On Thu, 2015-07-16 at 12:26 +0300, James Bottomley wrote:
> > Yeah, at the moment I believe 'unacceptable' mail to vger lists just
> > gets black-holed. Leaving users wondering WTF they did wrong. Or just
> > wondering why they didn't get any responses.
> >
> > It would be much nicer to do the same tests at SMTP time, giving the
> > rejection immediately.
>
> I'll let DaveM speak for himself on vger, but the reason I don't do this
> type of thing at SMTP time is that it holds the connections open and you
> can easily swamp the system. If you queue the scans, you have a much
> tighter control on your machine load (admittedly my "cloud" system is
> still a single processor i586 so I might be slightly behind the
> technology curve).

It's no *additional* work; the scanning was being done anyway.

Yes, it means you keep a TCP socket open while you do the scan. But that
really shouldn't be a big resource issue. If the machine is overloaded,
it can stop taking incoming connections or it can slow them down. Both
of which will happen naturally. The overall result will be that there's
a slight delay, and it accepts the mail later instead. Which is
basically the same as if the message is queued and processed later.

Besides, I believe most of the scans we're talking about¹ are simple
regex stuff and just shouldn't take that long anyway. Although many
people *do* run things like CRM114/ClamAV/SpamAssassin at SMTP time, even
on i586-class machines.

-- 
dwmw2

¹ http://vger.kernel.org/majordomo-taboos.txt
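
The difference a sender sees between the two approaches discussed in this thread, as an added example that is not part of the original message and is not vger's or majordomo's code. The taboo rules, function names and sample messages are constructed for illustration, and the 550/250 reply texts are assumed wording.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed rules for illustration; NOT the contents of majordomo-taboos.txt.
TABOO_HEADERS = [
    ("Content-Type", re.compile(r"text/html", re.I), "HTML mail not accepted"),
    ("Subject", re.compile(r"^\s*$"), "empty subject"),
]
TABOO_BODY = [(re.compile(rb"(?i)click here to unsubscribe"), "bulk boilerplate")]

def scan(raw):
    """Return why the message is unacceptable, or None if it passes."""
    msg = message_from_bytes(raw, policy=default)
    for name, pattern, reason in TABOO_HEADERS:
        # A missing header is scanned as an empty value.
        for value in msg.get_all(name, [""]):
            if pattern.search(str(value)):
                return reason
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) > 1 else b""
    for pattern, reason in TABOO_BODY:
        if pattern.search(body):
            return reason
    return None

def reply_at_smtp_time(raw):
    """Scan before answering end-of-DATA; returns (SMTP reply, delivered)."""
    reason = scan(raw)
    if reason:
        return "550 5.7.1 Message rejected: " + reason, False
    return "250 2.0.0 Accepted", True

def reply_then_queue_scan(raw):
    """Accept first, scan from the queue; a failing message vanishes silently."""
    return "250 2.0.0 Accepted", scan(raw) is None

# Constructed sample messages.
HTML_MAIL = (b"From: user@example.org\r\nTo: list@example.org\r\n"
             b"Subject: patch question\r\n"
             b"Content-Type: text/html; charset=utf-8\r\n\r\n<p>Hello</p>\r\n")
PLAIN_MAIL = (b"From: user@example.org\r\nTo: list@example.org\r\n"
              b"Subject: patch question\r\n"
              b"Content-Type: text/plain; charset=utf-8\r\n\r\nHello\r\n")

if __name__ == "__main__":
    for label, raw in (("html", HTML_MAIL), ("plain", PLAIN_MAIL)):
        print(label, reply_at_smtp_time(raw), reply_then_queue_scan(raw))
```

Both functions run the same `scan()` once per message; only the point at which the verdict is produced, and whether the sending side ever learns it, differs.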