Date: Sun, 25 Feb 2001 12:10:56 +0100
From: Len Conrad <LConrad@Go2France.com>
To: freebsd-isp@freebsd.org
Subject: Re: Dedicated smtp relay box
Message-ID: <5.0.0.25.0.20010225114033.027eca50@mail.Go2France.com>
In-Reply-To: <20010220133048.A91585@corey.datafast.net.au>

>I run a freebsd 4.2 qmail mail server, serving 20k or so mailboxes
>across 300 domains, and relaying for anywhere up to 1500 modem lines,
>plus microwave clients.
>
>Since installing antivirus software on our qmail server, the load has
>increased dramatically.

So you have learned what your mistake was? :))

>It has on average 200 qmail-smtpd processes
>running, and available memory fluctuates from 195MB to about 50MB out of
>1.7GB.

Amazing!! 1.5 gb consumed by just 200 processes ?

For comparison, I've seen postfix load up nearly 300 SMTP and 100 SMTPD processes in a 512 mb machine. Sounds like Wietse V has outcoded Daniel J there :)))

The FreeBSD.org mailhub(s) run postfix.

>I suspect that this is due to the increased time taken to
>process each message. I am concerned that if I open up the smtpd limit
>that it will run out of RAM.
>
>So, I am looking for a way to shift some of the load. My theory so far
>is to set up a separate smtp server for the relaying

This is the concept behind IMGate in my sig.

postfix is beautiful in the role of relay-only mail hub, off-loading all anti-abuse and significant anti-virus defense (eg, stops all ILOVE and AnnaK type viruses at the hub, offloading them from even the AV box) on the inbound, while also doing all outbound deliveries.

I would expect those 200 SMTPd processes to drop dramatically on the mailbox server and migrate to the postfix hub.

postfix is fast and easy to set up. I can send you my config files and the sysctl params you need to open up FreeBSD to handle 200+ SMTP/D processes. Wietse has also updated the postfix FAQ with my sysctl tuning info.

>scanning for outgoing messages is not an issue, we only really want it
>for incoming anyway.

You can off load a ton of work from the mailbox server by letting the hub do deliveries (DNS lookups), deferring, and retrying.

>Or should I just set up another qmail box? Or is there a simple way
>that I am missing?

yes, postfix.

I've set up over 30 ISPs with IMGate, and all are extremely pleased with the results. For some, adding a mail has transformed their ISP's mail environment and their users love the 90% reduction in SPAM.

They learned the tremendous advantages of not putting all your baby 'roos in one pouch. :))

But you aren't going far enough with sharing the load asymmetrically among single function boxes. Have another postfix relay pouch doing the virus scanning, greatly extending the useable life of your mailbox hardware. I like Amavis and Kaspersky in that role. By having so much mail routing flexibility available, you can offer AV scanning per-domain as a payable option.

1. border mail hub, or two for MX redundancy. Try to export/duplicate your list of known mail users to this box so it can stop harvesting and other crap without DoS-sing the mailbox server to query for valid mail accounts.

2. AV scanner (block internet access to this box's port 25)

3. mailbox server (no longer in DNS MX records, and in some cases you can block access from Internet to its port 25)

Try to block port 25 access from Internet to all your boxes so the border relay hub becomes the SMTP choke point(s) where you concentrate your defenses.

Len

http://BIND8NT.MEIway.com : Binary for ISC BIND 8.2.3 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-spam mail gateways

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
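
Step 1 of the layout in the message above (copying the mailbox server's list of known users to the border hub) could be scripted as follows. This is an added example, not part of the original e-mail or of IMGate; it assumes a Postfix release that supports relay_recipient_maps and transport_maps, and the function name, host name and sample addresses are hypothetical.

```python
"""Build Postfix lookup-table sources for a relay-only border hub."""
import re

# Conservative syntax check for exported addresses (not a full RFC 5321 parser).
# It deliberately rejects a bare "@domain" entry: in relay_recipient_maps that
# key is a wildcard accepting every recipient in the domain, which would undo
# the recipient validation the hub is supposed to perform.
_ADDR = re.compile(r"^[a-z0-9._+-]+@([a-z0-9-]+\.)+[a-z]{2,}$")


def build_hub_maps(exported_users, next_hop):
    """Return (relay_recipients, transport, rejected) from a mailbox export.

    exported_users: iterable of address strings taken from the mailbox server.
    next_hop: host the hub forwards accepted mail to (here, the AV scanner).
    """
    recipients, domains, rejected = set(), set(), []
    for raw in exported_users:
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue                      # skip blank lines and comments
        if not _ADDR.match(addr):
            rejected.append(raw)          # report, never publish, bad entries
            continue
        recipients.add(addr)
        domains.add(addr.split("@", 1)[1])
    # One "key<TAB>value" pair per line, the input format postmap expects.
    relay_recipients = "".join(f"{a}\tOK\n" for a in sorted(recipients))
    # [host] suppresses the MX lookup so mail goes straight to the next tier.
    transport = "".join(f"{d}\tsmtp:[{next_hop}]:25\n" for d in sorted(domains))
    return relay_recipients, transport, rejected


# Constructed sample export (hypothetical addresses), including bad entries.
SAMPLE_EXPORT = [
    "Alice@Example.com", "bob@example.com ", "alice@example.com",
    "carol@example.net", "@example.org", "dave@@example.com", "# comment", "",
]

if __name__ == "__main__":
    rcpt, trans, bad = build_hub_maps(SAMPLE_EXPORT, "avscan.internal.example")
    print(rcpt, trans, "rejected:", bad, sep="\n")
```

The hub can then refuse mail for addresses missing from the first table during the SMTP dialogue, so address harvesting never reaches the mailbox server.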