
Re: Postscreen update

Kris Deugau
Sep 29, 2010
      Stan Hoeppner wrote:
      > For example: http://www.spamhaus.org/datafeed/
      > "The Spamhaus DNSBL Datafeed is a service for users with professional
      > DNSBL query requirements, such as corporate networks and ISPs. It offers
      > both a Query service and an Rsync service (you can choose)."
      > The paid "Query" service mentioned above requires the Postfix feature
      > you are asking about. It's an authentication mechanism.
      > The Rsync service allows downloading the entire Spamhaus databases
      > multiple times a day and hosting them on a local dns server or via an
      > rbldnsd daemon on each MX. The latter is suitable for those such as big
      > ISPs with massive mail flows, who cannot afford the latency of over the
      > wire network based dnsbl queries.

      It's also a reasonable option due to cost; the paid query service is
      more expensive (at least at the level we were looking at here) compared
      to the rsync service.

      > A remote dnsbl query can take anywhere from 20-200 milliseconds (or
      > more) depending on number of hops and network conditions. A query to a
      > local network dns server can take less than 1ms. A query to an rbldnsd
      > daemon residing on the MX MTA host itself can occur in a few
      > microseconds, as it is an interprocess communication occurring at the
      > speed of system memory. This is the preferred method for some of the
      > world's busiest MTAs. All this performance comes at a cost: the rbldnsd
      > method requires multiple gigabytes of system memory for the Spamhaus
      > zone files alone.

      Hmm, no, less than 100M:

      28776 rbldns 20 0 81740 65m 700 S 0 3.3 118:49.42 rbldnsd

      And this with a modest local blacklist loaded in as well. The on-disk
      files for all of the lists total just over 100M. We just run the
      Spamhaus data on a non-public zone on our general resolvers (running
      dnscache) and we have yet to see any latency problems.

      The biggest sysadmin/network costs for the rsync service are in
      configuration (may need extra scripting to distribute the data to
      multiple rbldnsd instances, depending on how you want to arrange your
      DNS services - otherwise, it's "set up once, let it run") and update
      bandwidth - currently they provide a script intended to be called once a
      minute to update the zone data source files.
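
As an added worked example (not code from this thread, nor from Postfix or rbldnsd): a small Python emulation of the locally hosted zone Stan and Kris describe. It builds the reversed-octet query name postscreen sends, answers it from a constructed ip4set-style data file (the text layout rbldnsd's ip4set datasets use, with a leading ":A:TXT" default line; treated here as an assumption about the format), and then applies a hand-expanded postscreen_dnsbl_sites-style weight and threshold. The zone name zen.local, the listed networks and the A values are placeholders, and nothing in the block touches the network.

```python
"""Emulate a locally served DNSBL zone (the rsync + rbldnsd model) for a
postscreen-style lookup.  Added example; not Postfix, rbldnsd or Spamhaus code."""
import ipaddress

# Constructed sample zone in ip4set-style text (assumed layout): the ":A:TXT" line
# sets the default answer for entries that carry none; each later line is an
# address or CIDR block, optionally followed by its own ":A:TXT" value.
SAMPLE_ZONE = """\
# zen.local - constructed sample, NOT real Spamhaus data
:127.0.0.2:Listed in sample SBL-like dataset
192.0.2.0/24
198.51.100.7
203.0.113.0/25:127.0.0.11:Listed in sample PBL-like dataset
"""

# Constructed stand-in for a postscreen_dnsbl_sites entry such as
# "zen.local=127.0.0.[2..11]*3": (zone, accepted A values, weight), expanded by hand.
SITES = [("zen.local", {"127.0.0.2", "127.0.0.11"}, 3)]
THRESHOLD = 3   # stand-in for postscreen_dnsbl_threshold


def parse_ip4set(text):
    """Parse ip4set-style lines into (network, a_value, txt) tuples."""
    default = ("127.0.0.2", "")
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(":"):                 # ":A:TXT" default value line
            _, a, txt = line.split(":", 2)
            default = (a, txt)
            continue
        net_part, _, value = line.partition(":")
        a, txt = default
        if value:                                # per-entry ":A:TXT" override
            a, _, txt = value.partition(":")
        entries.append((ipaddress.ip_network(net_part, strict=False), a, txt))
    return entries


def dnsbl_query_name(client_ip, zone):
    """Build the name a DNSBL client asks for: reversed octets under the zone."""
    octets = str(ipaddress.ip_address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def answer(entries, qname, zone):
    """Answer like a local list server: turn the labels back into an address and
    return (A, TXT) for the most specific listing, or None for NXDOMAIN."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    ip = ipaddress.ip_address(".".join(reversed(labels)))
    hits = [e for e in entries if ip in e[0]]
    if not hits:
        return None
    _net, a, txt = max(hits, key=lambda e: e[0].prefixlen)
    return a, txt


def dnsbl_score(client_ip, entries, sites=SITES):
    """Sum the weights of every site whose answer falls in its accepted A values."""
    score = 0
    for zone, accepted, weight in sites:
        hit = answer(entries, dnsbl_query_name(client_ip, zone), zone)
        if hit and hit[0] in accepted:
            score += weight
    return score


def rejected(client_ip, entries, threshold=THRESHOLD):
    """True when the weighted score reaches the threshold (postscreen would reject)."""
    return dnsbl_score(client_ip, entries) >= threshold


if __name__ == "__main__":
    zone = parse_ip4set(SAMPLE_ZONE)
    for ip in ("192.0.2.5", "203.0.113.5", "203.0.113.200", "198.51.100.8"):
        q = dnsbl_query_name(ip, "zen.local")
        print(ip, q, answer(zone, q, "zen.local"), "reject" if rejected(ip, zone) else "accept")
```

The lookup is pure in-memory CIDR matching over the parsed file, which is the point of the thread: the cost of a local zone is the memory and update plumbing, not per-query latency. Note that this expands the [n..m] filter syntax by hand rather than parsing the real postscreen_dnsbl_sites grammar.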
