one verify.db with two postfix instances?


one verify.db with two postfix instances?

Stefan Jakobs
Hello list,

I use Postfix 2.4.3 on two (actually four, but let's assume two) mailgateways.
Both do recipient verification and cache the results with the
address_verify_map (verify.db). Sometimes it happens that a foreign server
tries to deliver a message and gets a 4xx response from one of my servers
because the recipient verification doesn't finish in time. Then it waits some
time and tries the other one. From that one it gets a 4xx response, too,
because the second server doesn't know that the first server has already
done the recipient verification and does it again by itself. This process
delays the delivery of a message and I like to avoid that.
My idea: Is it possible to use one verify.db, let's say on a NFS share, with
two (or more) postfix servers? Or will it produce problems with accessing the
file?

+----------------+
|postfix server 1|----+    
+----------------+    |        +---------+
                      +--------|verify.db|
+----------------+    |        +---------+ NFS
|postfix server 2|----+
+----------------+                        

My postconf -n output:
2bounce_notice_recipient = <censored>
address_verify_map = btree:/etc/postfix/verify
address_verify_sender = <>
alias_maps = hash:/etc/mx/aliases, hash:/etc/mx/report_aliases
body_checks = regexp:/etc/mx/body_checks
bounce_notice_recipient = <censored>
bounce_queue_lifetime = 1d
bounce_size_limit = 1
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_process_limit = 300
delay_notice_recipient = <censored>
disable_vrfy_command = yes
error_notice_recipient = <censored>
header_checks = regexp:/etc/mx/header_checks
html_directory = no
lmtp_connect_timeout = 1
mail_owner = postfix
mailbox_size_limit = 2000000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 5d
mydestination = $myhostname localhost.$mydomain
mydomain = <censored>
mynetworks = 127.0.0.0/8 /etc/mx/networks
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = fast_flush_domains,mynetworks,relay_domains
queue_directory = /var/spool/postfix
queue_minfree = 100000000
readme_directory = /usr/share/doc/packages/postfix/README_FILES
recipient_bcc_maps = hash:/etc/mx/recipient_bcc
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/mx/recipient_canonical
relay_domains = $mydestination /etc/mx/domains
relocated_maps = hash:/etc/mx/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_client_connection_count_limit = 15
smtpd_client_connection_rate_limit = 30
smtpd_client_restrictions = check_client_access hash:/etc/mx/client_access  
permit_mynetworks  reject_unknown_reverse_client_hostname  permit
smtpd_data_restrictions = reject_unauth_pipelining  permit
smtpd_error_sleep_time = 0
smtpd_etrn_restrictions = reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname  permit
smtpd_recipient_restrictions = reject_non_fqdn_recipient  
reject_unknown_recipient_domain  check_recipient_access
hash:/etc/mx/recipient_access  permit_mynetworks  check_recipient_access  
reject_unauth_destination permit
smtpd_sender_restrictions = reject_non_fqdn_sender  check_sender_access
hash:/etc/mx/sender_access  reject_unknown_sender_domain  permit
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/mx/transport
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550

Thanks for help.

Greetings
Stefan              

Re: one verify.db with two postfix instances?

Wietse Venema
Stefan Jakobs:

> Hello list,
>
> I use Postfix 2.4.3 on two (actually four, but let's assume two) mailgateways.
> Both do recipient verification and cache the results with the
> address_verify_map (verify.db). Sometimes it happens that a foreign server
> tries to deliver a message and gets a 4xx response from one of my servers
> because the recipient verification doesn't finish in time. Then it waits some
> time and tries the other one. From that one it gets a 4xx response, too,
> because the second server doesn't know that the first server has already
> done the recipient verification and does it again by itself. This process
> delays the delivery of a message and I like to avoid that.
> My idea: Is it possible to use one verify.db, let's say on a NFS share, with
> two (or more) postfix servers? Or will it produce problems with accessing the
> file?

You can't have more than one process writing to a Berkeley DB verify
database, not even when they run on the same machine.

If you want to share the file with more than one Postfix server,
you have several options.

Option 1 uses the Postfix 2.5 proxywrite service, plus some
source code changes:

- Add a configuration parameter "proxywrite_service" that
  has a default of MAIL_SERVICE_PROXYWRITE.

- Update dict_proxy.c so that it understands "proxywrite_service
  = inet:host:port".

- Update master.cf to run the proxywrite service on an "inet"
  socket.

- Firewall this service from the idiots on the Internet.

Option 2 adds "update" support to the Postfix mysql client.

        Wietse
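
The single-writer arrangement that option 1 relies on, as an added example that is not part of the original thread and is not Postfix code or the proxywrite protocol: one process owns the cache, the gateways send it lookups and updates over TCP, and peers outside an allow-list are dropped. The line protocol, the names (VerifyCache, ALLOWED_PEERS, request, demo) and the in-memory dict standing in for verify.db are assumptions made for illustration.

```python
import socket
import socketserver
import threading

ALLOWED_PEERS = {"127.0.0.1"}  # assumption: the gateways' addresses go here

class VerifyCache:  # the only owner of the cache; a lock serialises all access
    def __init__(self):
        self._lock = threading.Lock()
        self._data = {}  # stand-in for the on-disk btree file

    def handle(self, line):
        parts = line.split()
        with self._lock:
            if len(parts) == 3 and parts[0] == "update":
                self._data[parts[1]] = parts[2]
                return "ok"
            if len(parts) == 2 and parts[0] == "lookup":
                return self._data.get(parts[1], "notfound")
        return "bad-request"

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        if self.client_address[0] not in ALLOWED_PEERS:
            return  # unknown peer: close without reading, so it cannot write to the cache
        for raw in self.rfile:
            reply = self.server.cache.handle(raw.decode("utf-8", "replace").strip())
            self.wfile.write((reply + "\n").encode())

def start_server(host="127.0.0.1", port=0):
    server = socketserver.ThreadingTCPServer((host, port), Handler)
    server.daemon_threads = True
    server.cache = VerifyCache()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def request(addr, line):
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall((line + "\n").encode())
        with s.makefile() as f:
            return f.readline().strip()

def demo():
    server = start_server()
    # constructed sample: "gateway 1" stores a probe result, "gateway 2" then looks it up
    lines = ("update user@example.com deliverable", "lookup user@example.com", "lookup other@example.com")
    replies = [request(server.server_address, l) for l in lines]
    server.shutdown()
    server.server_close()
    return replies
```

The allow-list complements the firewall rule from the reply and does not replace it: any peer that can reach an update-capable cache service can put entries into every gateway's verification results.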