cgi-bin Scripts w/Multiple Mail Servers

Vernon Schryver vjs@calcite.rhyolite.com
Thu Oct 3 18:03:58 UTC 2002


> From: P David Schaub <dschaub@dschaub.com>

> I'm curious how folks with multiple mail servers are handling whitelisting
> using the cgi-bin scripts provided in the DCC distribution.

Is anyone using those scripts?  I'd like to think so, but I've no evidence.

>                                                              The way I
> understand it when using sendmail w/dccm each client needs to have access
> to a common set of whitelist files.  If that is correct then I see three
> possible options:
>
> -> Run one dccm for all sendmail instances - downside here is that you
> can't use a unix socket for your milter...you have to use an inet socket.
> Also the entire message is passed across the network to the dccm daemon as
> opposed to simple checksums from dccm to dccd.  On the plus side, managing
> client whitelists is quite simple.
>
> -> Run a cronjob to periodically move a master list of whitelist files from
> a single instance of dccm running the cgi-bin scripts to all of the other
> dccm clients.
>
> -> Mount the userlist directory across an NFS mount so it can be shared by
> all systems.  I'm not sure what implications this has on file locking...
>
> Have I missed something?  Is there a much better way of doing business?

My main disagreement is that dccm and the cgi-bin scripts are separate
mechanisms.  Dccm merely looks at /var/dcc/whiteclnt and dumps messages
into log directories.  The cgi-bin scripts only look for log files
and fiddle with the whiteclnt file.  The simplest case is to have
the HTTP server that runs the scripts be on the same computer that
runs dccm, but that's not the only possibility.

NFS mounting the log directories on computers running dccm should be ok,
because the worst that would happen even on systems such as Solaris that
don't understand fcntl() locking over NFS would be the loss or corruption
of an occasional log file.  I strongly recommend against NFS mounting
the binary whiteclnt.dccw files on systems like Solaris because dccm and
dccproc need write-access to whiteclnt.dccs.  Even on systems such as IRIX
that support file locking over NFS, lock-daemon chatter would be
irritating if not necessarily a performance problem.  Dccm only reads the
ASCII whiteclnt files and only occasionally, so having a single HTTP
server write it and several dccm-running computers read it should be
tolerable, if the operating system tolerates the fcntl()s.

If your total DCC traffic is low enough to use a single instance of dccm
and if your MX servers are close enough that milter/TCP/IP packets would
not traverse the Internet, then the first alternative may be best.  The
sendmail milter mechanism involves a large number of round trips between
the filter process (e.g. dccm) and sendmail, but I doubt that number is
large enough to matter if you can use a single dccm process.


Vernon Schryver    vjs@rhyolite.com
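
For the cron-job alternative in the quoted question, each dccm host can install its local copy of the ASCII whitelist so that a reader never sees a half-written file. The following is an added example, not part of the original post or of the DCC distribution; the function name and the staging path are hypothetical, and the cron job is assumed to have already copied the master file to the staging path.

```shell
#!/bin/sh
# install_whitelist SRC DST
#   SRC: freshly fetched copy of the master whitelist (hypothetical staging
#        path, e.g. somewhere under /var/tmp)
#   DST: the local ASCII whitelist dccm reads (/var/dcc/whiteclnt in the post)
# Returns 0 if DST was replaced, 2 if it was already identical,
# 1 if the new copy was rejected or the install failed.
install_whitelist() {
    src=$1
    dst=$2

    # A failed transfer often leaves an empty file; refuse to install it
    # rather than silently wiping every whitelist entry.
    if [ ! -s "$src" ]; then
        echo "install_whitelist: rejecting empty or missing $src" >&2
        return 1
    fi

    # Identical content: leave DST and its timestamp alone.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 2
    fi

    # Stage inside DST's directory so the final mv is a rename within one
    # local filesystem: a reader opens the old file or the new one.
    tmp=$(mktemp "$(dirname "$dst")/.whiteclnt.XXXXXX") || return 1

    # Inherit mode (and owner, when permitted) from the current file, so
    # the process reading DST can still read it after the swap.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    if cat "$src" > "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

On a first install there is no existing file to inherit permissions from, so the new file keeps mktemp's owner-only mode until it is adjusted.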


