Re: avoiding overload on port 587
- On Fri, 30 Nov 2012, lst_hoe02@... wrote:
>OK, so there is a chance for spammers to overload the server using
> Zitat von Tomas Macek <macek@...>:
>> I don't understand now, how Postfix behaves when listenting on submission
>> port 587.
>> Our mailserver is sometimes overloaded on port 25, so we want to use
>> postscreen. But I don't understand, how Postfix works when it's stressed on
>> port 587, when spammers connect to that opened port and want send their
>> "emails". In document http://www.postfix.org/STRESS_README.html there is:
>> NOTE: To avoid "overload" delays for end-user mail clients, enable the
>> "submission" service entry in master.cf (present since Postfix 2.1), and
>> tell users to connect to this instead of the public SMTP service.
>> Should this mean, that Postfix by default does not use counters like
>> smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on
>> sumission port? On this port I would prefer using some kind of smtp auth
>> and this port should be world accessible to allow the clients using other
>> networks to authenticate and send emails.
> Port 587 is by default nothing special for Postfix because it is mostly a
> clone of the Port 25 service. The *intended* difference is that Port 587
> should only accept mail by authenticated users, so no chance for spammers if
> they don't own valid credentials. To actually see the difference between Port
> 25 and Port 587 settings you have to compare the entries in master.cf.
submission port 587 (the server says then "service "smtp" (25) has
reached its process limit "200"") by exhausting number of available ports
and the MUA clients then can have also problems to send their
emails? I'm I right?
If I'm, then I don't understand, why to split the processes into
submission 587 and normal 25, because if the MUA client send the mail
through 25 (hope with postscreen), there is a chance that the 25 is not
overloaded (because it uses postscreen) and he will be rather
able to send his email compared to 587.
Or I don't still understand something ... :-)
Andreas: sorry for my direct answer to you, my mistake
- On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
> On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:Or better yet: replace it with postscreen.
> > I would still also set up port 587 on the mail.example.com
> > IP as submission as well and try to encourage your users (at
> > least the ones you can) to use port 587 from now on.
> What I would do, on Linux with IPv4 only, is create the submission
> port and use an iptables redirect for the alternate IP address:
> # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
> mail.example.com -j REDIRECT --to-port submission
> This saves the overhead (system and administrative) of running
> another smtpd on [mail.example.com]:25; he can leave his "smtp ...
> smtpd" service alone in master.cf.
> I should also add as a reply to Stan in the other subthread: lookTo clarify, I meant that if those Outlook Expresses are not yet
> above at the first quoted paragraph: "Outlook Expresses setup with
> ... default configuration."
> Yikes, bad news, very bad. If not doing content filtering nor
> policy limitation of submission now, he will be soon. And possibly
> losing his job in any case. Tomas is not in a good place right now.
compromised by malware, they will be, soon.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: