
en - [sympa-users] RE: Are separate IPs desirable for the MTA and web interface ?

Subject: The mailing list for listmasters using Sympa

  • From: John Gibson <address@concealed>
  • To: Malcolm Waltz <address@concealed>
  • Cc: "'address@concealed'" <address@concealed>
  • Subject: [sympa-users] RE: Are separate IPs desirable for the MTA and web interface ?
  • Date: Fri, 27 Jan 2012 09:55:18 -0800

Malcolm,

 

Super helpful !

 

Thanks.

 

John

 

From: Malcolm Waltz [mailto:address@concealed]
Sent: Thursday, January 26, 2012 6:35 PM
To: John Gibson
Cc: 'address@concealed'
Subject: RE: Are separate IPs desirable for the MTA and web interface ?

 

Hi John,

 

I'm sorry I misunderstood your original question.  We use just one IP address for the server.  I didn't see a need to have separate IPs in our environment.

 

For simplicity's sake, I would suggest using a single IP address, unless your environment is specifically set up to isolate certain types of traffic to certain networks, in which case you would have plenty of other examples of multi-homed systems in your environment.

 

If you do plan to use multiple IPs on separate Ethernet interfaces, it would be good to make sure that they are on _separate_subnets_ and that you have all of the IP routing planned in advance (you may need custom route entries on your server or a dedicated link to your mail relays).  You could also configure Apache to listen exclusively on one of the IPs and Postfix to listen exclusively on the other (+ localhost).

 

In a situation where multiple Ethernet interfaces with unique IP addresses are on the same subnet, typically only one of those interfaces will be used for outbound traffic from the server to the network.  This means for one of the IPs, you will have a split route, with inbound traffic going to the first interface and outbound traffic (for the same TCP connections) leaving from the second interface (or vice versa).  If the interface associated with the outbound route becomes unavailable in certain ways (i.e. ifconfig eth1 down), you could lose all connectivity to the system.  This makes the system less reliable than a single IP address on a single link.  It also fails to isolate the two types of traffic.  This can be verified with "netstat -rn" on most systems (or tcpdump, wireshark, etc).

 

A better way to implement multiple IP addresses on the same host on the same subnet (if you must), is to put them on the same Ethernet interface (though this would not isolate web and mail traffic).  All modern server OSs can do this (and most desktop OSs).  If your environment supports some form of fail-over or ether-channeling for redundancy, you could layer both of those IPs on top of the redundant Ethernet connections (giving you redundancy for both IPs).

 

In my experience, mail traffic doesn't really affect the web interface much.  University of the Pacific does not run the biggest mailing list server on this discussion list, but it's reasonably active with 330 lists and over 22,000 unique subscribers.  Messages routinely go out to a list with over 9,000 subscribers with no noticeable effect on the performance of the web-interface.  There _are_ things that will slow down the web interface of Sympa.  Most notably a large number of lists causes a lot of disk-IO before the "List of lists" page can be displayed for instance.  If you search the archive of this discussion list, you will see plenty of references to that problem (and a few solutions).  You will also want to use the mod_fcgid Apache module, or the web interface will be terribly slow.

 

I would expect that you would get a better performance advantage by using separate disks for Sympa and your postfix queues than by using separate Ethernet interfaces (I could be wrong).  I also found that tuning Sympa and the MTA to be in line with your SMTP gateways can give a significant performance increase.  For instance, our SMTP gateways are configured to allow 50 recipients per message.  By default Sympa is configured to send out messages in groups of 25 recipients per message (nrcpt in sympa.conf, default_destination_recipient_limit for Postfix).  Increasing that parameter to match our SMTP gateways cut the number of messages leaving the server in half (for larger lists).  The SMTP gateways then further divide up the recipients as necessary when delivering to other MTAs at other organizations (like Yahoo, etc).  This particular tuning is not effective if "Allow message personalization (merge_feature)" is turned on, since the server has to send out individual messages for each recipient.

 

If security is your concern and not performance as I have assumed, you are probably better off using a single IP and using some combination of host-based firewall rules (ipchains, ipfw, pf, etc) and IP-based restrictions from within Apache and Postfix.  I'm sure there are exceptions to this (DMZ).

 

I hope this helps.

 

Malcolm Waltz

Unix Systems Administrator III

Office of Information Technology

University of the Pacific

 

From: John Gibson [mailto:address@concealed]
Sent: Thursday, January 26, 2012 12:40 PM
To: Malcolm Waltz
Subject: RE: Are separate IPs desirable for the MTA and web interface ?

 

Malcolm,

 

Your design of the Sympa MTA (postfix) routing only to/from gateways is what I was planning, so it is nice to get confirmation of that methodology.

 

What I was wondering is whether the Sympa server should have two ethernet ports configured.  One for the MTA and one for the web server.  Do you have only one ethernet address configured for everything ?

 

Thanks for your previous response !

 

…john

 

From: Malcolm Waltz [mailto:address@concealed]
Sent: Thursday, January 26, 2012 12:23 PM
To: John Gibson; address@concealed
Subject: RE: Are separate IPs desirable for the MTA and web interface ?

 

Hi John,

 

Personally, I would recommend always having an MTA on the same server as Sympa (or mailman, or whatever).  It will be much easier to integrate features of the MTA with Sympa (aliases, etc).  If your Sympa server loses network connectivity, it's not as big a problem because messages will just queue locally.  With a local MTA, you have more control on how messages come and go from the server.  I would think that troubleshooting would be easier and there could be a performance advantage (potentially) by using a local MTA.

 

You can always choose to route mail through another MTA for inbound mail, outbound mail or both.  In our environment, Sympa is configured to use a local MTA (postfix), but that MTA only communicates with our SMTP gateways.  All inbound and all outbound mail is routed through our gateways, which are also our SPAM filters.

 

Good luck,

 

Malcolm Waltz

Unix Systems Administrator III

Office of Information Technology

University of the Pacific

 

 

From: address@concealed [mailto:address@concealed] On Behalf Of John Gibson
Sent: Thursday, January 26, 2012 11:05 AM
To: address@concealed
Subject: [sympa-users] Are separate IPs desireable for the MTA and web interface ?

 

Any suggestions would be appreciated.  This is my first installation.

 

Should Sympa be configured with one IP address, or multiple addresses ?

 

It seems like it might be helpful to have separate paths for the different services (http, smtp).

 

…john
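
The split-route condition described in the thread above (two interfaces on one subnet, checked with "netstat -rn"), as an added example that is not part of any poster's message: it reads the interface addresses and the routing table and lists the local IPs whose replies would leave through a different interface than the one they arrived on. The sample command output, the addresses and the function names are constructed for illustration, and the model assumes plain destination-based routing with no policy or source-based rules.

```python
import ipaddress

# Constructed sample: simplified `ip -o -4 addr show` output (not from the thread).
ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 192.0.2.20/24 brd 192.0.2.255 scope global eth1
"""

# Constructed sample: Linux `netstat -rn` output for the same host.
ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

def parse_addrs(text):
    """Return [(iface, IPv4Interface)] for every non-loopback address."""
    rows = (line.split() for line in text.splitlines())
    found = [(f[1], ipaddress.ip_interface(f[3])) for f in rows if len(f) >= 4 and f[2] == "inet"]
    return [(name, ifc) for name, ifc in found if not ifc.ip.is_loopback]

def parse_routes(text):
    """Return [(IPv4Network, iface)] from netstat -rn rows, in table order."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0][0].isdigit():  # skips the two header lines
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[7]))
    return routes

def egress_iface(routes, dest):
    """Longest-prefix match; on a tie the earlier row wins (model assumption)."""
    best = None
    for net, iface in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def split_routes(addr_text, route_text, peer):
    """Local IPs whose replies to `peer` leave via a different interface."""
    out_if = egress_iface(parse_routes(route_text), ipaddress.ip_address(peer))
    return [(str(ifc.ip), in_if, out_if)
            for in_if, ifc in parse_addrs(addr_text) if in_if != out_if]

if __name__ == "__main__":
    print(split_routes(ADDRS, ROUTES, "198.51.100.7"))
```

An empty list means every local address sends and receives on the same interface, which is the case when both IPs sit on one Ethernet interface.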



