efa in the cloud

MattS
Posts: 20
Joined: 12 Dec 2017 14:00

efa in the cloud

Post by MattS »

The blacklisting feature in efa is a bit lacking on the ease of use front when dealing with the 12 domain names we use, having to add each IP address to blacklist for each domain we have without any seeming option to use a wildcard or CIDR notation. I decided, in exasperation, to take the nuclear option with our firewall at the network edge to block four class C networks that are responsible for probably 80+% of the spam we receive each day. These spam networks have of course started dumping all of their s&$t through our external SMTP backup service which means we're effectively worse off than we were originally as we obviously can't block the IP addresses of the backup mail service.

I'm now trying to weigh up whether to move to a commercial antispam service for all of the incoming mail and effectively hand the problem to somebody else to keep ticking along. Though this might become expensive to protect 12 domains (<15 actual physical users) even though only three of those are really in use as far as incoming mail is concerned.

Alternatively, I could dump our existing backup SMTP service and deploy efa somewhere in the cloud to effectively act as a backup SMTP server and to also filter the inbound rubbish but I'm not sure on the sizing required. It rapidly gets expensive if I size it based on the efa requirements and wondered whether anybody had a decent handle on the viable sizing of an efa install on a cloud hosting service or cloud virtual machine for circa 2,000 inbound emails a day?

Hopefully makes vague sense....
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: efa in the cloud

Post by henk »

"without any seeming option to use a wildcard or CIDR notation."
There are quite some options, you just need to search this forum.

On Country and IP cidr blocks.
viewtopic.php?t=2659
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
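
An added example, not part of either post above: one way to find which /24 ("class C") networks account for most rejected mail and to emit them as CIDR entries, while never listing the backup mail service's own range. It assumes Postfix smtpd `reject: RCPT from host[ip]` log lines and the Postfix CIDR lookup-table format (`network/prefix action`); the log lines, addresses and thresholds are constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# Client address inside a Postfix smtpd reject line: "... RCPT from host[1.2.3.4]: ..."
CLIENT_RE = re.compile(r"reject: RCPT from \S+\[([0-9a-fA-F.:]+)\]")

def _line(ip):
    """Build one constructed reject line (not real log data)."""
    return (f"Jan 10 08:00:01 efa postfix/smtpd[1201]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 554 5.7.1 rejected")

# Constructed sample: two noisy /24s, the backup MX (192.0.2.10), one stray sender.
SAMPLE_LOG = [_line(ip) for ip in (
    "198.51.100.17", "198.51.100.18", "198.51.100.90", "198.51.100.201",
    "203.0.113.5", "203.0.113.6", "203.0.113.77",
    "192.0.2.10", "192.0.2.10", "198.18.7.1",
)] + ["Jan 10 08:00:02 efa postfix/smtpd[1201]: connect from unknown[198.18.7.1]"]

def top_networks(log_lines, never_block=(), prefix=24, min_share=0.2):
    """Return [(network, hits, share)] for networks with at least min_share of rejects.

    Addresses inside never_block (e.g. the backup MX range) are skipped, because
    mail relayed by that service must still be accepted and filtered by content.
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    counts = Counter()
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not a reject line
        ip = ipaddress.ip_address(m.group(1))
        if ip.version != 4 or any(ip in net for net in protected):
            continue
        counts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    total = sum(counts.values())
    return [(net, n, n / total) for net, n in counts.most_common()
            if n / total >= min_share]

def cidr_table(networks, action="REJECT"):
    """Render the result as Postfix CIDR table lines: '<network>\\t<action>'."""
    return "\n".join(f"{net}\t{action}" for net, _, _ in networks)

if __name__ == "__main__":
    print(cidr_table(top_networks(SAMPLE_LOG, never_block=["192.0.2.0/24"])))
```

Spam that arrives through the backup service still shows that service's address as the SMTP client, so a client-address table like this cannot stop it.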
amaclach
Posts: 26
Joined: 14 Aug 2023 06:53

Re: efa in the cloud

Post by amaclach »

Sorry to resurrect this necro-thread, but I'm going through some sizing exercises at the moment.
I guess it's going to depend mostly on the number of MailScanner threads you elect to run and your users' appetite for delays if mail starts backing up.
I'd start by looking at the actual load on your production system and work from there - if you have 8GB memory and it's only using 3GB at peak times, try downsizing the memory and see how it goes. If you don't have any mail queues building up during business hours, then maybe reduce the MailScanner child processes - that should also reduce memory consumption - again the real measure is if messages are delayed in any meaningful way during business hours (who cares if queues build up overnight when a huge batch of spam hits the gateway - as long as the queue is clear by the morning, all is good).
Anyway I just ordered a (probably) oversized VPS and I'm going to run it for a while to see how it copes and how I can right-size it before I add additional hosts for redundancy and to share the load. I'll be turning the message retention right down to save SSD space, and the MailScanner children down to 2 then increasing as necessary.
I'm getting the filter appliances to do all the heavy lifting so that the mail hosts don't have to do any anti-spam/anti-malware stuff and they can be kept as light and simple as possible.

One thing I learned today is that Azure don't block inbound SMTP traffic, but don't allow anything outbound - so the net effect is that they are blocking SMTP because the SMTP service can't have a conversation with the sender. That's confirmed with portscans and manual testing.
They DO however allow authenticated TLS wrapped sessions with smarthosts over 587/TCP.

https://learn.microsoft.com/en-us/azure ... nnectivity

That's OK for MailHosts hosted in Azure so long as they communicate with the filter over this port and send outbound through the filter this way too - I just need to host the filters NOT on Azure - which I was planning on doing anyway. Good to keep the options open and to keep things flexible!
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: efa in the cloud

Post by henk »

Planning and stuff hosted in Azure: MariaDB retirement and migration.
https://learn.microsoft.com/nl-nl/azure ... to-mariadb
amaclach
Posts: 26
Joined: 14 Aug 2023 06:53

Re: efa in the cloud

Post by amaclach »

I'm kind of over hosting stuff on Azure. For quick tests I tend to fire up a local VM. If I need anything long term I add another VPS from my VPS provider, and if it's just a quick test that needs full inbound internet connectivity, then I will fire up an Azure VM for the few hours that I need it for.
The only thing that I use long term is the load balancing service.