[TriLUG] mailing list server filtering setup questions

Michael Hrivnak mhrivnak at hrivnak.org
Thu Dec 20 13:41:09 EST 2007


As others have said, spammers often relay through the lower priority mail 
handlers in hopes that there is less filtering.

My primary concern with your plan is the need to failover into no filtering.  
If you don't trust your filter relay to be a reliable machine, you really 
shouldn't be using it.

Ideally, this is how your MX records should look:

lists.example.org	IN	MX	10	filter.example.org
lists.example.org	IN	MX	20	relay1.example.org
lists.example.org	IN	MX	20	relay2.example.org

The machine filter.example.org has "mydestination" 
include "lists.example.org", with an entry in the transport table 
of "lists.example.org		smtp:[lists.example.org]"

In this scenario, all incoming mail goes through the filter, which then relays 
mail directly to the lists box.  If the filter ever goes down, you have two 
backup relays that will queue the mail until filter comes back up.  If the 
filter machine is horribly broken, you can quickly add transports to the two 
relays to send the mail directly to the list box until the filter can be 
restored.  The key part of this is that the outside world has no direct 
access to the list server.

As for hardware, I'm handling 10-12k messages per day on an Athlon XP 2500+ 
with spamassassin and clamav.  For performance, it helps to use spamd and 
clamd.  The machine you describe is major overkill for 860 messages/day.

I have a postfix gateway in production very similar to the one I suggest for 
your situation, and I am happy to offer more specific help on how to get 
yours going.

As for testing, just setup the filter box and relays as described.  It is 
likely that your "example.org" domain already has backup email relays that 
could easily be set to serve as relays for lists.example.org.  Start sending 
test messages through your new relays and filter box, and see what happens.  
When you are satisfied that they work, then you can change your DNS records 
to put them in production.

Michael


On Thursday 20 December 2007 11:33:12 am Cristóbal Palmer wrote:
> Greetings LUGers. I seek your collective wisdom.
>
> I have a mailing list server with 588 lists on it that handled 860
> incoming posts yesterday. Spamassassin is NOT running on this machine,
> and we do not plan to add it. We need some filtering, though. To that
> end, I'm trying to spec out a spam filtering server to go in front of
> it. Current thinking is to have the filtering box running Fedora and
> performing the following functions:
>
> postfix + greylisting
> spamassassin
> virus scanning (?)
>
> The plan also has us changing this:
>
> lists.example.org.       IN       MX       10 lists.example.org.
>
> to:
>
> lists.example.org.       IN       MX       5 list-filtering.example.org.
> lists.example.org.       IN       MX       10 lists.example.org.
>
> I'm wanting feedback in three major areas:
>
> (1) Is the overarching plan sound? Is there a better way to go about
> this? Is there a major element I've left out?
> (2) What are reasonable hardware specs for the filtering box? I've got
> a 1.4GHz pIII 1U server with 2GB of RAM at my disposal. If that won't
> do, suggestions on how to revamp my plan to be able to use the 1U just
> mentioned are most welcome.
> (3) How do I build a good test system for the filtering box? Any other
> deployment tips? Anybody on the list *done* something like this
> before?
>
> Before you ask: No, we don't have money to buy anything. My labor is
> essentially all I can add to this project. Viable alternatives to
> Fedora include... maybe CentOS, and that's about it. Any system that
> goes in place MUST fail back to the original state of just having the
> working list server with no filtering.
>
> Cheers,
> --
> Cristóbal M. Palmer
> celebrating 15 years of sunsite/metalab/ibiblio:
> http://tinyurl.com/2o8hj4



More information about the TriLUG mailing list