At 09:32 AM 7/2/2005, you wrote:
> Mysql has no problem with the above scenario, as it is designed for heavy accesses and changes to its tables.

yup. my mysql server (which is on the vpopmail server, of course, so also handling httpd, imap, pop3 as well), which handles vpopmail, horde/IMP, twig, squirrel calendaring, and cacti, averages - long term - about 20qps. during peak parts of the day, the average is 40qps, with spikes to 150qps or more. never breaks a sweat, and this is on hardware that's pathetic by current standards (dual UltraSPARC II 300MHz).

> By the way, a way to solve the original problem sounds to me like a JOB FOR a FIREWALL and ROUTER! I am not sure if the server in question has one or two Ethernet interfaces, but if it doesn't, they often cost about $10 to $30 (unless they both need global IPs).

> If you route inbound mail from your upstream MXs to one interface (say, fxp0) and that is the only source of port 25 traffic from the global internet, you could have qmail listen to that interface. Firewall setup is simple -- only allow the MX servers to talk to that port 25.

My MX servers only accept connections on port 25, and port 32 (otherwise known as port 22 - but i got sick of the stupid script-kiddies hammering my port 22 all day long, so i moved it to 32). I do also run a restricted FTP server on the MX servers for remote probing and statistics.

> Meanwhile, the internal port 25 traffic (which as another topic should be port 587) can come into the other interface, say fxp1. The firewall would need no restriction for this interface.

there is no 'internal' port 25 traffic. My service provides email service for businesses. I'm not an ISP. all traffic to my servers is inbound from the global internet.

note also that there is *no* reason for anyone to use port 587. more below.

> As my other clue, your customer and others should get used to using port 587 as their SMTP relay port, rather than port 25. That way, some of your customer's users could be on the global Internet, and still send mail to their firewalled-port-25-is-illegal mail server all day on the submission port 587. It would work internally, too.

We provide alternate access to our SMTP server for those customers whose ISPs block port 25. We use port 2525. what, you say? 2525 is registered to "MS V Worlds". my response is, so freaking what? *there are no restrictions on the use of registered ports for any service one desires*. true, i haven't spent a lot of time checking the RFCs. but i'm pretty sure that IANA's 'rules' are only 'recommendations'. 587 is dandy, but it's also another random string of digits for customers to try to remember. 2525 is easy for customers to remember. if it should ever conflict with someone's use of "MS V Worlds", well by gosh we'll just start another server on another port just for them. I'm not holding my breath.

> So here is a summary:
> fxp0 - global internet -- inbound port 25 only allowed from 3 IP addresses. port 587 is allowed for SMTP AUTH.
>
> fxp1 - internal net like -- inbound port 25 and port 587 are allowed for SMTP or SMTP AUTH.

it's a nice design, but not applicable to my setup. i suppose i could require *all* of my customers to start using port 2525. what a headache. ask hundreds of businesses to have their thousands of employees change their email client settings. oy vey.

Paul Theodoropoulos
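The two-interface design summarized in the quoted message (port 25 on the public interface reachable only from the upstream MXs, submission on 587 open, the internal interface unrestricted for 25 and 587) can be written down as a small packet-filter ruleset. The following pf.conf sketch is an added example, not code from either poster or from the vpopmail project; it assumes FreeBSD/OpenBSD pf, the interface names fxp0 and fxp1 from the thread, and three placeholder MX addresses from the 192.0.2.0/24 documentation range in place of the real ones. The thread's alternate port 2525 is not part of the quoted summary and so is not included.

```pf
# Added example (not from the thread): pf.conf for the two-interface mail host.
# fxp0 faces the global internet, fxp1 the internal network, as in the thread.
ext_if = "fxp0"
int_if = "fxp1"

# Placeholder addresses for the three upstream MX servers (constructed values,
# taken from the 192.0.2.0/24 documentation range; substitute the real MXs).
mx_servers = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12 }"

set skip on lo0

# Default deny on every interface; log what is dropped so port-25 probes
# from anything other than the MXs show up in pflog.
block in log all

# fxp0: port 25 only from the upstream MXs; 587 (SMTP AUTH) open to anyone.
pass in on $ext_if proto tcp from $mx_servers to ($ext_if) port 25 keep state
pass in on $ext_if proto tcp from any         to ($ext_if) port 587 keep state

# fxp1: internal hosts may use both 25 and 587.
pass in on $int_if proto tcp from any to ($int_if) port { 25, 587 } keep state

# The host itself may originate connections (outbound delivery, DNS, etc.).
pass out keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Because the default is `block in log all`, adding a new MX means adding its address to `mx_servers`; nothing else reaches port 25 on fxp0, which is exactly the property the quoted poster was after.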
