At 09:32 AM 7/2/2005, you wrote:
> Mysql has no problem with the above scenario, as it is designed for
> heavy accesses and changes to its tables.
yup. my mysql server (which is on the vpopmail server, of course, so
also handling httpd, imap, pop3 as well), which handles vpopmail,
horde/IMP, twig, squirrel calendaring, and cacti, averages - long
term - about 20qps. during peak parts of the day, the average is
40qps, with spikes to 150qps or more. never breaks a sweat, and this
is on hardware that's pathetic by current standards (dual ultrasparc
II 300 MHz).
> By the way, a way to solve the original problem sounds to me like the JOB
> FOR a FIREWALL and ROUTER! I am not sure if the server in question
> has one or two Ethernet interfaces, but if it doesn't, they often
> cost about $10 to $30 (unless they both need global IPs).
> If you route inbound mail from your upstream MXs to one interface
> (say, fxp0) and that is the only source of port 25 traffic from the
> global internet, you could have qmail listen to that
> interface. Firewall setup is simple -- only allow the MX servers to
> talk to that port 25.
My MX servers only accept connections on port 25, and port 32
(otherwise known as port 22 - but I got sick of the stupid
script-kiddies hammering my port 22 all day long, so I moved it to
32). I do also run a restricted FTP server on the MX servers for
remote probing and statistics.
> Meanwhile, the internal port 25 traffic (which as another topic
> should be port 587) can come into the other interface, say
> fxp1. The firewall would need no restriction for this interface.
there is no 'internal' port 25 traffic. My service provides email
service for businesses. I'm not an ISP. all traffic to my servers is
inbound from the global internet.
note also that there is *no* reason for anyone to use port 587. more below.
> As my other clue, your customer and others should get used to using
> port 587 as their SMTP relay port, rather than port 25. That way,
> some of your customer's users could be on the global Internet, and
> still send mail to their firewalled-port-25-is-illegal mail server
> all day on the submission port 587. It would work internally, too.
We provide alternate access to our SMTP server for those customers
whose ISPs block port 25. We use port 2525. what, you say? 2525 is
registered to "MS V Worlds". my response is, so freaking what? *there
are no restrictions on the use of registered ports for any service
one desires*. true, I haven't spent a lot of time checking the RFCs.
but I'm pretty sure that IANA's 'rules' are only 'recommendations'.
587 is dandy, but it's also another random string of digits for
customers to try to remember. 2525 is easy for customers to remember.
if it should ever conflict with someone's use of "MS V Worlds", well
by gosh we'll just start another server on another port just for
them. I'm not holding my breath.
> So here is a summary:
> fxp0 - global internet -- inbound port 25 only allowed from 3 IP
> addresses. port 587 is allowed for SMTP AUTH.
> fxp1 - internal net like 10.0.0.21 -- inbound port 25 and port 587
> is allowed for SMTP or SMTP AUTH.
it's a nice design, but not applicable to my setup. I suppose I could
require *all* of my customers to start using port 2525. what a
headache. ask hundreds of businesses to have their thousands of
employees change their email client settings. oy vey.
Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
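The two-interface summary quoted in the message above (fxp0 facing the internet, fxp1 facing the internal net) written out as a pf.conf ruleset. This is an added example, not a config posted by either participant; the interface names and port numbers come from the message, while the three MX addresses and the internal subnet are constructed placeholders that would be replaced with the real upstream MXs and LAN range.

```pf
# pf.conf sketch of the design summarised in the quoted message.
# Added example, not from the thread. Interface names follow the message;
# the MX addresses and the internal subnet are constructed placeholders.
ext_if = "fxp0"                 # faces the global internet
int_if = "fxp1"                 # internal net (the message's 10.0.0.21 example)
mx_servers = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12 }"   # placeholders: the 3 upstream MXs
internal_net = "10.0.0.0/24"    # placeholder for the internal range

set skip on lo0
block in log all                 # default deny inbound; every pass rule below is an exception
pass out quick keep state        # outbound traffic from the server is unrestricted

# fxp0: SMTP (25) only from the upstream MXs; submission (587, SMTP AUTH) from anywhere
pass in on $ext_if proto tcp from $mx_servers to ($ext_if) port 25 keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 587 keep state

# fxp1: SMTP and submission both allowed from the internal net
pass in on $int_if proto tcp from $internal_net to ($int_if) port { 25, 587 } keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to catch a typo in a macro or list. Because the ruleset starts with a default `block in`, anything else the host must accept on fxp0 (the SSH service the reply mentions, or an alternate submission port such as the 2525 it describes) needs its own explicit `pass in` line; pf applies the last matching rule, so the later `pass` rules override the initial `block` only for the traffic they name.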