Re: RBL-based greylisting using Policyd-weight and Postgrey
On Wed, Jan 16, 2008 at 06:09:20PM +0100, fili wrote:

Ok, a bug. Fixing appears troublesome (breaks lowest-resource-usage-policy). Not certain whether requests which will be answered with 'rc:' should generally not be cached (this wouldn't break cache-resources).

    $CACHESIZE=0;

Thanks Robert, I've got it up and running now using $CACHESIZE=0;

Do you think that no-caching might result in higher loads on a mail-heavy server?

Not load, but more smtpd processes waiting for a polw reply.

I've read the release info of 0.1.14 beta-14, specifically:

    results with 'rc:' as action are not cached

Is it useful for my current setup to update?

Useful yes, required, not really.

And should I then change $CACHESIZE back to the default value?

You can delete it (with the latest version).

On a different note, wouldn't it be a good idea to introduce a variable like:

    $BLOCK_RETRY_TTL = 30;

30 being the seconds in which retries will be temporarily blocked. If this value is set to 0, then Policyd-weight won't block retries at all.

This is the job of $NTTL and $NTIME in concert

$NTTL (default: 1)
    The client is penalized for that many retries.

$NTIME (default: 30)
    The $NTTL counter will only be decremented if the client waits at least $NTIME seconds.

--
Robert Felber (PGP: 896CF30B)
Munich, Germany

Policyd-weight Mailinglist - http://www.policyd-weight.org/
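A simplified model of the $NTTL / $NTIME behaviour as described in the message above, added here as an illustration and not policyd-weight's own code. The class, the per-attempt timing and the client address are assumptions; in this model a client whose negative result was cached is still penalized on its first retry even with $NTIME set to 0.

```python
class RetryPenalty:
    """Simplified model of the $NTTL / $NTIME description (assumed semantics)."""

    def __init__(self, nttl=1, ntime=30):
        self.nttl = nttl      # retries that are penalized after a negative result
        self.ntime = ntime    # seconds a client must wait for the counter to drop
        self.entries = {}     # client -> [remaining penalties, time of last attempt]

    def record_negative(self, client, now):
        """Called when a negative result for this client is cached."""
        self.entries[client] = [self.nttl, now]

    def on_retry(self, client, now):
        """Return True if this retry is penalized ('retrying too fast')."""
        entry = self.entries.get(client)
        if entry is None or entry[0] <= 0:
            return False
        remaining, last = entry
        if now - last >= self.ntime:
            entry[0] = remaining - 1   # waited long enough: one penalty used up
        entry[1] = now                 # assumption: the wait is measured per attempt
        return True


def replay(nttl, ntime, retry_times):
    """Negative result at t=0, then retries at the given times; list the outcomes."""
    model = RetryPenalty(nttl, ntime)
    client = "192.0.2.10"              # constructed documentation address
    model.record_negative(client, 0)
    return [model.on_retry(client, t) for t in retry_times]


if __name__ == "__main__":
    print("defaults, retries at 10s/45s/50s:", replay(1, 30, [10, 45, 50]))
    print("$NTIME = 0, retries at 300s/600s:", replay(1, 0, [300, 600]))
```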
Re: RBL-based greylisting using Policyd-weight and Postgrey
Okay, I've installed the testing version of Policyd-weight from the Debian repositories.

    #/usr/sbin/policyd-weight -v
    policyd-weight version: 0.1.14 beta-5, CacheVer: 5
    Perl version: 5.008008
    Net::DNS version: 0.59
    OS: Linux 2.6.18-5-686

The RC: restriction class feature now works like a charm. However, there seems to be a problem with the thing I'm trying to do. Let me try and explain:

- A client connects to port 25
- Policyd-weight determines that this client appears on too many RBLs and returns 'rc:greylist'
- Postgrey takes over and will greylist the client

So far so good, but then:

- Client appears to be legitimate and retries the connection after a waiting period
- Policyd-weight recognizes this client as one it rejected a while back and returns '550 temporarily blocked because of previous errors - retrying too fast'

Does anybody know how to completely disable the built-in cache of Policyd-weight? I've already set $NTIME = 0; without luck.

Regards,
Fili
Re: RBL-based greylisting using Policyd-weight and Postgrey
Then your setup should work. Maybe you should set REJECTLEVEL to an insane high value like 100 or so.

Thanks for the information!

BTW. is $rejectlevel even used when $dnsbl_checks_only equals true?
Re: RBL-based greylisting using Policyd-weight and Postgrey
fili wrote:

Then your setup should work. Maybe you should set REJECTLEVEL to an insane high value like 100 or so.

Thanks for the information!

BTW. is $rejectlevel even used when $dnsbl_checks_only equals true?

Hmm, $MAXDNSBLMSG probably isn't the way to tell postfix to execute the 'greylist' restriction class. I've tried the following in the policyd-weight.conf:

    $MAXDNSBLMSG = 'rc:greylist';
    $MAXDNSBLMSG = 'greylist';

Both lead to this error in the mail.log:

    Jan 13 18:48:34 megatron postfix/policyd-weight[26327]: decided action=greylist; check http://rbls.org/?q=78.144.239.xxx
    Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: access table inet:127.0.0.1:12525 has entry with lookup table: greylist; check http://rbls.org/?q=78.144.239.xxx
    Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: do not specify lookup tables inside SMTPD access maps
    Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: define a restriction class and specify its name instead.
    Jan 13 18:48:34 megatron postfix/smtpd[30664]: NOQUEUE: reject: RCPT from unknown[78.144.239.xxx]: 451 4.3.5 Server configuration error; from=maconhu [EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=[78.144.239.xxx]

Do you have any idea of what is going wrong?

Regards,
Fili
Re: RBL-based greylisting using Policyd-weight and Postgrey
Sahil Tandon wrote:

Get policyd-weight to return just 'greylist' which, I presume is a defined restriction class within your main.cf. The extra stuff after 'greylist' is causing the problem.

Robert Felber wrote:

Make sure you are running 0.1.14.6 by issuing:

    /path/to/policyd-weight -v

There was a debian-package called 0.1.14 beta-6 which is a 0.1.14

If that's not the case, use 0.1.14 beta-12 from the official page.

The extra stuff is automagically added by (this version of) Policyd-weight.

    #/usr/sbin/policyd-weight -v
    policyd-weight version: 0.1.14 beta, CacheVer: 3

So if I understand correctly, updating to the latest version from the official website should fix the rc: feature?
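The failure diagnosed in the messages above, a restriction class name followed by extra text in the policy reply, can be spotted from the mail log before Postfix answers clients with 451. This is an added example, not code from the thread or from policyd-weight; the main.cf line and log lines are constructed from the excerpts quoted above, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the main.cf and mail.log excerpts in the thread.
MAIN_CF = "smtpd_restriction_classes = greylist\n"
MAIL_LOG = """\
Jan 13 18:48:34 mx postfix/policyd-weight[101]: decided action=greylist; check http://rbls.org/?q=192.0.2.10
Jan 13 18:49:02 mx postfix/policyd-weight[101]: decided action=greylist
Jan 13 18:49:40 mx postfix/policyd-weight[101]: decided action=DUNNO
"""
DECIDED = re.compile(r"policyd-weight\[\d+\]: decided action=(.*)$")


def restriction_classes(main_cf):
    """Return the class names listed in smtpd_restriction_classes (single-line form)."""
    for line in main_cf.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == "smtpd_restriction_classes":
            return {c for c in re.split(r"[,\s]+", value.strip()) if c}
    return set()


def check_action(action, classes):
    """Classify one policy action against the defined restriction classes.

    'ok'        -> the action is exactly a class name
    'malformed' -> starts with a class name but carries extra text
    'other'     -> an ordinary access action (DUNNO, 550 ..., etc.)
    """
    first = re.split(r"[\s;,]", action, maxsplit=1)[0]
    if first not in classes:
        return "other"
    return "ok" if action == first else "malformed"


def scan(log_text, classes):
    """Return (line_number, action) for every malformed class reply in the log."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = DECIDED.search(line)
        if match and check_action(match.group(1), classes) == "malformed":
            findings.append((number, match.group(1)))
    return findings


if __name__ == "__main__":
    for number, action in scan(MAIL_LOG, restriction_classes(MAIN_CF)):
        print(f"line {number}: restriction class followed by extra text: {action!r}")
```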
Re: Re: RBL-based greylisting using Policyd-weight and Postgrey
On Thu, Jan 10, 2008 at 07:42:10PM +0100, fili wrote:

Should work. Depending on what you want to achieve.

    greylist clients which are on at least one RBL
    reject clients which are on too many rbls

If possible, I would like to use greylisting -only- if client appears on too many RBLs. In all other situations clients should pass thru (no 550 reject, no greylisting).

Then your setup should work. Maybe you should set REJECTLEVEL to an insane high value like 100 or so.

--
Robert Felber (PGP: 896CF30B)
Munich, Germany
RBL-based greylisting using Policyd-weight and Postgrey
Hello Policyd List,

I'm trying to set up RBL-based greylisting using Policyd-weight and Postgrey on Debian Etch. After some intensive Google-ing I came to the conclusion that it should be possible. However, I couldn't find any concrete configuration examples.

Would the following configuration work?

    --postfix: main.cf--
    smtpd_restriction_classes = greylist
    greylist = check_policy_service inet:127.0.0.1:6
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:12525

    --policyd-weight.conf--
    $REJECTLEVEL = 4.25;
    $dnsbl_checks_only = 1;
    $MAXDNSBLHITS = 4;
    $MAXDNSBLMSG = 'rc:greylist';
    $BIND_ADDRESS= 'all';

It is unclear to me if the 'rc:greylist' is supported on the Debian packaged version: 0.1.14-beta-6.

Has anyone done this with Policyd-weight/Postgrey on Debian Etch?

Thanks in advance for your reply,
Fili
Re: RBL-based greylisting using Policyd-weight and Postgrey
On Thu, Jan 10, 2008 at 04:51:52PM +0100, Fili wrote:

Hello Policyd List,

I'm trying to set up RBL-based greylisting using Policyd-weight and Postgrey on Debian Etch. After some intensive Google-ing I came to the conclusion that it should be possible. However, I couldn't find any concrete configuration examples.

Would the following configuration work?

    --postfix: main.cf--
    smtpd_restriction_classes = greylist
    greylist = check_policy_service inet:127.0.0.1:6
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:12525

    --policyd-weight.conf--
    $REJECTLEVEL = 4.25;
    $dnsbl_checks_only = 1;
    $MAXDNSBLHITS = 4;
    $MAXDNSBLMSG = 'rc:greylist';
    $BIND_ADDRESS= 'all';

Should work. Depending on what you want to achieve.

    greylist clients which are on at least one RBL
    reject clients which are on too many rbls

It is unclear to me if the 'rc:greylist' is supported on the Debian packaged version: 0.1.14-beta-6.

It contains handling for rc: messages.

--
Robert Felber (PGP: 896CF30B)
Munich, Germany
Re: Re: RBL-based greylisting using Policyd-weight and Postgrey
Should work. Depending on what you want to achieve.

    greylist clients which are on at least one RBL
    reject clients which are on too many rbls

If possible, I would like to use greylisting -only- if client appears on too many RBLs. In all other situations clients should pass thru (no 550 reject, no greylisting).

With this I'm hoping to combine the best of two worlds without rejecting or slowing down HAM (as much as possible).

What configuration would you suggest to achieve this?

Regards,
Fili