"Hostile" vs. "Friendly" instances of Sendmail

Brett Glass brett at lariat.net
Sat Aug 26 03:17:31 UTC 2006


At 02:32 PM 8/25/2006, Chuck Swiger wrote:
 
>You should consider configuring a firewall to limit the number of  
>incoming SMTP connections permitted to something less than the max  
>number of sendmail processes you want to run in parallel, so internal  
>users will always have some sendmail instances available to service  
>their requests.

I've been looking at an IPFW "limit" rule to do this. The only issue
here is that turning on "statefulness" in IPFW introduces extra
overhead, and the last time I tried a "limit" rule (admittedly, it
was in FreeBSD 4.x or 5.x), it didn't seem to work correctly.
Besides, I want to do more than set a connection limit.

>You could also configure an external and an internal mail server,  

That's sort of the idea. But I'd do it on one machine. And the
advantage would be that I could have very different Sendmail 
options (not just connection limits) on the internal and external
server processes. For example, the external one could have REALLY 
heavy safeguards against spam. 

>There is no issue with setting up as many additional queue groups and  
>queue runners as you need to; 

I don't want to set up many queue groups and queue runners,
necessarily. I really just want two SMTP servers: inward-facing,
for outgoing mail, and outward-facing, for incoming mail. If
the messages dropped into a single queue for delivery, that 
would be OK; I just want the SMTP server that faces internal
clients to have different settings than the one that faces the
slime pit known as the Internet. ;-)

>>And where's the option that tells Sendmail to listen only on a  
>>particular interface? (This should be on the man page, but isn't.)
>
>The complete docs for sendmail don't really fit into even the 1044  
>page O'Reilly book; surely you jest if you expect to find complete  
>docs within the manpage.

I don't. But the man page for ANY daemon should always include certain
basic things, such as a list of the command line arguments and options; 
information on how to get it to listen on a specific address, port, or
interface; and how it responds to signals. Other things can be in
other documentation, but these are essential in the man page for a
daemon, IMHO.

--Brett Glass
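Editor's note on the configuration question raised in this thread: the per-listener behaviour Brett is after (one SMTP listener bound only to the internal interface, another bound to the external one, each with its own settings, both feeding the same queue) is what sendmail's DaemonPortOptions provides, written in sendmail.mc through the DAEMON_OPTIONS macro. The fragment below is an added illustration, not text from either poster and not sample configuration from the sendmail project. The listener names (MTA-int, MTA-ext), the addresses and the numeric limits are constructed placeholders; the keys Name, Addr, Port, Family, Modifiers, children, refuseLA and delayLA are the DaemonPortOptions keys documented for sendmail 8.12 and later.

```m4
dnl Added example, not from the thread: two SMTP listeners in one sendmail
dnl instance with different per-daemon settings. Addresses and limits are
dnl constructed placeholders; substitute your own interface addresses.
dnl
dnl Suppress the default MSA listener on port 587 that sendmail would
dnl otherwise add, so only the two listeners below are opened.
FEATURE(`no_default_msa')dnl
dnl
dnl Inward-facing listener for mail submitted by internal clients.
dnl Addr= is the "listen only on a particular interface" option: the
dnl socket is bound to this one address instead of every interface.
DAEMON_OPTIONS(`Name=MTA-int, Family=inet, Addr=192.168.1.1, Port=25')dnl
dnl
dnl Outward-facing listener for mail arriving from the Internet.
dnl children= caps the number of child processes this listener alone may
dnl fork, so a burst of external connections cannot exhaust the pool the
dnl internal listener draws on; refuseLA/delayLA add per-listener load
dnl thresholds; Modifiers=E disallows ETRN from outside hosts.
DAEMON_OPTIONS(`Name=MTA-ext, Family=inet, Addr=203.0.113.1, Port=25, Modifiers=E, children=30, refuseLA=12, delayLA=8')dnl
```

Both listeners belong to one sendmail process and deliver into the same queue, which matches the "single queue for delivery" arrangement described above; the per-listener children= limit is the sendmail-side counterpart of the firewall connection limit Chuck suggests, and the two can be combined. Relay permission for internal hosts still has to be granted separately (for example through the access database), since binding the internal listener to a private address restricts who can reach it, not what it will relay.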



More information about the freebsd-questions mailing list