
Re: avoiding overload on port 587

  • Stan Hoeppner
    Message 1 of 54 , Nov 30, 2012
      On 11/30/2012 7:27 AM, Tomas Macek wrote:
      > On Fri, 30 Nov 2012, Wietse Venema wrote:

      >> Strange, do you really expect Postfix to flip status immediately
      >> when load drops under the limit, or do you expect it to behave in
      >> a more rational manner and announce that "peace has come" when the
      >> load has stayed under the limit for some minimal amount of time?
      >
      > And what is the minimal amount of time? I'm still unable to find it, how
      > much time that means.

      Tomas, there is a really easy solution to this problem of yours, and it
      doesn't take in-depth technical understanding of the inner workings of
      Postfix to achieve it.

      Simply physically separate your inbound public SMTP traffic from your
      user submission relay traffic. I.e. set up a separate dedicated box that
      ONLY performs submission on TCP 587 with auth and outbound relay. I.e.
      disable the smtpd server on TCP 25. And implement Postscreen on the
      current public SMTP server.

      Inform your clients that the change will be complete in 14 days, or
      whatever time frame you choose, and that they must switch submission to
      the new IP+port with username and password before that deadline. After
      the deadline, disable submission/relaying on the public SMTP server,
      forcing stragglers to convert to using the new submission server.

      Separating these functions doesn't require a second physical server, but
      it has a number of advantages for you and your users. First is that it
      fixes the problem of high public SMTP traffic causing problems for
      submissions. Second, if you have to take one server down for hardware
      maintenance only one function goes down, not both. Third, if desired,
      you can locate the two servers in different locations, on different
      networks. Etc, etc.

      Many orgs with high traffic loads separate the public SMTP and user
      submission functions onto separate boxes. Some have entire farms of
      servers dedicated to each function.


      --
      Stan
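The split Stan describes, as an added configuration example that is not from the thread or from the Postfix project: minimal master.cf and main.cf fragments for a submission-only box and for a public MX behind postscreen. The service layout and the use of smtpd_relay_restrictions (Postfix 2.10 or later) are assumptions.

```conf
# Dedicated submission host: port 587 only, auth required, no public SMTP.
# (Assumed layout; Postfix 2.10+ for smtpd_relay_restrictions.)
#
# --- master.cf ---
# service   type  private unpriv chroot wakeup maxproc command + args
#smtp       inet  n       -      n      -      -       smtpd     # port 25 stays disabled here
submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# Public MX: postscreen answers port 25, smtpd runs behind it, no submission.
#
# --- master.cf ---
smtp        inet  n       -      n      -      1       postscreen
smtpd       pass  -       -      n      -      -       smtpd
dnsblog     unix  -       -      n      -      0       dnsblog
tlsproxy    unix  -       -      n      -      0       tlsproxy
#submission inet  n       -      n      -      -       smtpd     # removed after the cut-over deadline
#
# --- main.cf ---
# No authenticated relaying on the public MX once clients have moved to 587.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
# Reject clients that talk before the greeting; cheap filter for bot traffic,
# and the load it sheds never reaches the submission box at all.
postscreen_greet_action = enforce
```

Authenticated users that have not moved by the deadline get a relay rejection on port 25 instead of a silent overload, which is the "forcing stragglers" step in the plan above.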
    • /dev/rob0
      Message 54 of 54 , Dec 4, 2012
        On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
        > On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
        > > I would still also set up port 587 on the mail.example.com
        > > IP as submission as well and try to encourage your users (at
        > > least the ones you can) to use port 587 from now on.
        >
        > What I would do, on Linux with IPv4 only, is create the submission
        > port and use an iptables redirect for the alternate IP address:
        >
        > # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
        > mail.example.com -j REDIRECT --to-port submission
        >
        > This saves the overhead (system and administrative) of running
        > another smtpd on [mail.example.com]:25; he can leave his "smtp ...
        > smtpd" service alone in master.cf.

        Or better yet: replace it with postscreen.

        > I should also add as a reply to Stan in the other subthread: look
        > above at the first quoted paragraph: "Outlook Expresses setup with
        > ... default configuration."
        >
        > Yikes, bad news, very bad. If not doing content filtering nor
        > policy limitation of submission now, he will be soon. And possibly
        > losing his job in any case. Tomas is not in a good place right now.

        To clarify, I meant that if those Outlook Expresses are not yet
        compromised by malware, they will be, soon.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: