Re: [AMaViS-user] Can't start Amavis after update

[Tony Earnshaw]

fre, 22.07.2005 kl. 02.22 skrev Gary V:

[...]

 Nice work, looks like you have something in common with SuSE 9.1:
 From http://www.ijs.si/software/amavisd/#faq-trouble :
 
 Michael W Cocke writes: the reason DB_PRIVATE was enabled is that
 SuSE 9.1 ships with BDB built wrong! Download BDB 4.2.52 from sleepycat
 (specifically that version because A LOT of the apps that SuSE 9.1 ships
 with are hardcoded to that specific version). Compile with --enable-cxx
 and NOT posixmutexes! Then install it as usual. You make have to rebuild
 BerkeleyDB as well. I have no idea if SuSE 9.2 has the same problem.

Please note that Sleepycat's BDB 4.2.52 source code needs 2 mandatory
patches (available from the download site) to avoid locking problems and
OpenLDAP 2.2 and 2.3 users (at least) are advised to use 2 extra
optional patches. All of these patches are available at a single site:
http://www.stanford.edu/services/directory/openldap/configuration/bdb-build-42.html

Best,

--Tonni

-- 
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl




---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] Problem with reporting script

[Sven Schuster]

Hi MJ,

On Wed, Jul 20, 2005 at 06:19:37PM +0300, MJ told us:
 Hi,
 I am sucessfully using pflogsumm-1.1.0.pl and my-spam-report.pl 
 downloaded from http://www.flakshack.com/anti-spam/wiki/index.php but when I 
 try to run 3rd script my-virus-report.pl  which is to get Virus statistics, 
 it is giving me following error. Can some one help in this. This script is 
 available at http://www.xmission.com/~kn/AddClamAV/my-virus-report.txt
 
 
 #./my-virus-report.pl /var/log/syslog.1
 ---
 Virus Filter Report
 ---
 
 Summary
 
 0  Viruses blocked
 
 
 Viruses Blocked - Top 50
 # Virus name 
 ---
 Use of uninitialized value in concatenation (.) or string at 
 ./my-virus-report.pl line 106,  line 19.
 
   Virus types detected

I took a quick look at this perl script, this was quite easy to fix.
Apply the attached patch to the script via

patch -p0 /some/where/my-virus-report.diff

Nevertheless, what version of amavis is this script intended for??
I tried to use it with my maillog (I'm using postfix + amavisd-new on
my home machine) and it didn't find anything (but I _do_ have received
some viruses since the last logrotate)


Regards,

Sven

-- 
Linux zion 2.6.13-rc3-mm1 #6 PREEMPT Mon Jul 18 19:42:52 CEST 2005 i686 athlon 
i386 GNU/Linux
 23:38:14 up 2 days,  3:50,  1 user,  load average: 0.13, 0.06, 0.05
--- my-virus-report.pl.orig 2005-07-20 17:28:01.0 +0200
+++ my-virus-report.pl  2005-07-20 17:28:38.0 +0200
@@ -88,6 +88,9 @@
 EOL
 
 $numberofdomains = 0;
+
+my($NumberOfTypes) = 0;
+
 for my $row(@Viruses) {
   if ($numberofdomains  50)  # only print this many lines
   {

Re: [AMaViS-user] Will our machine handle it?

[Dan Pritts]

On Wed, Jul 20, 2005 at 08:38:08PM -0400, Matt Juszczak wrote:
 Just an update to everyone.
 
 I just got the data from our outsourced spam provider.
 
 Yesterday, the 19th, they processed 123,728 messages for us. Of those, 
 71,097 were blocked and 20,000 quarantined.
 
 So my question below should wrap around that data.  Will it be able to 
 process 123,728 messages per day, with antivirus/antispam and local mail 
 delivery?
 

Why don't you start your local processing now on the 50,000 messages per
day that are coming in from postini?  That will give you a good idea of
the performance and i'd be real surprised if your server couldn't keep up.

