"Hostile" vs. "Friendly" instances of Sendmail

Chuck Swiger cswiger at mac.com
Fri Aug 25 20:32:27 UTC 2006


On Aug 25, 2006, at 12:57 PM, Brett Glass wrote:
> A company for whom I do consulting has a FreeBSD mail server.  
> Because they're being deluged with connections from spammers (who  
> have responded to the increasing use of "graylisting" by ordering  
> their armies of bots to try again and again even when spam is  
> rejected), they've subscribed to some DNS blacklists and set  
> Sendmail to limit the number of processes it can spawn at any one  
> time. This reduces the load on the system due to spamming, but also  
> prevents internal users from getting the mail server's attention  
> when they want to send legitimate outgoing mail.

> What's the best way to set things up so that more trusted, internal  
> users can access their own instance of Sendmail (with less  
> restrictive process limits, no blacklist checks, etc.) while the  
> outside world sees an instance of Sendmail with blacklisting,  
> process limits, connection limits, load limits, etc.? Will there be  
> problems with file locking, queues, etc. if a third instance of  
> Sendmail is started on a standard FreeBSD install (which normally  
> runs two)?

You should consider configuring a firewall to limit the number of  
incoming SMTP connections permitted to something less than the max  
number of sendmail processes you want to run in parallel, so internal  
users will always have some sendmail instances available to service  
their requests.

You could also configure an external and an internal mailserver,  
have the internal mailserver be entirely firewalled from outside so  
that internal users and internal email are handled there without  
issues, and just worry about tuning the external mailserver which  
will then only need to do SMTP relaying and anti-spam stuff for the  
external mail traffic rather than serve dual-duty as a reader box.

There is no issue with setting up as many additional queue groups and  
queue runners as you need to; there are some significant advantages  
to switching to deferred delivery mode and using queue groups tuned  
for legit internal mail and for mail that they exchange with well-known  
places like MSN or AOL and with their main clients.

> And where's the option that tells Sendmail to listen only on a  
> particular interface? (This should be on the man page, but isn't.)

The complete docs for sendmail don't really fit into even the 1044  
page O'Reilly book; surely you jest if you expect to find complete  
docs within the manpage.  Wander by /usr/src/contrib/sendmail/cf/README,  
and look for the DAEMON_OPTIONS() section or perhaps the  
confDONT_PROBE_INTERFACES config options...

-- 
-Chuck
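
One way the split described in this thread could look in a single sendmail .mc file, as an added example that is not from the thread or from the sendmail project: a public-facing daemon bound to the external address with tight per-daemon limits, DNSBL checks and deferred delivery, a second daemon bound to the internal address with generous limits, and queue groups for internal and partner mail. Addresses, queue paths, the DNSBL zone, the domains and the OSTYPE file are placeholders; the per-daemon `children=`/`DeliveryMode=` settings (sendmail 8.13 and later) and the access map entries are assumptions to check against cf/README for the installed version.

```m4
divert(-1)
# Constructed example .mc for one FreeBSD box serving both roles.
divert(0)dnl
VERSIONID(`example: separate hostile and friendly listeners')dnl
OSTYPE(freebsd6)dnl   use the ostype file matching your release
DOMAIN(generic)dnl

dnl --- Hostile side: public address, tight limits, DNSBL, deferred delivery
dnl 192.0.2.10 is an RFC 5737 documentation address (placeholder).
DAEMON_OPTIONS(`Name=MTA-ext, Port=smtp, Addr=192.0.2.10, children=20, DeliveryMode=d')dnl
define(`confMAX_DAEMON_CHILDREN', `60')dnl       global cap across all daemons
define(`confCONNECTION_RATE_THROTTLE', `5')dnl   new inbound connections per second
define(`confREFUSE_LA', `12')dnl                 refuse connections above this load
define(`confQUEUE_LA', `8')dnl                   queue instead of deliver above this load
define(`confDONT_PROBE_INTERFACES', `True')dnl   don't add every interface address to $=w
FEATURE(`greet_pause', `5000')dnl                5s pre-banner pause; early talkers are rejected
FEATURE(`dnsbl', `dnsbl.example.invalid', `"550 Listed at dnsbl.example.invalid"')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`conncontrol')dnl   per-client simultaneous connection limits (ClientConn:)
FEATURE(`ratecontrol')dnl   per-client connection rate limits (ClientRate:)

dnl --- Friendly side: internal address, generous limits, immediate delivery
DAEMON_OPTIONS(`Name=MTA-int, Port=smtp, Addr=10.0.0.10, children=100, DeliveryMode=i')dnl
dnl Submission port for authenticated users: M=Ea = require AUTH, no ETRN
DAEMON_OPTIONS(`Name=MSA, Port=submission, Addr=10.0.0.10, M=Ea')dnl

dnl --- Queue groups: internal and partner mail get their own runners
define(`confMAX_QUEUE_CHILDREN', `20')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `5')dnl
QUEUE_GROUP(`internal', `P=/var/spool/mqueue/internal, R=4, I=1m, F=f')dnl
QUEUE_GROUP(`partners', `P=/var/spool/mqueue/partners, R=2, I=5m, F=f')dnl
FEATURE(`queuegroup')dnl   choose the group through QGRP: entries in the access map

dnl Companion /etc/mail/access entries (constructed; rebuild with makemap):
dnl   Connect:10.0.0          OK         internal net accepted before DNSBL rules run
dnl   QGRP:example.com        internal   the company's own domain
dnl   QGRP:partner.example    partners   main clients and well-known peers
dnl   ClientConn:             10         default simultaneous connections per client IP
dnl   ClientRate:             30         default new connections per client IP per minute

MAILER(local)dnl
MAILER(smtp)dnl
```

The queue directories named in QUEUE_GROUP must exist and be owned like /var/spool/mqueue before the new daemons are started.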
