AW: [Mimedefang] Configuring when MD runs

Martin Bene martin.bene at icomedias.com
Sun Nov 24 12:11:00 EST 2002


Hi Justin,

> I noticed this morning that the direct4optin.com had 30 or so 
> connections open to one of my servers like they usually do.  

Make sure you're using the multiplexor; you should still see one mimedefang
process for each sendmail connection in the data phase, but that's just the
(fairly lightweight) milter acceptor. Only when there actually is data to
check should the more resource-hungry perl processes be used.

I know that this doesn't really answer your question, but still some
information on a related problem:

One of the servers I'm using mimedefang on has > 550 related domains. This
means that it happens quite often that one sender has mail for many (several
hundreds) of these domains - needn't even be spam, quite often it's
legitimate mails/announcements.

If the remote servers were configured correctly, they should see all the
destinations sharing the same MX entry and stream the mails in a single
connection; with servers running exim/sendmail/postfix that's what actually
happens.

Enter MS Exchange (and probably others): Domain part of the destination
address is different, therefore it sends the mails in parallel. Result: One
remote server trying to open > 100 concurrent connections; load average +
sendmail child processess skyrocket and sendmail has to start rejecting
connections.

To avoid this mess I recently put iptables with iplimit module from iptables
patch-o-matic on the (linux 2.4.18) box. This allows me to define a limit:
max 10 concurrent smtp connections from any single client. Result: just the
connections from idiot servers get blocked, sendmail stays reachable for
regular users. Also, server load is kept in a much more sensible range.

If anyone else wants to try this: there's a bug in current iplimit netfilter
code; I've sent a patch to the maintainers but it isn't in CVS yet, so either
mail me or wait for a fix to turn up in the official release (limit doesn't
work if consecutive tries are sent with the same source port).

Bye, Martin
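The per-client cap on concurrent SMTP connections described in the post, as an added example that is not Martin's own script. It assumes the historic patch-o-matic `iplimit` match syntax (`--iplimit-above`) and the equivalent `connlimit` match that mainline iptables ships today; the limit of 10 and port 25 come from the post, while the LOG rule and the DRY_RUN wrapper are additions.

```shell
#!/bin/sh
# Added example: cap concurrent SMTP connections per client address.
# Two forms of the same rule:
#   iplimit_rule   - patch-o-matic iplimit on Linux 2.4 (assumed historic syntax)
#   connlimit_rule - connlimit match in mainline iptables (current kernels)
# Set DRY_RUN=1 to print the iptables commands instead of executing them.
set -eu

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"
MAX_PER_CLIENT="${MAX_PER_CLIENT:-10}"   # the post's value: 10 per client

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Only new connections (--syn) are counted against the cap, so sessions that
# are already streaming mail are never cut off; the 11th attempt is refused
# with a TCP reset, which a well-behaved MTA treats as a temporary failure.
iplimit_rule() {
    run "$IPT" -A INPUT -p tcp --syn --dport 25 \
        -m iplimit --iplimit-above "$MAX_PER_CLIENT" \
        -j REJECT --reject-with tcp-reset
}

# --connlimit-mask 32 counts per single source address, matching iplimit's
# default behaviour of keying on the client IP rather than IP plus source port.
connlimit_rule() {
    run "$IPT" -A INPUT -p tcp --syn --dport 25 \
        -m connlimit --connlimit-above "$MAX_PER_CLIENT" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
}

# Rate-limited syslog entry for each refused attempt, so over-parallel senders
# can be identified without flooding the log.
log_rule() {
    run "$IPT" -A INPUT -p tcp --syn --dport 25 \
        -m connlimit --connlimit-above "$MAX_PER_CLIENT" --connlimit-mask 32 \
        -m limit --limit 5/min -j LOG --log-prefix "smtp-connlimit: "
}

# Only install rules when explicitly asked: ./smtp-limit.sh apply
if [ "${1:-}" = "apply" ]; then
    log_rule
    connlimit_rule
fi
```

Run with `DRY_RUN=1 ./smtp-limit.sh apply` first to review the exact rules before loading them into a live chain.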
