Re: [AMaViS-user] Can't start Amavis after update
fre, 22.07.2005 kl. 02.22 skrev Gary V: [...] Nice work, looks like you have something in common with SuSE 9.1: From http://www.ijs.si/software/amavisd/#faq-trouble : Michael W Cocke writes: the reason DB_PRIVATE was enabled is that SuSE 9.1 ships with BDB built wrong! Download BDB 4.2.52 from sleepycat (specifically that version because A LOT of the apps that SuSE 9.1 ships with are hardcoded to that specific version). Compile with --enable-cxx and NOT posixmutexes! Then install it as usual. You make have to rebuild BerkeleyDB as well. I have no idea if SuSE 9.2 has the same problem. Please note that Sleepycat's BDB 4.2.52 source code needs 2 mandatory patches (available from the download site) to avoid locking problems and OpenLDAP 2.2 and 2.3 users (at least) are advised to use 2 extra optional patches. All of these patches are available at a single site: http://www.stanford.edu/services/directory/openldap/configuration/bdb-build-42.html Best, --Tonni -- mail: [EMAIL PROTECTED] http://www.billy.demon.nl --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] Problem with reporting script
Hi MJ, On Wed, Jul 20, 2005 at 06:19:37PM +0300, MJ told us: Hi, I am sucessfully using pflogsumm-1.1.0.pl and my-spam-report.pl downloaded from http://www.flakshack.com/anti-spam/wiki/index.php but when I try to run 3rd script my-virus-report.pl which is to get Virus statistics, it is giving me following error. Can some one help in this. This script is available at http://www.xmission.com/~kn/AddClamAV/my-virus-report.txt #./my-virus-report.pl /var/log/syslog.1 --- Virus Filter Report --- Summary 0 Viruses blocked Viruses Blocked - Top 50 # Virus name --- Use of uninitialized value in concatenation (.) or string at ./my-virus-report.pl line 106, line 19. Virus types detected I took a quick look at this perl script, this was quite easy to fix. Apply the attached patch to the script via patch -p0 /some/where/my-virus-report.diff Nevertheless, what version of amavis is this script intended for?? I tried to use it with my maillog (I'm using postfix + amavisd-new on my home machine) and it didn't find anything (but I _do_ have received some viruses since the last logrotate) Regards, Sven -- Linux zion 2.6.13-rc3-mm1 #6 PREEMPT Mon Jul 18 19:42:52 CEST 2005 i686 athlon i386 GNU/Linux 23:38:14 up 2 days, 3:50, 1 user, load average: 0.13, 0.06, 0.05 --- my-virus-report.pl.orig 2005-07-20 17:28:01.0 +0200 +++ my-virus-report.pl 2005-07-20 17:28:38.0 +0200 @@ -88,6 +88,9 @@ EOL $numberofdomains = 0; + +my($NumberOfTypes) = 0; + for my $row(@Viruses) { if ($numberofdomains 50) # only print this many lines {
Re: [AMaViS-user] Will our machine handle it?
On Wed, Jul 20, 2005 at 08:38:08PM -0400, Matt Juszczak wrote: Just an update to everyone. I just got the data from our outsourced spam provider. Yesterday, the 19th, they processed 123,728 messages for us. Of those, 71,097 were blocked and 20,000 quarantined. So my question below should wrap around that data. Will it be able to process 123,728 messages per day, with antivirus/antispam and local mail delivery? Why don't you start your local processing now on the 50,000 messages per day that are coming in from postini? That will give you a good idea of the performance and i'd be real surprised if your server couldn't keep up. Then experiment a bit by sending additional mail direct into your servers, without going through postini. danno --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
[AMaViS-user] Can't start Amavis after update
Hi, I updated some rpms and my kernel, and now Amavis won't start. I was running 2.2.0, but since it stopped working, I tried to upgrade to 2.3.2, but got exactly the same error (only different line): Jul 21 23:08:32 servername /usr/sbin/amavisd[13301]: No secondary av scanner: KasperskyLab kavscanner Jul 21 23:08:32 servername /usr/sbin/amavisd[13301]: TROUBLE in pre_loop_hook: db_init: BDB bad db env. at /var/amavis/db: Invalid argument, . at (eval 36) line 244. Suicide () TROUBLE in pre_loop_hook: db_init: BDB bad db env. at /var/amavis/db: Invalid argument, . at (eval 36) line 244. Got this when running in debug mode No other errors up till that. I'm currently running Whitebox Linux, kernel 2.4.21-32.0.1.ELsmp. I've looked through the list of updated packages, and I can't find anything that would cause this error. Earlier I was running kernel 2.4.21-27.0.4.ELsmp, but when I load this kernel, I get the same error. Any kind of assistance would be helpful... Regards, Cariad --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it?
