From owner-freebsd-questions@FreeBSD.ORG Thu Sep 17 16:48:13 2009
Message-ID: <4AB2684E.1070704@ibctech.ca>
Date: Thu, 17 Sep 2009 12:48:14 -0400
From: Steve Bertrand
To: "Michael K. Smith - Adhost"
Cc: questions@freebsd.org
Subject: Re: New mail server setup
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031606AFCB5B@ad-exh01.adhost.lan>
References: <4AB0584D.3050206@eagle.ca>
 <4AB0844B.5080804@infracaninophile.co.uk>
 <4AB0E97B.4060606@ibctech.ca>
 <4AB0ECE8.2080905@infracaninophile.co.uk>
 <4AB0F17B.1030400@ibctech.ca>
 <17838240D9A5544AAA5FF95F8D52031606AFCA07@ad-exh01.adhost.lan>
 <4AB2306D.1070009@ibctech.ca>
 <17838240D9A5544AAA5FF95F8D52031606AFCB5B@ad-exh01.adhost.lan>

Michael K. Smith - Adhost wrote:

>> - can your PF load balancers 'sense' when one of the Postfix/Dovecot
>> units is down, or is this a manual change in config to prevent any
>> time-out conditions?
>
> Not natively. When we initially implemented this setup, ifstated wasn't
> up to snuff, so we wrote some PERL scripts that make connections to the
> required ports and, if no connection is established, pull the server
> from the table and send us an alarm. We also have scripts so that we
> can pull servers out when we're doing maintenance.

Ok. I've done the above in similar situations numerous times, so that
works.

>> I like this load balancer idea. In my environment, it would be trivial
>> to set up a couple of them, throw Quagga on them, and integrate them
>> directly into our iBGP setup. On the other side, I could use VRRP or
>> the like to ensure redundancy from front to back.
>
> We use two PF boxes and CARP with PFSync for failover, so no dynamic
> protocols are needed.

I'll have to review this further. I'm not overly familiar with CARP
(i.e. I've never used it), nor PFSync.

My mentality for infrastructure gear (the balancers, not the servers) is
always "make each device connect to two different switches/routers, and
try to make it dynamic in a way that it fits into our OSPF/iBGP design,
so if necessary, we can move the entire thing to a different network
segment, and not have to renumber".

I'm getting a mental picture of how I can have load balancing & failover
with the two devices, and network resiliency by having each balancer
connected to different network segments (between buildings over fibre
if I want).

>> - do the Postfix/Dovecot servers communicate with each other, or are
>> they simply stand-alone units that don't know/care that they have
>> other peers helping with the workload?
>>
> They are standalone. All of the user authentication is handled from a
> centralized database, so there are no local credentials stored on the
> server.

Perfect... do your auth/acct db's generally reside on the same storage
mechanism that the data does, in order to keep 'email related stuff'
altogether?

>> - are your filter servers in front of, or behind the load balancers
>> (iow, is all of your inbound email passed through the balancers, and
>> then filtered/processed/delivered in behind them)?
>>
> They are behind the PF boxes. We have other hooks in PF that we use to
> block SPAM in PF, including Cloudmark and some custom stuff that looks
> for multiple mails to non-existent addresses. We also use the overload
> tables for abusive connections.

Ok. We have a Barracuda cluster hanging off of one of our Internet
facing edge routers, that filters then passes what it allows back into
the network, and to the servers. The only reason I don't aggregate all
of the mail systems together is so that I can filter the spam as soon
as possible upon ingress to our network, instead of having it traverse
the core.

>> - how do all of the pieces communicate with the NAS... NFS?
>
> Yes. Originally we used TCP but we found performance to be much better
> with UDP. NFSv3 by the way.

Ok.

[ snip ]

> If you have a particular scenario you're thinking about I could help you
> with the rules to make it work.

I do, and that would be fantastic!

I'll draw up a diagram this afternoon of what I envision. Where I'll
need a bit of advice will likely be in the details, as opposed to the
design, especially if I migrate completely away from our existing mail
platform(s).

Cheers!
Steve
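Michael describes the health check that stands in for what ifstated could not do at the time: scripts that open a TCP connection to each backend's service ports and, when no connection can be established, remove that server from the pf load-balancing table and raise an alarm, plus a manual variant for pulling servers during maintenance. The block below is an added example of that loop, written for this page in Python rather than the Perl scripts mentioned in the thread (which are not on the page). The table name `mail_backends`, the RFC 5737 addresses, the port list, the `--pull`/`--restore` switches and the alarm text are assumptions of the example; `pfctl -t <table> -T delete|add <addr>` is the standard pf table manipulation command. The probe, command runner and alarm are injectable so the decision logic can be exercised without pf or live hosts.

```python
import socket
import subprocess
import sys
from dataclasses import dataclass, field

# Constructed inventory. The table name, addresses (RFC 5737 documentation
# range) and port list are assumptions for this example, not the poster's.
PF_TABLE = "mail_backends"
BACKENDS = {
    "192.0.2.11": [25, 143, 993],
    "192.0.2.12": [25, 143, 993],
}
CONNECT_TIMEOUT = 3.0


def port_is_open(host, port, timeout=CONNECT_TIMEOUT):
    """True if a TCP connection to host:port completes within timeout.

    Any socket error (refused, unreachable, timed out) counts as 'down':
    the balancer should fail closed and stop handing traffic to that host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pfctl_table_cmd(action, table, host):
    """Build 'pfctl -t <table> -T delete|add <host>' as an argv list."""
    if action not in ("delete", "add"):
        raise ValueError(action)
    return ["pfctl", "-t", table, "-T", action, host]


@dataclass
class CheckResult:
    host: str
    failed_ports: list = field(default_factory=list)

    @property
    def healthy(self):
        return not self.failed_ports


def check_backend(host, ports, probe=port_is_open):
    """Probe every service port on one backend; a single closed port marks it unhealthy."""
    return CheckResult(host, [p for p in ports if not probe(host, p)])


def run_checks(backends, table, probe=port_is_open, runner=subprocess.run, alarm=print):
    """Check all backends, pull each unhealthy one from the pf table and raise an alarm.

    Returns the list of (host, argv) pulls performed so a caller can audit them."""
    pulled = []
    for host, ports in backends.items():
        result = check_backend(host, ports, probe)
        if result.healthy:
            continue
        cmd = pfctl_table_cmd("delete", table, host)
        runner(cmd, check=False)
        alarm(f"ALARM: {host} failed ports {result.failed_ports}; removed from <{table}>")
        pulled.append((host, cmd))
    return pulled


def local_probe_demo():
    """Exercise port_is_open against a loopback listener, then the same port once closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    up = port_is_open("127.0.0.1", open_port, timeout=1.0)
    listener.close()
    # Nothing listens on the freed port any more, so the connect is refused.
    down = port_is_open("127.0.0.1", open_port, timeout=1.0)
    return up, down


if __name__ == "__main__":
    # No arguments: run the periodic check (e.g. from cron).
    # '--pull HOST' / '--restore HOST': the manual maintenance variants.
    if len(sys.argv) == 3 and sys.argv[1] in ("--pull", "--restore"):
        action = "delete" if sys.argv[1] == "--pull" else "add"
        subprocess.run(pfctl_table_cmd(action, PF_TABLE, sys.argv[2]), check=False)
    else:
        run_checks(BACKENDS, PF_TABLE)
```

Treating every probe failure as "down" is deliberate: a backend that answers on 25 but not on 143 would otherwise keep receiving IMAP connections from the balancer and time out exactly as the original question worries about. Restoring a host after it recovers is left as the manual `--restore` step, matching the thread's description of pulling servers by hand for maintenance.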