On Tue, Jun 15, 2010 at 8:02 AM, Markus Stumpf
wrote:

> You are probably running tcpserver on 0.0.0.0.
> You could duplicate the startup script and have the tcpserver in one
> listen to the external visible IP address and the other listen on
> 127.0.0.1.
> That way you have two connection pools.
> Make your script connect to 127.0.0.1.
>

Thanks for that word of advice. For some reason--am I'm a hack at TCP
networking--it eluded me that you could have a separate listener on
localhost than on the external IP. I was thinking I needed a second IP
address (which I have, but your approach is simpler).

>
> Keep in mind however that if the external incoming connections
> saturate your (still single) working queue, deliveries from the local
> pool will be delayed, too, but at least accepted.
>

That is acceptable behavior in my case. Thanks for the warning. Plus or
minus a little, our CVS commit notices say "A colleague changed some
code--you might want to look at the change". These notices aren't generally
time-critical.

>
> Another thing I found useful is to
> echo "10" > /var/qmail/control/timeoutsmtpd
> Rarely see a legit mailserver run into that, but a lot of spam
> connections get dropped.
>
> I dropped mine down to 300 (from the default 1200). However, that was one
question lingering in mind -- how long is reasonable? With network speeds
being what they are these days, I just didn't fully understand why a value
like 1200 would be the default. I did not know that something as low as 5
would work.

I'm not actually sure where most SPAM comes from (it is hijacked PC's, or
what?).

In any case, I doubled the maximum number of SMTP receiving processes (from
20 to 40) and decreased timeoutsmtpd to 300. If that doesn't work (or when
the SPAM volume gets high enough that it stops working), I'll adopt your
suggestion and go with separate listeners.

Thanks, Datesfat