On 17.09.2014 at 21:10, Jari Fredriksson wrote:
> What kind of simple load balancers are you using? I have been using just
> DNS multiple address but that does not work any more. Something a *bit*
> more intelligent is needed

Have you considered how to reduce the amount making it
to SA at all? 3 weeks of production showed that most
can be rejected by the MTA, which greatly reduces
the need for load balancing.

In my case Postfix/Postscreen with a bundle of RBLs
with different weights to avoid false positives, and
a honeypot-mx answering in any case with 450.

The honeypot-mx catches a lot of botnet crap that never
connects to the real MX, and even for those that do, I saw
enough that was not blocked by RBLs at the first connect
but on the retry to the primary MX.

Below some numbers from this week:

* per day around 3000 legit mails
* SA blocked 949 messages
* 67396 rejected by postscreen
* 2791 rejected by postfix (making it through postscreen)
* 66220 RBL rejects out of the 67396 postscreen ones
* 1942 are crap talking too early (postscreen_greet_wait)

In fact most connections are not making it to smtpd at all.

Some of the DNSBL/DNSWL are internal ones or mirrored
on an internal 'dnsrbld' to reduce WAN load; I would suggest
looking at the postfix-docs for some of the options below.
_____________________________________________________________________

postscreen_cache_retention_time      = 7d
postscreen_bare_newline_ttl          = 7d
postscreen_greet_ttl                 = 7d
postscreen_non_smtp_command_ttl      = 7d
postscreen_pipelining_ttl            = 7d
postscreen_dnsbl_ttl                 = 15m
postscreen_dnsbl_threshold           = 8
postscreen_dnsbl_action              = enforce
postscreen_greet_action              = enforce
postscreen_greet_wait                = ${stress?2}${stress:10}s
postscreen_whitelist_interfaces      = !<honeypot-ip>, static:all

postscreen_dnsbl_sites = dnsbl.thelounge.net*16
 dnsbl.sorbs.net=127.0.0.10*8
 zen.spamhaus.org=127.0.0.[10;11]*8
 b.barracudacentral.org*7
 dnsbl.inps.de*7
 dnsbl.sorbs.net=127.0.0.5*6
 zen.spamhaus.org=127.0.0.[4..7]*6
 bl.mailspike.net*4
 bl.spamcop.net*4
 bl.spameatingmonkey.net*4
 dnsbl-ix.thelounge.net*4
 dnsrbl.swinog.ch*4
 zen.spamhaus.org=127.0.0.3*4
 dnsbl-surriel.thelounge.net*3
 dnsbl-uce.thelounge.net*3
 zen.spamhaus.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.6*2
 dnsbl.sorbs.net=127.0.0.9*2
 dnsbl-backscatterer.thelounge.net*1
 dnswl-whitelisted-org.thelounge.net*-2
 list.dnswl.org=127.0.[0..255].0*-2
 dnswl-aggregate.thelounge.net=127.0.0.5*-3
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5
 dnswl-aggregate.thelounge.net=127.0.0.4*-8
 dnswl-aggregate.thelounge.net=127.0.0.3*-16
 dnswl-aggregate.thelounge.net=127.0.0.2*-24
_____________________________________________________________________

spamfilter-general-stats.sh
Connections:    84415
Delivered:      9637
Invalid User:   1427
Rejected-1:     67396
Rejected-2:     2791
Blacklist:      66220
Pregreet:       1942
Protocol Error: 809
Spamfilter:     949
Virus:          52
Helo:           152
Subject:        10
Attachment:     18
Sender Blocked: 111
Sender Invalid: 103
Sender Spoofed: 509
PTR Missing:    511
PTR Generic:    144
SPF:            1
_____________________________________________________________________

spamfilter-honeypot-stats.php
Default-MX:         18535
Honeypot-MX:         8774
Honeypot-Only:       7321
_____________________________________________________________________

dnsblcount.sh
spamhaus.org               40305
barracudacentral.org       12764
sorbs.net                   7407
inps.de                     5407
thelounge.net                185
manitu.net                    63
mailspike.net                 57
spamcop.net                   21
psbl.org                       7
swinog.ch                      4
spameatingmonkey.net           2
uceprotect.net                 1
=================================
Total DNSBL rejections:     66223

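An added example, not part of the mail above and not Postfix's own code: a small Python model of how postscreen adds up the weights in the postscreen_dnsbl_sites list from the main.cf fragment and compares the sum against postscreen_dnsbl_threshold = 8. It parses the domain=filter*weight syntax (plain octets, [a;b] lists and [a..b] ranges, default weight 1, negative weights for the DNSWL entries) and follows the postconf(5) rule that one entry's weight is applied at most once even when that list returns several matching addresses, while separate entries for the same domain (the four zen.spamhaus.org lines, the four dnsbl.sorbs.net lines) each count on their own. The DNSBL replies fed in are constructed dictionaries, not real lookups; the function names are this example's own.

```python
"""Model of postscreen's weighted DNSBL scoring (added example, not Postfix code)."""
import re

# postscreen_dnsbl_sites exactly as in the main.cf fragment in the mail above
POSTSCREEN_DNSBL_SITES = """
dnsbl.thelounge.net*16
dnsbl.sorbs.net=127.0.0.10*8
zen.spamhaus.org=127.0.0.[10;11]*8
b.barracudacentral.org*7
dnsbl.inps.de*7
dnsbl.sorbs.net=127.0.0.5*6
zen.spamhaus.org=127.0.0.[4..7]*6
bl.mailspike.net*4
bl.spamcop.net*4
bl.spameatingmonkey.net*4
dnsbl-ix.thelounge.net*4
dnsrbl.swinog.ch*4
zen.spamhaus.org=127.0.0.3*4
dnsbl-surriel.thelounge.net*3
dnsbl-uce.thelounge.net*3
zen.spamhaus.org=127.0.0.2*3
dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
dnsbl-backscatterer.thelounge.net*1
dnswl-whitelisted-org.thelounge.net*-2
list.dnswl.org=127.0.[0..255].0*-2
dnswl-aggregate.thelounge.net=127.0.0.5*-3
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
dnswl-aggregate.thelounge.net=127.0.0.4*-8
dnswl-aggregate.thelounge.net=127.0.0.3*-16
dnswl-aggregate.thelounge.net=127.0.0.2*-24
"""

# postscreen_dnsbl_threshold from the same fragment
POSTSCREEN_DNSBL_THRESHOLD = 8

# one entry is domain[=filter][*weight]; weight defaults to 1, negative = whitelist
_ENTRY = re.compile(r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")
# filter octets are a number or a bracket expression; '..' inside brackets is a range
_OCTET = re.compile(r"\[[^\]]*\]|\d+")


def _octet_set(token):
    """'5' -> {5}; '[10;11]' -> {10, 11}; '[4..7]' -> {4, 5, 6, 7}."""
    if token.startswith("["):
        allowed = set()
        for part in token[1:-1].split(";"):
            if ".." in part:
                lo, hi = part.split("..", 1)
                allowed.update(range(int(lo), int(hi) + 1))
            else:
                allowed.add(int(part))
        return allowed
    return {int(token)}


def parse_sites(value):
    """Return [(domain, filter_octets_or_None, weight), ...] in list order."""
    entries = []
    for token in value.split():
        m = _ENTRY.match(token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token!r}")
        filt = m.group("filter")
        octets = None
        if filt:
            parts = _OCTET.findall(filt)
            if len(parts) != 4 or ".".join(parts) != filt:
                raise ValueError(f"bad filter in entry: {token!r}")
            octets = [_octet_set(p) for p in parts]
        weight = int(m.group("weight")) if m.group("weight") else 1
        entries.append((m.group("domain"), octets, weight))
    return entries


def _filter_matches(octets, addr):
    parts = [int(p) for p in addr.split(".")]
    return len(parts) == 4 and all(p in ok for p, ok in zip(parts, octets))


def dnsbl_rank(entries, replies):
    """replies: {dnsbl_domain: [A records returned for the client IP]} (constructed).

    Each entry whose domain answered with at least one address matching its filter
    contributes its weight exactly once (postconf(5): the weight is applied at most
    once per entry), so separate entries for the same domain can all fire."""
    rank = 0
    for domain, octets, weight in entries:
        answers = replies.get(domain, [])
        if any(octets is None or _filter_matches(octets, a) for a in answers):
            rank += weight
    return rank


def postscreen_verdict(entries, replies, threshold=POSTSCREEN_DNSBL_THRESHOLD):
    """(rank, 'reject' | 'pass'): rank >= threshold is what postscreen_dnsbl_action acts on."""
    rank = dnsbl_rank(entries, replies)
    return rank, ("reject" if rank >= threshold else "pass")


if __name__ == "__main__":
    sites = parse_sites(POSTSCREEN_DNSBL_SITES)
    samples = {  # constructed replies, not real lookups
        "two *4 lists reach the threshold": {"bl.spamcop.net": ["127.0.0.2"], "bl.mailspike.net": ["127.0.0.2"]},
        "zen 127.0.0.2 plus 127.0.0.10": {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"]},
        "barracuda offset by a dnswl hit": {"b.barracudacentral.org": ["127.0.0.2"], "list.dnswl.org": ["127.0.5.1"]},
    }
    for label, replies in samples.items():
        print(f"{label}: {postscreen_verdict(sites, replies)}")
```

The point the numbers make visible: a single hit on one of the *4 lists is not enough to reject, two of them are, a barracuda listing (*7) is cancelled down to 4 by a medium dnswl entry (-3), and a client on both the SBL and XBL codes of zen ends at 11. That is the "different weights to avoid false positives" trade-off of the mail expressed as arithmetic you can rerun when you change a weight or the threshold.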