Setting up a gateway server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sep 26, 2007, at 6:50 PM, craig carriere wrote:

> I presently have MM 1.0.2 running on two mail gateway
servers that  
> relay mail back to our main mail server.  The gateways
are set up  
> to provide redundancy in case of failure.  Both query
the MM  
> database which resides on one of our background
servers.  Recently  
> I have seen a number of set-up discussions which use
gateway  
> servers for smtp restrictions and relay to the main
mail server  
> which runs Amavis/SA.  I have always thought spam
rejection was  
> best done at a gateway; does anyone have insight as to
why one  
> would move virus and spam scanning one step back from
the gateway  
> and what advantages it yields.
>

It really just depends on your load and redundancy
requirements.    
Maia is capable of running everything on one system;  SMTP,
POP, web,  
mysql, maia, amavisd, etc.   You can also split it out to a
database  
server, N web servers, M amavisd-maia servers, and O SMTP
gateways,  
for any numbers M,N,and O.

The gateways *must* have a list of recipients for which is
accepts  
mail, and reject all else, no matter what else we do.  The
gateway  
SMTP area is also a great place to do greylisting.

As for the debate of whether spam should be rejected at the
gateway  
or later...   running all the tests that SA has to offer
takes a lot  
of time, and if you held open the connection long enough to
run the  
test, you would run the risk of flooding all your available 

connections.    In addition, to scan the body of the email
for spam  
means the message has already consumed your most precious
resource -  
bandwidth.  So once the message has been transmitted,  a
gateway  
should just dump it on and be done.  Some may think the
gateway needs  
to be tuned to handle this simple cycle quickly to handle
bursts well.

Maia then scans the message, and either passes it through,
or  
quarantines it in the database.   Maia's  performance
considerations  
involve heavy CPU and memory requirements for the
spamassassin  
scanning, and the IO and memory requirements for the
database.   The  
exact balance of all this depends greatly on your own load
and  
message rate.   If you have little load, there's no reason
to split  
the scanning away from the gateways, but if the gateways get
loaded  
down, it makes sense to offload the scanning to another
system.    
However, this could also be accomplished just by adding more
gateway/ 
filter systems in parallel.    It comes down to personal
preference  
and experience.


David Morton
Maia Mailguard http://www.maiamailguard
.com
mortondadgrmm.net



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFG+yw3Uy30ODPkzl0RAkMkAJsHhALcZjhYb2ec2v7DLibXPYqxUQCg
nJW0
bKkUQPqXNU0Rlg5a80D+EIE=
=ZVod
-----END PGP SIGNATURE-----
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users

David Morton wrote:

> As for the debate of whether spam should be rejected at
the gateway  
> or later...   running all the tests that SA has to
offer takes a lot  
> of time, and if you held open the connection long
enough to run the  
> test, you would run the risk of flooding all your
available  
> connections.    In addition, to scan the body of the
email for spam  
> means the message has already consumed your most
precious resource -  
> bandwidth.  So once the message has been transmitted, 
a gateway  
> should just dump it on and be done.  Some may think the
gateway needs  
> to be tuned to handle this simple cycle quickly to
handle bursts well.
> 
> Maia then scans the message, and either passes it
through, or  
> quarantines it in the database.   Maia's  performance
considerations  
> involve heavy CPU and memory requirements for the
spamassassin  
> scanning, and the IO and memory requirements for the
database.   The  
> exact balance of all this depends greatly on your own
load and  
> message rate.   If you have little load, there's no
reason to split  
> the scanning away from the gateways, but if the
gateways get loaded  
> down, it makes sense to offload the scanning to another
system.    
> However, this could also be accomplished just by adding
more gateway/ 
> filter systems in parallel.    It comes down to
personal preference  
> and experience.

I'll second this - we run maia for 15,000 users, and our
mail gateways get
about 20-30 million messages per month. It is absolutely
imperative that the
outer gateway do fast sanity checks e.g. recipient exists,
handshake is sane,
sending domain exists, ip address checks out, as well as
greylisting, to keep
the mailguard servers from melting down in a flood of
messages. We reject at
least half the messages right at the gateway for failing
sanity checks, before
passing on the possibly legitimate mail to mailguard for
spam/virus checking.

Joel
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users