Les Mikesell wrote:
> On Fri, Feb 13, 2015 at 11:39 AM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>> Otherwise it accepts junk that your primary rejects
>> Not exactly. If greylisting on primary is set, but on backup MX is not,
>> still what is killed by greylisting by primary MX almost never will come
>> through backup MX. This is due to the same reason why greylisting is
>> efficient: it throws off all that doesn't behave as a mail server (thus never
>> comes for re-delivery, and definitely doesn't try backup MX, which real
>> servers always do even before attempting re-delivery).
> I'm not convinced. Spam is big business and trying a 2nd MX is cheap.
>
>> Still, it is good
>> to have the same greylisting on backup MX. And all other blows and
>> whistles.
> Greylisting would be kind of hard to do right. You'd have to keep the
> known-good senders in sync across the receivers. But my bigger worry
> would be a dictionary-type attack on user names as recipients if you
> don't have access to the real user list on the secondary. Aside from
> the blowback of the bounces, if you've ever accepted an address it is
> likely to get on lists of known-good spam and cause extra traffic
> forever after.

In this case the secondary MX has the same RBLs etc. as the primary. I do
see the spammers sending their junk to the secondary more than the primary
MX. Agree the secondary does not know the difference between valid and
invalid addresses.

Thoughts on my configuration? I might just change the DNS name in the
secondary MX anyway.

Ken

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
On Fri, February 13, 2015 12:18 pm, Ken Smith wrote:
> Les Mikesell wrote:
>> On Fri, Feb 13, 2015 at 11:39 AM, Valeri Galtsev
>> <galtsev at kicp.uchicago.edu> wrote:
>>>> Otherwise it accepts junk that your primary rejects
>>> Not exactly. If greylisting on primary is set, but on backup MX is not,
>>> still what is killed by greylisting by primary MX almost never will
>>> come through backup MX. This is due to the same reason why greylisting is
>>> efficient: it throws off all that doesn't behave as a mail server (thus
>>> never comes for re-delivery, and definitely doesn't try backup MX, which real
>>> servers always do even before attempting re-delivery).
>> I'm not convinced. Spam is big business and trying a 2nd MX is cheap.
>>
>>> Still, it is good
>>> to have the same greylisting on backup MX. And all other blows and
>>> whistles.
>> Greylisting would be kind of hard to do right. You'd have to keep the
>> known-good senders in sync across the receivers. But my bigger worry
>> would be a dictionary-type attack on user names as recipients if you
>> don't have access to the real user list on the secondary. Aside from
>> the blowback of the bounces, if you've ever accepted an address it is
>> likely to get on lists of known-good spam and cause extra traffic
>> forever after.
>>
> In this case the secondary MX has the same RBLs etc. as the primary.
> I do see the spammers sending their junk to the secondary more than the
> primary MX. Agree the secondary does not know the difference between
> valid and invalid addresses.

What software is the secondary MX based on, in whose case you say the
secondary MX doesn't know the legitimate addresses of the primary MX?

I know about postfix. And all my servers are based on postfix. And even in
the most trivial configuration of a secondary MX based on postfix, the
secondary MX _does_ have to have all legitimate addresses of the primary
MX. These are in the relay_recipients table. Any address that is not in
that table will not be accepted by the secondary MX. Postfix even in the
most trivial configuration is sane and does not "accept everything".

So, what is the secondary MX server that you are describing that "accepts
everything" based on?

Valeri

> Thoughts on my configuration? I might just change the DNS name in the
> secondary MX anyway.
>
> Ken

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Fri, Feb 13, 2015 at 12:45 PM, Valeri Galtsev
<galtsev at kicp.uchicago.edu> wrote:
>>>
>> In this case the secondary MX has the same RBLs etc. as the primary.
>> I do see the spammers sending their junk to the secondary more than the
>> primary MX. Agree the secondary does not know the difference between
>> valid and invalid addresses.
>
> What software is the secondary MX based on, in whose case you say the
> secondary MX doesn't know the legitimate addresses of the primary MX?
>
> I know about postfix. And all my servers are based on postfix. And even in
> the most trivial configuration of a secondary MX based on postfix, the
> secondary MX _does_ have to have all legitimate addresses of the primary
> MX. These are in the relay_recipients table. Any address that is not in
> that table will not be accepted by the secondary MX. Postfix even in the
> most trivial configuration is sane and does not "accept everything".
>
> So, what is the secondary MX server that you are describing that "accepts
> everything" based on?

I think he means that the secondary does not know the user names on the
primary. Which it won't, unless someone maintains it, regardless of the
server software.

--
Les Mikesell
lesmikesell at gmail.com
On 13/02/15 18:45, Valeri Galtsev wrote:
> So, what is the secondary MX server that you are describing that "accepts
> everything" based on?

If you actually read the thread you are replying to blindly, you might
find out?

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
Once upon a time, Ken Smith <kens at kensnet.org> said:
> In this case the secondary MX has the same RBLs etc. as the
> primary. I do see the spammers sending their junk to the secondary
> more than the primary MX. Agree the secondary does not know the
> difference between valid and invalid addresses.

That's a big "bad idea". Aside from spam filtering, your backup will
accept invalid recipients and then (when delivery to the primary fails)
generate bounces back to senders. This is known as "backscatter" and will
get your server blacklisted. If you don't have a network name service of
some type (e.g. LDAP), don't do this.

The real question is: what are you trying to achieve with a backup MX? If
it is to store mail when the primary is down, legitimate remote mail
servers will do that for you; you don't need to have a backup.

--
Chris Adams <linux at cmadams.net>
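As an added illustration (not configuration posted by anyone in this thread), the Postfix backup-MX fragment below ties together the relay_recipients table Valeri describes and the backscatter problem Chris raises: the backup relays only for listed domains and rejects any recipient not in the table during the SMTP dialogue, so it never queues mail it cannot deliver and never has to bounce it later. The domain example.org, the host mx1.example.org and the addresses are made-up placeholders.

```postfix
# /etc/postfix/main.cf on the backup MX (added example; example.org,
# mx1.example.org and all addresses below are placeholders)

# Domains this host accepts mail for as a backup and forwards to the primary.
relay_domains = example.org

# Complete list of valid recipients in $relay_domains.  Because
# smtpd_reject_unlisted_recipient defaults to "yes", any recipient absent
# from this table is rejected with a 5xx reply at RCPT TO time, before the
# message is accepted.  Leaving this unset (or using an @domain wildcard)
# makes the backup accept every address and bounce the invalid ones later,
# which is the backscatter that gets a server blacklisted.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Where to forward relayed mail.  The square brackets suppress the MX lookup,
# so the backup does not hand the mail back to itself when the primary is down.
transport_maps = hash:/etc/postfix/transport

# Accept mail only for $relay_domains (or from our own networks); everything
# else is refused as an unauthorized relay attempt.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# ---- /etc/postfix/relay_recipients (placeholder content) ----
# One line per valid mailbox on the primary; the right-hand value is ignored.
#   alice@example.org        OK
#   bob@example.org          OK
#   postmaster@example.org   OK
#
# ---- /etc/postfix/transport (placeholder content) ----
#   example.org   smtp:[mx1.example.org]
#
# After editing either table:  postmap /etc/postfix/relay_recipients
#                              postmap /etc/postfix/transport
#                              postfix reload
```

The relay_recipients table has to be regenerated on the backup whenever mailboxes are added or removed on the primary; that is the maintenance Les refers to, and an LDAP-backed lookup (ldap: instead of hash:) is the usual way to avoid doing it by hand.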