I cast my vote: yeah Gary V Matt wrote: Hi all, OK, I think I've made a final decision on what I'd like to do. I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz machines with IDE drives). I'm going to call one relay1 and one relay2. I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. These two 1U boxes will be IDENTICAL and have support for ALL domains. Upon processing of spam and antivirus, each box will then relay the mail directly to the mail server. All the mail server will do is receive the processed emails and deliver them. The reason I decided this is for a few reasons: 1) Tonight I upgraded nss_ldap on the mail server and I messed some stuff up bad (it worked on the testing box, btw). It took me 20 minutes to fix it. 2) Mail processing is easy. Spam and antivirus processing is a bit more complicated process. Since I'll have two boxes doing the processing, I can easily take one of the boxes down if something goes wrong (IE, I can take relay1 down at anytime, and relay2 will still function for all mail because of backup MX records). 3) It takes the load off the mail server and uncomplicates things. If something on the mail server breaks, I'll have to figure out whether its the LDA, MTA, amavisd, spamd, or antivirus, or even LDAP. Now, I divide it up a bit to make things easier. Please let me know what all of you think about this final idea. In the end it leaves me with a three server setup but at least things will be a bit more spread out, and I'll have nice backup processing servers. Regards, Matt --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
On Fri, 2005-07-22 at 00:35 -0400, Matt Juszczak wrote: Hi all, OK, I think I've made a final decision on what I'd like to do. I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz machines with IDE drives). I'm going to call one relay1 and one relay2. I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. These two 1U boxes will be IDENTICAL and have support for ALL domains. Upon processing of spam and antivirus, each box will then relay the mail directly to the mail server. All the mail server will do is receive the processed emails and deliver them. Um - doesn't what you've described here mean that anything delivered to the secondary MX won't be spam or virus checked? Or are you planning on that server doing that as well, on the basis that it shouldn't see too much spam since the other two will pick it up first? If the former then this is doomed to failure - sooner rather than later! If the latter then I'm not sure how well this will work - a *lot* OF spam software I see tries the lowest prio MX *first* (presumably becuase often this belongs to your ISP and won't have the same level of restrictions on it that the primary does). Personally I'd set 1/2 the domains to have one of the 1Us as primary and the other 1U as secondary and the other 1/2 domains the other way round, and have the main server only accept mail from the 2 1Us. Rgds Pete --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
[AMaViS-user] Bizarre behavior between Exim-AMaViS-SpamAssassin
Hi, i would like to know if there's some special feature that needs to be enabled/disabled in order to work 100% compliant with exim+spamassassin. I'm my actual installation (Exim 4.50 + amavisd-new-20030616-p10 + ClamAV 0.86 + SpamAssassin 3.0 on a Debian Sarge platform) the MTA passes the email to amavis that checks for antivirus correctly but about the spam checks and it's behavior i'm not sure that all works fine. I can see in the amavis logs that the spam checks are being made but no headers are added to the body of the email before being delivered to the user Mailbox. This X-Headers are for me quite important because further tasks are based on those headers. In example, i can see that a email is classified above the spam limit (11 points) and the message is delivered anyway to the user mailbox, something that previously didn't happened when MTA talked direclty with SpamAssassin. Seems that the interaction between MTA and amavis is not good, or between SA and amavis is not good maybe. Any ideas will be welcomed. Thanks in advance, jonathan --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] Bizarre behavior between Exim-AMaViS-SpamAssassin
