Re: Large mail gateway setup
From: Bob Cunningham (bob cdsinc.com)
Date: Wed Jun 01 2005 - 14:49:45 CDT
On Jun 1, 2005, at 5:11 AM, Gerhard de Jager wrote:
> Hi.
>
> Thanx.
>
> The thing that I'm worried about is that it might grow very fast (users and messages).
>
> I want to design it so that it will be scalable.
>
> Can you perhaps suggest a layout, I have about 5 boxes that I can use.
I've used the 3-tier inbound (1-tier outbound) scheme as described by Ean Kingston for sites ranging from 100 up to about 60,000 users. It scales very well. Monitored carefully, you can easily tell where additional boxes and/or hardware are needed.
Here is what I'd suggest for a start ...
1st-tier: 2 ea. MX servers (you *will* want a minimum of two for redundancy). These are the only systems with public MX records. They accept incoming messages, make instant accept/reject decisions, and pass accepted messages to your 2nd tier. Until and unless things "back up" on the next tier, these systems need very little disk space. Consider aggregating the logging of these machines to a separate, dedicated syslog server. Put your cheapest and least powerful systems at this tier, but do have plenty of memory. Preferably, use identical hardware. Definitely use identical software configurations. Do as much anti-UCE blocking here as you can.

[Although exactly what anti-UCE measures you adopt will depend on whatever policies you have (or develop), you should probably use a couple of good RBLs. Think about whether you also want to greylist as well. Note that using RBLs means doing a lot of DNS lookups. With only two machines at this tier, I'd run a caching-only nameserver on each machine. If you end up having more than two machines at this tier, I'd suggest that each simply have a high-speed connection to one or more separate nameserver machines. Regardless of exactly what anti-UCE measure you use, always REJECT; do not bounce.]
Middle tier: at least one machine dedicated to deep virus and spam checking. Various software can be used for checking. Personally, I prefer using two independent virus checks, starting with clamav plus a commercial package as well (e.g., WebTrends); but a single spam checker will usually suffice. (If your anti-UCE measures at the previous tier are draconian enough, you will be surprised at how little spam you'll actually detect at this tier!)

2nd-tier machine(s) need more CPU power than the 1st-tier machines, and at least as much memory. Disk space needs can either be modest, if you opt not to hold anything in "quarantine", or significant -- if you quarantine.

[If you decide not to use dedicated machine(s) for relaying outbound mail, you can also use the machines at this tier as outbound mail relays as well. The anti-virus/anti-spam checks are just as useful for outgoing mail as for incoming mail.]
Final tier: your mailstore, and POP/IMAP setup. Storage, storage, and more storage. But make sure it's "quick". A large hardware RAID array is what you want. RAID 5 (or 4) is okay, since reads will definitely dominate writes. What you really want is to have your mailstore on a NAS server, to allow easy LAN-based access to the mail store for separate SMTP final delivery, POP, IMAP, and webmail boxes.

Separate: a dedicated webmail machine, with a back-end connection to the NAS (and its attached mail store), and good front-end connections to the LAN your users will connect from. Besides fast network connections, these machine(s) probably need the most CPU power and plenty of memory.
In summary ... for a 6-box starter system:

  2 MX machines (lightweight systems, but with plenty of memory)
  1 virus/spam checking machine (more CPU power, perhaps even more memory, plus significant disk if you opt to "quarantine")
    [This machine can also be your outgoing mail relay]
  1 mailstore/POP/IMAP machine (reasonable CPU and memory)
  1 NAS box with a large hardware disk array (most of your storage $$$ will go here)
  1 webmail server (maximum CPU, plenty of memory)
  optional (but highly desirable): a separate, dedicated syslog machine for all of the above
Performance monitoring will tell you where you need more capacity. A separate outgoing mail relay(s) might be the first thing you may want to add, although you may find that you just want virus/spam checking for incoming mail instead.

If you add 2nd-tier capacity, check to make sure that the 1st tier never becomes a bottleneck. At a minimum, use N 2nd-tier machines with N+1 1st-tier machines. Better: N 2nd-tier machines and 2*N 1st-tier machines.
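The 1st-tier behaviour Bob describes (an RBL lookup per connecting client, a local cache standing in for the caching-only nameserver, and a hard SMTP-time REJECT rather than a bounce) can be sketched in a few dozen lines. The following is an added illustration and is not code from the thread or from any MTA; the zone name `dnsbl.example`, the listing data, and the resolver are constructed for offline use, and the 127.255.255.0/24 error convention is an assumption about how some DNSBL operators signal query errors rather than listings.

```python
"""Added example (not from the mailing-list post): an SMTP-time DNSBL check
with a local answer cache and a reject-not-bounce decision.  The zone name,
listing data and resolver below are constructed for offline use."""
import ipaddress
import time
from typing import Callable, Dict, Optional, Sequence, Tuple

# A resolver maps a DNS name to its A record (as a string) or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# DNSBL listings are answered from 127.0.0.0/8.  Assumption: 127.255.255.0/24
# is reserved by some operators for error replies and must not count as a hit.
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class CachingDnsblChecker:
    """Checks a client IP against one or more DNSBL zones, caching answers
    locally so repeated connections from the same host cost no DNS round trip."""

    def __init__(self, zones: Sequence[str], resolver: Resolver,
                 ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.zones = list(zones)
        self.resolver = resolver
        self.ttl = ttl
        self.clock = clock
        self._cache: Dict[str, Tuple[Optional[str], float]] = {}
        self.lookups = 0  # resolver calls actually made (cache misses)

    def _lookup(self, name: str) -> Optional[str]:
        now = self.clock()
        hit = self._cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.lookups += 1
        answer = self.resolver(name)
        self._cache[name] = (answer, now + self.ttl)  # negative answers cached too
        return answer

    def listing(self, client_ip: str) -> Optional[str]:
        """Return the first zone that lists client_ip, or None if none does."""
        try:
            ipaddress.IPv4Address(client_ip)
        except ValueError:
            return None  # not an IPv4 address: nothing to query, treat as unlisted
        for zone in self.zones:
            answer = self._lookup(dnsbl_query_name(client_ip, zone))
            if answer is None:
                continue
            try:
                addr = ipaddress.IPv4Address(answer)
            except ValueError:
                continue  # malformed answer: do not treat as a listing
            if addr in LISTED_NET and addr not in ERROR_NET:
                return zone
        return None


def smtp_decision(checker: CachingDnsblChecker, client_ip: str) -> Tuple[bool, str]:
    """Decide at RCPT TO time: (accept?, SMTP reply line).

    A listed client gets a permanent 5xx reply inside the SMTP dialogue, so the
    sending side is told immediately and this host never generates a bounce
    message of its own (Bob's "always REJECT; do not bounce")."""
    zone = checker.listing(client_ip)
    if zone is not None:
        return False, f"550 5.7.1 Service unavailable; client {client_ip} blocked using {zone}"
    return True, "250 2.1.5 OK"


# Constructed sample zone data (not a real DNSBL) so the example runs offline.
SAMPLE_ZONE_DATA: Dict[str, str] = {
    "4.3.2.1.dnsbl.example": "127.0.0.2",       # listed
    "9.9.9.9.dnsbl.example": "127.255.255.254",  # error reply, not a listing
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ZONE_DATA.get(name)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run a few constructed clients through the check; the repeated 1.2.3.4
    is served from the cache on the second pass."""
    checker = CachingDnsblChecker(["dnsbl.example"], sample_resolver)
    return {ip: smtp_decision(checker, ip)
            for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9", "::1")}


if __name__ == "__main__":
    for ip, (ok, reply) in demo().items():
        print(f"{ip:>10}  {'accept' if ok else 'reject'}  {reply}")
```

Two design points worth noting: negative answers are cached as well as positive ones, because most connecting clients are not listed and it is those lookups that dominate DNS load on a busy MX; and anything the check cannot resolve (non-IPv4 client, malformed answer, error reply) is treated as unlisted, so a DNSBL outage degrades to "no RBL blocking" rather than to rejecting all mail.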