"Hostile" vs. "Friendly" instances of Sendmail

David Robillard david.robillard at gmail.com
Mon Aug 28 15:37:48 UTC 2006


>On Aug 25, 2006, at 12:57 PM, Brett Glass wrote:
>> A company for whom I do consulting has a FreeBSD mail server.
>> Because they're being deluged with connections from spammers (who
>> have responded to the increasing use of "graylisting" by ordering
>> their armies of bots to try again and again even when spam is
>> rejected), they've subscribed to some DNS blacklists and set
>> Sendmail to limit the number of processes it can spawn at any one
>> time. This reduces the load on the system due to spamming, but also
>> prevents internal users from getting the mail server's attention
>> when they want to send legitimate outgoing mail.
>
>> What's the best way to set things up so that more trusted, internal
>> users can access their own instance of Sendmail (with less
>> restrictive process limits, no blacklist checks, etc.) while the
>> outside world sees an instance of Sendmail with blacklisting,
>> process limits, connection limits, load limits, etc.? Will there be
>> problems with file locking, queues, etc. if a third instance of
>> Sendmail is started on a standard FreeBSD install (which normally
>> runs two)?

I totally agree with what Chuck Swiger has suggested here:

> You could also configure an external and an internal mailserver,
> have the internal mailserver be entirely firewalled from outside so
> that internal users and internal email are handled there without
> issues, and just worry about tuning the external mailserver which
> will then only need to do SMTP relaying and anti-spam stuff for the
> external mail traffic rather than serve dual-duty as a reader box.

To help you with sendmail architecture, take a look at page 547 of the
"UNIX System Administration Handbook, 3rd edition" by Nemeth, Snyder,
Seebass and Hein. Don't be fooled by the funny images on this book;
it's very clear and quite possibly the best UNIX administration book
around, with real-world examples. You can find it at
http://www.admin.com/Pages/USAH.html.

Aside from the huge bat book, O'Reilly also publishes "sendmail
Cookbook", which is great when it comes to configuring sendmail. Check it
out at http://www.oreilly.com/catalog/sendmailckbk/.

Have fun,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


More information about the freebsd-questions mailing list