2
2
---------------------------------------
3
3
Mark Martinec, 2003-05-06
4
4
(based on initial research by Ricardo Stella)
5
last updated on: 2004-04-16
5
updated on: 2005-09-22 (added a reference to 'milter-ahead');
6
updated on: 2005-09-29 (added custom rules to reject unknown users outright,
7
provided by Matej Vela, thanks to Simone Marx)
7
9
The most recent version of this document can be found at:
8
10
http://www.ijs.si/software/amavisd/README.sendmail-dual
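Review bot: the "last updated on: 2004-04-16" line at old line 5 is replaced rather than kept, so the header loses its 2004 entry; keeping it above the two 2005 "updated on" entries would preserve the full change history of the document.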
45
47
checking can be streamlined and performed at optimum throughput setting
46
48
(number of content checker processes) so as not to overwhelm host resources,
47
49
instead of leaving it at the mercy of the current number of incoming
48
SMTP sessions, where available crude controls are mostly based on system
50
SMTP sessions where available crude controls are mostly based on system
49
51
load. Typically the number of incoming SMTP sessions (tiny processes)
50
52
is desired to be many times above the number of content filtering
51
53
processes (heavy resource consumers).
103
105
names, and supply non-default names to MTA-RX explicitly. This will make
104
106
admin utilities like mailq, newaliases, hoststat and purgestat operate
105
107
on the outgoing mailer instance unless explicitly told otherwise.
106
It can just as well be the other way around.
108
It can just as well be the other way around.
108
110
MTA-RX (receiving mailer) will be responsible for accepting mail from
109
111
the Internet or from internal hosts on port 25, optionally accepting local
110
112
message submissions on tcp port 587 (rfc2476), and for message submissions
111
113
via sendmail program. It will forward all mail (both for local and for
112
114
nonlocal recipients) via SMTP protocol (or LMTP) to 127.0.0.1 (a loopback
113
interface) on tcp port 10024, where amavisd daemon will be listening.
115
interface) on tcp port 10024, where amavisd daemon will be listening.
114
116
- its queue: /var/spool/mqueue-rx
115
117
- its config file: /etc/mail/sendmail-rx.cf, /etc/mail/submit.cf
116
118
- the source (.mc) of the configuration file: thishost-rx.mc
128
130
In-between the two MTAs an amavisd daemon will accept mail via SMTP (or LMTP)
129
131
protocol on tcp port 10024, check it, and forward checked mail and
130
notifications via SMTP to MTA-TX.
132
notifications via SMTP to MTA-TX.
132
134
If you already have an existing sendmail installation, you already
133
135
have a queue directory /var/spool/mqueue and the configuration file(s)
140
142
settings should go to both.
142
144
The MTA-TX should have none or hardly any resource limits, or at least
143
have them larger that MTA-RX. Large message, common errors in mail, and
145
have them larger than MTA-RX. Large messages, common errors in mail, and
144
146
mail rush-ins should be stopped or limited at their entry to the system.
145
147
Accepting them first, but choking later can lead to trouble or at least
146
148
to wasted resources.
185
187
dnl Specify here also access controls, relayable domains, anti-spam measures
186
188
dnl including milter settings if needed, mail submission settings, client
187
189
dnl authentication, resource controls, maximum mail size and header size,
188
dnl confMIN_FREE_BLOCKS, and other settings needed for receiving mail.
190
dnl confMIN_FREE_BLOCKS, and other settings needed for receiving mail.
191
193
dnl confMIN_FREE_BLOCKS at MTA-RX should be kept higher than the same
192
dnl setting at MTA-TX, to quench down clients when disk space is low,
194
dnl setting at MTA-TX to quench down clients when disk space is low,
193
195
dnl and not to stop processing the already received mail.
195
197
dnl In particular, here are some settings to be considered:
196
198
dnl ( see also http://www.sendmail.org/m4/anti_spam.html )
198
dnl FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')
200
dnl FEATURE(`access_db')
199
201
dnl VIRTUSER_DOMAIN(`sub1.example.com')dnl list valid users here
200
202
dnl VIRTUSER_DOMAIN(`sub2.example.com')dnl list valid users here
201
dnl FEATURE(`virtusertable', `hash /etc/mail/virtusertable')
203
dnl FEATURE(`virtusertable')
202
204
dnl define(`confUSERDB_SPEC', `/etc/mail/userdb.db')
203
205
dnl FEATURE(`blacklist_recipients')
206
dnl FEATURE(`use_cw_file')
207
dnl FEATURE(`use_ct_file')
204
208
dnl INPUT_MAIL_FILTER(...)
205
209
dnl define(`confPRIVACY_FLAGS', `noexpn,novrfy,authwarnings') nobodyreturn ?
206
210
dnl define(`confDONT_PROBE_INTERFACES')
207
dnl undefine(`USE_CW_FILE')dnl cancel use_cw_file feature, no class {w} extras
208
211
dnl MASQUERADE_AS(...) FEATURE(`allmasquerade') FEATURE(`masquerade_envelope')
209
212
dnl define(`confTO_IDENT', `0')dnl Disable IDENT
210
213
dnl define(`confMAX_MESSAGE_SIZE',`10485760')
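Review bot: at new line 209 the stray remark `nobodyreturn ?` sits on the same line as the commented-out `define(`confPRIVACY_FLAGS', `noexpn,novrfy,authwarnings')`, so anyone who enables the setting by deleting the leading `dnl` hands that text to m4. Move the remark to its own comment line, e.g. `dnl define(`confPRIVACY_FLAGS', `noexpn,novrfy,authwarnings')dnl` followed by `dnl consider adding nobodyreturn`, so the define can be uncommented as-is.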
233
236
dnl Direct all mail to be forwarded to amavisd-new at 127.0.0.1:10024
234
237
FEATURE(stickyhost)dnl Keep envelope addr "u@local.host" when fwd to MAIL_HUB
235
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl Forward all local mail to amavisd
236
define(`SMART_HOST',`esmtp:[127.0.0.1]')dnl Forward all other mail to amavisd
238
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl Forward all local mail to amavisd
239
define(`SMART_HOST', `esmtp:[127.0.0.1]')dnl Forward all other mail to amavisd
240
define(`LOCAL_RELAY',`esmtp:[127.0.0.1]')dnl
238
242
define(`confDELIVERY_MODE',`q')dnl Delivery mode: queue only (a must,
239
243
dnl ... otherwise the advantage of this setup of being able to specify
252
256
undefine(`DECNET_RELAY')dnl
260
dnl The following solution to reject unknown recipients outright
261
dnl is provided by Matej Vela <m...@irb.hr>, see:
262
dnl http://groups.google.com/group/comp.mail.sendmail/
263
dnl browse_thread/thread/88cc72d7c4d3a6e/ee2a9474b3a4558d
264
dnl The FEATURE(stickyhost) short-circuits FEATURE(luser_relay) so that a:
265
dnl define(`LUSER_RELAY',`error:5.1.1:"550 User unknown"') can't be used.
266
dnl A simple solution is to disable FEATURE(stickyhost). If this is not
267
dnl possible, the alternative is to replace FEATURE(luser_relay) with custom
268
dnl rules below. The latter has the advantage of properly handling special
269
dnl aliases like ("|program", "/mailbox", and ":include:/list"). If choosing
270
dnl this route, one should NOT use `undefine(`ALIAS_FILE')dnl', and use the
271
dnl following custom rules:
275
Kaliasp hash -m /etc/mail/aliases
280
R$* $: <?> $&{rcpt_addr}
281
R<?> $+ @ $=w $: <@> $1 mark local address
282
R<?> $* @ $* $@ OK ignore remote address
283
R<?> $+ $: <@> $1 mark unqualified user
284
R<@> $+ + $* $: < $(aliasp $1+$2 $: @ $) > $1 + * plussed alias?
285
R<@> $+ + $* $: < $(aliasp $1+$2 $: @ $) > $1 +* alias?
286
R<@> $+ $: < $(aliasp $1 $: @ $) > $1 normal alias?
287
R<@> $+ $: < $(userp $1 $: @ $) > $1 system user?
288
R<@> $+ $#error $@ 5.1.1 $: "550 User unknown" nope, go away
255
290
---end-----------------------------------
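Review bot: the `userp` map consulted by the "system user?" rule at new line 287 is not declared in the visible lines (only `Kaliasp hash -m /etc/mail/aliases` at new line 275 is); new lines 272-274 and 276-279 are not shown here, so confirm a `Kuserp user ...` declaration precedes the ruleset. The two plussed-alias rules at new lines 284 and 285 both pass `$1+$2` to `aliasp`, so the second lookup just repeats the first; if the `+*` comment is meant as the `user+*` wildcard alias, that rule needs a different key. Readers should also note that sendmail rules require a tab between LHS and RHS, which this rendering shows as a single space, so the block cannot be pasted verbatim.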
343
378
settings as the already defined 'esmtp', except with port number 10024.
345
380
- depending on how local addresses are translated by MTA-RX, the
346
@local_domains list (in amavisd.conf) needs to be adjusted accordingly.
347
Check the amavisd-new log what recipient addresses it sees for local
348
recipients. The '[127.0.0.1]' may need to be added to the @local_domains.
381
%local_domains (or @local_domains_maps) in amavisd.conf needs to be
382
adjusted accordingly to be able to recognize local domains. Check the
383
amavisd-new log what recipient addresses it sees for local recipients.
384
The '[127.0.0.1]' may need to be added to the @local_domains.
350
386
- To make MTA-RX reject mail for nonexistent local users by itself
351
387
(instead of generating a bounce later on), one may use the 'virtusertable'
363
399
You may use the righthand side of the map to specify local user
364
400
(e.g. %1%3, or just jim, without domain name) in which case MAIL_HUB will
365
be used, or specify an explicit domain name that is not in the {w} class,
366
in which case the SMART_HOST will get consulted.
401
be used for forwarding, or specify an explicit domain name that is not
402
in the {w} class, in which case the SMART_HOST will get consulted.
368
404
Perhaps what Stephane Lentz writes is even better:
372
408
rule-set that checks addresses of your domain against a map of valid users
373
409
(valid_addresses.db). I hope some standard FEATURE will be provided
374
410
with sendmail - something like FEATURE(checkdomainaddresses) and
375
CHECKDOMAINADDRESSES(mydomain.com).
411
CHECKDOMAINADDRESSES(mydomain.com).
413
An alternative solution is to use a milter to do address verification
414
against the second MTA in chain. See the milter-ahead project:
416
http://www.milter.info/sendmail/milter-ahead/
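Review bot: new line 381 renames the setting to `%local_domains (or @local_domains_maps)`, but new line 384, carried over from the old text, still says the '[127.0.0.1]' "may need to be added to the @local_domains"; update it to the new name so the paragraph does not point readers at the setting it just replaced.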
378
420
PERFORMANCE NOTES
392
434
av-scanner (or no av scanner) (with or without SpamAssassin),
393
435
and between 2 and 3 with many command line scanners (regardless of SA).
394
436
If the host is low on memory and when spam checking (SpamAssassin)
395
is used, even 2 may be a lot.
437
is used, even 2 may be a lot for an elderly host.
397
439
Start conservatively, e.g. at 2 or 3, and if everything works normally
398
440
and higher throughput is needed, try a bit more. Anything above the point