slightly OT - my freebsd email topology

doug doug at fledge.watson.org
Fri Apr 6 20:50:18 UTC 2007



On Thu, 5 Apr 2007, Derek Ragona wrote:

> At 12:36 PM 4/5/2007, Jonathan Horne wrote:
>> currently, my email server is just a single box, accepting and sending emails 
>> from and to the internet.  spamassassin and sendmail, and so far, it works 
>> satisfactorily.
>> 
>> i would like to change it up, so that i have a pair of servers doing MX from 
>> the internet, which then pass to an internal server for delivery.  if i do 
>> that, i could remove spamassassin from the internal server, and run it on 
>> just the 2 external ones.  all those configurations are really not my issue here... 
>> what I'm really pondering is how would external servers that are separate from 
>> where the target mailboxes are, know which addresses are acceptable and 
>> which to return a 550 for?
>> 
>> does anyone have any setups that are similar to this, and could advise me or 
>> point me in the right direction?
>> 
>> thanks,
>> jonathan
>
>
> Generally you want to filter and bounce mail at the point of origin, so your 
> mail server that first accepts the mail.  As long as you have the bandwidth on 
> that server you would spam check, virus check there, bouncing any bad ones. 
> Then forward to your internal server only clean mail for delivery.
>
> However unless you have terribly underpowered servers, or a lot of email (like 
> >50,000 messages a day) running on two servers should not be necessary.
>
>        -Derek

Our experience suggests the number is at least 100,000 before you would see any 
problems and perhaps, if you have limited bandwidth as we do, that would be your 
first constraint. We run three mail servers with all customer email coming to 
one server. Over the last several months we average about 30,000 messages/day. 
We have had 4 unusual spikes with as many as 310,000 messages. This was a DoS 
attack from several hundred sources. The main problem this caused was slowing 
down the delivery of valid mail. We had one 90,000-message day in our current 
configuration that went unnoticed. We now use spamcop and greylisting on the 
customers' server, offering bogofilter backed with spamassassin for users who 
want content filtering. On our internal server we use spamcop and bogofilter, 
and under duress added duls.dnsbl.sorbs.net when a similar attack filled /var.

We forward email for about half of our customers, which is somewhat similar to 
having a mail gateway for these clients. Content filtering for this set has 
caused more problems than it solves.

I hope my experience gives you some guidance.

Doug
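The question Jonathan raises (how an edge MX that holds no mailboxes can answer 550 at RCPT TO) and the greylisting and DNSBL checks Doug describes, combined into one RCPT-time policy. This is an added illustration written for this archive page; it is not code from the thread, from sendmail or from SpamAssassin. In a sendmail deployment the same decisions are made by exporting the internal server's valid recipients into the access map or virtusertable on the edge hosts, by FEATURE(`dnsbl') for the blocklists, and by a greylisting milter; the logic below shows what those pieces decide and why rejecting at RCPT time on the edge matters: an unknown recipient is refused while the sending client is still connected, so the internal server never has to generate a bounce to a (usually forged) sender. The domain example.org, the recipient list, the client addresses 203.0.113.7 and 198.51.100.9 and the fake_resolve stand-in for DNS are constructed for the example; bl.spamcop.net is SpamCop's published zone and duls.dnsbl.sorbs.net is the zone Doug names.

```python
"""Edge-MX RCPT TO policy: recipient verification, DNSBL lookup, greylisting.

Added example, not code from the thread. Names and addresses are constructed.
"""
import time
from dataclasses import dataclass, field

# Assumed: list of deliverable addresses exported from the internal server.
# In sendmail this would live in the access map or virtusertable on each edge MX.
VALID_RECIPIENTS = {
    "jonathan@example.org",
    "postmaster@example.org",
    "sales@example.org",
}

# bl.spamcop.net is SpamCop's DNSBL zone; duls.dnsbl.sorbs.net is the SORBS
# dynamic-IP list mentioned in the post.
DNSBL_ZONES = ("bl.spamcop.net", "duls.dnsbl.sorbs.net")

GREYLIST_DELAY = 300  # seconds a never-seen triplet is deferred before acceptance


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the zone,
    e.g. 192.0.2.1 against bl.spamcop.net -> 1.2.0.192.bl.spamcop.net."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(client_ip, resolve, zones=DNSBL_ZONES):
    """Return the first zone that lists client_ip, else None.
    resolve(name) must return the A records for name as strings ([] on NXDOMAIN).
    DNSBLs answer with an address in 127.0.0.0/8 when the client is listed."""
    for zone in zones:
        for addr in resolve(dnsbl_query_name(client_ip, zone)):
            if addr.startswith("127.0.0."):
                return zone
    return None


@dataclass
class Greylist:
    """Greylisting state: a (client IP, sender, recipient) triplet is deferred
    with a 4xx the first time it is seen and accepted once it retries after
    `delay` seconds. Most spamware never retries; real MTAs always do."""
    delay: int = GREYLIST_DELAY
    seen: dict = field(default_factory=dict)  # triplet -> first-seen timestamp

    def check(self, client_ip, sender, rcpt, now):
        key = (client_ip, sender.lower(), rcpt.lower())
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now
            return False
        return now - first >= self.delay


def rcpt_policy(client_ip, sender, rcpt, greylist, resolve, now=None,
                valid=VALID_RECIPIENTS):
    """Decide the SMTP reply to RCPT TO on the edge MX. Returns (code, text).

    Order matters: a blocklisted client is refused before the recipient is
    checked so it cannot harvest valid addresses from the 550/250 difference;
    an unknown recipient gets a permanent 550 here rather than a bounce later;
    only mail that would be deliverable is greylisted."""
    now = time.time() if now is None else now
    zone = dnsbl_listed(client_ip, resolve)
    if zone:
        return 550, f"5.7.1 Client host {client_ip} blocked using {zone}"
    if rcpt.lower() not in {a.lower() for a in valid}:
        return 550, "5.1.1 User unknown"
    if not greylist.check(client_ip, sender, rcpt, now):
        return 451, "4.7.1 Greylisted, please try again later"
    return 250, "2.1.5 Recipient OK"


# Constructed stand-in for DNS so the example runs offline: one listed client.
FAKE_DNS = {
    dnsbl_query_name("203.0.113.7", "duls.dnsbl.sorbs.net"): ["127.0.0.10"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    g = Greylist()
    for t, ip, rcpt in ((0, "203.0.113.7", "jonathan@example.org"),
                        (0, "198.51.100.9", "nobody@example.org"),
                        (0, "198.51.100.9", "jonathan@example.org"),
                        (600, "198.51.100.9", "jonathan@example.org")):
        print(t, ip, rcpt, rcpt_policy(ip, "someone@remote.test", rcpt, g, fake_resolve, now=t))
```

Two caveats a practitioner would keep in mind: the recipient table on the edge is only as good as its export from the internal server, so a stale copy turns newly created mailboxes into false 550s; and greylisting state should be kept in a shared store when two edge MXes split the load, otherwise a legitimate sender retrying against the other MX is deferred twice.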