Jonathan wrote: Hi, i would like to know if there's some special feature that needs to be enabled/disabled in order to work 100% compliant with exim+spamassassin. I'm my actual installation (Exim 4.50 + amavisd-new-20030616-p10 + ClamAV 0.86 + SpamAssassin 3.0 on a Debian Sarge platform) the MTA passes the email to amavis that checks for antivirus correctly but about the spam checks and it's behavior i'm not sure that all works fine. I can see in the amavis logs that the spam checks are being made but no headers are added to the body of the email before being delivered to the user Mailbox. This X-Headers are for me quite important because further tasks are based on those headers. In example, i can see that a email is classified above the spam limit (11 points) and the message is delivered anyway to the user mailbox, something that previously didn't happened when MTA talked direclty with SpamAssassin. Seems that the interaction between MTA and amavis is not good, or between SA and amavis is not good maybe. Any ideas will be welcomed. Thanks in advance, jonathan Remember, for X-Spam* reports to be inserted, the recipient's domain must be considered local. Put your domain(s) in @local_domains_acl, something like this would work: @local_domains_acl = qw( .example.com .example2.com ); The $sa_tag_level_deflt determines at what level the X-Spam* reports will be inserted, so I set mine to insert the report no matter what: $sa_tag_level_deflt = -.9; Gary V --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
On Fri, 2005-07-22 at 16:58, Gary V wrote: Pete wrote: Personally I'd set 1/2 the domains to have one of the 1Us as primary and the other 1U as secondary and the other 1/2 domains the other way round, and have the main server only accept mail from the 2 1Us. Rgds Pete I don't mean to speak for Matt here, but I think you have misunderstood, Pete. The way I read it, this IS how it is going to be set up. Both 1U's will filter everything (half and half), then relay to the LDA. Each 1U is set as a backup for the other. Then I would assume that after a couple weeks (to give time for external name servers to clear their cache), the LDA will be reconfigured to only accept mail from the two 1U's. If the LDA is currently only accepting mail from Postini, then it would be configured to accept mail from Postini and the 2 1U's for a couple weeks (or longer if desired), then drop Postini after that. I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or the LDA... We're in agreement, but arguing over semantics I suspect ;) Pete --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
Pete wrote: On Fri, 2005-07-22 at 16:58, Gary V wrote: Pete wrote: Personally I'd set 1/2 the domains to have one of the 1Us as primary and the other 1U as secondary and the other 1/2 domains the other way round, and have the main server only accept mail from the 2 1Us. Rgds Pete I don't mean to speak for Matt here, but I think you have misunderstood, Pete. The way I read it, this IS how it is going to be set up. Both 1U's will filter everything (half and half), then relay to the LDA. Each 1U is set as a backup for the other. Then I would assume that after a couple weeks (to give time for external name servers to clear their cache), the LDA will be reconfigured to only accept mail from the two 1U's. If the LDA is currently only accepting mail from Postini, then it would be configured to accept mail from Postini and the 2 1U's for a couple weeks (or longer if desired), then drop Postini after that. I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or the LDA... Good point, I glossed right over that and made an assumption he was talking about the other 1U, but it appears it refers to the LDA. In that case, all your comments are 100% correct. The LDA will get slammed if it is set up as secondary. Most notably by dictionary attacks. We're in agreement, but arguing over semantics I suspect ;) Pete Yep, except that we are not even arguing 8-} Gary V --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it?
