From: Brett Glass <brett@lariat.net>
To: Chuck Swiger
Cc: questions@freebsd.org
Date: Fri, 25 Aug 2006 21:17:11 -0600
Subject: Re: "Hostile" vs. "Friendly" instances of Sendmail

At 02:32 PM 8/25/2006, Chuck Swiger wrote:

> You should consider configuring a firewall to limit the number of
> incoming SMTP connections permitted to something less than the max
> number of sendmail processes you want to run in parallel, so internal
> users will always have some sendmail instances available to service
> their requests.

I've been looking at an IPFW "limit" rule to do this. The only issue here is that turning on "statefulness" in IPFW introduces extra overhead, and the last time I tried a "limit" rule (admittedly, it was in FreeBSD 4.x or 5.x), it didn't seem to work correctly. Besides, I want to do more than set a connection limit.

> You could also configure an external and an internal mailserver,

That's sort of the idea. But I'd do it on one machine. And the advantage would be that I could have very different Sendmail options (not just connection limits) on the internal and external server processes. For example, the external one could have REALLY heavy safeguards against spam.

> There is no issue with setting up as many additional queue groups and
> queue runners as you need to;

I don't want to set up many queue groups and queue runners, necessarily. I really just want two SMTP servers: inward-facing, for outgoing mail, and outward-facing, for incoming mail. If the messages dropped into a single queue for delivery, that would be OK; I just want the SMTP server that faces internal clients to have different settings than the one that faces the slime pit known as the Internet. ;-)

>> And where's the option that tells Sendmail to listen only on a
>> particular interface? (This should be on the man page, but isn't.)
>
> The complete docs for sendmail don't really fit into even the 1044
> page O'Reilly book; surely you jest if you expect to find complete
> docs within the manpage.

I don't. But the man page for ANY daemon should always include certain basic things, such as a list of the command line arguments and options; information on how to get it to listen on a specific address, port, or interface; and how it responds to signals. Other things can be in other documentation, but these are essential in the man page for a daemon, IMHO.

--Brett Glass
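The two-listener layout discussed above (one SMTP daemon bound to the inside address, one to the outside address, sharing a single queue) can be expressed in a sendmail.mc fragment; this is an added example, not part of the thread, and the addresses and listener names are assumed placeholders:

```m4
dnl Added example: two named SMTP listeners on one sendmail instance.
dnl Each DAEMON_OPTIONS() line becomes one DaemonPortOptions entry in
dnl sendmail.cf; Addr= binds the listener to one interface address and
dnl Name= sets the ${daemon_name} macro, which rulesets can test to
dnl apply stricter checks only to the outward-facing daemon.
dnl Giving any DAEMON_OPTIONS replaces the default port-25 listener;
dnl the default MSA on port 587 stays unless FEATURE(`no_default_msa').

dnl Outward-facing daemon on the public address (placeholder, TEST-NET-3).
dnl Modifiers=E refuses ETRN so outsiders cannot trigger queue runs.
DAEMON_OPTIONS(`Family=inet, Port=smtp, Addr=203.0.113.10, Name=MTA-ext, Modifiers=E')

dnl Inward-facing daemon on the LAN address (placeholder), for outgoing
dnl mail from internal clients only.
DAEMON_OPTIONS(`Family=inet, Port=smtp, Addr=192.168.1.1, Name=MTA-int')

dnl MaxDaemonChildren is a single cap shared by all listeners, which is
dnl why a per-address limit has to come from the firewall (e.g. IPFW)
dnl rather than from sendmail itself.
define(`confMAX_DAEMON_CHILDREN', `40')
```

Both daemons write to the same mail queue, so queue runners need no changes; after rebuilding sendmail.cf, `sockstat -l -p 25` shows one listener per bound address.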