From: Erik Hensema
Date: 2005-01-25 08:47:25 -0500
Subject: Re: milter-ahead on a backup mx
More information..: http://www.milter.info/#Support
On Tue, Jan 25, 2005 at 08:14:10AM -0500, April Lorenzen wrote:
> Erik states he has a gateway configuration, and I am assuming that both
> his pri and sec are gateways ahead of all the virtual hosts. That's how
> my own system is set up, or rather we have several
> sendmail-clamav-milter-siq gateways in front of a single
> sendmail-dbmail-pop/imap machine.
> But the way I interpret "downstream" is the virtual hosts protected by
> the gateways.
> primary gateway ---------------- virtual hosts pool
> secondary gateway ------------- virtual hosts pool
No, this is not my setup. I have multiple servers which do shared
webhosting. These servers are fully configured to receive mail from the
When a client wants to have his mail virus scanned, then the primary mx is
a gateway server which relays the mail to the webhosting server.
I also have a backup mx which just relays mail to a primary mx, being the
gateway server or the webhosting server.
For example, hensema.net has virusscan.hostingxs.nl as primary mx and
mailrelay.hostingxs.nl as backup mx. Virusscan relays the mail to my
Virusscan also does spamfiltering, using both dns blacklists and
So, if virusscan is down, then the path of the mail is as follows:
mailrelay -> virusscan (when it's up again) -> webserver
mailrelay doesn't do spamfiltering.
virusscan now receives around 1500 connects from mailrelay every day. I
suspect this is 95+% spam. In normal operation there is no reason
whatsoever why mailrelay should receive any mail. I could even stop
sendmail until a server or network goes down.
> milter-ahead needs to not only ask the virtual hosts "do you have this
> user?" --- the existing functionality of milter-ahead
> But for the new function we are discussing, it seems milter-ahead would
> not be asking the downstream virtual hosts pool - it would be asking its
> peer (albeit first in line peer) the primary MX - "are you accepting
> So I don't understand the logic of deciding anything about whether this
> is a legitimate connection which may have been deferred or rejected by
> the primary MX, by asking the "downstream" anything?
Well, this new function has actually little to do with the main function of
milter-ahead, so maybe it should be implemented in a new milter. However
since all the infrastructure is already there in milter-ahead, it was just
a convienent place to start hacking ;-)
Erik Hensema (firstname.lastname@example.org)
Copyright 2009, 2012 by SnertSoft. All rights reserved.