On Fri, Jul 22, 2005 at 12:35:04AM -0400, Matt Juszczak wrote: OK, I think I've made a final decision on what I'd like to do. I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz machines with IDE drives). I'm going to call one relay1 and one relay2. I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. These two 1U boxes will be IDENTICAL and have support for ALL domains. Upon processing of spam and antivirus, each box will then relay the mail directly to the mail server. All the mail server will do is receive the processed emails and deliver them. Excellent plan; this is pretty much optimal. If I'd realized you had two machines to spare, I would have recommended this. The reason I decided this is for a few reasons: ... All good reasons. Please let me know what all of you think about this final idea. In the end it leaves me with a three server setup but at least things will be a bit more spread out, and I'll have nice backup processing servers. The one catch in this suggestion is that the more sophisticated variety of both viruses and spammers will try to go around your spam filter servers to hit your mailserver directly. This can mean getting totally hammered during a major virus outbreak. Several strong suggestions: 1) Don't list your end mailserver as an MX record; use Postfix transports to route directly it from your antispam filter to your mailserver. 2) Once everything is working right, firewall inbound SMTP connections from outside your IP space or restrict them via an access list. 3) Optionally, name your mailserver something other than mail, mta, mx, etc. because those names are part of what they will look for in DNS. -- Clifton -- Clifton Royston -- [EMAIL PROTECTED] Tiki Technologies Lead Programmer/Software Architect My own personal theory is that this is the very dawn of the world. We're hardly more than an eyeblink away from the fall of Troy, and scarcely an interglaciation removed from the Altamira cave painters. We live in extremely interesting ancient times. I like this idea. It encourages us to be earnest and ingenious and brave, as befits ancestral peoples; but keeps us from deciding that because we don't know all the answers, they must be unknowable and thus unprofitable to pursue. -- Teresa Nielsen Hayden, 1995 --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it?
Looks like a good plan. On the two relay servers I would setup postfix to do a verify on the incoming mail addr. using reject_unverified_recipient and also set out-going e-mail to go trough the relay's as well.. Milton On Fri, 2005-07-22 at 09:21 -1000, Clifton Royston wrote: On Fri, Jul 22, 2005 at 12:35:04AM -0400, Matt Juszczak wrote: OK, I think I've made a final decision on what I'd like to do. I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz machines with IDE drives). I'm going to call one relay1 and one relay2. I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. These two 1U boxes will be IDENTICAL and have support for ALL domains. Upon processing of spam and antivirus, each box will then relay the mail directly to the mail server. All the mail server will do is receive the processed emails and deliver them. Excellent plan; this is pretty much optimal. If I'd realized you had two machines to spare, I would have recommended this. The reason I decided this is for a few reasons: ... All good reasons. Please let me know what all of you think about this final idea. In the end it leaves me with a three server setup but at least things will be a bit more spread out, and I'll have nice backup processing servers. The one catch in this suggestion is that the more sophisticated variety of both viruses and spammers will try to go around your spam filter servers to hit your mailserver directly. This can mean getting totally hammered during a major virus outbreak. Several strong suggestions: 1) Don't list your end mailserver as an MX record; use Postfix transports to route directly it from your antispam filter to your mailserver. 2) Once everything is working right, firewall inbound SMTP connections from outside your IP space or restrict them via an access list. 3) Optionally, name your mailserver something other than mail, mta, mx, etc. because those names are part of what they will look for in DNS. -- Clifton --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
Gary wrote: Pete wrote: On Fri, 2005-07-22 at 16:58, Gary V wrote: Pete wrote: Personally I'd set 1/2 the domains to have one of the 1Us as primary and the other 1U as secondary and the other 1/2 domains the other way round, and have the main server only accept mail from the 2 1Us. Rgds Pete I don't mean to speak for Matt here, but I think you have misunderstood, Pete. The way I read it, this IS how it is going to be set up. Both 1U's will filter everything (half and half), then relay to the LDA. Each 1U is set as a backup for the other. Then I would assume that after a couple weeks (to give time for external name servers to clear their cache), the LDA will be reconfigured to only accept mail from the two 1U's. If the LDA is currently only accepting mail from Postini, then it would be configured to accept mail from Postini and the 2 1U's for a couple weeks (or longer if desired), then drop Postini after that. I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or the LDA... Good point, I glossed right over that and made an assumption he was talking about the other 1U, but it appears it refers to the LDA. In that case, all your comments are 100% correct. The LDA will get slammed if it is set up as secondary. Most notably by dictionary attacks. My own setup is an example. I have two MX (gateway) servers, I have all my domains set to use server1 as primary and server2 as secondary. These machines receive an EQUAL number of delivery attempts! 