[isp-dns] Re: Concerns about high Load
> There's a quite highly used webmail interface on the mail storage server (Mirapoint). This uses the local smtpd to deliver.

well, that's web-app-to-SMTP-to-LDA, resolved from system or virtual accounts, fast and easy.

> Although we have thought about setting the smarthost to be the gateway server. Also even though the external gateway will be doing most of the work the smtpd on the storage server will still have to do local deliveries to mailboxes.

of course, but that's not over SMTP, that's over the Local Delivery Agent. But I thought you wanted to migrate all that plumbing overhead from the mailbox server to the MX gateway? That's how to really free up and better protect your mailbox server.

> We have already got Mailscanner working with Sophos, spamassassin and RBL checking. But thanks for the tip I will have a look.
>
> > Look at IMGate.MEIway.com for your anti-abuse SMTP proxy. pre-configured, proven, and free.

> Is it, do you have a URL which shows statistics and benchmarks as a comparison between the 2.

no, but I've seen numbers in the bind user's list where bind8 was 30% to 40% faster than BIND9. ask on the bind list. As I said, I'm certain you aren't serving 1000's of queries/second, so BIND9 is fine.

> Besides we are using views from Bind9.

an anti-abuse MX, at least as IMGate does it, is a voracious consumer of DNS, so having a c-o DNS on the MX gateway is advisable.

> We have 3 authoritative nameservers on our network which do most external query responses, this would only be a fall back for root server delegation. No machines have this box set as their resolver (apart from the gateway itself.)
>
> > Put BIND on the MX gateway as caching only NS.

> What a good guess =] That's exactly what it is using. 2x ATA100 40gb IBMs in a software mirrored RAID config.

well, find some pennies for a Promise TX2 or TX2000. If you're worried about throughput, software RAID, any OS, is a good way to validate your worries.

> Also in answer to the next question (see next thread) the gateway IS the firewall.

hmm, not very advisable. The firewall, for simplicity/security, ought to do the firewall, routing, PAT/NATting, but not SMTP proxy, not DNS, not AV, not HTTP.

> The mailstore is on a NAT'd private address range and this box port forwards the non-local services (e.g. pop3, imap, webmail, etc)...

and SMTP

> So to round up this box will be...
> a MTA for 5000 users

the MX?

> Virus scanning/Spam filtering for those 5000 users, Firewall/masq server for internal mailstore...

iow, the latter is the mailbox server with SMTP, pop, and webmail services. I'd go with

> authoritative NS as well as resolver for demanding sendmail config.

Sorry about lack of clarity the first time around.

1. edge firewall with only public ip routing and packet filtering, not NAT/PAT.
2. behind which is a DMZ on a public subnet containing
   a. the MX machine with anti-mail abuse stuff, and a c-o DNS. This DNS would also act as resolver for the private network. the DNS should allow-query only for the DMZ and outside ip of the inner firewall.
   b. public web server
   c. a delegated-only DNS, ie, no recursion.
3. inner firewall doing PAT/NAT, and packet filtering. the private net would contain
   a. mailbox server, with port 25 access blocked by the outer firewall, and which relays all outbound to the MX box in the DMZ.
   b. perhaps a caching-only DNS to support the private net, and which forwards to the DNS in the DMZ. But the workstations could use the DMZ DNS as their nameserver.

The above "DNS forwarding architecture" avoids the complexity of split DNS, forward and reverse. And it certainly makes hardening the classic double-walled firewalling simpler because the inner and outer filtering boxes are running no apps or services beyond the minimum.

Len
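The DMZ DNS layout Len lays out, as an added BIND9 configuration sketch that is not from the thread: the caching-only resolver on the MX box answering only the DMZ and the inner firewall's outside address, the delegated-only server with recursion off, and the optional private-net forwarder. The addresses and the zone name are assumed placeholders.

```conf
// Added example, not from the thread: BIND9 named.conf fragments for the
// DMZ layout above, one fragment per server. All addresses are placeholders:
// 203.0.113.0/28 is the DMZ subnet, 203.0.113.30 the outside address of the
// inner firewall, 203.0.113.2 the MX box, 10.0.0.0/8 the private net.

// --- (2a) caching-only resolver on the MX gateway ---
acl "dmz-clients" {
    203.0.113.0/28;      // DMZ hosts: MX, web server, authoritative NS
    203.0.113.30/32;     // inner firewall's outside ip (the NATted private net)
    localhost;
};
options {
    directory "/var/named";
    recursion yes;                       // it is a resolver ...
    allow-query     { "dmz-clients"; };  // ... for the DMZ and inner firewall only
    allow-recursion { "dmz-clients"; };
    allow-transfer  { none; };           // no zones to hand out
};
zone "." { type hint; file "named.ca"; }; // root hints only, nothing authoritative

// --- (2c) delegated-only DNS in the DMZ: authoritative, no recursion ---
options {
    directory "/var/named";
    recursion no;                        // refuses to resolve for anyone
    allow-query    { any; };             // the world may ask about our zones
    allow-transfer { 203.0.113.0/28; };  // placeholder: secondaries in the DMZ only
};
zone "example.net" { type master; file "example.net.zone"; }; // placeholder zone

// --- (3b) optional caching-only DNS on the private net ---
options {
    directory "/var/named";
    recursion yes;
    allow-query  { 10.0.0.0/8; localhost; };
    forwarders   { 203.0.113.2; };       // the MX box's caching-only resolver
    forward only;                        // never walks the roots itself
};
```

The two DMZ fragments are what give the "no split DNS" property: recursion lives only on the resolver that the outer firewall never exposes, and the public authoritative server answers nothing it does not own.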