Date: Fri, 25 Aug 2006 13:32:23 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Brett Glass <brett@lariat.net>
Cc: questions@freebsd.org
Subject: Re: "Hostile" vs. "Friendly" instances of Sendmail
Message-ID: <DFF467A7-B108-48E4-A4E5-4CF2D150C33A@mac.com>
In-Reply-To: <7.0.1.0.2.20060825134436.0a366aa0@lariat.net>
References: <7.0.1.0.2.20060825134436.0a366aa0@lariat.net>
On Aug 25, 2006, at 12:57 PM, Brett Glass wrote:

> A company for whom I do consulting has a FreeBSD mail server.
> Because they're being deluged with connections from spammers (who
> have responded to the increasing use of "graylisting" by ordering
> their armies of bots to try again and again even when spam is
> rejected), they've subscribed to some DNS blacklists and set
> Sendmail to limit the number of processes it can spawn at any one
> time. This reduces the load on the system due to spamming, but also
> prevents internal users from getting the mail server's attention
> when they want to send legitimate outgoing mail.
>
> What's the best way to set things up so that more trusted, internal
> users can access their own instance of Sendmail (with less
> restrictive process limits, no blacklist checks, etc.) while the
> outside world sees an instance of Sendmail with blacklisting,
> process limits, connection limits, load limits, etc.? Will there be
> problems with file locking, queues, etc. if a third instance of
> Sendmail is started on a standard FreeBSD install (which normally
> runs two)?

You should consider configuring a firewall to limit the number of incoming SMTP connections permitted to something less than the max number of sendmail processes you want to run in parallel, so internal users will always have some sendmail instances available to service their requests.

You could also configure an external and an internal mailserver, have the internal mailserver be entirely firewalled from outside so that internal users and internal email are handled there without issues, and just worry about tuning the external mailserver, which will then only need to do SMTP relaying and anti-spam stuff for the external mail traffic rather than serve dual-duty as a reader box.

There is no issue with setting up as many additional queue groups and queue runners as you need to; there are some significant advantages to switching to deferred delivery mode and using queue groups tuned for legit internal mail and for mail that they exchange with well-known places like MSN or AOL and with their main clients.

> And where's the option that tells Sendmail to listen only on a
> particular interface? (This should be on the man page, but isn't.)

The complete docs for sendmail don't really fit into even the 1044 page O'Reilly book; surely you jest if you expect to find complete docs within the manpage.

Wander by /usr/src/contrib/sendmail/cf/README, and look for the DAEMON_OPTIONS() section or perhaps the confDONT_PROBE_INTERFACES config options...

--
-Chuck
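As an added example (not part of Chuck's reply, and not FreeBSD's stock /etc/mail configuration), here is a .mc fragment that puts the advice above together: two DAEMON_OPTIONS listeners bound to separate addresses with per-listener child and load limits, deferred delivery, and a queue group reserved for internal mail. The addresses, limits, queue path and access-map behaviour are assumptions for illustration; the DAEMON_OPTIONS keys and QUEUE_GROUP syntax are documented in the cf/README Chuck points at.

```m4
dnl Added example, not from the thread. Build with `make' in /etc/mail
dnl after placing it in `hostname`.mc; all values below are assumed.

dnl Do not treat every local interface address as a local hostname;
dnl the listeners are bound explicitly instead.
define(`confDONT_PROBE_INTERFACES', `True')dnl

dnl External listener on the public address (assumed 203.0.113.10).
dnl children=   caps parallel connections on this listener only
dnl refuseLA=   refuse new connections above this load average
dnl delayLA=    slow down connections above this load average
DAEMON_OPTIONS(`Name=MTA-ext, Addr=203.0.113.10, Port=smtp, Family=inet, children=20, refuseLA=12, delayLA=8')dnl

dnl Internal listener on the private address (assumed 10.0.0.1) with a
dnl much higher child limit and no load shedding, so internal users
dnl are not starved by the spam load on the public side.
dnl Modifiers=a requires SMTP AUTH, so this listener is not an open
dnl relay even if the private address ever becomes reachable.
DAEMON_OPTIONS(`Name=MTA-int, Addr=10.0.0.1, Port=smtp, Family=inet, children=100, Modifiers=a')dnl

dnl Submission port for authenticated clients; E disallows ETRN.
DAEMON_OPTIONS(`Name=MSA, Addr=10.0.0.1, Port=submission, Family=inet, Modifiers=Ea')dnl

dnl DNSBL checks apply to every listener. Assumption (verify in cf/README
dnl for your version): an access map entry such as
dnl     Connect:10.0.0   OK
dnl makes check_relay accept the internal network before the DNSBL
dnl lookups run, which is how the "no blacklist checks" part is done.
FEATURE(`access_db')dnl
FEATURE(`dnsbl', `zen.spamhaus.org')dnl

dnl Deferred delivery plus separate queue groups and runners, as the
dnl reply suggests: a backlog of external mail in the default group
dnl does not hold up the runners serving internal mail.
define(`confDELIVERY_MODE', `deferred')dnl
QUEUE_GROUP(`mqueue',   `P=/var/spool/mqueue, R=2, I=5m')dnl
QUEUE_GROUP(`internal', `P=/var/spool/mqueue/internal, R=4, I=1m')dnl
dnl Recipients are mapped to the `internal' group through access map
dnl entries tagged QGRP: (e.g. QGRP:example.com  internal); the
dnl directory /var/spool/mqueue/internal must exist and be owned
dnl like /var/spool/mqueue.
FEATURE(`queuegroup', `mqueue')dnl
```

A firewall limit on inbound port 25 connections, as Chuck recommends first, sits in front of all of this and should be set below the external listener's children= value.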