Splitting Up Server Roles

bclancey

We currently have DA, email and web on the same physical machine. We propose adding another physical machine and splitting up the roles of the machines.

One would handle all websites. The other would handle all email. Since DA cannot handle multiple machines, we would move DA to the email box to manage exim, mail forwarders and so forth.

Will uninstalling/stopping DA on the web server machine uninstall Apache, PHP, MySQL? Or will they all continue operating as currently configured even though DA no longer works on that box?

As some background, it is not that the computer is normally incapable of handling the jobs requested. However, it is the case that when inbound spam peaks we suffer an effective DOS situation because it saturates the machine and there are hundreds of connections in a TIME_WAIT state even though exim is configured with smtp_accept_max = 25.

Using tail I can see that we are getting two to three spams per second, with the majority sent to exim's blackhole.
 
You can probably solve the problem a lot more cheaply than adding another server: simply change the catchall account(s) on the server from ignore to fail.

In fact I recommend that the ignore option not even be included as a possible option, since it doesn't blackhole the email for nonexistent users until after it's completely processed (hence your problem with lots of mail on the server slowing it down). fail means mail for nonexistent users won't even be accepted onto the server.

I'd also look into using SpamBlocker blocking for all domains on the server if you don't already do that; see the SpamBlocker threads on these forums (DA is currently installing SpamBlocker2.1.1, but older versions of DA may have older versions of SpamBlocker in which case I recommend updating).

But if you really want to add another server, yes, I think what you suggest will work.

Of course if you add new domains to the system you'll have to set them up manually on the http server.

Jeff
 
Thank you for the suggestion. Some domains had the catchall set to fail and some were set to ignore. I changed them all to fail. I will monitor the situation and see if this resolves the issue.

I have been using SpamBlocker for a couple of years. I have not upgraded since last year.

I will probably continue working on this project, however, because I am keenly interested in reducing the number of machines in our server room by dedicating cores from quad CPUs to individual VMs.

We had previously split up the websites over two machines -- with DA running on the machine which handles our primary website and all our email. Since we never accept email on new domains, new sites are added to the other machine.

######

As a question, do you know if changing to "fail" will have a positive impact on spam volume. In your experience, does this tend to reduce spam because the failure causes spammers to remove invalid email addresses from their lists?
 
Absolutely.

Two nights ago I was up all night because of huge dictionary attacks on one domain (a regional bank) on one of our servers.

Finally I decided to look at fail vs ignore. When I discovered their catchall was set to ignore, I reached their admin and got his permission to make the change.

Then I manually killed all exim processes and restarted exim.

Our server load went from 35.6 to 0.65 in a matter of minutes.

It saved us from having to move his email to a dedicated server.

(Note the client is a bank; only their insecure pages and email are on a shared server; their Internet banking system is on its own server ;) ).

It works :) .

Jeff
 
There were already warnings not to use it... I'm going to add even more ;)

1) Changed "not recommended" to "not recommended"
2) added a hyperlink javascript alert for the "not recommended" text, explaining *why* not to use it.
3) made the same alert/warning pop-up when you actually select the ignore option.
4) if your mouse is hovering anywhere over that row, you'll get a hover-over warning as well.

I would hope they get the hint.

In some cases it's needed if you find your server bouncing hundreds of emails to an unsuspecting account. 99% of the time, you shouldn't be using it, but I have found a few cases where it was useful.

John
 
John,

Ever since I wrote the first updated exim.conf file exim should NOT be able to bounce emails to an unsuspecting account; it should only tell the sending server (and only the sending server, having nothing to do with the return address) that the mail is undeliverable. And that IS important, even if they don't suspect they're sending spam so they can do something about it before they get blocked by one or more blocklists.

Really I can't think of any reason it would be used with the way exim is set up in DA, because exim in DA doesn't accept the email, and therefore can't bounce it back. It simply tells the server trying to send it mail that the address doesn't exist.

Jeff
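As an added example (not code from this thread or from DirectAdmin), a small Python tally over exim mainlog lines that separates domains refusing unknown recipients at RCPT time (the fail behaviour Jeff describes) from domains that accept the whole message and then discard it (the ignore behaviour); the log lines are constructed and only approximate exim's log format.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating exim's mainlog format (not real server data).
# "rejected RCPT" = recipient refused during the SMTP envelope (catchall set to fail).
# "=> :blackhole:" = message fully received, then thrown away (catchall set to ignore).
SAMPLE_LOG = """\
2009-03-02 10:00:01 H=(mx.example.net) [192.0.2.10] F=<bulk@example.net> rejected RCPT <nobody1@bank.example>: Unrouteable address
2009-03-02 10:00:01 H=(mx.example.net) [192.0.2.10] F=<bulk@example.net> rejected RCPT <nobody2@bank.example>: Unrouteable address
2009-03-02 10:00:02 1LgAbC-0001xY-Zz => :blackhole: <random17@shop.example> R=catchall T=
2009-03-02 10:00:02 1LgAbD-0001xZ-Aa => :blackhole: <random18@shop.example> R=catchall T=
2009-03-02 10:00:03 1LgAbE-0001y0-Bb => :blackhole: <random19@shop.example> R=catchall T=
2009-03-02 10:00:04 1LgAbF-0001y1-Cc => alice <alice@shop.example> R=localuser T=local_delivery
"""

REJECT_RE = re.compile(r" rejected RCPT <[^@>]+@([^>]+)>")
BLACKHOLE_RE = re.compile(r" => :blackhole: <[^@>]+@([^>]+)>")


def tally(log_text):
    """Per recipient domain, count envelope-time rejections versus
    accept-then-discard deliveries."""
    counts = defaultdict(lambda: {"rejected": 0, "blackholed": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)]["rejected"] += 1
            continue
        m = BLACKHOLE_RE.search(line)
        if m:
            counts[m.group(1)]["blackholed"] += 1
    return dict(counts)


def domains_to_switch(counts, min_blackholed=1):
    """Domains whose unknown-recipient mail is being accepted and then
    blackholed: candidates for changing the catchall from ignore to fail."""
    return sorted(d for d, c in counts.items() if c["blackholed"] >= min_blackholed)


if __name__ == "__main__":
    result = tally(SAMPLE_LOG)
    for domain, c in sorted(result.items()):
        print(f"{domain}: rejected at RCPT={c['rejected']}, blackholed after DATA={c['blackholed']}")
    print("switch to fail:", domains_to_switch(result))
```

Every blackholed line represents a message the server spent a full DATA phase receiving before discarding it, which is the load the thread is about.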
 