Loading ...
Sorry, an error occurred while loading the content.

avoiding overload on port 587

Expand Messages
  • Tomas Macek
    I don t understand now, how Postfix behaves when listenting on submission port 587. Our mailserver is sometimes overloaded on port 25, so we want to use
    Message 1 of 54 , Nov 29, 2012
    • 0 Attachment
      I don't understand now, how Postfix behaves when listenting on
      submission port 587.
      Our mailserver is sometimes overloaded on port 25, so we want to use
      postscreen. But I don't understand, how Postfix works when it's stressed
      on port 587, when spammers connect to that opened port and want send their
      "emails". In document http://www.postfix.org/STRESS_README.html there
      is:

      NOTE: To avoid "overload" delays for end-user mail clients, enable the
      "submission" service entry in master.cf (present since Postfix 2.1), and
      tell users to connect to this instead of the public SMTP service.

      Should this mean, that Postfix by default does not use counters like
      smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on
      sumission port? On
      this port I would prefer using some kind of smtp auth and this port should
      be world accessible to allow the clients using other networks to
      authenticate and send emails.

      Regards, Tomas
    • /dev/rob0
      ... Or better yet: replace it with postscreen. ... To clarify, I meant that if those Outlook Expresses are not yet compromised by malware, they will be, soon.
      Message 54 of 54 , Dec 4, 2012
      • 0 Attachment
        On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
        > On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
        > > I would still also set up port 587 on the mail.example.com
        > > IP as submission as well and try to encourage your users (at
        > > least the ones you can) to use port 587 from now on.
        >
        > What I would do, on Linux with IPv4 only, is create the submission
        > port and use an iptables redirect for the alternate IP address:
        >
        > # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
        > mail.example.com -j REDIRECT --to-port submission
        >
        > This saves the overhead (system and administrative) of running
        > another smtpd on [mail.example.com]:25; he can leave his "smtp ...
        > smtpd" service alone in master.cf.

        Or better yet: replace it with postscreen.

        > I should also add as a reply to Stan in the other subthread: look
        > above at the first quoted paragraph: "Outlook Expresses setup with
        > ... default configuration."
        >
        > Yikes, bad news, very bad. If not doing content filtering nor
        > policy limitation of submission now, he will be soon. And possibly
        > losing his job in any case. Tomas is not in a good place right now.

        To clarify, I meant that if those Outlook Expresses are not yet
        compromised by malware, they will be, soon.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      Your message has been successfully submitted and would be delivered to recipients shortly.