Then experiment a bit by sending additional mail direct into your servers,
without going through postini.

danno


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

[AMaViS-user] Can't start Amavis after update

[Joel Sjögren]

Hi,
I updated some rpms and my kernel, and now Amavis won't start.
I was running 2.2.0, but since it stopped working, I tried to upgrade to 
2.3.2, but got exactly the same error (only different line):


Jul 21 23:08:32 servername /usr/sbin/amavisd[13301]: No secondary av 
scanner: KasperskyLab kavscanner
Jul 21 23:08:32 servername /usr/sbin/amavisd[13301]: TROUBLE in 
pre_loop_hook: db_init: BDB bad db env. at /var/amavis/db: Invalid 
argument, . at (eval 36) line 244.
Suicide () TROUBLE in pre_loop_hook: db_init: BDB bad db env. at 
/var/amavis/db: Invalid argument, . at (eval 36) line 244.


Got this when running in debug mode

No other errors up till that.
I'm currently running Whitebox Linux, kernel 2.4.21-32.0.1.ELsmp. I've 
looked through the list of updated packages, and I can't find anything 
that would cause this error. Earlier I was running kernel 
2.4.21-27.0.4.ELsmp, but when I load this kernel, I get the same error.


Any kind of assistance would be helpful...
Regards, Cariad



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it?

[Gary V]

I cast my vote: yeah
Gary V

Matt wrote:

 Hi all,

 OK, I think I've made a final decision on what I'd like to do.

 I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz 
 machines with IDE drives). I'm going to call one relay1 and one relay2.

 I'm going to setup MX records for the 500+ domains we have. Half of them 
 will have relay1 as their primary and half of them will have relay2 as 
 their primary. The remaining server will be set as secondary MX.

 These two 1U boxes will be IDENTICAL and have support for ALL domains. 
 Upon processing of spam and antivirus, each box will then relay the mail 
 directly to the mail server. All the mail server will do is receive the 
 processed emails and deliver them.

 The reason I decided this is for a few reasons:

 1) Tonight I upgraded nss_ldap on the mail server and I messed some 
 stuff up bad (it worked on the testing box, btw). It took me 20 minutes 
 to fix it.

 2) Mail processing is easy. Spam and antivirus processing is a bit more 
 complicated process. Since I'll have two boxes doing the processing, I 
 can easily take one of the boxes down if something goes wrong (IE, I can 
 take relay1 down at anytime, and relay2 will still function for all mail 
 because of backup MX records).

 3) It takes the load off the mail server and uncomplicates things. If 
 something on the mail server breaks, I'll have to figure out whether its 
 the LDA, MTA, amavisd, spamd, or antivirus, or even LDAP. Now, I divide 
 it up a bit to make things easier.

 Please let me know what all of you think about this final idea. In the 
 end it leaves me with a three server setup but at least things will be a 
 bit more spread out, and I'll have nice backup processing servers.

 Regards,
 Matt



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Pete Barnwell]

On Fri, 2005-07-22 at 00:35 -0400, Matt Juszczak wrote:
 Hi all,
 
 OK, I think I've made a final decision on what I'd like to do.
 
 I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz 
 machines with IDE drives). I'm going to call one relay1 and one
relay2.
 
 I'm going to setup MX records for the 500+ domains we have. Half of
them 
 will have relay1 as their primary and half of them will have relay2
as 
 their primary. The remaining server will be set as secondary MX.
 
 These two 1U boxes will be IDENTICAL and have support for ALL
domains. 
 Upon processing of spam and antivirus, each box will then relay the
mail 
 directly to the mail server. All the mail server will do is receive
the 
 processed emails and deliver them.


Um - doesn't what you've described here mean that anything delivered to
the secondary MX won't be spam or virus checked? Or are you planning on
that server doing that as well, on the basis that it shouldn't see too
much spam since the other two will pick it up first?

If the former then this is doomed to failure - sooner rather than later!

If the latter then I'm not sure how well this will work - a *lot* OF
spam software I see tries the lowest prio MX *first* (presumably becuase
often this belongs to your ISP and won't have the same level of
restrictions on it that the primary does).

Personally I'd set 1/2 the domains to have one of the 1Us as primary and
the other 1U as secondary and the other 1/2 domains the other way round,
and have the main server only accept mail from the 2 1Us.

Rgds

Pete




---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

[AMaViS-user] Bizarre behavior between Exim-AMaViS-SpamAssassin

[Jonathan Gonzalez]

Hi,

i would like to know if there's some special feature that needs to be 
enabled/disabled in order to work 100% compliant with exim+spamassassin.


