Re: RBL in Postfix with Load Balancing

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Wed Jan 02 2008 - 15:30:32 CST


On Wed, Jan 02, 2008 at 10:20:35PM +0100, Ralf Hildebrandt wrote:

> * Carlos Jiménez <zuberoteleline.es>:
> > Hello, everybody:
> >
> >
> >
> > I have two servers with Postfix running as a Mail Gateway with antispam
> > filtering. These two computers are connected to a load balancer (hardware
> > appliance). Unfortunately, this device receives all SMTP traffic and
> > modifies IP value of the sender with its own (load balancer IP). We have
> > configured a filtering based on RBL's, but it doesn't work because this IP
> > address is a valid one.
>
> Lose the load balancer and use 2 MX hosts.
> Or replace the load balancer with something not quite as broken.
>

There are other reasons to expose multiple MX hosts rather than a single
load balancer IP:

    - TLS session caching will work better with non-Postfix TLS clients
      (Postfix clients usually work well even with a load balancer in the way).

    - Messages that temp-fail the first MX may be delivered directly
      at a second MX host, but with both behind a load balancer, clients will
      defer the mail for a re-try.

    - If one of the two hosts behind the load balancer is overloaded
      and mail transactions time out, Postfix clients may experience
      bursts of errors and declare the site dead. With separate MX
      hosts, this won't happen.

This said, it may be possible to configure the load balancer to use
XCLIENT. Works well with an F5 in front of some Postfix MSAs here.
The load balancer is authorized to send the XCLIENT command. With
Postfix 2.4 or later, this is available and safe (the right to use
XCLIENT is lost once the new IP identity becomes active).

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
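
Added example, not part of the original message or of Postfix: a Python sketch of the XCLIENT command a load balancer would send so that RBL lookups use the real client address instead of the balancer's. The addresses and the zone dnsbl.example are constructed; on the Postfix side the balancer's address is assumed to be listed in smtpd_authorized_xclient_hosts.

```python
import ipaddress

def xtext(value):
    """RFC 1891 xtext: '+', '=' and bytes outside 33..126 become +HH."""
    return "".join(
        chr(b) if 33 <= b <= 126 and b not in (0x2B, 0x3D) else "+%02X" % b
        for b in value.encode("utf-8")
    )

def xclient_command(client_ip, client_name=None):
    """Command the balancer sends after EHLO, before MAIL FROM."""
    ip = ipaddress.ip_address(client_ip)      # ValueError on malformed input
    addr = str(ip) if ip.version == 4 else "IPV6:" + str(ip)
    name = client_name or "[UNAVAILABLE]"     # no reverse name known
    return "XCLIENT ADDR=%s NAME=%s" % (xtext(addr), xtext(name))

def dnsbl_query_name(client_ip, zone):
    """Name a DNSBL check resolves for the address Postfix sees."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

if __name__ == "__main__":
    # Constructed sample values: balancer address, real client, DNSBL zone.
    LB_IP, REAL_CLIENT, ZONE = "10.0.0.5", "192.0.2.25", "dnsbl.example"
    print("without XCLIENT:", dnsbl_query_name(LB_IP, ZONE))
    print("balancer sends: ", xclient_command(REAL_CLIENT))
    print("with XCLIENT:   ", dnsbl_query_name(REAL_CLIENT, ZONE))
```

After a successful XCLIENT the server answers with a fresh 220 greeting and the balancer has to send EHLO again before relaying the client's transaction.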