From jhockin at newcapradio.com  Wed Apr 20 07:57:57 2011
From: jhockin at newcapradio.com (Jeremy Hockin)
Date: Wed, 20 Apr 2011 11:57:57 -0300
Subject: [SA-exim] synchronizing tuplets between multiple mtas
Message-ID: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>

I'm looking to deploy SA-exim with intelligent greylisting to one of my
mail environments that runs with 2 exim mtas screening and relaying mail
to a windows mail server on the same LAN.  They are using round robin
dns to "load balance" incoming and outgoing mail but this generates a
problem when using greylisting.  I am using sa-exim with greylisting in
another environment with a single mta and really quite pleased with it,
but the round robin dns makes this dangerous for the 2 box setup.  My
thought was using something like unison to keep the tuplet directories
synchronized in real time between the two exim boxes.  Does this sound
like a recipe for disaster or a proper method to accomplish this?  The
two exim boxes are on the same LAN and run identical exim configs.

Thanks

From marc at merlins.org  Wed Apr 20 08:43:10 2011
From: marc at merlins.org (Marc MERLIN)
Date: Wed, 20 Apr 2011 08:43:10 -0700
Subject: [SA-exim] synchronizing tuplets between multiple mtas
In-Reply-To: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>
References: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>
Message-ID: <20110420154310.GA14797@merlins.org>

On Wed, Apr 20, 2011 at 11:57:57AM -0300, Jeremy Hockin wrote:
> I'm looking to deploy SA-exim with intelligent greylisting to one of my
> mail environments that runs with 2 exim mtas screening and relaying mail
> to a windows mail server on the same LAN.  They are using round robin
> dns to "load balance" incoming and outgoing mail but this generates a
> problem when using greylisting.  I am using sa-exim with greylisting in
> another environment with a single mta and really quite pleased with it,
> but the round robin dns makes this dangerous for the 2 box setup.  My
> thought was using something like unison to keep the tuplet directories
> synchronized in real time between the two exim boxes.  Does this sound
> like a recipe for disaster or a proper method to accomplish this?  The
> two exim boxes are on the same LAN and run identical exim configs.

I would indeed use something like rsync or unison:
- you don't have to propagate deletes, so it's easy, each new file is
  copied on the other side.
- it's not a big deal if you overwrite one file with another one of the
  same name but slightly different data in case the same tuple was
  created independently on both sides.
- replication does not have to be instant: greylisting is supposed to
  tell sender to go away for a while, so you have up to one hour to
  replicate the missing tuples.

In other words, I haven't done this myself due to lack of need, but I
don't see this being a problem.

Also, if you only have 2 servers, you don't actually need to replicate:
you can just let the sending server try both your MXes and on the 3rd
time, if at least one hour has passed, it'll go through.

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/

From kk at verfaction.de  Thu Apr 21 06:12:12 2011
From: kk at verfaction.de (Kilian Krause)
Date: Thu, 21 Apr 2011 15:12:12 +0200
Subject: [SA-exim] synchronizing tuplets between multiple mtas
In-Reply-To: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>
References: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>
Message-ID: <1303391532.5433.4.camel@rusty.rus.uni-stuttgart.de>

Hi Jeremy,

On Wed, 2011-04-20 at 11:57 -0300, Jeremy Hockin wrote:
> I'm looking to deploy SA-exim with intelligent greylisting to one of
> my mail environments that runs with 2 exim mtas screening and relaying
> mail to a windows mail server on the same LAN.  They are using round
> robin dns to "load balance" incoming and outgoing mail but this
> generates a problem when using greylisting.  I am using sa-exim with
> greylisting in another environment with a single mta and really quite
> pleased with it, but the round robin dns makes this dangerous for the
> 2 box setup.  My thought was using something like unison to keep the
> tuplet directories synchronized in real time between the two exim
> boxes.  Does this sound like a recipe for disaster or a proper method
> to accomplish this?  The two exim boxes are on the same LAN and run
> identical exim configs.

if you have an NFS available in your LAN, why not use that as shared
storage?

-- 
Best regards,
Kilian

From marc at merlins.org  Thu Apr 21 07:20:50 2011
From: marc at merlins.org (Marc MERLIN)
Date: Thu, 21 Apr 2011 07:20:50 -0700
Subject: [SA-exim] synchronizing tuplets between multiple mtas
In-Reply-To: <1303391532.5433.4.camel@rusty.rus.uni-stuttgart.de>
References: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>
	<1303391532.5433.4.camel@rusty.rus.uni-stuttgart.de>
Message-ID: <20110421142050.GA29891@merlins.org>

On Thu, Apr 21, 2011 at 03:12:12PM +0200, Kilian Krause wrote:
> if you have an NFS available in your LAN, why not use that as shared
> storage?

I think most folks don't like to have NFS on their DMZ, or on internet
facing servers :)

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/

From kk at verfaction.de  Thu Apr 21 07:35:03 2011
From: kk at verfaction.de (Kilian Krause)
Date: Thu, 21 Apr 2011 16:35:03 +0200
Subject: [SA-exim] synchronizing tuplets between multiple mtas
In-Reply-To: <20110421142050.GA29891@merlins.org>
References: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>
	<1303391532.5433.4.camel@rusty.rus.uni-stuttgart.de>
	<20110421142050.GA29891@merlins.org>
Message-ID: <1303396503.5433.10.camel@rusty.rus.uni-stuttgart.de>

Marc,

On Thu, 2011-04-21 at 07:20 -0700, Marc MERLIN wrote:
> On Thu, Apr 21, 2011 at 03:12:12PM +0200, Kilian Krause wrote:
> > if you have an NFS available in your LAN, why not use that as shared
> > storage?
>
> I think most folks don't like to have NFS on their DMZ, or on internet
> facing servers :)

I was just making the point you *could* use a shared storage in case you
would be having one. There was no mentioning of having it face the
internet (or even having it routed beyond the LAN in any way). My idea
was just to contrast the idea of actively syncing the files with
something that would be doing this by design already (like an FC LUN
using a cluster filesystem or NFS). Moreover you would of course want
proper firewalling in place anyway.

IMHO pulling out the storage to another (implicitly linked) layer will
reduce the likelihood of introducing more problems than you're trying to
solve - given that you would already be having one readily available. If
you're just talking an empty DMZ with these two servers then *only for
the greylisting* rsync may be a good idea.

-- 
Best regards,
Kilian

From jhockin at newcapradio.com  Thu Apr 21 07:43:57 2011
From: jhockin at newcapradio.com (Jeremy Hockin)
Date: Thu, 21 Apr 2011 11:43:57 -0300
Subject: [SA-exim] synchronizing tuplets between multiple mtas
In-Reply-To: <1303396503.5433.10.camel@rusty.rus.uni-stuttgart.de>
References: <2EEB37F71F42394E82F37D5EBE8FDEC103035BD1@NCCEXCHANGE.ncc.loc>
	<1303391532.5433.4.camel@rusty.rus.uni-stuttgart.de>
	<20110421142050.GA29891@merlins.org>
	<1303396503.5433.10.camel@rusty.rus.uni-stuttgart.de>
Message-ID: <2EEB37F71F42394E82F37D5EBE8FDEC103035DE5@NCCEXCHANGE.ncc.loc>

Thanks for all the input you guys.  I do only have 2 mtas here running
greylisting, so for the moment I'm going to not synchronize the tuplets
until I give it a few days and see how many legitimate emails get lost
in the ether.  Then I think I will make an attempt with the cron job and
rsync.

-----Original Message-----
From: Kilian Krause [mailto:kk at verfaction.de]
Sent: Thursday, April 21, 2011 11:35 AM
To: sa-exim at lists.merlins.org
Cc: Jeremy Hockin; sa-exim at lists.merlins.org
Subject: Re: [SA-exim] synchronizing tuplets between multiple mtas

Marc,

On Thu, 2011-04-21 at 07:20 -0700, Marc MERLIN wrote:
> On Thu, Apr 21, 2011 at 03:12:12PM +0200, Kilian Krause wrote:
> > if you have an NFS available in your LAN, why not use that as shared
> > storage?
>
> I think most folks don't like to have NFS on their DMZ, or on internet
> facing servers :)

I was just making the point you *could* use a shared storage in case you
would be having one. There was no mentioning of having it face the
internet (or even having it routed beyond the LAN in any way). My idea
was just to contrast the idea of actively syncing the files with
something that would be doing this by design already (like an FC LUN
using a cluster filesystem or NFS). Moreover you would of course want
proper firewalling in place anyway.

IMHO pulling out the storage to another (implicitly linked) layer will
reduce the likelihood of introducing more problems than you're trying to
solve - given that you would already be having one readily available. If
you're just talking an empty DMZ with these two servers then *only for
the greylisting* rsync may be a good idea.

-- 
Best regards,
Kilian
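
[Added example, not part of the archived thread and not SA-exim code.] The
trade-off discussed above, two round-robin MTAs with and without add-only
tuple replication, as a small simulation. The model is an assumption: a tuple
is (sender IP, envelope from, envelope to), each MTA defers it until it has
known it for one hour, and attempts strictly alternate between the two hosts.
The retry schedules and addresses are constructed.

```python
# Added illustration, not from the thread. Simplified model (assumption): an
# MTA defers a tuple until it has known that tuple for DELAY seconds.
DELAY = 3600  # the one-hour window mentioned in the thread


class Mta:
    def __init__(self):
        self.first_seen = {}  # tuple -> time this MTA first saw it

    def receive(self, tup, now):
        """Record the tuple; return True to accept, False to defer (4xx)."""
        return now - self.first_seen.setdefault(tup, now) >= DELAY


def sync(a, b):
    """Add-only merge both ways: copy missing tuples, never delete or overwrite."""
    for src, dst in ((a, b), (b, a)):
        for tup, ts in src.first_seen.items():
            dst.first_seen.setdefault(tup, ts)


def deliver(retry_times, sync_every=None):
    """Return (attempt number, time) of the first accepted attempt, or None.

    Attempts alternate strictly between the two MTAs, the worst case for
    round-robin DNS. sync_every is the replication interval in seconds.
    """
    mtas = [Mta(), Mta()]
    tup = ("192.0.2.10", "sender@example.org", "user@example.net")  # constructed
    prev = 0
    for n, now in enumerate(retry_times, start=1):
        # Run the periodic sync if an interval boundary passed since last attempt.
        if sync_every and now // sync_every > prev // sync_every:
            sync(*mtas)
        if mtas[(n - 1) % 2].receive(tup, now):
            return n, now
        prev = now
    return None


if __name__ == "__main__":
    patient = [0, 900, 1800, 3600, 5400, 7200]   # constructed retry schedule
    print(deliver([0, 1800, 3600]))              # two MXes, no sync
    print(deliver(patient))                      # no sync
    print(deliver(patient, sync_every=300))      # sync every 5 minutes
    print(deliver([0, 3600]))                    # sender that retries only once
    print(deliver([0, 3600], sync_every=300))
```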