I'm my actual installation (Exim 4.50 + amavisd-new-20030616-p10 + 
ClamAV 0.86 + SpamAssassin 3.0 on a Debian Sarge platform) the MTA 
passes the email to amavis that checks for antivirus correctly but about 
the spam checks and it's behavior i'm not sure that all works fine.


I can see in the amavis logs that the spam checks are being made but no 
headers are added to the body of the email before being delivered to the 
user Mailbox.


This X-Headers are for me quite important because further tasks are 
based on those headers.


In example, i can see that a email is classified above the spam limit 
(11 points) and the message is delivered anyway to the user mailbox, 
something that previously didn't happened when MTA talked direclty with 
SpamAssassin. Seems that the interaction between MTA and amavis is not 
good, or between SA and amavis is not good maybe.


Any ideas will be welcomed.
Thanks in advance,

jonathan


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] Bizarre behavior between Exim-AMaViS-SpamAssassin

[Gary V]

Jonathan wrote:

 Hi,

 i would like to know if there's some special feature that needs to be 
 enabled/disabled in order to work 100% compliant with exim+spamassassin.

 I'm my actual installation (Exim 4.50 + amavisd-new-20030616-p10 + 
 ClamAV 0.86 + SpamAssassin 3.0 on a Debian Sarge platform) the MTA 
 passes the email to amavis that checks for antivirus correctly but about 
 the spam checks and it's behavior i'm not sure that all works fine.

 I can see in the amavis logs that the spam checks are being made but no 
 headers are added to the body of the email before being delivered to the 
 user Mailbox.

 This X-Headers are for me quite important because further tasks are 
 based on those headers.

 In example, i can see that a email is classified above the spam limit 
 (11 points) and the message is delivered anyway to the user mailbox, 
 something that previously didn't happened when MTA talked direclty with 
 SpamAssassin. Seems that the interaction between MTA and amavis is not 
 good, or between SA and amavis is not good maybe.

 Any ideas will be welcomed.
 Thanks in advance,

 jonathan

Remember, for X-Spam* reports to be inserted, the recipient's domain
must be considered local. Put your domain(s) in @local_domains_acl,
something like this would work:

@local_domains_acl = qw( .example.com .example2.com );

The $sa_tag_level_deflt determines at what level the X-Spam* reports
will be inserted, so I set mine to insert the report no matter what:

$sa_tag_level_deflt  = -.9;

Gary V



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Pete Barnwell]

On Fri, 2005-07-22 at 16:58, Gary V wrote:
 Pete wrote:
 
  Personally I'd set 1/2 the domains to have one of the 1Us as primary and
  the other 1U as secondary and the other 1/2 domains the other way round,
  and have the main server only accept mail from the 2 1Us.
  Rgds
  Pete
 
 I don't mean to speak for Matt here, but I think you have
 misunderstood, Pete. The way I read it, this IS how it is going to be
 set up. Both 1U's will filter everything (half and half), then relay to
 the LDA. Each 1U is set as a backup for the other. Then I would assume
 that after a couple weeks (to give time for external name servers to
 clear their cache), the LDA will be reconfigured to only accept mail
 from the two 1U's. If the LDA is currently only accepting mail from
 Postini, then it would be configured to accept mail from Postini and
 the 2 1U's for a couple weeks (or longer if desired), then drop Postini
 after that.


I'm going to setup MX records for the 500+ domains we have. Half
of them will have relay1 as their primary and half of them will have
relay2 as their primary. The remaining server will be set as secondary
MX.

Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or
the LDA...

We're in agreement, but arguing over semantics I suspect ;)


Pete



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Gary V]

Pete wrote:

 On Fri, 2005-07-22 at 16:58, Gary V wrote:
 Pete wrote:
 
  Personally I'd set 1/2 the domains to have one of the 1Us as primary and
  the other 1U as secondary and the other 1/2 domains the other way round,
  and have the main server only accept mail from the 2 1Us.
  Rgds
  Pete
 
 I don't mean to speak for Matt here, but I think you have
 misunderstood, Pete. The way I read it, this IS how it is going to be
 set up. Both 1U's will filter everything (half and half), then relay to
 the LDA. Each 1U is set as a backup for the other. Then I would assume
 that after a couple weeks (to give time for external name servers to
 clear their cache), the LDA will be reconfigured to only accept mail
 from the two 1U's. If the LDA is currently only accepting mail from
 Postini, then it would be configured to accept mail from Postini and
 the 2 1U's for a couple weeks (or longer if desired), then drop Postini
 after that.


