On 12/03/2011 09:48 PM, Pandu Poluan wrote:
> Thanks! Very helpful resources.
> You mentioned amavisd-new. What's their relationship? I mean, if I
> deploy postscreen, how will it affect amavisd-new?

Postscreen sits in front of smtpd, and handles all incoming connections.
It hands the "good" connections off to the real smtpd daemon.
Amavisd-new (in both before/after-queue configurations) interacts with
the real smtpd, so postscreen doesn't directly affect it at all.

What was I talking about?

With amavisd-new, a before-queue filter is generally nicer, because you
can reject spam, notifying the sender, rather than discarding it or
backscattering. But, amavisd-new is a hog, and with a before-queue
filter, an amavis process gets used every time ANY connection is made.
Since 95% of your connections will be crap (that is a technical term),
you waste tons of resources creating/killing amavisd-new processes for
botnets and other scum that will be rejected quickly.

On a busy server, it will kill you.

Postscreen only passes the "good" connections to a real smtpd, so with
postscreen running, new amavis processes only get used for those good
connections. If postscreen can reject 90% of the incoming
connections, you'll use an order of magnitude less resources doing
before-queue filtering than you would without postscreen.

So, in essence, postscreen is what allows you to run the before-queue
filter with comparable resources to the after-queue filter.
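
A Postfix layout for the arrangement this message describes, added here as an illustration and not part of the original post. The ports (10024 inbound to amavisd-new, 10025 for re-injection), the process limit of 20 and the DNSBL name are assumptions; keep the smtpd process limit no higher than the number of amavisd-new workers.

```conf
# ---- /etc/postfix/master.cf (constructed example) ----

# postscreen owns port 25: one process screens every inbound connection.
smtp      inet  n       -       n       -       1       postscreen

# Real smtpd: only sees connections postscreen has passed on.
# smtpd_proxy_filter makes amavisd-new a before-queue filter, so an
# amavisd-new worker is tied up only for clients that survived screening.
smtpd     pass  -       -       n       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o smtpd_client_connection_count_limit=10

# Helper services postscreen uses for DNSBL lookups and STARTTLS.
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

# Re-injection listener: amavisd-new hands filtered mail back here.
# Loopback only, with the checks already done on the front smtpd cleared.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o smtpd_proxy_filter=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8

# ---- /etc/postfix/main.cf (constructed example) ----

# Never screen our own networks.
postscreen_access_list = permit_mynetworks
# Drop clients that talk before the SMTP greeting.
postscreen_greet_action = enforce
# dnsbl.example.org is a placeholder; substitute the lists you trust.
postscreen_dnsbl_sites = dnsbl.example.org*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
```

Run `postfix check` after editing, then watch the postscreen log lines to confirm which clients are rejected before any smtpd or amavisd-new process is involved.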