[KLUG Members] Solved: Solaris, Sendmail, LDAP problem

Adam Bultman adamb at glaven.org
Fri Nov 10 15:30:13 EST 2006


Just an update for all of you who read, but didn't respond to my plea: 
I've solved my problem.

As I said before, we have postini for SOME users, but not all. That forces 
us to accept any spam for any other user on the domain, real or not (we 
still block invalid users).

So, sendmail-LDAP did a number of lookups on its own to determine a user, 
depending on whether the user is valid: it checks for the user in LDAP. 
If it's real, it does a grab of mailRoutingAddress, mailHost, and 
mailLocalAddress. If everything checks out, it delivers it locally, which 
requires more LDAP lookups (uid, gid, etc.).

So, for each piece of mail we accept, we're doing a minimum of one 
lookup, with a possible maximum of 6 or 7. It *appears*, on my test 
server, that adding additional search filters in the Solaris LDAP 
configuration files for uidNumber and gidNumber sped up searches for uids 
and gids (until I added the filters, it took a few seconds to translate a 
UID into a username). I tried adding indexes on uidNumber and gidNumber, 
but the increases in performance were minimal. Doing a file creation and 
file ownership of 28k names took two minutes longer without the additional 
indexes. *Listing* them got better results with the search filters 
configured for Solaris.

Assisting a great deal was a milter I found for sendmail called 
'milter-dnsrbl' (part of the mailutils package by Richard Gooch). You can 
see information on it here: http://www.atnf.csiro.au/people/rgooch/email/

milter-dnsrbl is a little C program that checks not only the connect IP, 
but the *relay* IP addresses as well (every other RBL milter I found 
checked only the connecting IP address). So, this allows us to block any 
spam during the SMTP conversation based on configurable blocklists - by 
default, ordb.org and spamcop.net.

The program has a few quirks - there's no whitelist, so you can't 
whitelist your own LAN (you have to add your own network to the "private 
IP addresses"), and Richard doesn't feel that whitelists are any good (but 
anybody who has more than one mail server probably wants to make sure they 
can send mail to each other). It also doesn't have any type of local 
cache, so for every piece of mail, it would appear you do a lookup in 
spamcop - and as a result, with too much mail the milter starts having some 
issues (I have it configured to send a 4xx and not a 5xx so the other end 
tries again).

I had two Suns handling mail previously, and they would get pounded (loads 
of 30) by mail. I took a sendmail config, put the milter on it, and it 
handled almost 90 percent of the load before it started pitching fits 
(milter timeouts, mostly). We configured it to take 80% of the incoming 
mail, and it did so with a load of 1.5. Obviously we quickly configured a 
second for redundancy, and put them at 50-50 - which is working 
wonderfully.

I have logtool set up on my syslog server, and I have spamcop blocks in 
brownish-yellow - and there's a constant stream of brownish-yellow text 
running across my terminal. We're probably accepting 30% of the mail we 
used to accept (we blocked 24k pieces of spam in about an 8-hour period, 
and a bunch of that time we weren't running totally on the miltered 
servers, so we were still accepting junk on the other machines), and 
load, queues, and all that are about a tenth of what they were without the 
milter.

If you have a setup like mine, where you have proxy hosts that don't 
filter for all users, milter-dnsrbl is a lifesaver. I can actually rest 
easy at night, knowing the pager won't go off.

Adam
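The check the post credits for the win, as an added example that is not part of the post and is not Richard Gooch's milter-dnsrbl code: query a DNSBL for the connecting IP *and* for every relay IP found in the Received: headers, skip "private" ranges instead of keeping a whitelist (the post's workaround of adding your own LAN to that list is modelled), and answer with a 4xx rather than a 5xx so the sender retries. Real DNS is replaced by an injected resolver so it runs offline; the zone names, the private-range list (including the assumed "other MX" range 192.0.2.0/24) and the sample headers are constructed for the example, not taken from the post.

```python
"""DNSBL check of the connecting IP and every relay IP in the Received:
headers, in the spirit of milter-dnsrbl.  Added example, not the milter's
own code; zone names, private ranges and sample data are assumptions."""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# Assumed DNSBL zone names: the post names ordb.org and spamcop.net as the
# defaults but does not give the exact zones used.
DNSBLS = ["bl.spamcop.net", "relays.ordb.org"]

# No whitelist, as in milter-dnsrbl: addresses in these ranges are never
# queried.  The post's workaround is to add your own networks here so your
# mail servers can still relay to each other (192.0.2.0/24 is an assumed
# example of such a range).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "192.0.2.0/24",
)]

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# name -> A record (or None if not listed); may raise TimeoutError
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL convention: 1.2.3.4 in zone bl.example -> 4.3.2.1.bl.example"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_private(ip: str) -> bool:
    """True for addresses we never look up (private ranges or garbage)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # e.g. 999.1.1.1 from a forged header: nothing to query
    return any(addr in net for net in PRIVATE_RANGES)


def relay_ips(headers: str) -> List[str]:
    """Bracketed IPs from Received: headers, newest hop first, after
    unfolding continuation lines (leading whitespace)."""
    unfolded: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    ips: List[str] = []
    for line in unfolded:
        if line.lower().startswith("received:"):
            ips.extend(_BRACKET_IP.findall(line))
    return ips


def check(connect_ip: str, headers: str, resolve: Resolver,
          zones=DNSBLS, reject_code: str = "451") -> Tuple[str, Optional[str]]:
    """Return (smtp_code, reason); "250" means accept.  A listing answers
    with reject_code (4xx by default, the post's choice, so the sender
    retries instead of bouncing); a lookup timeout is always a 451."""
    seen = set()
    for ip in [connect_ip] + relay_ips(headers):
        if ip in seen or is_private(ip):
            continue
        seen.add(ip)
        for zone in zones:
            try:
                answer = resolve(dnsbl_name(ip, zone))
            except TimeoutError:
                return ("451", f"DNSBL lookup for {ip} in {zone} timed out, try again later")
            # A listed address comes back as an A record in 127.0.0.0/8
            if answer is not None and answer.startswith("127."):
                return (reject_code, f"{ip} listed in {zone}")
    return ("250", None)


# Constructed sample: an upstream proxy host 203.0.113.7 hands us mail it
# took from 198.51.100.9, which got it from a LAN host.  Only checking the
# connecting IP would see the clean proxy and accept.
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [203.0.113.7])\n"
    "\tby gw.example.org with ESMTP; Fri, 10 Nov 2006 14:00:00 -0500\n"
    "Received: from spamhost.example (unknown [198.51.100.9])\n"
    "\tby mx.example.net with SMTP\n"
    "Received: from [192.168.1.20] by spamhost.example with SMTP\n"
    "From: someone@example.com\n"
)

# Constructed stand-in for DNS: exactly one name is listed.
_LISTED = {"9.100.51.198.bl.spamcop.net": "127.0.0.2"}


def demo_resolve(name: str) -> Optional[str]:
    return _LISTED.get(name)


def slow_resolve(name: str) -> Optional[str]:
    raise TimeoutError(name)  # models the overloaded-milter case


if __name__ == "__main__":
    print(check("203.0.113.7", SAMPLE_HEADERS, demo_resolve))
```

The `seen` set is the cheapest form of the local cache the post says the milter lacks; a real deployment would also memoise answers across messages with a TTL, since every lookup otherwise goes to the DNSBL.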

