Large Prod Env Mail Host Was [Re: ClamAV Feedback]

Ow Mun Heng Ow.Mun.Heng at wdc.com
Wed Oct 27 08:40:19 UTC 2004


On Tue, 2004-10-26 at 02:42, Rick Stevens wrote:
> Ow Mun Heng wrote:
> > On Sat, 2004-10-23 at 08:20, Rick Stevens wrote:
> > 

> > Sendmail scales well?? I was reading that sendmail is slower compared to
> > postfix.
> 
> If you know how to tune sendmail and the kernel it works quite well.
> Postfix is inappropriate for our task as it's not configurable enough
> for our rather odd layout.  I need sendmail's check_mail and check_rcpt
> rulesets for authentication and rewriting headers for wildcard delivery

I couldn't locate a check_mail and check_rcpt in sendmail's docs (in
/usr/share/doc). What I did find were just references to them. I did find
this, though:
loose_relay_check
                Normally, if % addressing is used for a recipient, e.g.
                user%site at othersite, and othersite is in class {R}, the
                check_rcpt ruleset will strip @othersite and recheck
                user at site for relaying.  This feature changes that
                behavior.  It should not be needed for most installations.

But that is only useful if you're using a single email account to forward to multiple users
within your organisation (but this would need intervention from your ISP to get them
to implement the % thingy).

> Well, in a nutshell, it's this:
> 
> We use sendmail 8.12.11 right now.  Fairly standard configuration
> (much like what Fedora ships with).  Milter and LDAP support must be
> enabled and the milter library installed in /usr/lib or wherever so
> ClamAV can find it when built.

I believe you're building sendmail yourself then. How does one check if
using rpm? Do you know? (I'm booted into gentoo and I know sendmail is
compiled with ldap support.)

> For outgoing mail, the sender's domain and usernames are checked against
> LDAP via entries in the "check_mail" ruleset.  If not found, mail is
> rejected.  If accepted, they go through the normal TLS mechanism to
> authenticate and send mail. 

If I understand your explanation of check_mail and check_rcpt correctly,
it only adds a level of security/anti-relay check, correct? You're
already using TLS; how about using SASL as well? Postfix can also query
against LDAP, so theoretically (anyway) check_mail and check_rcpt can
also be done. (Also with a MySQL backend, much like LDAP; that could
also be a solution, right?)

> Next, the username is checked against that domain in LDAP.  If the user
> isn't found, we look for a wildcard mailbox (called "catchall").  If
> that's found, the headers for the mail are rewritten and delivery is
> made to the catchall mailbox.  If neither the user nor the catchall is
> found, the mail is rejected.  

Again, I've found references on how postfix could be used to do this.
(Refer to Martin List-Petersen's ISP-Mailserver-Solution-Howto.)


> This is also where Bogofilter is
> called if we do spam filtering.  

Stupid question. Is SpamAssassin via spamass-milter (the milter side)
slower or more resource intensive compared to bogofilter?

>  Webmail is based on Horde/IMP and is also tweaked to allow
> users to change their passwords and other things on the LDAP servers.

Now, this is interesting. But since I've yet to implement mine, I'll
just read about it. (P.S. You mentioned the code is open-sourced. Is it
released?)

> The upshot of this is that the users are not in any passwd file, nor do
> they really have accounts on any of the servers.  They are figments of
> LDAP's imagination and sendmail, procmail, POP and IMAP all play along.
> The dynamic UID/GID daemon allows us to reuse UIDs and GIDs, and
> our tests indicate the whole system is scalable to over ten billion
> individual accounts.  Sure, you'll need more servers to handle that many
> accounts, but servers are cheap and they're all configured identically,
> based on their roles (outgoing mail, incoming mail, POP or IMAP).

10 billion... You don't say.
The thing about the UID/GID daemon is interesting.

All in all, I'm not saying that postfix is a better choice or that
sendmail is not. I'd just like to understand more in-depth which is the
best path to take. (Given the circumstances, I doubt I'll ever need to
host 10 billion, let alone 100, users for this mailserver, but I'd like to
keep my options open.)

Thanks for your time
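Added example, not code from this thread and not Rick's actual sendmail rulesets: a small Python model of the check_mail / check_rcpt flow described above (sender must exist in LDAP; recipient falls back to the "catchall" mailbox, otherwise rejected), including the `user%site@othersite` strip-and-recheck behaviour quoted from the sendmail loose_relay_check doc. The in-memory directory, domains and user names are constructed stand-ins for the LDAP tree.

```python
# Constructed stand-in for the LDAP tree: hosted domains, their users and
# the optional wildcard ("catchall") mailbox per domain.
DIRECTORY = {
    "example.com": {"users": {"alice", "bob"}, "catchall": "catchall@example.com"},
    "example.org": {"users": {"carol"}, "catchall": None},
}
# Class {R}: domains this host relays for (sendmail reads it from
# relay-domains). Assumption here: it equals the set of hosted domains.
CLASS_R = set(DIRECTORY)


def split_address(addr):
    """Return (localpart, domain), lower-cased, with % routing collapsed.

    Per the quoted doc: for user%site@othersite with othersite in {R},
    strip @othersite and recheck user@site. Repeat until no % remains
    or the outer domain is not one we relay for.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    while domain in CLASS_R and "%" in local:
        local, _, domain = local.rpartition("%")
    return local, domain


def check_mail(sender):
    """check_mail: sender's domain and username must both exist in LDAP."""
    user, domain = split_address(sender)
    entry = DIRECTORY.get(domain)
    if entry is None or user not in entry["users"]:
        return ("reject", "sender not in directory")
    return ("accept", f"{user}@{domain}")


def check_rcpt(recipient):
    """check_rcpt: known user -> deliver; else catchall; else reject."""
    user, domain = split_address(recipient)
    entry = DIRECTORY.get(domain)
    if entry is None:
        return ("reject", "relaying denied")   # not a domain we host/relay for
    if user in entry["users"]:
        return ("accept", f"{user}@{domain}")
    if entry["catchall"]:
        return ("accept", entry["catchall"])   # headers rewritten to wildcard box
    return ("reject", "user unknown")
```

The last case is the one the relay check exists for: a %-routed address whose inner domain is not hosted here is rejected instead of being relayed onward.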