|Svetozar Mihailov||Aug 26, 2008 1:20 am|
|Sam Varshavchik||Aug 26, 2008 4:04 am|
|Svetozar Mihailov||Aug 26, 2008 5:15 am|
|Steve Shockley||Aug 26, 2008 8:28 am|
|Sam Varshavchik||Aug 26, 2008 3:15 pm|
|Gordon Messmer||Aug 26, 2008 3:53 pm|
|Paweł Tęcza||Sep 16, 2008 1:04 am|
|Manuel Schneider||Sep 16, 2008 1:33 am|
|Paweł Tęcza||Sep 16, 2008 1:52 am|
|Steve Shockley||Sep 16, 2008 3:34 am|
|Paweł Tęcza||Sep 16, 2008 6:08 am|
|Svetozar Mihailov||Sep 16, 2008 9:15 am|
|Paweł Tęcza||Sep 18, 2008 1:11 am||.patch, .patch|
|Subject:||Re: [courier-users] Courier Cluster|
|From:||Svetozar Mihailov (cour...@j.zarhi.com)|
|Date:||Aug 26, 2008 5:15:30 am|
On Tue, 2008-08-26 at 07:04 -0400, Sam Varshavchik wrote:
> Svetozar Mihailov writes:
>> I'm building a Courier cluster and have a few questions.
>> Hardware details: 4 core quad servers with 8GB RAM, iSCSI storage with GFS2. The full cluster will have 8 servers in total.
>> 1. Sam, this cluster will offer free hosting (mail and www) services for our customers who already pay for internet connectivity. Do I need some kind of license for the Courier suite? Does this change if the hosting also offers paid services?
> No and no.
>> 2. DNS: Which DNS structure is allowed/better:
>> 2.1 One MX record for mail.example.com and 8 A records, one for each server. OR
>> 2.2 Eight MX records with equal priority to c(1-8).mail.example.com for SMTP and an additional eight A records for mail.example.com for POP/IMAP.
> I would suggest a combination, 4 MX records with two A addresses for each one.
>> 2.2 I do not want to use a load balancer because if the load balancer dies everything stops. I will implement a monitoring (ping?) daemon which will add/remove servers from DNS if some of them die. Is there a recommended minimal TTL for DNS records in this case?
> With eight servers, I wouldn't even bother, and leave the default TTL set to one day.
>> 3. Do I need to take special care of file locking? All servers have a consistent view of the file system, and it is possible for one user to log in to several servers at the same time via POP/IMAP.
> Locking is used very minimally, only in the IMAP server. No special consideration is necessary.
>> 4. What about the MAXPERIP setting? Is it possible to make this cluster-aware? Otherwise each user can log in up to MAXPERIP times on each server at the same time.
> No, MAXPERIP is per-server.
>> 5. I'm thinking of placing /etc/courier and /etc/authdaemon on iSCSI/GFS2 so all servers will see the same configs all the time. Modifying configs and running the make* scripts will be done on one separate server. I'm thinking of creating an additional daemon which will monitor these two folders with FAM and issue 'courier restart' and 'service authdaemon restart' on change. Will this be OK?
> This is ok, but you should carefully set each server's hostname. Each server needs to know its own FQDN.
>> 5.1 /var/spool/courier will also be on iSCSI/GFS2, but as far as I know it is not possible to share this between servers?
>> 5.2 Is it possible at compile time to move certificates from /usr/lib/courier/share to /etc/courier/share? Or just to symlink the certificates to /etc/courier/share?
> Use a symlink.
>> 7. I use a MySQL backend with service separation like this (/etc/courier/imapd):
>> ADDRESS=0
>> PORT=143,127.0.0.1.144
>> AUTHSERVICE143=imap
>> AUTHSERVICE144=imapl
>> AUTHSERVICE993=imaps
>> Is it possible to set up imap:143 to issue 'imaps' if the user sends STARTTLS before authentication? Or implement something like 'AUTHSERVICESSLADD=s' which depends only on the connection status (clear/ssl|tls)? Same thing with POP3.
> No, but that's a good point.
Thanks for the quick answer. I have a few more questions which were in the first email, blocked because of a wrong from address (please delete it).
5.x Does Courier need write access to /etc/courier and/or /etc/authdaemon? Is it safe to mount them read-only?
8. I have an idea to implement 'ONFAILSQL' and/or 'ONFAILSCRIPT' in authdaemon. Now I parse the maillog file to catch spammers and add them to a local RBL DNS server. It would be nice if authdaemon logged the IP addresses of failed authentication attempts directly to a script/SQL. A realtime local blacklist would be very easy with this information. But this would need a lot of source modification because authdaemon currently does not know the client IP address. Similar logging could be implemented in a filter to catch positive spamd/clamd results (Python filter?).
Best regards,
Svetozar Mihailov
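As an added example (mine, not code from this thread or from the Courier project), here is the log-side half of what question 8 describes: parse the "LOGIN FAILED, user=..., ip=[...]" lines that imapd/pop3d write to the mail log, merge the failures from all cluster nodes per client IP, flag IPs that fail repeatedly inside a short window, and render the result as records for a local DNSBL zone. The log lines below are constructed samples in that format, the threshold, window and the zone name bl.example.internal are assumptions, and the reversed-label form is the usual DNSBL lookup convention.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample lines (not real traffic) in the "LOGIN FAILED, user=..., ip=[...]"
# form that courier-imap's imapd/pop3d log.  Two cluster nodes (c1, c2), one client
# hammering several accounts, one client with a typo, one IPv6 client.
SAMPLE_LOG = """\
Aug 26 05:10:01 c1 imapd: LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
Aug 26 05:10:03 c1 imapd: LOGIN FAILED, user=bob, ip=[::ffff:192.0.2.10]
Aug 26 05:10:04 c2 pop3d: LOGIN FAILED, user=carol, ip=[::ffff:192.0.2.10]
Aug 26 05:10:06 c2 imapd: LOGIN FAILED, user=dave, ip=[::ffff:192.0.2.10]
Aug 26 05:10:09 c1 imapd: LOGIN FAILED, user=erin, ip=[::ffff:192.0.2.10]
Aug 26 05:11:00 c1 imapd: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
Aug 26 05:11:20 c1 imapd: LOGIN, user=alice, ip=[::ffff:198.51.100.7], protocol=IMAP
Aug 26 05:40:00 c2 imapd: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
Aug 26 05:41:00 c2 imapd: LOGIN FAILED, user=frank, ip=[2001:db8::17]
"""

# syslog prefix, node name, daemon name, then courier's failed-login message
LOGIN_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<svc>imapd|pop3d)(?:-ssl)?: LOGIN FAILED, user=(?P<user>[^,]*), "
    r"ip=\[(?P<ip>[^\]]+)\]$"
)


def parse_failed_login(line):
    """Return a dict for a failed-login line, or None for anything else."""
    m = LOGIN_FAILED.match(line.strip())
    if not m:
        return None
    ip = ip_address(m["ip"])
    # courier reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise
    # so the same client is counted once whichever node logged it
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # the relative comparisons below as long as one log file stays within a year
    ts = datetime.strptime(m["ts"].replace("  ", " "), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "service": m["svc"],
            "user": m["user"], "ip": str(ip)}


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Map client IP -> total failures, for IPs with at least `threshold`
    failed logins inside any `window_seconds` span (across all nodes)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_failed_login(line)
        if rec:
            events[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def dnsbl_records(ips, zone="bl.example.internal", answer="127.0.0.2"):
    """Render DNSBL A records (hypothetical zone): IPv4 octets reversed,
    IPv6 written as reversed nibbles, the way DNSBL clients query."""
    records = []
    for ip in sorted(ips, key=lambda s: (ip_address(s).version, int(ip_address(s)))):
        addr = ip_address(ip)
        if addr.version == 4:
            label = ".".join(reversed(ip.split(".")))
        else:
            label = ".".join(reversed(addr.exploded.replace(":", "")))
        records.append(f"{label}.{zone}. IN A {answer}")
    return records


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG.splitlines())
    for record in dnsbl_records(hits):
        print(record)
```

Because the imapd/pop3d log lines already carry the client IP, this works today without touching authdaemon; the per-IP window is the piece that keeps a user with one mistyped password (198.51.100.7 above) off the blacklist while the account-walking client (192.0.2.10) is caught even though its attempts are spread over two nodes.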
_______________________________________________ courier-users mailing list cour...@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users