83% of which are addressed to nonexistent users (and are rejected by Postfix). I'm sure you are aware of this Matt, but on your 2 gateway servers, you MUST reject mail to nonexistent users. I don't know if or how you are doing this now, but I've heard that use of a relay_recipients map may be more efficient than LDAP queries, but of course this means that programs have to be written to extract email addresses from LDAP and load them into the map(s), and of course, this would have to automatically happen on a regular basis. Gary V --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
I'm going to setup MX records for the 500+ domains we have. Half of them will have relay1 as their primary and half of them will have relay2 as their primary. The remaining server will be set as secondary MX. Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or the LDA... Good point, I glossed right over that and made an assumption he was talking about the other 1U, but it appears it refers to the LDA. In that case, all your comments are 100% correct. The LDA will get slammed if it is set up as secondary. Most notably by dictionary attacks. I meant the remaining server for each situation. In other words, the domains that have relay1 setup as primary MX will have relay2 as secondary. The domains that have relay2 as primary will have the remaining server (relay1) set as secondary. That way its full redundancy if one goes down. The main mail server will ONLY accept incoming messages from the two 1U's Hope that clarifies. -Matt --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
[AMaViS-user] (no subject)
confirm 847457 --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
Matt wrote: I'm sure you are aware of this Matt, but on your 2 gateway servers, you MUST reject mail to nonexistent users. I don't know if or how you are doing this now, but I've heard that use of a relay_recipients map may be more efficient than LDAP queries, but of course this means that programs have to be written to extract email addresses from LDAP and load them into the map(s), and of course, this would have to automatically happen on a regular basis. This thread was only referring to the introduction of amavisd into our network. Postfix is very well configured and has very restrictive smtpd_recipient_restrictions as well as helo_checks, sender_checks, recipient_checks, and the like. About 50% of the mail sent to the server is immediately rejected (without accepting it first). I assume that percentage will increase once postini is abolished. This is all excellent, but as you describe it here, your server does not reject mail to nonexistent users. Please correct me if I am mistaken and it won't be mentioned again. Unless you reject mail to nonexistent users at your gateway servers, amavisd-new will have burn time, energy and CPU power processing each and every one of these worthless mails, not to mention filling up your deferred queues. Like I said, 83% of my mail is addressed to nonexistent users. You have to find a way to reject this dictionary attack crap. The head relay servers (relay1 and relay2) will now takeover the exact configuration our existing mail server has. That way they continue to function as our current mail server does. Your current server delivers mail locally, and the gateway servers will relay mail, so at least in that respect, they must be configured differently, but I think this is assumed. Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or the LDA... I meant the remaining server for each situation. In other words, the domains that have relay1 setup as primary MX will have relay2 as secondary. The domains that have relay2 as primary will have the remaining server (relay1) set as secondary. That way its full redundancy if one goes down. The main mail server will ONLY accept incoming messages from the two 1U's Hope that clarifies. It does, Thanks. And like Clifton said, Excellent plan; this is pretty much optimal. Regards, Matt Gary V --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
RE: [AMaViS-user] FINAL DECISION: Will our machine handle it
