"Hostile" vs. "Friendly" instances of Sendmail
cswiger at mac.com
Fri Aug 25 20:32:27 UTC 2006
On Aug 25, 2006, at 12:57 PM, Brett Glass wrote:
> A company for whom I do consulting has a FreeBSD mail server.
> Because they're being deluged with connections from spammers (who
> have responded to the increasing use of "graylisting" by ordering
> their armies of bots to try again and again even when spam is
> rejected), they've subscribed to some DNS blacklists and set
> Sendmail to limit the number of processes it can spawn at any one
> time. This reduces the load on the system due to spamming, but also
> prevents internal users from getting the mail server's attention
> when they want to send legitimate outgoing mail.
> What's the best way to set things up so that more trusted, internal
> users can access their own instance of Sendmail (with less
> restrictive process limits, no blacklist checks, etc.) while the
> outside world sees an instance of Sendmail with blacklisting,
> process limits, connection limits, load limits, etc.? Will there be
> problems with file locking, queues, etc. if a third instance of
> Sendmail is started on a standard FreeBSD install (which normally
> runs two)?
You should consider configuring a firewall to limit the number of
incoming SMTP connections permitted to something less than the max
number of sendmail processes you want to run in parallel, so internal
users will always have some sendmail instances available to service
You could also configure an external and an internal mailserver,
have the internal mailserver be entirely firewalled from outside so
that internal users and internal email are handled there without
issues, and just worry about tuning the external mailserver which
will then only need to do SMTP relaying and anti-spam stuff for the
external mail traffic rather than serve dual-duty as a reader box.
There is no issue with setting up as many additional queue groups and
queue runners as you need to; there are some significant advantages
to switching to deferred delivery mode and using queue groups tuned
for legit internal mail and for mail that they exchange with well-known
places like MSN or AOL and with their main clients.
> And where's the option that tells Sendmail to listen only on a
> particular interface? (This should be on the man page, but isn't.)
The complete docs for sendmail don't really fit into even the 1044
page O'Reilly book; surely you jest if you expect to find complete
docs within the manpage. Wander by /usr/src/contrib/sendmail/cf/
README, and look for the DAEMON_OPTIONS() section or perhaps the
confDONT_PROBE_INTERFACES config options...
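Putting the pieces of this reply together (a listener per interface with its own child limit, plus deferred delivery and queue groups), here is an added sendmail.mc fragment as an illustration; it is not code from the thread or from FreeBSD's stock configuration. It assumes sendmail 8.13 or later (the per-daemon children=/refuseLA=/delayLA= keys), the constructed addresses 192.0.2.10 (outside) and 10.0.0.1 (LAN), placeholder paths under /var/spool, and a placeholder DNSBL zone dnsbl.example.net.

```m4
dnl Added example, not from the thread.  Assumed addresses: 192.0.2.10 faces
dnl the Internet, 10.0.0.1 is the LAN interface.  Needs sendmail 8.13+.
dnl
dnl Listen only where DAEMON_OPTIONS says to, not on every interface the
dnl kernel reports.
define(`confDONT_PROBE_INTERFACES', `true')dnl
dnl
dnl Global ceiling on forked children; the per-daemon limits below must
dnl fit inside it.
define(`confMAX_DAEMON_CHILDREN', `64')dnl
dnl
dnl External listener: few children, and start refusing/delaying early
dnl when the load average climbs (the bots hit this address only).
DAEMON_OPTIONS(`Name=MTA-ext, Family=inet, Addr=192.0.2.10, Port=smtp, children=16, refuseLA=12, delayLA=6')dnl
dnl
dnl Internal listener: separate child budget, so LAN users are never
dnl starved by whatever is happening on the external address.
DAEMON_OPTIONS(`Name=MTA-int, Family=inet, Addr=10.0.0.1, Port=smtp, children=40')dnl
dnl
dnl Submission port on loopback for local MUAs (M=E refuses ETRN).
DAEMON_OPTIONS(`Name=MSA, Family=inet, Addr=127.0.0.1, Port=587, M=E')dnl
dnl
dnl DNS blacklist lookups run in check_relay for every listener.  Keep LAN
dnl sources out of them with a Connect: entry in the access map, e.g.
dnl     Connect:10.0.0          RELAY
dnl an access map hit that returns RELAY or OK ends check_relay before
dnl the dnsbl rules are reached.  Zone name below is a placeholder.
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(`dnsbl', `dnsbl.example.net')dnl
dnl
dnl Deferred delivery: accept into the queue and let queue runners do
dnl the actual delivery, so the SMTP children stay cheap and short-lived.
define(`confDELIVERY_MODE', `defer')dnl
dnl
dnl Queue groups with their own runner counts (R=) and intervals (I=).
dnl The default group must be named mqueue; the other paths are assumed
dnl and must exist, owned like /var/spool/mqueue.
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, R=2, I=15m')dnl
QUEUE_GROUP(`internal', `P=/var/spool/mqueue-int, R=4, I=2m')dnl
QUEUE_GROUP(`bigisp', `P=/var/spool/mqueue-isp, R=3, I=5m')dnl
dnl
dnl Route recipient domains into those groups via QGRP: access map
dnl entries (example lines; the domains are placeholders):
dnl     QGRP:example.com        internal
dnl     QGRP:aol.com            bigisp
FEATURE(`queuegroup')dnl
```

Build it the FreeBSD way (`make` in /etc/mail against a copy of the .mc, then `make install restart`), rebuild the access map after editing it, and confirm with `sockstat -4l | grep sendmail` that only the three addresses above are listening; `mailq -Ac` per group shows whether internal mail is actually flowing through its own runners rather than queuing behind the external backlog.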