Dealing with MailScanner overloads {Scanned by HJMS}

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Mon Sep 15 19:41:13 IST 2003


> -----Original Message-----
> From: Antony Stone [mailto:Antony at SOFT-SOLUTIONS.CO.UK]
> Sent: Monday, September 15, 2003 1:03 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Dealing with MailScanner overloads {Scanned by HJMS}
>
> On Monday 15 September 2003 6:55 pm, Clas Net Newsletter wrote:
> > Just so we don't re-invent the wheel, you can throttle
> > using tcp wrappers
>
> I would not run tcpwrappers for email service on a reasonably
> loaded server -
> it introduces far too much latency for each email coming in,

I wonder what you mean by latency - if you mean the delay that occurs when
the remote MTA connects to yours and gets no response, that's easily dealt
with by rejecting the connection instead of "dropping" it.  I'm still
thinking in terms of iptables though - it's been a long time since I used
the separate tcp wrappers package, so I'm not sure whether it rejects or
ignores connections.  When the connection is rejected, sendmail immediately
goes to the next MX.

Even with just dropping the connection, sendmail's default timeout seems to
be 1 minute, after which it immediately tries a different MX.

> So many remote systems don't respond to Ident requests these days that
> it's hardly worth bothering sending them out, and they do add a
> significant delay when they get blocked and have to time out.

So tcp wrappers does an ident lookup on originating servers?  That would be
annoying.  I always assumed it was just sendmail doing that, which is why I
explicitly reject ident with the following iptables statements (from a FAQ
somewhere):
    # reject ident (TCP 113) with a RST so the remote side gives up immediately
    iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
    # reject ident over UDP with an ICMP error (the default for -j REJECT)
    iptables -A INPUT -p udp -m udp --dport 113 -j REJECT
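Added example, not from the list post or from the MailScanner project: a small Python script that makes the reject-versus-drop difference measurable. It times an RFC 1413 ident query against three loopback "ident servers" that the script constructs itself: a port with no listener (connects get a TCP RST, as with REJECT --reject-with tcp-reset), a listener that accepts but never answers (the client sits there until its own timeout, as it does against a DROPped port), and a minimal responder that hides the user the way a real identd configured to do so would. Port numbers, the 0.5 s timeout and the "HIDDEN-USER" reply are assumptions chosen for the example; real MTA and tcpwrappers ident timeouts are longer.

```python
import socket
import threading
import time

# Added example, not code from the list post. All three "ident servers" are
# constructed locally on 127.0.0.1 so the script runs offline.

IDENT_TIMEOUT = 0.5   # seconds; an assumption, real MTA ident timeouts are longer


def unused_port():
    """Return a loopback port with no listener, so connects get a TCP RST (REJECT)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_silent_listener():
    """Accept connections but never answer, approximating a DROPped ident port
    as seen by the client: it waits until its own timeout fires."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []            # keep accepted sockets open so no FIN is ever sent

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def start_answering_listener():
    """Minimal RFC 1413 responder that hides the user, like a real identd can."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                req = conn.recv(512).decode(errors="replace").strip()
                conn.sendall(f"{req} : ERROR : HIDDEN-USER\r\n".encode())

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def ident_query(host, port, server_port, client_port, timeout=IDENT_TIMEOUT):
    """Send one ident request "<server-port>, <client-port>" and time it.
    Returns (reply_or_None, elapsed_seconds, status)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{server_port}, {client_port}\r\n".encode())
            reply = s.recv(512).decode(errors="replace").strip()
            return reply, time.monotonic() - start, "answered"
    except ConnectionRefusedError:
        # REJECT case: the RST arrives at once, no waiting
        return None, time.monotonic() - start, "refused"
    except socket.timeout:
        # DROP case: nothing comes back, the full timeout is spent
        return None, time.monotonic() - start, "timeout"


if __name__ == "__main__":
    cases = {
        "refused (REJECT)": unused_port(),
        "dropped (DROP)": start_silent_listener(),
        "answered": start_answering_listener(),
    }
    for label, port in cases.items():
        reply, elapsed, status = ident_query("127.0.0.1", port, 25, 40000)
        print(f"{label:18} status={status:8} elapsed={elapsed:.3f}s reply={reply!r}")
```

Run it and the refused case returns in well under a millisecond while the dropped case spends the whole timeout; scale that by every inbound SMTP connection on a busy relay and the latency the quoted message complains about is the sum of those timeouts, which is why a RST reject on port 113 (or not looking up ident at all) costs so much less than a silent drop.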
