when
 the remote MTA resolves either.  You may send me some test mails to
 check.



 My mail server is behind a NAT gateway in IPv4, and directly connects in
 IPv6. What should I configure it for HELO: the name of the NAT gateway
 (for IPv4) or its own name (IPv6 only from outside)?
 
 Hm.  Can you send me an email through IPv6?  My guess is that you can
 not, and that you would need to configure the [E]HLO depending on which
 version of the protocol you use to send outgoing messages.  But then,
 I'd have to look up how exactly exim4 is doing the rDNS checking to be
 sure.

Depends on your MX. But all my emails to the Debian ML go through IPv6.


Archive: http://lists.debian.org/4e18b5d2.5090...@rail.eu.org



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread Joe
On Sat, 09 Jul 2011 19:00:42 +0200
lee l...@yun.yagibdah.de wrote:

 Erwan David er...@rail.eu.org writes:
 
  On 09/07/11 18:15, lee wrote:
  
  Apparently they can, though I don't like the idea. For outgoing
  email, you need to make sure that the hostname given in [E]HLO
  statements and the IP address of the host connecting to a remote
  MTA always match when the remote MTA resolves either.  You may
  send me some test mails to check.
  
  
 
  My mail server is behind a NAT gateway in IPv4, and directly
  connects in IPv6. What should I configure it for HELO: the name of
  the NAT gateway (for IPv4) or its own name (IPv6 only from
  outside)?
 
 Hm.  Can you send me an email through IPv6?  My guess is that you can
 not, and that you would need to configure the [E]HLO depending on
 which version of the protocol you use to send outgoing messages.  But
 then, I'd have to look up how exactly exim4 is doing the rDNS
 checking to be sure.
 
  This kind of check is useless and makes you lose too many legit emails.
 
 The rDNS check is very useful because it keeps out tons of SPAM
 without occupying too many resources.  It also seems to be common
 practise.  Do you have a better suggestion?
 
 

Yes.

- Check that the sender IP address has a PTR.
- Check that the PTR string exists as an A record in public DNS and the
  A record returns the same IP address.
- Check that HELO resolves in public DNS either to a domain or an A
  record, though not necessarily the same one as the sender PTR.

Exim4 will do this easily. I can no longer recall whether these are
default settings, but they are certainly only a matter of enabling
existing programmed checks. They do indeed eliminate nearly all spam,
as my email address as shown is valid and has been used freely on
Usenet for more than twelve years, so I need all the help I can get.

There's no need for the HELO to match the PTR, mine have almost no
relationship as I lease an Internet connection from one company and a
number of domain names elsewhere, which are all hosted on my mail
server. My ISP provides complementary PTR and A records, but I do not
use the PTR hostname for anything, as it is long and rambling, though
at least it doesn't look like a DHCP-issued one.

I don't even bother varying the HELO for different sending domains,
which exim4 will do if necessary. I don't find it so, anything
resolvable in public DNS seems OK. I've even seen email from BT servers
carrying what is obviously a Microsoft private domain name as HELO, one
which ends in .local, which is not a valid top-level domain. OK, it
wouldn't get into my server, but there are obviously some which don't
check.

I occasionally use telnet to connect to a mail server to verify
something. I use a six-character HELO which is quick to type, and
which is valid, but which I have no entitlement to use at all. It is
never a problem.

There's also no need for the MX to match either HELO or PTR, as some
people suggest. Many large companies use separate send and receive
servers, many small ones receive via a spam-removing service that has
nothing to do with their own mail server.

 Andrew McGlashan andrew.mcglas...@affinityvision.com.au writes:
   
 Can rDNS lookups for different IPs return the same result such as
 mail.example.com or must each IP have its own unique PTR record
 name?  

Not if many mail servers are configured as mine is, and I think many
are. The complementary PTR-A record pair would not work, as your
hostname A record would only point to one IP address. But there's no
problem with multiple MX records, and as I say they don't have to match
a PTR anywhere, so there's no problem with using two different
hostnames for your two IP addresses. Just ensure the PTRs for the
addresses match the hostnames. By the way, many MTAs will accept an MX
record containing an IP address, but some won't. The SMTP RFC
specifically requires an MX record to contain a hostname, which will
have a corresponding A record which points to the IP address.

Even if your ISP will not configure the PTR to suit you, if it is
configured at all, the ISP will probably have a matching A record
pointing back to it. If the PTR isn't configured at all, and the ISP
won't do it, forget about sending mail, you have to use a smarthost.
Even mail servers which don't look for a complementary pair will still
look for the existence of a PTR.

-- 
Joe


Archive: http://lists.debian.org/20110709214156.740f0...@jresid.jretrading.com
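The three checks Joe lists, as an added example that is not from this thread and not Exim's own code: a Python model of PTR existence, forward-confirmed rDNS and HELO resolvability, run over a constructed in-memory DNS table (documentation addresses only) so it works offline; `lookup` stands in for a real resolver query. The last sample client also shows the limitation lee raises later in the thread: any resolvable HELO name passes check 3, whoever owns it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def _key(name: str, rtype: str) -> Tuple[str, str]:
    """Normalise an owner name (case, trailing dot) into a table key."""
    return (name.rstrip(".").lower() + ".", rtype)


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip: in-addr.arpa (v4) or ip6.arpa (v6)."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed DNS data so the checks run offline.  Documentation addresses
# only (RFC 5737 / RFC 3849); nothing here is a real host.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # A well-behaved sender: PTR and A/AAAA form a matching pair, over v4 and v6.
    _key(reverse_name("192.0.2.81"), "PTR"): ["mx1.example.net."],
    _key(reverse_name("2001:db8::25"), "PTR"): ["mx1.example.net."],
    _key("mx1.example.net", "A"): ["192.0.2.81"],
    _key("mx1.example.net", "AAAA"): ["2001:db8::25"],
    # A PTR whose forward record points at a different address.
    _key(reverse_name("192.0.2.82"), "PTR"): ["mx.example.org."],
    _key("mx.example.org", "A"): ["198.51.100.9"],
    # 192.0.2.83 deliberately has no PTR at all.
    # Names that only serve as HELO values below.
    _key("www.example.com", "A"): ["203.0.113.10"],
    _key("example.com", "MX"): ["10 mx1.example.net."],
}


def lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a resolver query; a real MTA asks live DNS here."""
    return FAKE_DNS.get(_key(name, rtype), [])


def ptr_names(ip: str) -> List[str]:
    """Check 1: the PTR names (if any) for the sender address."""
    return lookup(reverse_name(ip), "PTR")


def forward_confirmed_name(ip: str) -> Optional[str]:
    """Check 2: the first PTR name whose A/AAAA record resolves back to ip."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    for name in ptr_names(ip):
        if addr in {ipaddress.ip_address(a) for a in lookup(name, rtype)}:
            return name
    return None


def helo_resolves(helo: str) -> bool:
    """Check 3: the HELO name has an A/AAAA record, or is a domain with MX.

    RFC 5321 also permits an address literal such as [192.0.2.1]; Joe's
    policy wants a resolvable name, so literals fail here."""
    if helo.startswith("["):
        return False
    return any(lookup(helo, rtype) for rtype in ("A", "AAAA", "MX"))


def evaluate(ip: str, helo: str) -> List[str]:
    """Run Joe's three checks in order; an empty list means the client passes."""
    failures = []
    if not ptr_names(ip):
        failures.append("no PTR for sender address")
    elif forward_confirmed_name(ip) is None:
        failures.append("PTR name does not resolve back to sender address")
    if not helo_resolves(helo):
        failures.append("HELO name does not resolve in DNS")
    return failures


if __name__ == "__main__":
    for ip, helo in [("192.0.2.81", "mx1.example.net"),
                     ("2001:db8::25", "mx1.example.net"),
                     ("192.0.2.82", "mx.example.org"),
                     ("192.0.2.83", "bogus.invalid"),
                     # passes: the HELO check only asks whether the name
                     # resolves, not whether the sender is entitled to it
                     ("192.0.2.81", "www.example.com")]:
        print(ip, helo, evaluate(ip, helo) or "accept")
```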



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread lee
Erwan David er...@rail.eu.org writes:

 On 09/07/11 19:00, lee wrote:
 My mail server is behind a NAT gateway in IPv4, and directly connects in
 IPv6. What should I configure it for HELO: the name of the NAT gateway
 (for IPv4) or its own name (IPv6 only from outside)?
 
 Hm.  Can you send me an email through IPv6?  My guess is that you can
 not, and that you would need to configure the [E]HLO depending on which
 version of the protocol you use to send outgoing messages.  But then,
 I'd have to look up how exactly exim4 is doing the rDNS checking to be
 sure.

 Depends on your MX But all my emails to debian ML go through IPv6

Well, try, or look up the MX record ...


-- 
html messages are obsolete


Archive: http://lists.debian.org/87vcvbdu3a@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread lee
Joe j...@jretrading.com writes:

 On Sat, 09 Jul 2011 19:00:42 +0200
 lee l...@yun.yagibdah.de wrote:

 Erwan David er...@rail.eu.org writes:
 
  On 09/07/11 18:15, lee wrote:
  This kind of check is useless and makes you lose too many legit emails.
 
 The rDNS check is very useful because it keeps out tons of SPAM
 without occupying too many resources.  It also seems to be common
 practise.  Do you have a better suggestion?
 
 

 Yes.

 - Check that the sender IP address has a PTR.
 - Check that the PTR string exists as an A record in public DNS and the
   A record returns the same IP address.
 - Check that HELO resolves in public DNS either to a domain or an A
   record, though not necessarily the same one as the sender PTR.

This sounds good to me.

 Exim4 will do this easily. I can no longer recall whether these are
 default settings, but they are certainly only a matter of enabling
 existing programmed checks.

It seems that there aren't exactly default settings for exim4.  When you
think of Debian, they have come up with their own way of configuring
exim, and when you use it, you don't know anymore how exim is
configured.  Then there's the example configuration in the
documentation, and it doesn't have an rDNS check in it at all.

What I have is:

,
| deny !verify = reverse_host_lookup
|  message = no reverse DNS record for ${sender_host_address} found
|  log_message = No reverse DNS record for ${sender_host_address} \
|(claimed to be ${sender_helo_name}).
`

The exim specification says:

,
| *verify = reverse_host_lookup*
| 
|  This condition ensures that a verified host name has been looked up
|  from the IP address of the client host. [...] Verification ensures
|  that the host name obtained from a reverse DNS lookup, or one of
|  its aliases, does, when it is itself looked up in the DNS, yield
|  the original IP address.
|  [...]
`

So there isn't any check on what's given in the [E]HELO statement with
this.  Now I've spent about two hours trying to figure out how to check
if the $sender_helo_name is resolvable and didn't get anywhere other
than finding out that it could be done easily with something like
${lookup dnsdb{a=${sender_helo_name}}{$value}fail}.  The exim syntax
is horrible with things like that :(  I need to look into that some more
...

 There's no need for the HELO to match the PTR,

Thank you for the clarification; I was obviously wrong.


-- 
html messages are obsolete


Archive: http://lists.debian.org/87wrfrauew@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread lee
Joe j...@jretrading.com writes:

 -Check that HELO resolves in public DNS either to a domain or an A
 record, though not necessarily the same one as the sender PTR

Oh well, it just occurred to me that this check seems pointless because
people can configure their MTAs to supply anything they like as [E]HELO
name.  They could supply www.yahoo.de, for example, and it would pass
your test, wouldn't it?


-- 
html messages are obsolete


Archive: http://lists.debian.org/87iprbaskd@yun.yagibdah.de



Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-09 Thread Stan Hoeppner
On 7/9/2011 12:00 PM, lee wrote:

 The rDNS check is very useful because it keeps out tons of SPAM without
 occupying too many resources.  It also seems to be common practise.  Do
 you have a better suggestion?

Just checking for the existence of rDNS is no longer sufficiently
effective against bot spam from infected residential hosts.  This is
because many/most? ISPs have rDNS for most of their IP addresses,
whether dynamic or static.

If you really want to put the hammer on residential bot spam, especially
IPs that send to you before Spamhaus ZEN (CBL) lists them, and that are
not listed in the various DNS dynamic block lists, then you need
something like this:

http://www.hardwarefreak.com/fqrdns.pcre

This Postfix PCRE table consists of 1600+ rDNS patterns of residential
broadband/SOHO ISPs around the world, and is extremely effective at
killing bot spam, while putting very little load on your server.  The
table and the instructions I've written are geared toward Postfix, but
the table should be usable with any MTA, with appropriate modifications,
that handles PCRE tables.  Simply have your MTA query the table for the
rDNS string.  The table is currently setup to outright reject most
matches, but for some that are more in SOHO land it does a header
prepend so SA etc can score it.

If someone wishes to modify it for use with Exim and rehost it that
would be great.

-- 
Stan


Archive: http://lists.debian.org/4e18f888.9070...@hardwarefreak.com
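Added example, not Stan's table and not Postfix code: a minimal reader for the pcre_table(5) syntax his table uses, which looks up a client's rDNS name and returns the first matching action (REJECT, PREPEND or DUNNO) the way Postfix's check_client_access would. The table below is constructed around a made-up ISP (example-isp.net); its patterns are illustrative and are not entries from fqrdns.pcre.

```python
import re
from typing import List, NamedTuple, Optional, Pattern


class Rule(NamedTuple):
    negate: bool      # a leading '!' inverts the match
    regex: Pattern
    action: str       # e.g. "REJECT text", "PREPEND Header: value", "DUNNO"


# Constructed table in pcre_table(5) syntax.  The patterns are illustrative
# (a made-up ISP, example-isp.net) and are NOT entries from fqrdns.pcre.
EXAMPLE_TABLE = r"""
# Clients outside the (constructed) ISP are not this table's business.
!/\.example-isp\.net$/                               DUNNO
# Numeric, dynamic-looking rDNS: reject outright, as the table does for most.
/^(\d{1,3}[.-]){3}\d{1,3}\..*\.example-isp\.net$/    REJECT Generic rDNS, please relay via your ISP
# SOHO pool: tag it so SpamAssassin can score it instead of rejecting.
/^dsl-.*\.soho\.example-isp\.net$/                   PREPEND X-Residential-rDNS: example-isp.net SOHO
/^static-.*\.business\.example-isp\.net$/            DUNNO
"""


def parse_pcre_table(text: str) -> List[Rule]:
    """Parse '/pattern/flags action' lines; '#' comments and blank lines are skipped.

    Not covered here: $1-style substitutions in the action and the x/m flags."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        delim = line[0]                      # any character may delimit the pattern
        end = line.find(delim, 1)
        while end != -1 and line[end - 1] == "\\":   # skip escaped delimiters
            end = line.find(delim, end + 1)
        m = re.match(r"([A-Za-z]*)\s+(\S.*)$", line[end + 1:]) if end != -1 else None
        if m is None:
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default; 'i' toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append(Rule(negate, re.compile(line[1:end], re_flags), action.strip()))
    return rules


def lookup_client_name(rules: List[Rule], client_name: str) -> Optional[str]:
    """First matching rule wins, as in Postfix; None means nothing matched."""
    for rule in rules:
        matched = rule.regex.search(client_name) is not None
        if matched != rule.negate:
            return rule.action
    return None


def decision(rules: List[Rule], client_name: str) -> str:
    """The access-map verb (REJECT/PREPEND/DUNNO); no match behaves like DUNNO."""
    action = lookup_client_name(rules, client_name)
    return action.split()[0].upper() if action else "DUNNO"


if __name__ == "__main__":
    table = parse_pcre_table(EXAMPLE_TABLE)
    for name in ("1-2-3-4.dyn.example-isp.net", "dsl-99.soho.example-isp.net",
                 "static-5.business.example-isp.net", "mail.example.org"):
        print(f"{name:40} {lookup_client_name(table, name)}")
```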



Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?

2011-07-08 Thread Andrew McGlashan

Hi,

I have a client server, it is accessible via two separate Internet 
connections.


I've managed to get it set up so that the single server can be accessed 
fully via either Internet connection with some interesting routing 
configuration.


Now I know that the website can be serviced via either connection with a 
couple of DNS entries (one for each public IP) and I'm pretty sure that 
won't cause any problems.


What I am thinking of doing is making the two MX records both at the 
same level number, 10, and having that do round robin as well (again, 
just the one mail server, accessible via both connections).  Does anyone 
see any issues with this idea?  Both public IPs in use will have rDNS 
setup.  My theory is that half the email will come in via one connection 
and half via the other one.  Outgoing email will just use one of the 
connections.


Any ideas / comments / other things to consider?

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP



Archive: http://lists.debian.org/4e1785b3.6080...@affinityvision.com.au



DNS round robin with NFS

2010-01-01 Thread Mag Gam
I have 3 NFS servers which are serving the same exact data - ISO images.

I have close to 50 clients who access this data so I manually mount up
1/3 clients to serverA, 1/3 clients to serverB, and the remainder to
serverC.

I was wondering if I can place the 3 NFS server in a pool and have all
the clients access the pool.

Any thoughts?
TIA





Re: DNS round robin with NFS

2010-01-01 Thread Alex Samad
On Fri, Jan 01, 2010 at 05:32:01PM -0500, Mag Gam wrote:
 I have 3 NFS servers which are serving the same exact data - ISO images.
 
 I have close to 50 clients who access this data so I manually mount up
 1/3 clients to serverA, 1/3 clients to serverB, and the remainder to
 serverC.
 
 I was wondering if I can place the 3 NFS server in a pool and have all
 the clients access the pool.


I am guessing it shouldn't be a problem if they are mounted ro, and it
might help to mount via UDP.


 
 Any thoughts?
 TIA
 
 

-- 
Goto, n.:
A programming tool that exists to allow structured programmers
to complain about unstructured programmers.
-- Ray Simard




RE: DNS round robin with NFS

2010-01-01 Thread James Wu
I've never tried this but I assume it should be possible to use DNS to do basic 
round-robining. All you need to do is have 3 A records for the same hostname.

James

-Original Message-
From: Mag Gam [mailto:magaw...@gmail.com]
Sent: Fri 1/1/2010 5:32 PM
To: debian-user
Subject: DNS round robin with NFS
 
I have 3 NFS servers which are serving the same exact data - ISO images.

I have close to 50 clients who access this data so I manually mount up
1/3 clients to serverA, 1/3 clients to serverB, and the remainder to
serverC.

I was wondering if I can place the 3 NFS server in a pool and have all
the clients access the pool.

Any thoughts?
TIA






Re: DNS round robin with NFS

2010-01-01 Thread Brent Clark

On Fri, Jan 01, 2010 at 05:32:01PM -0500, Mag Gam wrote:

I have 3 NFS servers which are serving the same exact data - ISO images.

I have close to 50 clients who access this data so I manually mount up
1/3 clients to serverA, 1/3 clients to serverB, and the remainder to
serverC.

I was wondering if I can place the 3 NFS server in a pool and have all
the clients access the pool.
 




Hiya

Use UDP; it will help re-establish connections quickly. Why not look into
LVS? That's a good load-balancing tool.


HTH

Brent Clark






ROUND-ROBIN DNS

2008-03-19 Thread Israel Lehnen Silva
Good evening.

I would like to know whether you know of any script, module, etc. with which
I could register my clients' domains in cPanel, and instead of registering
them in BIND as a static IP, it would add them in ROUND-ROBIN format, as in
this example:

host www.akadia.com
www.akadia.com has address 217.193.130.251
www.akadia.com has address 193.247.121.197

Has anyone done this?

-- 

Regards, Israel Lehnen Silva


Re: Round robin DNS type of service

2006-06-19 Thread Lars Boegild Thomsen
Roberto C. Sanchez wrote:

 I want to purchase ANOTHER dedicated server and make it so that if on
 someone types in the browser www.eccotours.biz, obviously it will
 resolve to
 one of the IPs. BUT how will I handle if one of the machines is down.
 How can I get around this.
 Or will the client first try one IP, if on failure, try the next one.
 What you want to do requires a front-end machine for load balancing, not
 an additional IP/DNS setup.  You would tell it to proxy traffic to one
 of two (or more) machines that are up and running.

Well - it can actually be done with a little bit of clever DNS setup too,
and to the best of my knowledge it is completely acceptable from a DNS
point of view.

Imagine we want to configure 3 identical web servers and do a reasonable
load balancing between them - AND make sure one or two of them can be
down without too many users being annoyed.  Let's use company.com as an
example domain.

We want to play with some NS records instead of A or CNAME records, so in
the basic company.com zone we do two things - redelegate a sub domain AND
do an alias - something along this line:

web             IN      NS      server1
web             IN      NS      server2
web             IN      NS      server3

server1         IN      A       xxx.xxx.xxx.xxx
server2         IN      A       xxx.xxx.xxx.xxx
server3         IN      A       xxx.xxx.xxx.xxx

www             IN      CNAME   www.web

Ok - by now we have appointed our three servers as authoritative for the
web.company.com domain and we point www to a server called
www.web.company.com.  Normally when configuring 3 name servers for a
domain you would make a master and then slave the other two.  In this
case we do NOT do that - we make all three authoritative AND we make sure
it's got a VERY short time to live (say 5 minutes).  These zones will
follow something like this:

Server 1:
-
www             IN      CNAME   server1.company.com.

Server 2:
-
www             IN      CNAME   server2.company.com.

Server 3:
-
www             IN      CNAME   server3.company.com.

In other words, what server we resolve to depends on which name server we
asked, and if one of the name servers disappears - nobody will ever point
to that particular server.

GRANTED - this is not bullet proof.  It does NOT protect against for
example apache dying while bind is still running (but honestly - how
often does that happen compared to an internet line being down?).  Also -
when a server or connection dies there WILL be a short period where users
are pointed to the dead server.  It does however provide a reasonable
load balancing AND contrary to having a proper proxy it can be
distributed across multiple internet or hosting providers.

-- 
Lars

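The delegation trick Lars describes, as an added simulation that is not part of his post: three constructed authoritative servers for web.company.com each answer www.web with a CNAME to themselves, a resolver asks a random delegated NS and skips any that is down, and a cached answer outlives the server it points at until the (constructed, 300 s) TTL expires. The `up` set models which servers are reachable.

```python
"""Simulation of the NS-delegation trick above (added example, not from the
post). Names and TTL are constructed; `up` is the set of reachable servers."""
import random

ZONES = {  # each authoritative server answers "www.web" with a CNAME to itself
    "server1.company.com": "server1.company.com",
    "server2.company.com": "server2.company.com",
    "server3.company.com": "server3.company.com",
}


class Resolver:
    """Caching resolver: asks a random delegated NS, skips ones that time out."""

    def __init__(self, ns_list, ttl=300, clock=lambda: 0.0):
        self.ns_list, self.ttl, self.clock, self.cache = list(ns_list), ttl, clock, {}

    def resolve(self, name, up):
        hit = self.cache.get(name)
        now = self.clock()
        if hit and hit[1] > now:
            return hit[0]  # cached answer is used even if that server has since died
        for ns in random.sample(self.ns_list, len(self.ns_list)):
            if ns in up:   # a down NS never answers, so the resolver moves on
                self.cache[name] = (ZONES[ns], now + self.ttl)
                return ZONES[ns]
        raise LookupError("no authoritative server reachable for " + name)


def distribution(trials, up, seed=1):
    """Which server do `trials` fresh (uncached) clients land on?"""
    random.seed(seed)
    counts = {}
    for _ in range(trials):
        target = Resolver(ZONES).resolve("www.web.company.com", up)
        counts[target] = counts.get(target, 0) + 1
    return counts


def stale_window(ttl=300):
    """The failure mode Lars grants: a cached answer outlives the dead server."""
    clock = [0.0]
    r = Resolver(ZONES, ttl=ttl, clock=lambda: clock[0])
    first = r.resolve("www.web.company.com", set(ZONES))
    live = set(ZONES) - {first}          # that server dies a second later
    clock[0] += 1
    stale = r.resolve("www.web.company.com", live) == first
    clock[0] += ttl                      # cache expires; next lookup skips it
    return stale, r.resolve("www.web.company.com", live) in live
```

`distribution(300, set(ZONES))` spreads clients over all three servers, `distribution(100, {"server1.company.com", "server2.company.com"})` never returns server3, and `stale_window()` returns `(True, True)`: stale for one TTL, then healed.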

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Round robin DNS type of service

2006-06-09 Thread Matus UHLAR - fantomas
 Brent Clark wrote:
  [EMAIL PROTECTED]:~$ dig www.google.com +short
  www.l.google.com.
  216.239.37.104 This is First
  216.239.37.99
  [EMAIL PROTECTED]:~$ dig www.google.com +short
  www.l.google.com.
  216.239.37.99
  216.239.37.104 Now it's second
  [EMAIL PROTECTED]:~$

btw try 10 times getent hosts www.google.com
I guess you will be surprised... seems that libc sorts IPs numerically :(

  This is my question, I want to do the same OR
  
  What I really want is:
  I want to purchase ANOTHER dedicated server and make it so that if
  someone types in the browser www.eccotours.biz, obviously it will
  resolve to
  one of the IPs. BUT how will I handle if one of the machines is down.
  How can I get around this.
  Or will the client first try one IP, if on failure, try the next one.

On 08.06.06 09:52, Roberto C. Sanchez wrote:
 What you want to do requires a front-end machine for load balancing, not
 an additional IP/DNS setup.  You would tell it to proxy traffic to one
 of two (or more) machines that are up and running.

in such a case you will move the SPOF from the www server to the balancing comp :)
however that should be a bit more stable than www servers, and there are
Level3 switches that can do such a thing. Also, Linux Virtual Server
provides such functionality in the Linux kernel.

Another possibility is to run heartbeat on balancers or servers.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
WinError #9: Out of error messages.





Round robin DNS type of service

2006-06-08 Thread Brent Clark

Hey all

If you look @ google

[EMAIL PROTECTED]:~$ dig www.google.com +short
www.l.google.com.
216.239.37.104   This is First
216.239.37.99
[EMAIL PROTECTED]:~$ dig www.google.com +short
www.l.google.com.
216.239.37.99
216.239.37.104   Now it's second
[EMAIL PROTECTED]:~$

This is my question, I want to do the same OR

What I really want is:
I want to purchase ANOTHER dedicated server and make it so that if someone
types in the browser www.eccotours.biz, obviously it will resolve to
one of the IPs. BUT how will I handle it if one of the machines is down? How can I
get around this?
Or will the client first try one IP and, on failure, try the next one?

Brent






Re: Round robin DNS type of service

2006-06-08 Thread Roberto C. Sanchez
Brent Clark wrote:
 Hey all
 
 If you look @ google
 
 [EMAIL PROTECTED]:~$ dig www.google.com +short
 www.l.google.com.
 216.239.37.104 This is First
 216.239.37.99
 [EMAIL PROTECTED]:~$ dig www.google.com +short
 www.l.google.com.
 216.239.37.99
 216.239.37.104 Now it's second
 [EMAIL PROTECTED]:~$
 
 This is my question, I want to do the same OR
 
 What I really want is:
 I want to purchase ANOTHER dedicated server and make it so that if
 someone types in the browser www.eccotours.biz, obviously it will
 resolve to
 one of the IPs. BUT how will I handle if one of the machines is down.
 How can I get around this.
 Or will the client first try one IP, if on failure, try the next one.
 
 Brent
 
 

What you want to do requires a front-end machine for load balancing, not
an additional IP/DNS setup.  You would tell it to proxy traffic to one
of two (or more) machines that are up and running.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




Re: DNS - round robin

2006-05-12 Thread Fabrício Feijo
For a subdomain, you only need to create 2 NS entries in your DNS and state which are the 2 DNS servers for the subdomain; but if you want to do the same thing just for a HOST, simply create two HOST entries in your domain with the same name but different IPs, and it's done.

Regards,
Fabricio Feijo

2006/5/11, Tiago Meireles [EMAIL PROTECTED]:
Hi everyone, I have a question about DNS, mainly about how round robin works. It's basically this: I have a DNS server and I would like to create a subdomain where that name answers with 2 IPs. Is it possible to do this just for a subdomain?
Does anyone have a tip on how to do it? Regards, Tiago Meireles

-- Fabrício Fernandes Feijó...do it for yourself...


Re: DNS - round robin

2006-05-12 Thread Tiago Meireles
I created two entries for the same host with different IPs and that's it: it automatically rotates the resolution between those IPs. Fantastic!!! Cheers and thanks.

On 5/12/06, Fabrício Feijo [EMAIL PROTECTED] wrote:
For a subdomain, you only need to create 2 NS entries in your DNS and state which are the 2 DNS servers for the subdomain; but if you want to do the same thing just for a HOST, simply create two HOST entries in your domain with the same name but different IPs, and it's done.

Regards,
Fabricio Feijo

2006/5/11, Tiago Meireles [EMAIL PROTECTED]:

Hi everyone, I have a question about DNS, mainly about how round robin works. It's basically this: I have a DNS server and I would like to create a subdomain where that name answers with 2 IPs. Is it possible to do this just for a subdomain?
Does anyone have a tip on how to do it? Regards, Tiago Meireles

-- Fabrício Fernandes Feijó...do it for yourself...




DNS - round robin

2006-05-11 Thread Tiago Meireles
Hi everyone, I have a question about DNS, mainly about how round robin works. It's basically this: I have a DNS server and I would like to create a subdomain where that name answers with 2 IPs. Is it possible to do this just for a subdomain?
Does anyone have a tip on how to do it? Regards, Tiago Meireles


Re: Round Robin

2000-04-06 Thread John Pearson
On Wed, Apr 05, 2000 at 10:29:30PM +0200, Robert Waldner wrote
 On Wed, 05 Apr 2000 17:38:18 +0200, Neil D. Roberts writes:
 www.domain.com is 192.168.1.1 or 192.168.1.2 or 192.168.1.3 in order to
 have all 100 people get different responses
 
 I have no idea, to create three A records for this domain, or if I need
 to do something else, any ideas ?
 
 Just 3 A-records will do fine
 
 bash-2.03$ host smtp.austria.eu.net
 smtp.austria.eu.net A   193.81.13.2
 smtp.austria.eu.net A   193.154.160.146
 smtp.austria.eu.net A   193.81.83.3
 smtp.austria.eu.net A   193.154.160.103
 
 Don't forget the appropriate PTR-records.
 
 More interesting (at least for me) would be trying it with CNAMEs, would
 that be valid?
 

No, because a CNAME links a name to an A record; if there's only one
A record, all the CNAMEs will point to the same address.


John P.
-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.mdt.net.au/~john Debian Linux admin  support:technical services


Round Robin

2000-04-05 Thread Neil D. Roberts
Hi List,

Lets say that 100 people ask for www.domain.com, and I have three
servers, running the same service. How can I configure in a dns server
(named) to round robin this ? I mean can I do something like this? :

www.domain.com is 192.168.1.1 or 192.168.1.2 or 192.168.1.3 in order to
have all 100 people get different responses

I have no idea, to create three A records for this domain, or if I need
to do something else, any ideas ?

Thanks a bunch

Neil


Re: Round Robin

2000-04-05 Thread Robert Waldner
On Wed, 05 Apr 2000 17:38:18 +0200, Neil D. Roberts writes:
www.domain.com is 192.168.1.1 or 192.168.1.2 or 192.168.1.3 in order to
have all 100 people get different responses

I have no idea, to create three A records for this domain, or if I need
to do something else, any ideas ?

Just 3 A-records will do fine

bash-2.03$ host smtp.austria.eu.net
smtp.austria.eu.net A   193.81.13.2
smtp.austria.eu.net A   193.154.160.146
smtp.austria.eu.net A   193.81.83.3
smtp.austria.eu.net A   193.154.160.103

Don't forget the appropriate PTR-records.

More interesting (at least for me) would be trying it with CNAMEs, would that 
be valid?

hth,
rw
-- 
/ Robert Waldner [EMAIL PROTECTED] | Phone: +43 1 89933 0 Fax x533 \
\KPNQwest/AT tech staff| Diefenbachg. 35   A-1150 Wien / 



Microsoft's round robin DNS?

1996-11-18 Thread Robert Nicholson
Has anybody seen how Microsoft implements their DNS?

I'm a little confused because they return a connect refused and then
expect to roll over to their next host. I'm guessing this is something
that explorer knows about. Something that netscape did earlier with
their browsers. But Netscape catches the connect refused and doesn't
proceed to the next host. 

Anybody?

robert:/export/home/robert> telnet www.microsoft.com 80   19:16
Trying 207.68.137.62...
telnet: connect to address 207.68.137.62: Connection refused
Connected to www.microsoft.com.
Escape character is '^]'.
^Cquit
Connection closed by foreign host.
robert:/export/home/robert> telnet www.microsoft.com 80   19:16
Trying 207.68.137.62...
telnet: connect to address 207.68.137.62: Connection refused
Connected to www.microsoft.com.
Escape character is '^]'.
Connection closed by foreign host.
robert:/export/home/robert> 

--
This message was distributed manually by [EMAIL PROTECTED] after the list
initially failed to distribute it.
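
Brent asked above whether a client will try one IP and, on failure, the next one, and this post shows "connection refused" followed by a roll-over to the next host. The Python below is an added example, not code from any poster: a client that walks the address list and moves on after a refused or timed-out connect. `demo()` builds a constructed dead port and a live listener on 127.0.0.1, so it needs no DNS or network; `refusing_connector` is a constructed stand-in for the real connect.

```python
"""Client-side failover across round-robin addresses (added example, not
from any post). demo() builds a constructed 'dead' and 'live' server on
127.0.0.1 so it runs without DNS or a network."""
import errno
import socket


def tcp_connect(host, port, timeout):
    """Open a TCP connection or raise OSError (e.g. ECONNREFUSED)."""
    return socket.create_connection((host, port), timeout=timeout)


def connect_with_fallback(addrs, timeout=2.0, connect=tcp_connect):
    """Try each (host, port) in order, rolling over on failure the way the
    browsers discussed above may or may not. Returns (index, sock, errors)."""
    errors = []
    for i, (host, port) in enumerate(addrs):
        try:
            return i, connect(host, port, timeout), errors
        except OSError as e:  # refused, timed out, unreachable: try the next one
            errors.append((host, port, e.errno))
    raise ConnectionError("all %d addresses failed: %r" % (len(addrs), errors))


def refusing_connector(live_ports):
    """Constructed stand-in for tcp_connect: refuses every port not in live_ports."""
    def connect(host, port, timeout):
        if port in live_ports:
            return (host, port)  # stands in for a connected socket
        raise OSError(errno.ECONNREFUSED, "Connection refused")
    return connect


def demo():
    """Returns (index_connected, refused_count): dead address first, live second."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()  # port released, nothing listens: connect gets refused
    try:
        idx, sock, errs = connect_with_fallback([("127.0.0.1", dead_port),
                                                live.getsockname()])
        sock.close()
        return idx, sum(1 for _, _, en in errs if en == errno.ECONNREFUSED)
    finally:
        live.close()
```

`demo()` returns `(1, 1)`: the first address was refused once and the second accepted. Without the fallback loop a round-robin answer that happens to list the dead host first is simply a failed page load for that client.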