
Running Two Mail Servers? (Snow Leopard Server)
l008com (Addicted to MacNN; Join Date: Jan 2000; Location: Stoneham, MA, USA)
Aug 1, 2015, 03:57 AM

Heeeeey. So I'm running Snow Leopard Server on my primary server that lives in a data center. I'm running the mail server that comes with OS X Server, and controlled by Server Admin.app.

I've been getting TONS of spam lately. I know that this version of postfix (I think it's postfix?) has the option to do greylisting. And when I do greylisting, it works at preventing most and nearly all of my spam. HOWEVER, just by virtue of the way greylisting works, it can cause significant slow-downs in legit email, particularly mail from large multi-server providers like GMAIL.

So what I clearly need is to FINALLY put those SPF records to good use, and enable greylisting, but only for incoming email that fails SPF check, or that has no SPF records. Or to put it another way, greylist all mail, but allow a bypass for mail that successfully passes an SPF record check.

Well, I don't think my mail server can do this. Not without a lot of work that some random security update could easily undo (it's not impossible that there could be another update, even on this older OS). So then it got me thinking...

What if I set up a second mailserver running right on the same machine? I could set up the old mailserver to listen on port 26 instead of 25 (in addition to 587), and the new server could listen on 25. It could do the spf/greylisting, and then all mail it accepts, it could just relay to the "real" mailserver. The real mailserver could be configured to whitelist its own host, so all mail from the greylist server should come in no problem.

Does this sound like a workable plan? Am I missing any logical problems in this process? I guess I would have to add my realtime blacklists to the new server too, not the 'real' server, for them to work effectively. What do you think?
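The "greylist everything except SPF-pass" rule the post asks for is exactly what a Postfix SMTPD access-policy service can express: Postfix hands the policy daemon the connecting IP, envelope sender, recipient and HELO name, and the daemon answers with an action. The block below is an added example written for this thread, not the poster's configuration and not Postfix or postgrey code. It assumes a constructed SPF_RECORDS table standing in for DNS TXT lookups, a 300-second greylist window, and a listening port of 10033; the SPF evaluator only implements ip4:, include: and the all term, which is enough to show the decision logic but not a replacement for a real SPF library.

```python
# Postfix SMTPD policy service: greylist unless the client IP passes SPF
# for the envelope-sender domain. Added example for the thread, not from
# Postfix. SPF_RECORDS, the delay and the port are constructed assumptions.
import ipaddress
import socketserver
import time

# Constructed stand-in for DNS TXT lookups; a real daemon would resolve
# these via DNS instead of reading a dict.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.10 ~all",
}
GREYLIST_DELAY = 300                       # seconds a new triple must wait (assumed)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Tiny SPF evaluator (ip4: with CIDR, include:, *all). Returns
    pass/fail/softfail/neutral/none/permerror, the RFC 7208 result names."""
    if depth > 10:                         # RFC 7208 include recursion limit
        return "permerror"
    record = records.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], client_ip, records, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                       # a:, mx:, exists: ... not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no *all term


class Greylist:
    """In-memory greylist keyed on (client /24 or /64, sender, recipient):
    the coarse client key lets a provider's sibling host complete the retry."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(attrs["client_address"])
        net = ipaddress.ip_interface("%s/%d" % (ip, 24 if ip.version == 4 else 64)).network
        key = (str(net), attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "DEFER_IF_PERMIT Greylisted, please retry later"
        return "DUNNO"


def parse_policy_request(blob):
    """Postfix sends name=value lines terminated by an empty line."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(attrs, greylist, now=None):
    """SPF pass bypasses greylisting; fail, softfail, neutral and none are greylisted."""
    if "client_address" not in attrs:
        return "DUNNO"                     # malformed request: let other restrictions decide
    sender = attrs.get("sender", "")
    # Null sender (bounces): SPF is evaluated against the HELO name instead.
    domain = sender.rpartition("@")[2] if "@" in sender else attrs.get("helo_name", "")
    if spf_check(domain, attrs["client_address"]) == "pass":
        return "DUNNO"                     # later smtpd restrictions (RBLs etc.) still apply
    return greylist.decide(attrs, now)


def handle_request(blob, greylist, now=None):
    """Full round trip: request text in, 'action=...' response text out."""
    return "action=%s\n\n" % policy_action(parse_policy_request(blob), greylist, now)


class PolicyHandler(socketserver.StreamRequestHandler):
    greylist = Greylist()                  # shared across all connections

    def handle(self):
        while True:                        # Postfix may send many requests per connection
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return                 # Postfix closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            self.wfile.write(handle_request("\n".join(lines) + "\n\n", self.greylist).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Postfix side (assumed): check_policy_service inet:127.0.0.1:10033
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10033), PolicyHandler) as srv:
        srv.serve_forever()
```

On the Postfix side this attaches as `check_policy_service inet:127.0.0.1:10033` inside `smtpd_recipient_restrictions`, placed after `reject_unauth_destination` so the policy is only consulted for mail the server would otherwise accept; the front instance then forwards with `relayhost = [127.0.0.1]:26`, which is already covered by the backend's default `mynetworks`. In a real deployment the same structure is provided by the existing policy daemons (postfix-policyd-spf-python for the SPF result, postgrey for the greylist, with a restriction class keyed on the SPF header or result), and postgrey's default /24 client key already softens the multi-server-provider delay the post describes. Two caveats a practitioner should keep in mind: an SPF pass only proves the sending host is authorised for that domain, and spammers publish valid SPF for domains they own, so RBL and content checks must stay on the instance that faces the internet; and a hard SPF fail (`-all`) is usually worth rejecting outright rather than greylisting, which this block does not do because the post asks for a pure bypass.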
     
besson3c (Clinically Insane; Join Date: Mar 2001; Location: yes)
Aug 1, 2015, 11:00 AM

I think you are making things needlessly complicated. You can whitelist GMail if the delay time is insufferable, or just see if their mail is sent through some sort of proxy that will remain constant for your greylisting.

It's bad architecture to add complexity to solve problems that you don't know are real. I'd set up the greylisting for a while and take care of your actual problem, and then go from there.

I would also suggest putting your mail services on AWS, but I guess you're doing other things with your SL Server.
     
besson3c (Clinically Insane; Join Date: Mar 2001; Location: yes)
Aug 1, 2015, 11:02 AM

I'd suggest also setting up SpamAssassin, SpamHaus, and perhaps even ClamAV (with Amavis) too.
     
l008com (op) (Addicted to MacNN; Join Date: Jan 2000; Location: Stoneham, MA, USA)
Aug 2, 2015, 07:18 AM

Originally Posted by besson3c
I think you are making things needlessly complicated. You can whitelist GMail if the delay time is insufferable, or just see if their mail is sent through some sort of proxy that will remain constant for your greylisting.
How many mail servers do you think google owns? There's no way to whitelist them all. And there's also no way to whitelist every other legit server. There's no sane way to implement this. What is needed is a whitelist that is the SPF records.

Originally Posted by besson3c
It's bad architecture to add complexity to solve problems that you don't know are real. I'd setup the greylisting for a while and take care of your actual problem, and then go from there.
I don't know my problems are real? What are you talking about? I can't just turn on greylisting and "go from there", because... well, read the original post. Email from new mail servers can take hours to get delivered. And gmail has so many mail servers that nearly all emails from a gmail user come from new servers. This is the point of this thread and the problem I'm trying to solve. You're more or less telling me my problem isn't real, just ignore it. What the hell kind of advice is that?
     
besson3c (Clinically Insane; Join Date: Mar 2001; Location: yes)
Aug 2, 2015, 08:53 AM

Reread what I wrote about proxies, or not.

However many servers Google owns is irrelevant, because most will not be put on their DMZ. They surely use load balancers/proxies to relay to machines in their private VLAN.

Below that, if I had to guess, I'd say that each individual node on their private VLAN is a VM that relays to their gateway which is either a physical piece of hardware or VM bridged to an 802.11q interface used for segmenting traffic within their VLANs.

Can the belligerence if you actually want help.
( Last edited by besson3c; Aug 2, 2015 at 09:33 AM. )
     
ghporter (Administrator; Join Date: Apr 2001; Location: San Antonio TX USA)
Aug 2, 2015, 01:31 PM

I see what besson's getting at. It doesn't matter how many servers Google has - managing them is their problem. That means that all of those servers must appear identical to the outside world. Whitelist their basic server address, and I'll bet mail will get through.

Glenn -----OTR/L, MOT, Tx
     
l008com (op) (Addicted to MacNN; Join Date: Jan 2000; Location: Stoneham, MA, USA)
Aug 3, 2015, 06:49 AM

Originally Posted by ghporter
I see what besson's getting at. It doesn't matter how many servers Google has - managing them is their problem. That means that all of those servers must appear identical to the outside world. Whitelist their basic server address, and I'll bet mail will get through.
Even if that would work, which I don't think it will, that's only going to help with google. There's still the problem of every other mail server in the world that isn't google, that might send me a legit email at some point in the future.
     
besson3c (Clinically Insane; Join Date: Mar 2001; Location: yes)
Aug 3, 2015, 09:25 AM

Why would anybody greylist then if it required that much maintenance and potential customer support overhead? All of the large providers run load balancers/proxies.

If you haven't done so already, I would start with SpamHaus, then SpamAssassin, and then postgrey, if you need a third line of defense. I run all of these plus Amavis and ClamAV, and it is very rare that I have to whitelist a server with Postgrey. When I do it's because some much smaller servers are misconfigured. I don't remember ever having problems with the larger providers.
( Last edited by besson3c; Aug 3, 2015 at 10:02 AM. )
     
   
All contents of these forums © 1995-2017 MacNN. All rights reserved.