From: Chuck Swiger <cswiger@mac.com>
Date: Fri, 25 Aug 2006 13:32:23 -0700
To: Brett Glass
Cc: questions@freebsd.org
Subject: Re: "Hostile" vs. "Friendly" instances of Sendmail
In-Reply-To: <7.0.1.0.2.20060825134436.0a366aa0@lariat.net>

On Aug 25, 2006, at 12:57 PM, Brett Glass wrote:

> A company for whom I do consulting has a FreeBSD mail server.
> Because they're being deluged with connections from spammers (who
> have responded to the increasing use of "graylisting" by ordering
> their armies of bots to try again and again even when spam is
> rejected), they've subscribed to some DNS blacklists and set
> Sendmail to limit the number of processes it can spawn at any one
> time. This reduces the load on the system due to spamming, but also
> prevents internal users from getting the mail server's attention
> when they want to send legitimate outgoing mail.
>
> What's the best way to set things up so that more trusted, internal
> users can access their own instance of Sendmail (with less
> restrictive process limits, no blacklist checks, etc.) while the
> outside world sees an instance of Sendmail with blacklisting,
> process limits, connection limits, load limits, etc.? Will there be
> problems with file locking, queues, etc. if a third instance of
> Sendmail is started on a standard FreeBSD install (which normally
> runs two)?

You should consider configuring a firewall to limit the number of incoming SMTP connections permitted to something less than the max number of sendmail processes you want to run in parallel, so internal users will always have some sendmail instances available to service their requests.

You could also configure an external and an internal mailserver, have the internal mailserver be entirely firewalled from outside so that internal users and internal email are handled there without issues, and just worry about tuning the external mailserver, which will then only need to do SMTP relaying and anti-spam stuff for the external mail traffic rather than serve dual-duty as a reader box.
There is no issue with setting up as many additional queue groups and queue runners as you need to; there are some significant advantages to switching to deferred delivery mode and using queue groups tuned for legit internal mail and for mail that they exchange with well-known places like MSN or AOL and with their main clients.

> And where's the option that tells Sendmail to listen only on a
> particular interface? (This should be on the man page, but isn't.)

The complete docs for sendmail don't really fit into even the 1044 page O'Reilly book; surely you jest if you expect to find complete docs within the manpage. Wander by /usr/src/contrib/sendmail/cf/README, and look for the DAEMON_OPTIONS() section or perhaps the confDONT_PROBE_INTERFACES config options...

-- 
-Chuck
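As an added illustration of the two-instance split discussed above (this is example configuration written for this page, not from the thread or the sendmail project), here are two .mc fragments: a "hostile" instance bound only to the public address with DNSBL checks and tight limits, and a "friendly" instance bound only to the internal address. The addresses 192.0.2.10 and 10.0.0.1, the queue and pid paths, the child counts and the DNSBL zone dnsbl.example.net are constructed placeholders.

```m4
dnl ---- external.mc: the "hostile" instance, public address only ----
divert(0)dnl
VERSIONID(`external.mc (added example, not from the thread)')dnl
OSTYPE(freebsd6)dnl
DOMAIN(generic)dnl
dnl Bind only to the public address and never probe other interfaces,
dnl so this daemon does not also claim the internal address.
DAEMON_OPTIONS(`Name=MTA-ext, Port=smtp, Addr=192.0.2.10')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
dnl Cap concurrent daemon children and per-second connection rate,
dnl and reject clients listed in the site's chosen DNSBL (placeholder).
define(`confMAX_DAEMON_CHILDREN', `30')dnl
define(`confCONNECTION_RATE_THROTTLE', `5')dnl
FEATURE(`dnsbl', `dnsbl.example.net')dnl
dnl Queue under moderate load and refuse under heavy load, so bot
dnl floods cannot starve the host; internal mail uses the other daemon.
define(`confQUEUE_LA', `8')dnl
define(`confREFUSE_LA', `12')dnl
dnl Separate pid file and queue directory per instance, so the two
dnl daemons never contend for the same queue files or locks.
define(`confPID_FILE', `/var/run/sendmail-ext.pid')dnl
define(`QUEUE_DIR', `/var/spool/mqueue-ext')dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
MAILER(local)dnl
MAILER(smtp)dnl

dnl ---- internal.mc: the "friendly" instance, internal address only ----
divert(0)dnl
VERSIONID(`internal.mc (added example, not from the thread)')dnl
OSTYPE(freebsd6)dnl
DOMAIN(generic)dnl
DAEMON_OPTIONS(`Name=MTA-int, Port=smtp, Addr=10.0.0.1')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
dnl No DNSBL lookups and a generous child limit; this address is
dnl reachable only from the internal network (enforced by the firewall).
define(`confMAX_DAEMON_CHILDREN', `100')dnl
define(`confPID_FILE', `/var/run/sendmail-int.pid')dnl
define(`QUEUE_DIR', `/var/spool/mqueue-int')dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
MAILER(local)dnl
MAILER(smtp)dnl
```

Build each file to its own .cf and start the daemons with separate configs, e.g. `sendmail -bd -q30m -C /etc/mail/external.cf` and `sendmail -bd -q10m -C /etc/mail/internal.cf`; the distinct QUEUE_DIR and confPID_FILE settings are what keep the instances from interfering with each other.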