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary V Sent: Saturday, 23 July 2005 8:04 a.m. To: amavis-user@lists.sourceforge.net Subject: Re: [AMaViS-user] FINAL DECISION: Will our machine handle it I'm sure you are aware of this Matt, but on your 2 gateway servers, you MUST reject mail to nonexistent users. I don't know if or how you are doing this now, but I've heard that use of a relay_recipients map may be more efficient than LDAP queries, but of course this means that programs have to be written to extract email addresses from LDAP and load them into the map(s), and of course, this would have to automatically happen on a regular basis. I completely agree with Gary. Rejecting e-mail for non existent users *at the front-end* is a MUST. There are multiple ways to do it. Using a relay_recipients (or virtual_alias_maps, if you have virtual domains) map will be, of course, more efficient because postfix just checks a local hash table so it's very, very fast. LDAP is easier because both servers will contact only one directory, however, you now have a single point of failure if your LDAP server goes down (that's why I decided to go with local host tables on our system here, if you saw my presentation). Now, that all a side, time to lookup a user is close to zero comparing to the time you will spend on AV and anti-spam checks, so I wouldn't worry about this at all. Cheers, Bojan --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
I completely agree with Gary. Rejecting e-mail for non existent users *at the front-end* is a MUST. There are multiple ways to do it. Using a relay_recipients (or virtual_alias_maps, if you have virtual domains) map will be, of course, more efficient because postfix just checks a local hash table so it's very, very fast. LDAP is easier because both servers will contact only one directory, however, you now have a single point of failure if your LDAP server goes down (that's why I decided to go with local host tables on our system here, if you saw my presentation). Now Hiya :) OK I'll clarify :) The new 1U boxes will use the same config as the existing mail server, including rejecting users that dont exist. Our amavisd settings will also be stored in LDAP, so that look up will take place anyway. Also, we have three redundant LDAP servers. One primary write only and two read only, which are speedy. LDAP runs our entire network, and we have hourly backups of the entire data, and spares that stand by :) I think we're covered from LDAP's end. Its honestly the simplest setup I've ever worked with. Once you understand it, of course. regards, Matt --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
Gary wrote: Matt wrote: I'm sure you are aware of this Matt, but on your 2 gateway servers, you MUST reject mail to nonexistent users. I don't know if or how you are doing this now, but I've heard that use of a relay_recipients map may be more efficient than LDAP queries, but of course this means that programs have to be written to extract email addresses from LDAP and load them into the map(s), and of course, this would have to automatically happen on a regular basis. This thread was only referring to the introduction of amavisd into our network. Postfix is very well configured and has very restrictive smtpd_recipient_restrictions as well as helo_checks, sender_checks, recipient_checks, and the like. About 50% of the mail sent to the server is immediately rejected (without accepting it first). I assume that percentage will increase once postini is abolished. This is all excellent, but as you describe it here, your server does not reject mail to nonexistent users. Please correct me if I am mistaken and it won't be mentioned again. Unless you reject mail to nonexistent users at your gateway servers, amavisd-new will have burn time, energy and CPU power processing each and every one of these worthless mails, not to mention filling up your deferred queues. Like I said, 83% of my mail is addressed to nonexistent users. You have to find a way to reject this dictionary attack crap. The head relay servers (relay1 and relay2) will now takeover the exact configuration our existing mail server has. That way they continue to function as our current mail server does. Your current server delivers mail locally, and the gateway servers will relay mail, so at least in that respect, they must be configured differently, but I think this is assumed. Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or the LDA... I meant the remaining server for each situation. In other words, the domains that have relay1 setup as primary MX will have relay2 as secondary. The domains that have relay2 as primary will have the remaining server (relay1) set as secondary. That way its full redundancy if one goes down. The main mail server will ONLY accept incoming messages from the two 1U's Hope that clarifies. It does, Thanks. And like Clifton said, Excellent plan; this is pretty much optimal. Regards, Matt Gary V Doh! I am red faced here, but I think I understand what is happening. I am so used to configuring gateway servers that I forgot that it is not necessary to configure an LDA to reject mail to nonexistent recipients, it happens by design with no additional settings. I think that Matt is thinking in terms of an LDA, and not in terms of a relay server. At this point, if postini tries to deliver a message to a nonexistent user, your LDA rejects it, and the reject ends up as just another statistic in your 50% of the mail gets rejected. Postini is the one who pays the price for your reject here, so you don't have to bother yourself about it. Now, when you run your own relay servers, here is what will happen. First understand that by default, a relay server knows nothing about who valid recipients are. It