
Re: Possible to dedicate a number of smtpd processes for OUTBOUND mail only ??

  • Fernando Maior
    Message 1 of 5 , Feb 25, 2013
      Hi,

      Let me see:
      1. You have a gateway that receives the incoming connection and relays it to your 3 mail servers
      2. The 3 mail servers are behind the firewall, and answer to the same domain
      If you are just like that, maybe you do not need to take care of the attacks when they arrive at the 3 mail servers; instead you may have another mail server in the firewall that is responsible only for recognizing the attacking connections and disconnecting them without relaying to the mail servers. It is very probable that you can make your anti-attack mail server handle many more connections than the 3 mail servers because it will not serve the connections, only filter the bad ones.

      Or maybe I did not understand your situation. :-)

      Best regards,
      ---
      Fernando Maciel Souto Maior

      On Mon, Feb 25, 2013 at 2:12 PM, Viktor Dukhovni <postfix-users@...> wrote:
      On Mon, Feb 25, 2013 at 10:30:41AM +0000, Peter Sørensen wrote:

      > Currently we have a lot of attacks on Our gateway system serving
      > up to 200 smtpd On each server. We have 3 servers which add up to
      > max 600 concurrent smtpd processes.
      >
      > I would like to reserve let's say 50 smtpd on each server to just
      > handle outgoing mail.
      >
      > Is that possible ?

      No, this is not a Postfix limitation, it is a logical impossibility,
      the SMTP server does not know which mail is "outgoing" and which
      is "incoming" until it has accepted the connection and started the
      SMTP transaction with the client, by which point it is no longer
      "reserved".

      This said you are free to implement separate TCP (ip:port) endpoints
      for different service levels, and if necessary even restrict access
      to some of them via firewall rules and/or network prefixes that are
      only routable internally to your organization.

      Consider http://www.postfix.org/MULTI_INSTANCE_README.html as a
      best practice approach for supporting separate mail flows on a
      single Postfix server.

      --
              Viktor.

    • Peter Sørensen
      Message 2 of 5 , Feb 25, 2013
        Thank you - I only hoped but as you write this is a logical problem.
        I will take a look at the multi-instance.

        Best regards

        Peter Sørensen
        Univ Of Southern Denmark


        -----Original message-----
        From: owner-postfix-users@... [mailto:owner-postfix-users@...] On behalf of Viktor Dukhovni
        Sent: 25 February 2013 18:13
        To: postfix-users@...
        Subject: Re: Possible to dedicate a number of smtpd processes for OUTBOUND mail only ??

        On Mon, Feb 25, 2013 at 10:30:41AM +0000, Peter Sørensen wrote:

        > Currently we have a lot of attacks on Our gateway system serving up to
        > 200 smtpd On each server. We have 3 servers which add up to max 600
        > concurrent smtpd processes.
        >
        > I would like to reserve let's say 50 smtpd on each server to just
        > handle outgoing mail.
        >
        > Is that possible ?

        No, this is not a Postfix limitation, it is a logical impossibility, the SMTP server does not know which mail is "outgoing" and which is "incoming" until it has accepted the connection and started the SMTP transaction with the client, by which point it is no longer "reserved".

        This said you are free to implement separate TCP (ip:port) endpoints for different service levels, and if necessary even restrict access to some of them via firewall rules and/or network prefixes that are only routable internally to your organization.

        Consider http://www.postfix.org/MULTI_INSTANCE_README.html as a best practice approach for supporting separate mail flows on a single Postfix server.

        --
        Viktor.
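
The separate ip:port endpoints suggested in the reply above can be sketched in a single instance's master.cf, as an added example that is not part of the original thread. The addresses, the port choice, the `postfix/internal` log name and the 150/50 split are assumptions chosen to match the numbers in the question; a multi-instance setup as described in MULTI_INSTANCE_README would put the second listener in its own instance instead.

```conf
# master.cf (constructed example; addresses and limits are placeholders)
# service         type  private unpriv chroot wakeup maxproc command + args

# Internet-facing listener: inbound mail competes only for these 150 processes.
192.0.2.25:25     inet  n       -      n      -      150     smtpd

# Internal listener for outgoing mail: its own pool of 50 processes,
# bound to an address that is only routable inside the organization.
10.0.0.25:587     inet  n       -      n      -      50      smtpd
  -o syslog_name=postfix/internal
  -o smtpd_client_restrictions=permit_mynetworks,reject
```

Because each master.cf service has its own maxproc column, connections that exhaust the public listener's pool cannot consume the processes of the internal one. A firewall rule limiting who can reach the internal address adds the access restriction the reply mentions.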