[Greylist-users] recommendations for dual MX system?

[Graham Toal]

spamd is working great in front of a small subdomain we have, which
has about a dozen users.  At some point I will need to move it in
front of our entire campus mail, which is handled currently by two
fairly beefy servers which both have an equal MX value - the servers
are large enough that one server could handle all the mail, but if
it did it would be loaded close to capacity and wouldn't have much
slack to handle unexpected events - the equal-valued MX's are
primarily there to load-balance the incoming mail.  [I understand
that the greylsting itself may reduce the load quite a bit and give
us back the capacity we need, but that's a short-term benefit - 
eventually the load would grow until we needed 2 servers again]

So given that scenario for the MTAs, what would be a good configuration
for an OpenBSD+spamd system?  I'ld prefer to keep the two input
paths and not introduce a single point of failure - we've already
pushing our luck in the reliability department by having mail go
through three systems - openbsd+spamd -> linux+spamfilter -> final
delivery MTA (which happens to be a VMS and if you're really
unlucky, there's another step where the VMS forwards to either
an Exchange server or an Oracle mailer! - *all* of which has
redundant servers at each stage so we're talking something like
10 machines and two network paths here! :-/ )

spamd itself does not have any direct support for sharing greylist
information between MX hosts.  It can be made to share whitelist
information relatively easily (eg by sniffing the port 25 connections
coming out of the other server), but that's not the problem - it is
that we can have senders using half a dozen different addresses to
send, and if they send to each of our MX hosts, we might have a
dozen relay delays until one of them hits twice.  And a couple
more until the third pass-through connection.  So it's the
initial grey connection information we need to share.

Ideally each spamd would send fire & forget packets as hints to
its brethren (has to be a weak connection in case one of the MX
hosts is down) but since we don't currently have that mechanism,
what are the workarounds?  Is anyone else here using > 1 MX
host?

My understanding is that if the hosts *don't* have the same MX
value it's not such a big deal, but I'ld prefer to avoid that
if possible for load reasons.  Also my experience when I ran
the two filtering spamservers that way for a time was that quite
a few legit sites *did* end up sending to the backup MX - more
than common wisdom would have you believe. (Although in our
case that could have been because the primary MX frequently
had to tempfail due to the load average going above the
configured threshhold)


Thanks, everyone.


Graham