Discussion:
[SA-exim] synchronizing tuplets between multiple mtas
Jeremy Hockin
2011-04-20 14:57:57 UTC
I'm looking to deploy SA-exim with intelligent greylisting to one of my
mail environments that runs with 2 exim mtas screening and relaying mail
to a windows mail server on the same LAN. They are using round robin
dns to "load balance" incoming and outgoing mail but this generates a
problem when using greylisting. I am using sa-exim with greylisting in
another environment with a single mta and really quite pleased with it,
but the round robin dns makes this dangerous for the 2 box setup. My
thought was using something like unison to keep the tuplet directories
synchronized in real time between the two exim boxes. Does this sound
like a recipe for disaster or a proper method to accomplish this? The
two exim boxes are on the same LAN and run identical exim configs.



Thanks
Marc MERLIN
2011-04-20 15:43:10 UTC
Post by Jeremy Hockin
I'm looking to deploy SA-exim with intelligent greylisting to one of my
mail environments that runs with 2 exim mtas screening and relaying mail
to a windows mail server on the same LAN. They are using round robin
dns to "load balance" incoming and outgoing mail but this generates a
problem when using greylisting. I am using sa-exim with greylisting in
another environment with a single mta and really quite pleased with it,
but the round robin dns makes this dangerous for the 2 box setup. My
thought was using something like unison to keep the tuplet directories
synchronized in real time between the two exim boxes. Does this sound
like a recipe for disaster or a proper method to accomplish this? The
two exim boxes are on the same LAN and run identical exim configs.
I would indeed use something like rsync or unison:
- you don't have to propagate deletes, so it's easy, each new file is copied
on the other side.
- it's not a big deal if you overwrite one file with another one of the same
name but slightly different data in case the same tuple was created
independently on both sides.
- replication does not have to be instant: greylisting is supposed to tell
the sender to go away for a while, so you have up to one hour to replicate
the missing tuples.

In other words, I haven't done this myself due to lack of need, but I don't
see this being a problem.

Also, if you only have 2 servers, you don't actually need to replicate: you
can just let the sending server try both your MXes and on the 3rd time, if
at least one hour has passed, it'll go through.

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Kilian Krause
2011-04-21 13:12:12 UTC
Hi Jeremy,
Post by Jeremy Hockin
I'm looking to deploy SA-exim with intelligent greylisting to one of
my mail environments that runs with 2 exim mtas screening and relaying
mail to a windows mail server on the same LAN. They are using round
robin dns to "load balance" incoming and outgoing mail but this
generates a problem when using greylisting. I am using sa-exim with
greylisting in another environment with a single mta and really quite
pleased with it, but the round robin dns makes this dangerous for the
2 box setup. My thought was using something like unison to keep the
tuplet directories synchronized in real time between the two exim
boxes. Does this sound like a recipe for disaster or a proper method
to accomplish this? The two exim boxes are on the same LAN and run
identical exim configs.
if you have an NFS available in your LAN, why not use that as shared
storage?
--
Best regards,
Kilian
Marc MERLIN
2011-04-21 14:20:50 UTC
Post by Kilian Krause
if you have an NFS available in your LAN, why not use that as shared
storage?
I think most folks don't like to have NFS on their DMZ, or on internet
facing servers :)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Kilian Krause
2011-04-21 14:35:03 UTC
Marc,
Post by Marc MERLIN
Post by Kilian Krause
if you have an NFS available in your LAN, why not use that as shared
storage?
I think most folks don't like to have NFS on their DMZ, or on internet
facing servers :)
I was just making the point you *could* use a shared storage in case you
would be having one. There was no mention of having it face the
internet (or even having it routed beyond the LAN in any way). My idea
was just to contrast the idea of actively syncing the files with
something that would be doing this by design already (like an FC LUN
using a cluster filesystem or NFS). Moreover you would of course want
proper firewalling in place anyway.

IMHO pulling out the storage to another (implicitly linked) layer will
reduce the likelihood of introducing more problems than you're trying to
solve - given that you would already be having one readily available.

If you're just talking about an empty DMZ with these two servers then *only
for the greylisting* rsync may be a good idea.
--
Best regards,
Kilian
Jeremy Hockin
2011-04-21 14:43:57 UTC
Thanks for all the input you guys. I do only have 2 mtas here running greylisting, so for the moment I'm going to not synchronize the tuplets until I give it a few days and see how many legitimate emails get lost in the ether. Then I think I will make an attempt with the cron job and rsync.


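An added example, not code from the thread or from SA-exim, of the merge Marc describes and the cron-plus-rsync plan Jeremy settles on: a small sh script that copies to the peer every tuplet it lacks, never deletes and never overwrites, so a tuplet created independently on both boxes keeps whichever copy is local. The tuplet path and the rsync flags are assumptions of mine, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread or from SA-exim: a one-way
# "copy what the peer lacks" merge of a greylist tuplet tree with the
# properties Marc relies on: no deletes are propagated and an existing
# file is never overwritten, so a tuplet created independently on both
# boxes keeps whichever copy is local. Timestamps are preserved (cp -p)
# so nothing derived from them changes on the copy.
# The local-directory version uses only find/cp so it can be dry-run on
# one machine; sync_with_peer is the equivalent rsync between two hosts.
# TUPLET_DIR is an assumed path; use the one your sa-exim config names.
TUPLET_DIR=${TUPLET_DIR:-/var/spool/sa-exim/tuplets}

# merge_tuplets SRC DST: copy every regular file under SRC that DST does
# not already have. Prints the number of files copied.
merge_tuplets() {
    src=$1
    dst=$2
    (cd "$src" && find . -type f) | sed 's|^\./||' | {
        n=0
        while IFS= read -r rel; do
            if [ ! -e "$dst/$rel" ]; then
                mkdir -p "$dst/$(dirname "$rel")"
                cp -p "$src/$rel" "$dst/$rel"
                n=$((n + 1))
            fi
        done
        echo "$n"
    }
}

# two_way_merge A B: both directions, which is what each box's cron job
# ends up doing against its peer within a few minutes of each other.
two_way_merge() {
    merge_tuplets "$1" "$2" >/dev/null
    merge_tuplets "$2" "$1" >/dev/null
}

# sync_with_peer PEERHOST: the real two-host form for a cron entry.
# --ignore-existing gives the same never-overwrite rule; no --delete, so
# tuplets expired locally are not removed on the peer.
sync_with_peer() {
    rsync -a --ignore-existing "$TUPLET_DIR/" "$1:$TUPLET_DIR/"
}
```

One consequence of never propagating deletes: a tuplet expired on one box is copied back from the peer on the next run until the peer has expired it too, which is harmless for greylisting but worth knowing when you look at the spool.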
