[KLUG Members] Solved: Solaris, Sendmail, LDAP problem
Adam Bultman
adamb at glaven.org
Fri Nov 10 15:30:13 EST 2006
Just an update for all of you who read, but didn't respond to my plea:
I've solved my problem.
As I said before, we have postini for SOME users, but not all. That forces
us to accept any spam for any other user on the domain, real or not (we
still block invalid users.)
So, sendmail-LDAP did a number of lookups on its own to determine a user,
depending on whether the user is valid. It checks for the user in LDAP.
If it's real, it does a grab of mailRoutingAddress, mailHost, and
mailLocalAddress. If everything checks out, it delivers it locally, which
requires more LDAP lookups (uid, gid, etc).
So, for each piece of mail we accept, we're doing a minimum of one
lookup, with a possible maximum of 6 or 7. It *appears*, on my test
server, that adding additional search filters in the Solaris LDAP
configuration files for uidNumber and gidNumber sped up searches for uids
and gids (until I added the filters, it took a few seconds to translate a
UID into a username). I tried adding indexes on uidNumber and gidNumber,
but the increases in performance were minimal. Doing a file creation and
file ownership of 28k names took two minutes longer without the additional
indexes. *Listing* them got better results with the search filters
configured for Solaris.
Assisting a great deal was a milter I found for sendmail called
'milter-dnsrbl' (part of the mailutils package by Richard Gooch). You can
see information on it here: http://www.atnf.csiro.au/people/rgooch/email/
milter-dnsrbl is a little C program that checks not only the connect IP,
but the *relay* IP addresses as well (Every other RBL milter I found
checked only the connecting IP address). So, this allows us to block any
spam during the SMTP conversation based on configurable blocklists - by
default, ordb.org and spamcop.net .
The program has a few quirks - there's no whitelist, so you can't
whitelist your own lan (You have to add your own network to the "private
IP addresses"), and Richard doesn't feel that whitelists are any good (but
anybody who has more than one mail server probably wants to make sure they
can send mail to each other.) It also doesn't have any type of local
cache, so for every piece of mail, it would appear you do a lookup in
spamcop - and as a result, too much mail and the milter starts having some
issues (I have it configured to send a 4xx and not a 5xx so the other end
tries again.)
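To make the mechanism concrete, here is an added example (not Richard Gooch's milter-dnsrbl code, and not part of the original post) of the DNSBL check as described above: each address is reversed into a query name under a blocklist zone, an A record means "listed", private ranges are skipped because there is no separate whitelist, and a listing produces a 4xx tempfail rather than a 5xx. It also adds the small local cache the post says the milter lacks. All names (DnsblChecker, dnsbl_query_name, relay_ips_from_received) and the zone names are hypothetical; the resolver is injected so the example runs offline against constructed data, and pulling relay addresses out of Received: headers is an assumption about how the relay chain is recovered.

```python
import ipaddress
import re
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed zone names for the example; the post's defaults (ordb.org and
# spamcop.net) are not queried here.
ZONES = ("dnsbl.example", "dnsbl2.example")

# Ranges never queried. milter-dnsrbl has no whitelist, so (as the post notes)
# your own mail servers' networks go in this list too. Hypothetical values.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Resolver = Callable[[str], Optional[str]]   # name -> A record text, or None if NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the dotted quad and append the zone.
    1.2.3.4 checked against dnsbl.example becomes 4.3.2.1.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)            # raises on garbage or IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips_from_received(headers: Iterable[str]) -> List[str]:
    """Pull bracketed IPv4 addresses out of Received: headers (assumption:
    this is how the relay chain is recovered; the real milter may differ)."""
    ips: List[str] = []
    for h in headers:
        if h.lower().startswith("received:"):
            ips.extend(_RECEIVED_IP.findall(h))
    return ips


class DnsblChecker:
    def __init__(self, resolve: Resolver, zones=ZONES, ttl: float = 3600.0,
                 clock: Callable[[], float] = time.time):
        self.resolve, self.zones, self.ttl, self.clock = resolve, zones, ttl, clock
        # The local cache the milter lacks: one DNS query per name per TTL.
        self.cache: Dict[str, Tuple[Optional[str], float]] = {}

    def _lookup(self, name: str) -> Optional[str]:
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]
        try:
            answer = self.resolve(name)
        except Exception:       # resolver timeout: treat as not listed, do not cache
            return None
        self.cache[name] = (answer, now + self.ttl)
        return answer

    def listed_in(self, ip: str) -> Optional[str]:
        """Return the first zone listing this IP, or None (private ranges skipped)."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4 or any(addr in net for net in SKIP_NETS):
            return None
        for zone in self.zones:
            if self._lookup(dnsbl_query_name(ip, zone)) is not None:
                return zone
        return None

    def verdict(self, connect_ip: str, received_headers: Iterable[str]) -> Tuple[int, str]:
        """SMTP reply for the connection. A 4xx tempfail (as the post configures
        it) makes a legitimate sender retry instead of bouncing the mail."""
        for ip in [connect_ip, *relay_ips_from_received(received_headers)]:
            zone = self.listed_in(ip)
            if zone is not None:
                return 450, f"4.7.1 {ip} is listed in {zone}; try again later"
        return 250, "2.0.0 OK"


# Constructed stand-in for DNS: only 1.2.3.4 is listed, in dnsbl.example.
FAKE_DNS = {"4.3.2.1.dnsbl.example": "127.0.0.2"}
CALLS: List[str] = []          # records every resolver query, to show the cache working


def fake_resolve(name: str) -> Optional[str]:
    CALLS.append(name)
    return FAKE_DNS.get(name)


SAMPLE_HEADERS = [             # constructed headers: an internal hop, then a listed relay
    "Received: from mx.example.net (mx.example.net [192.168.1.20]) by ...",
    "Received: from unknown (HELO bogus) [1.2.3.4] by mx.example.net ...",
    "Subject: hello",
]

if __name__ == "__main__":
    checker = DnsblChecker(fake_resolve)
    print(checker.verdict("192.168.1.20", SAMPLE_HEADERS))   # the relay 1.2.3.4 gets it tempfailed
    print(checker.verdict("203.0.113.7", ["Subject: x"]))    # nothing listed: accepted
```

The connecting host in the sample is on a private range and is skipped, so the verdict comes entirely from the relay address found in the second Received: header, which is the case the post describes other RBL milters missing. Treating a resolver exception as "not listed" without caching keeps a slow blocklist from wedging the whole conversation, which is the milter-timeout failure the post mentions.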
I had two Suns handling mail previously, and they would get pounded (loads
of 30) by mail. I took a sendmail config, put the milter on it, and it
handled almost 90 percent of the load before it started pitching fits
(milter timeouts, mostly.) We configured it to take 80% of the incoming
mail, and it did so with a load of 1.5. Obviously we quickly configured a
second for redundancy, and put them at 50-50 - which is working
wonderfully.
I have logtool set up on my syslog server, and I have spamcop blocks in
brownish-yellow - and there's a constant stream of brownish-yellow text
running across my terminal - we're probably accepting 30% (We blocked 24k
pieces of spam in about an 8 hour period, and bunch of that time, we
weren't running totally on the miltered servers - so we were still
accepting junk on the other machines) of the mail we used to accept - and
load, queues, and all that are about a tenth of what they were without the
milter.
If you have a setup like mine - where you have proxy hosts that don't
filter for all users, - milter-dnsrbl is a lifesaver. I can actually rest
easy at night, knowing the pager won't go off.
Adam