Re: 4xx or 5xx: just a matter of taste?
On 01/10/2007, Riaan Kok [EMAIL PROTECTED] wrote: I'd still be interested if you or anybody have a rough idea what difference policyd-weight's cache makes on a system where PW already uses a caching DNS server on localhost.. especially because the latest patch at Version 0.1.14 beta-10 disables the PW cache for whomever wants to use 421's as their primary go-away action. or, maybe that patch only applies for triggers of DEFER_STRING? (hehe, in which case I should get used to being wrong!) Riaan
Re: 4xx or 5xx: just a matter of taste?
On Mon, Oct 01, 2007 at 01:41:56PM +0100, Riaan Kok wrote: On 01/10/2007, Robert Felber [EMAIL PROTECTED] wrote: On Mon, Oct 01, 2007 at 11:47:50AM +0100, Riaan Kok wrote: Fair enough, about default intentions, but the default operation of policyd-weight does not adhere to this. As low scores are more likely to be good and high scores are more likely to be bad, most of your false positives will sit in the score range just above the REJECTLEVEL.. And by default, everything above REJECTLEVEL and below DEFER_LEVEL gets deferred Not everything but clients whose log-line match DEFER_STRING. Which is SPAMCOP (a temporarily issue) and BOGUS_MX (a testing safety). ok, whoops, my misinterpretation then: it was not very clear to me from the .conf's notes that DEFER_LEVEL and DEFER_STRING are related. I'd still be interested if you or anybody have a rough idea what difference policyd-weight's cache makes on a system where PW already uses a caching DNS server on localhost.. Negative answeres reach their time to life rather quickly. Also this overrules RRs with a short TTL. In addition: 1 unix socket lookup should be quicker than ~ 15 DNS lookups. especially because the latest patch at Version 0.1.14beta-10 disables the PW cache for whomever wants to use 421's as their primary go-away action. thanks, Riaan -- Robert Felber (PGP: 896CF30B) Munich, Germany Policyd-weight Mailinglist - http://www.policyd-weight.org/
4xx or 5xx: just a matter of taste?
(starting a new thread as this is a bit of a heavy post, and doesn't quite belong under the previous question/subject) On 19/09/2007, Robert Felber [EMAIL PROTECTED] wrote: On Wed, Sep 19, 2007 at 09:56:48AM +0100, Riaan Kok wrote: What's the thinking behind choosing between 450s and 550s in policyd-weight? Be more specific? It seems to me that in policyd-weight, by default, 450s are used for clients with DNS errors or client connections with a lowish score (and stuff shortcircuited in the DEFER_STRING), and 550s then for everything else: high scoring clients, multi-RBL-listed clients, etc. I'm not sure that I understand the reasoning that has gone before here (especially, why being listed in spamcop (IN_SPAMCOP) or having a bogus mx record would shortcircuit the default reject to the defer_action?). Anyway, my understanding of 4xx versus 5xx is this: a 4xx (defer) from an MTA means go-away-and-try-again-later (keeping the responsibility with the client), and a 5xx pretty much means go-away-and-notify-the-sender (shifting the responsibility to the sender). By far the most of the messages that gets rejected by policyd-weight in sheer numbers seems to be by hardcore listed spamfountains, and it doesn't really matter how you reject the msg as long as you don't allow it! Also, these clients will just keep on inventing new messages and senders so it doesn't matter whether you defer or reject, they will sit there and hog your smtpd processes and try and try again. In the worst case, 5xx rejects on these will create scatter to faked senders. The remaining percentage of rejected messages will be from poorly-configured-yet-well-meaning clients, where the SENDER is either an uncaring webmailer or server daemon, or a clueless human with no idea or control over the reason for the reject.. And the most reliable way of notifying the administrator of the offending client (rather than the clueless sender) seems to me to be: letting a queue grow on his/her server by issuing 4xx defers! Which will allow all non-expired messages to be delivered anyway as soon he/she gets around to fixing the client's problem (RBL/HELO/etc). Soo, I'm not quite sure in what scenario one would ever want to use a 5xx reject for policy stuff. The last piece of the puzzle is that there seems to be a growing tendency to recommend using 421 actions for some RBLs, as recent Postfix versions (2.3+, I think) treat 421 (closing channel) actions quite literally: the server process does just that, it closes the channel, disconnecting without waiting for the client to issue a QUIT, freeing up the smtpd process for a new, hopefully legit, incoming connection. Here's what I'm thinking: Why not use 421 across the board in policyd-weight? my regards, Riaan
Re: 4xx or 5xx: just a matter of taste?
Original-Nachricht Datum: Thu, 20 Sep 2007 19:10:31 +0100 Von: Riaan Kok [EMAIL PROTECTED] An: policyd-weight-list@ek-muc.de Betreff: 4xx or 5xx: just a matter of taste? (starting a new thread as this is a bit of a heavy post, and doesn't quite belong under the previous question/subject) On 19/09/2007, Robert Felber [EMAIL PROTECTED] wrote: On Wed, Sep 19, 2007 at 09:56:48AM +0100, Riaan Kok wrote: What's the thinking behind choosing between 450s and 550s in policyd-weight? Be more specific? It seems to me that in policyd-weight, by default, 450s are used for clients with DNS errors or client connections with a lowish score (and stuff shortcircuited in the DEFER_STRING), and 550s then for everything else: high scoring clients, multi-RBL-listed clients, etc. I'm not sure that I understand the reasoning that has gone before here (especially, why being listed in spamcop (IN_SPAMCOP) or having a bogus mx record would shortcircuit the default reject to the defer_action?). Anyway, my understanding of 4xx versus 5xx is this: a 4xx (defer) from an MTA means go-away-and-try-again-later (keeping the responsibility with the client), and a 5xx pretty much means go-away-and-notify-the-sender (shifting the responsibility to the sender). By far the most of the messages that gets rejected by policyd-weight in sheer numbers seems to be by hardcore listed spamfountains, and it doesn't really matter how you reject the msg as long as you don't allow it! Also, these clients will just keep on inventing new messages and senders so it doesn't matter whether you defer or reject, they will sit there and hog your smtpd processes and try and try again. In the worst case, 5xx rejects on these will create scatter to faked senders. The remaining percentage of rejected messages will be from poorly-configured-yet-well-meaning clients, where the SENDER is either an uncaring webmailer or server daemon, or a clueless human with no idea or control over the reason for the reject.. And the most reliable way of notifying the administrator of the offending client (rather than the clueless sender) seems to me to be: letting a queue grow on his/her server by issuing 4xx defers! Which will allow all non-expired messages to be delivered anyway as soon he/she gets around to fixing the client's problem (RBL/HELO/etc). Soo, I'm not quite sure in what scenario one would ever want to use a 5xx reject for policy stuff. The last piece of the puzzle is that there seems to be a growing tendency to recommend using 421 actions for some RBLs, as recent Postfix versions (2.3+, I think) treat 421 (closing channel) actions quite literally: the server process does just that, it closes the channel, disconnecting without waiting for the client to issue a QUIT, freeing up the smtpd process for a new, hopefully legit, incoming connection. Here's what I'm thinking: Why not use 421 across the board in policyd-weight? 421 would be good for all using Postfix = 2.3.0. my regards, Riaan -- Ist Ihr Browser Vista-kompatibel? Jetzt die neuesten Browser-Versionen downloaden: http://www.gmx.net/de/go/browser Policyd-weight Mailinglist - http://www.policyd-weight.org/