Stan Hoeppner wrote:
For example:  http://www.spamhaus.org/datafeed/

"The Spamhaus DNSBL Datafeed is a service for users with professional
DNSBL query requirements, such as corporate networks and ISPs. It offers
both a Query service and an Rsync service (you can choose)."

The paid "Query" service mentioned above requires the Postfix feature
you are asking about.  It's an authentication mechanism.

The Rsync service allows downloading the entire Spamhaus databases
multiple times a day and hosting them on a local dns server or via an
rbldnsd daemon on each MX.  The latter is suitable for those such as big
ISPs with massive mail flows, who cannot afford the latency of
over-the-wire, network-based dnsbl queries.

It's also a reasonable option due to cost; the paid query service is more expensive (at least at the level we were looking at here) compared to the rsync service.

A remote dnsbl query can take anywhere from 20-200 milliseconds (or
more) depending on number of hops and network conditions.  A query to a
local network dns server can take less than 1ms.  A query to an rbldnsd
daemon residing on the MX MTA host itself can occur in a few
microseconds, as it is an interprocess communication occurring at the
speed of system memory.  This is the preferred method for some of the
world's busiest MTAs.  All this performance comes at a cost:  the rbldnsd
method requires multiple gigabytes of system memory for the Spamhaus
zone files alone.

Hmm, no, less than 100M:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
28776 rbldns    20   0 81740  65m  700 S    0  3.3 118:49.42 rbldnsd

And this with a modest local blacklist loaded in as well. The on-disk files for all of the lists total just over 100M. We just run the Spamhaus data on a non-public zone on our general resolvers (running dnscache) and we have yet to see any latency problems.

The biggest sysadmin/network costs for the rsync service are in configuration (may need extra scripting to distribute the data to multiple rbldnsd instances, depending on how you want to arrange your DNS services - otherwise, it's "set up once, let it run") and update bandwidth - currently they provide a script intended to be called once a minute to update the zone data source files.

-kgd
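As an added illustration of the latency comparison discussed in this thread (not code from the thread or from Spamhaus), a small Python helper that builds the reversed-octet DNSBL query name, times the lookup through whatever resolver you hand it (a local rbldnsd, a caching resolver on the LAN, or a remote one), and only treats an answer inside 127.0.0.0/8 as "listed". The zone name is a placeholder (datafeed customers get their own private zone), and the resolver callback interface is an assumption of this example.

```python
import ipaddress
import socket
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Placeholder zone name: Spamhaus datafeed customers get their own private zone.
DNSBL_ZONE = "zen.dnsbl.example"
# A real "listed" answer is always inside 127.0.0.0/8; anything else is ignored.
DNSBL_ANSWER_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the lookup name: IPv4 octets reversed, then the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Default resolver: the host's stub resolver. None means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


@dataclass
class DnsblResult:
    name: str
    listed: bool          # True only for a 127.0.0.0/8 answer
    answer: Optional[str]
    elapsed_ms: float
    over_budget: bool     # lookup slower than the caller's latency budget


def dnsbl_lookup(ip: str, zone: str = DNSBL_ZONE,
                 resolver: Callable[[str], Optional[str]] = system_resolver,
                 budget_ms: float = 200.0) -> DnsblResult:
    """Query one DNSBL through the given resolver and time it. A wildcarded or
    hijacked zone answering with a public address is treated as not listed."""
    name = dnsbl_query_name(ip, zone)
    start = time.perf_counter()
    answer = resolver(name)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    listed = False
    if answer is not None:
        try:
            listed = ipaddress.IPv4Address(answer) in DNSBL_ANSWER_NET
        except ValueError:
            listed = False  # garbage answer, not a DNSBL reply
    return DnsblResult(name, listed, answer, elapsed_ms, elapsed_ms > budget_ms)
```

To reproduce the comparison in the thread, call `dnsbl_lookup` once with a resolver that asks the local rbldnsd or LAN cache and once with one that asks a remote server, and compare `elapsed_ms` and `over_budget`.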
