[Mimedefang] SMTP error return after DATA?

Michael Sims michaels at crye-leike.com
Fri May 9 08:56:01 EDT 2003


The only problem with that is my server goes to its knees about once a day
when it gets flooded with a large number of connections at once.  For
example, say a spammer decides to deliver to 500 different users on my
server, and rather than sending one message to 500 recipients, or 5 messages
to 100 recipients each, he sends one message each to one recipient (my logs
show that this happens all the time).  Let us further assume that each
message is a 45k HTML message, which is below my size threshold for spam
scanning.  Let's also assume that he's opening ~50-100 concurrent
connections at a time (which I've also seen).  When this happens I quickly
reach my upper limit of MIMEDefang child processes because they all tend to
get hung during the SpamAssassin scan.  My load average shoots up to about
50, Sendmail starts rejecting new connections, and our help desk starts
getting tons of calls saying "the email server is down".

We're not a huge company (about 5000 accounts) and we only have one public
mail exchanger.  This happens to be the same server that internal users use
to relay.  It's not really an option for me to have sendmail tempfail
connections on this machine.  To our users, "Please try again later" is the
same thing as "email isn't working".

The server is a dual PIII-500 with 1024 MB of RAM, and SCSI drives (no RAID
though).  Unfortunately I can't afford to beef it up any more.  CPU
utilization on both processors goes to 100% during these floods and it
effectively kills all of the services on the machine since they can't get
processor time.

The only solution that I can think of is to have this exchanger relay to an
internal dedicated MIMEDefang machine.  This way if the dedicated machine's
load average goes up and it starts rejecting connections, my end users will
not know about it and the primary exchanger will simply queue the message
and retry in a few minutes.  Worst case scenario during a mail flood is that
mail delivery is delayed by a few minutes.  I don't plan to run MIMEDefang
at all on the public exchanger, so I should be able to handle plenty of
concurrent SMTP connections without sending CPU utilization through the
roof.

I had this notion a while back, and it was actually confirmed by a message
that you posted to the list:

http://lists.roaringpenguin.com/pipermail/mimedefang/2003-April/005182.html

I guess my problem is that all of my internal users use the primary
exchanger as their SMTP relay, but that's the way it's been for years, and
changing this means reconfiguring 1000+ desktops.

If anyone has any other suggestions other than hardware upgrades I'd love to
hear them...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________

-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of David F.
Skoll
Sent: Friday, May 09, 2003 7:11 AM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] SMTP error return after DATA?


On Thu, 8 May 2003, Michael Sims wrote:

> The only reason I say that is because I'm about to do something like this
> myself.  I'm moving my MD/SA content filtering to a dedicated server, and
> having my primary exchanger relay everything to it as a smart host.

It is much better to have the MIMEDefang host or hosts as your Internet
MX records.  This eliminates most double-bounce problems.

--
David.
_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
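The two-tier layout Michael describes (a public exchanger that only queues and forwards, and a dedicated internal host that runs the MIMEDefang milter) can be expressed in the public exchanger's sendmail m4 configuration. The fragment below is an added example written for this archive page, not a configuration posted by Michael or shipped with MIMEDefang; the hostnames mx.example.com and filter.example.internal and the numeric limits are placeholder assumptions to be tuned per site. The daemon-children and connection-rate limits bound how many processes a burst of single-recipient deliveries can fork, and the load-average thresholds make sendmail stop accepting new connections before the machine is starved of CPU. David's double-bounce point still applies: once the public exchanger has accepted a message, a 5xx from the filter host turns into a bounce to a possibly forged sender, so the filter host should tempfail (which the relay queues and retries) rather than reject outright when it is overloaded.

```m4
divert(-1)
dnl Added example for the public exchanger (mx.example.com), not the
dnl original poster's configuration.  Assumes sendmail 8.12-era m4 macros;
dnl hostnames and limits below are placeholders.
divert(0)dnl
VERSIONID(`public MX: queue and forward, no content filtering here')
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl

dnl Hand every message to the dedicated MIMEDefang host.  The square
dnl brackets skip the MX lookup so the relay is addressed by its A record.
dnl If that host tempfails (4xx), the message simply waits in the queue
dnl here and is retried; end users never see "try again later".
define(`SMART_HOST', `[filter.example.internal]')dnl

dnl Cap concurrent daemon children and the rate of new inbound
dnl connections, so 50-100 simultaneous spam connections cannot fork the
dnl machine into the ground (placeholder values).
define(`confMAX_DAEMON_CHILDREN', `60')dnl
define(`confCONNECTION_RATE_THROTTLE', `10')dnl

dnl Above QUEUE_LA incoming mail is queued instead of delivered at once;
dnl above REFUSE_LA new SMTP connections are refused with a 4xx.  Both
dnl protect the box the internal desktops relay through (placeholders).
define(`confQUEUE_LA', `8')dnl
define(`confREFUSE_LA', `16')dnl

dnl Retry the queue often so a flood delays delivery by minutes, not hours.
define(`confMIN_QUEUE_AGE', `5m')dnl

dnl No INPUT_MAIL_FILTER line on this host: the MIMEDefang milter
dnl (INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:360s;R:360s;E:15m'))
dnl belongs in the sendmail.mc of filter.example.internal only.
MAILER(`smtp')dnl
```

Generate sendmail.cf from this with `m4 sendmail.mc > sendmail.cf` as usual and watch the mail log for "connection rate limit exceeded" and "rejecting connections on daemon MTA: load average" lines to confirm the thresholds are engaging during a flood rather than the box simply saturating.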



