[Greylist-users] recommendations for dual MX system?

Eric Brunson brunson at brunson.com
Mon May 2 06:57:23 PDT 2005


Why not have both MTAs talk to a database on another machine?  SQLGrey
running on a 1.2MHz Athlon currently handles about 5000 messages a day
for me, but that's also running on the same box as the MTA, database and
Spamassassin.  If you were to put the database on a separate machine and
have the MTAs talk to it remotely you'd have synchronized greylisting and
offload the greylisting overhead.

Graham Toal wrote:

>spamd is working great in front of a small subdomain we have, which
>has about a dozen users.  At some point I will need to move it in
>front of our entire campus mail, which is handled currently by two
>fairly beefy servers which both have an equal MX value - the servers
>are large enough that one server could handle all the mail, but if
>it did it would be loaded close to capacity and wouldn't have much
>slack to handle unexpected events - the equal-valued MX's are
>primarily there to load-balance the incoming mail.  [I understand
>that the greylisting itself may reduce the load quite a bit and give
>us back the capacity we need, but that's a short-term benefit - 
>eventually the load would grow until we needed 2 servers again]
>
>So given that scenario for the MTAs, what would be a good configuration
>for an OpenBSD+spamd system?  I'd prefer to keep the two input
>paths and not introduce a single point of failure - we're already
>pushing our luck in the reliability department by having mail go
>through three systems - openbsd+spamd -> linux+spamfilter -> final
>delivery MTA (which happens to be a VMS and if you're really
>unlucky, there's another step where the VMS forwards to either
>an Exchange server or an Oracle mailer! - *all* of which has
>redundant servers at each stage so we're talking something like
>10 machines and two network paths here! :-/ )
>
>spamd itself does not have any direct support for sharing greylist
>information between MX hosts.  It can be made to share whitelist
>information relatively easily (eg by sniffing the port 25 connections
>coming out of the other server), but that's not the problem - it is
>that we can have senders using half a dozen different addresses to
>send, and if they send to each of our MX hosts, we might have a
>dozen relay delays until one of them hits twice.  And a couple
>more until the third pass-through connection.  So it's the
>initial grey connection information we need to share.
>
>Ideally each spamd would send fire & forget packets as hints to
>its brethren (has to be a weak connection in case one of the MX
>hosts is down) but since we don't currently have that mechanism,
>what are the workarounds?  Is anyone else here using > 1 MX
>host?
>
>My understanding is that if the hosts *don't* have the same MX
>value it's not such a big deal, but I'd prefer to avoid that
>if possible for load reasons.  Also my experience when I ran
>the two filtering spamservers that way for a time was that quite
>a few legit sites *did* end up sending to the backup MX - more
>than common wisdom would have you believe. (Although in our
>case that could have been because the primary MX frequently
>had to tempfail due to the load average going above the
>configured threshold)
>
>
>Thanks, everyone.
>
>
>Graham
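
The effect discussed in this thread, as an added example that is not part of the original messages and is not spamd or SQLGrey code: a small simulation of a sender with six outbound relays retrying against two equal-priority MX hosts, first with a greylist per host and then with both hosts using one shared store. The triplet layout, the delay and retry values, the addresses and the retry schedule are all constructed assumptions.

```python
MIN_DELAY = 300        # seconds a triplet must age before it passes (constructed value)
RETRY_INTERVAL = 600   # spacing between sender retries in seconds (constructed value)


class Greylist:
    """Minimal greylist: tempfail a triplet until it is retried after MIN_DELAY."""

    def __init__(self, store=None):
        # Handing the same dict to several instances models one remote database.
        self.store = {} if store is None else store

    def accept(self, triplet, now):
        first_seen = self.store.setdefault(triplet, now)
        return now - first_seen >= MIN_DELAY


def tempfails(mx_hosts, attempts):
    """Count tempfails before the first acceptance.

    attempts is a list of (source_ip, mx_name) pairs in retry order.
    """
    for n, (ip, mx) in enumerate(attempts):
        # Assumed triplet: source IP, envelope sender, envelope recipient.
        triplet = (ip, "sender@example.org", "user@example.edu")
        if mx_hosts[mx].accept(triplet, n * RETRY_INTERVAL):
            return n
    return None  # never delivered within the schedule


def schedule(ips, mxs, tries):
    """Constructed worst case: the source IP rotates on every retry and the
    sender moves to the other MX only after a full rotation of its relays."""
    return [(ips[i % len(ips)], mxs[(i // len(ips)) % len(mxs)])
            for i in range(tries)]


IPS = ["192.0.2.%d" % i for i in range(1, 7)]    # six outbound relays (constructed)
ATTEMPTS = schedule(IPS, ["mx-a", "mx-b"], 24)


def independent():
    # Each MX keeps its own greylist, as with unsynchronized hosts.
    return tempfails({"mx-a": Greylist(), "mx-b": Greylist()}, ATTEMPTS)


def shared():
    # Both MX hosts consult one store, as with a database on a third machine.
    db = {}
    return tempfails({"mx-a": Greylist(db), "mx-b": Greylist(db)}, ATTEMPTS)


if __name__ == "__main__":
    print("independent greylists:", independent(), "tempfails")
    print("shared greylist store:", shared(), "tempfails")
```

Under this schedule the shared store halves the delays but does not remove the cost of the sender's relay rotation, because the source IP is still part of the key.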