knows to only accept mail to your domains, but that's it. So, your relay server receives a message to a nonexistent user in one of your domains. It get scanned by amavisd-new and is passed to your LDA. The LDA rejects it, and so your gateway server composes a nice DSN and tries to send it to the sender. The sender is of course bogus, so the DSN sits in your deferred queue, and many delivery attempts occur over the next 5 days (Postfix default). Multiply this by 20,000 per day, and in about a week or less you will have no gateway server. You have to use a mechanism to reject mail (at the gateway) addressed to nonexistent recipients. Doing so will drop the volume of mail in the deferred queue by 90%, and will save you from scanning this garbage. I'll bet you the postini server measures its queue lifetime in hours, not days. Gary V --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
[AMaViS-user] Constant error trying to use amavisd-new
Hi, im havving this error, when i receive any email, im testing amavisd-new to see if i can use it for spam filtering with SA. This is on my logs: Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS from IP 192.168.1.10, policy bank '' I´ve modified main.cf and master.cf according the readme files, like so: main.cf: content_filter = smtp-amavis:[127.0.0.1]:10024 and in master.cf: smtp-amavis unix- - n - 2 smtp -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes 127.0.0.1:10025 inetn - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 This is other logs entry: Jul 22 21:09:57 vida postfix/smtp[4864]: connect to 127.0.0.1[127.0.0.1]: server dropped connection without sending the initial SMTP greeting (port 10024) I´ve got amavisd listening on 127.0.0.1:10024 What´s wrong, am i forgetting some settings?? Thanks. Javier __ Correo Yahoo! Espacio para todos tus mensajes, antivirus y antispam ¡gratis! ¡Abrí tu cuenta ya! - http://correo.yahoo.com.ar --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] Constant error trying to use amavisd-new
--- Gary V [EMAIL PROTECTED] escribió: Javier wrote: Hi, im havving this error, when i receive any email, im testing amavisd-new to see if i can use it for spam filtering with SA. This is on my logs: Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS from IP 192.168.1.10, policy bank '' I´ve modified main.cf and master.cf according the readme files, like so: main.cf: content_filter = smtp-amavis:[127.0.0.1]:10024 and in master.cf: smtp-amavis unix- - n - 2 smtp -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes 127.0.0.1:10025 inetn - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 This is other logs entry: Jul 22 21:09:57 vida postfix/smtp[4864]: connect to 127.0.0.1[127.0.0.1]: server dropped connection without sending the initial SMTP greeting (port 10024) I´ve got amavisd listening on 127.0.0.1:10024 What´s wrong, am i forgetting some settings?? Thanks. Javier to start, try adding -o smtp_send_xforward_command=yes: smtp-amavis unix- - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes then reload postfix, of course. Gary V I added that, but still the same error. Javier. ___ 1GB gratis, Antivirus y Antispam Correo Yahoo!, el mejor correo web del mundo http://correo.yahoo.com.ar --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] Constant error trying to use amavisd-new
Gary wrote: Javier wrote: Hi, im havving this error, when i receive any email, im testing amavisd-new to see if i can use it for spam filtering with SA. This is on my logs: Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS from IP 192.168.1.10, policy bank '' Jul 22 21:09:57 vida postfix/smtp[4864]: connect to 127.0.0.1[127.0.0.1]: server dropped connection without sending the initial SMTP greeting (port 10024) What are these settings set to? $unix_socketname = $MYHOME/amavisd.sock; # amavis helper protocol socket $inet_socket_port = 10024;# accept SMTP on this local TCP port @inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP # (default is qw(127.0.0.1 [::1]) ) Gary V --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] Constant error trying to use amavisd-new
lør, 23.07.2005 kl. 02.39 skrev Javier Carlos Viegas: Hi, im havving this error, when i receive any email, im testing amavisd-new to see if i can use it for spam filtering with SA. This is on my logs: Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS from IP 192.168.1.10, policy bank '' I'd say this is error caused by a change you've made to amavisd.conf invalidating the standard policy_bank value. You should have something like: $policy_bank{'ALT'} = { inet_acl = [qw( 127.0.0.1 192.168..1.10 )], }; $interface_policy{'10024'} = 'ALT'; For an idea of what policy_bank can mean for you (it's powerful), look through the amavisd.conf-sample file included with the source code, or in /usr/share/doc/amavis-new-versionnr if you've installed from an rpm. I´ve modified main.cf and master.cf according the readme files, like so: I don't believe this has anything to do with Postfix, your log gives an amavis error. [...] --Tonni -- mail: [EMAIL PROTECTED] http://www.billy.demon.nl --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77alloc_id492op=click ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/