Re: [exim] how 2 split exim load across two servers, and sti…

Etusivu
Poista viesti
Vastaa
Lähettäjä: Graeme Fowler
Päiväys:  
Vastaanottaja: exim-users
Aihe: Re: [exim] how 2 split exim load across two servers, and stillnotify the sending server of rejects?
On Fri, 2007-06-08 at 08:26 -0700, snowcrash+exim-users wrote:
> hm, ok re: the DENYs ...
>
> i'm not clear, though, as to why i would/might generate bounces, and
> more than normal, i presume.
>
> is this 2-box config, with one Gateway "front-ending" one/many other
> servers a fairly common implementation scenario?


Yes, it is. It's also a well-documented way to generate backscatter,
assuming that the "edge" Exim instance doesn't have full knowledge of
the valid recipients of the "core" Exim. The fact that you are running
Exim in the first place makes this less likely, as you can share
userlists trivially (or "on demand" with recipient verification callouts
from your "edge" server to the "core" server).

> mostly, yes. AND, an attempt to let the router/fw box do its job and
> keep as much 'noise' off my LAN as possible. once an inbound email
> passed all the non-content-scanning filters & incremental delays @ the
> gateway, it' odds of being rejected "just" on virus/spam content would
> be significantly lower -- not zero, i know.


As long as you have consistent configuration on each machine, the
likelihood of an AV/AS hit on the "core" machine is zero.

> i'd considered this, but decided against because i thought i'd be
> significantly increasing network/lan traffic due to "multiple passes"
> of the offloaded message.
>
> e.g., for an "ok" message, the message would pass back-n-forth to the
> LAN-server/scanner *5* times,
>
>   gateway         -> lan AV scanner
>   lan AV scanner  -> gateway
>   gateway         -> SA scanner
>   SA scanner      -> gateway
>   gateway         -> IMAP store

>
> which _seems_ to me a 'bad' way to do things.


...and is also not correct.

The reality would be:
Data          Flow           Type
Message       edge -> core   AV scan
Result        core -> edge   Hit/Not hit
Message       edge -> core   SA Scan
Result        core -> edge   SA report
Message       edge -> core   Message delivery


Note that the "Result" data is far smaller, in most cases, than the
message itself; and that the first pass will only take place for
messages with MIME parts of an appropriate type anyway (the malware
condition is quite choosy, as it should be).

> am i just better off avoiding the gateway altogether, and passing the
> message to the lan-based server in the first place? if so, that seems
> counterintuitive ...


Nope.

Make sure your gateway has knowledge in some way of the valid recipients
on your lan-based server, as previously mentioned. Run ClamAV on both
machines (this way you will catch *outbound* virus infections, too), but
SA on only one and call it accordingly from the gateway.

To reduce the load further, make use of Exim's ability to reject based
on avrious other criteria. I have a number of machines at my fingertips
which use fairly complex tests, but the first one - which is the most
effective - is a logic test to check the incoming IP against three DNS
blocklists, and reject the connection if 2 or more are hit. That stops
your AV/AS being triggered in the first place.

Graeme