Hi Stephen, Many thanks for your shared experience. May I know how to implement the "smart-hosted" way you mentioned?
BTW, my issue is for outbound traffic: we will relay customers' traffic to the internet, and we don't know whether the mail is blocked or not before delivering...

Regards,
King

2015-07-03 22:06 GMT+08:00 Stephen Satchell <l...@satchell.net>:

> On 07/02/2015 11:56 PM, King Cao wrote:
>
>> Hi Wietse,
>>
>> Actually it's our relay MTA and cannot know if it's deliverable or not
>> until bounced by downstream...
>
> King:
>
> I ran into this problem when I used Postfix to front a large number of
> Plesk (qmail) and CPanel (exim) systems at a Web hosting company. My
> inbound MTA cluster was the focal point for inbound mail -- I did this to
> centralize all the anti-spam measures. A series of small Unix shell
> scripts would forward the valid mail addresses to the master MX boxes, so
> that they would know what inbound mail addresses were valid and which were
> not.
>
> Incoming mail was then distributed by the inbound MX cluster to the many
> Web boxes, spam already removed unless the customer didn't want spam
> removal on one or more mailboxes, so those boxes couldn't be DoSed by spam
> mail. Our business was Web hosting, after all.
>
> The inbound MX clusters would reject unwanted messages during the SMTP
> transaction, so that NDR bounce messages would be generated by the upstream
> MTA if appropriate. No bounce traffic was created by the inbound cluster
> itself.
>
> If the inbound cluster did create new mail (don't know why, but I'm a
> belt-and-suspenders man) any such mail was smart-hosted to my outbound MX
> servers. The outbound MX servers had per-endpoint rate-limiting to reduce
> the chance of being blocked due to mail volume. (Bulk mailers each had
> their own rate-limiting outgoing MX.)
>
> At my network edge, I blocked inbound port-25 mail to all but my inbound
> MX cluster. Customers could submit mail from "outside" to their Web server
> mail agent via port 587, as I recall, or by the sendmail(1) utility from
> within their Web sites.
>
> With this system, the only time the inside MTAs would generate NDR
> messages was when mail quotas were exceeded. Those NDRs were smart-hosted
> to my outbound MX servers. The volume of NDR traffic from each of the Web
> host MTAs was low enough that I didn't bother trying to deal with it.
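As an added illustration of the design Stephen describes (not his actual configuration), the pieces map onto Postfix main.cf settings roughly as below; the host names, map files and the reading of "per-endpoint" as per-destination-domain are assumptions of this example.

```ini
# --- Inbound MX cluster (main.cf excerpt, illustrative) ---
# Accept only hosted domains and only the recipients the hosting boxes have
# reported as valid (relay_recipients entries look like "user@example.com OK"),
# so unknown addresses are refused inside the SMTP transaction and the
# inbound cluster never has to generate a bounce of its own.
relay_domains        = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# Hand each hosted domain to its Web box; the transport file holds lines
# such as "example.com smtp:[web7.hosting.example]" (placeholder names).
transport_maps = hash:/etc/postfix/transport

# Anything the inbound cluster itself originates (the rare locally generated
# notice) is smart-hosted to the outbound servers rather than sent direct.
relayhost = [outbound-mx.hosting.example]

# --- Outbound MX servers (main.cf excerpt, illustrative) ---
# Per-destination throttling: limit parallel sessions to any one remote
# domain and space successive deliveries to it, so volume to a single
# receiver stays low enough not to trigger blocking.
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay        = 2s
```

The customer Web boxes (qmail or exim in Stephen's case) would point their own smarthost setting at the outbound cluster so that quota NDRs take the same path.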