I'm going to setup MX records for the 500+ domains we have. Half
of them will have relay1 as their primary and half of them will have
 relay2 as their primary. The remaining server will be set as secondary
 MX.

 Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or
 the LDA...

Good point, I glossed right over that and made an assumption he was
talking about the other 1U, but it appears it refers to the LDA. In
that case, all your comments are 100% correct. The LDA will get
slammed if it is set up as secondary. Most notably by dictionary
attacks.

 We're in agreement, but arguing over semantics I suspect ;)
 Pete

Yep, except that we are not even arguing 8-}

Gary V



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it?

[Clifton Royston]

On Fri, Jul 22, 2005 at 12:35:04AM -0400, Matt Juszczak wrote:
 OK, I think I've made a final decision on what I'd like to do.
 
 I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz 
 machines with IDE drives). I'm going to call one relay1 and one relay2.
 
 I'm going to setup MX records for the 500+ domains we have. Half of them 
 will have relay1 as their primary and half of them will have relay2 as 
 their primary. The remaining server will be set as secondary MX.
 
 These two 1U boxes will be IDENTICAL and have support for ALL domains. 
 Upon processing of spam and antivirus, each box will then relay the mail 
 directly to the mail server. All the mail server will do is receive the 
 processed emails and deliver them.

  Excellent plan; this is pretty much optimal.  If I'd realized you had
two machines to spare, I would have recommended this.
 
 The reason I decided this is for a few reasons:
...

  All good reasons.

 Please let me know what all of you think about this final idea. In the 
 end it leaves me with a three server setup but at least things will be a 
 bit more spread out, and I'll have nice backup processing servers.

  The one catch in this suggestion is that the more sophisticated
variety of both viruses and spammers will try to go around your spam
filter servers to hit your mailserver directly.  This can mean getting
totally hammered during a major virus outbreak.  Several strong
suggestions:

1) Don't list your end mailserver as an MX record; use Postfix
transports to route directly it from your antispam filter to your
mailserver.

2) Once everything is working right, firewall inbound SMTP connections
from outside your IP space or restrict them via an access list.

3) Optionally, name your mailserver something other than mail, mta,
mx, etc. because those names are part of what they will look for in
DNS.
  -- Clifton

-- 
  Clifton Royston  --  [EMAIL PROTECTED] 
 Tiki Technologies Lead Programmer/Software Architect
  My own personal theory is that this is the very dawn of the world.
We're hardly more than an eyeblink away from the fall of Troy, and
scarcely an interglaciation removed from the Altamira cave painters. We
live in extremely interesting ancient times.
  I like this idea. It encourages us to be earnest and ingenious and
brave, as befits ancestral peoples; but keeps us from deciding that
because we don't know all the answers, they must be unknowable and thus
unprofitable to pursue.  -- Teresa Nielsen Hayden, 1995 


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it?

[Milton Cyrus]

Looks like a good plan.

On the two relay servers I would setup postfix to do a verify on the
incoming mail addr. using reject_unverified_recipient and also set
out-going e-mail to go trough the relay's as well..


Milton

On Fri, 2005-07-22 at 09:21 -1000, Clifton Royston wrote:
 On Fri, Jul 22, 2005 at 12:35:04AM -0400, Matt Juszczak wrote:
  OK, I think I've made a final decision on what I'd like to do.
  
  I think I'm going to setup two of the 1U boxes we have (the 3.06 ghz 
  machines with IDE drives). I'm going to call one relay1 and one relay2.
  
  I'm going to setup MX records for the 500+ domains we have. Half of them 
  will have relay1 as their primary and half of them will have relay2 as 
  their primary. The remaining server will be set as secondary MX.
  
  These two 1U boxes will be IDENTICAL and have support for ALL domains. 
  Upon processing of spam and antivirus, each box will then relay the mail 
  directly to the mail server. All the mail server will do is receive the 
  processed emails and deliver them.
 
   Excellent plan; this is pretty much optimal.  If I'd realized you had
 two machines to spare, I would have recommended this.
  
  The reason I decided this is for a few reasons:
 ...
 
   All good reasons.
 
  Please let me know what all of you think about this final idea. In the 
  end it leaves me with a three server setup but at least things will be a 
  bit more spread out, and I'll have nice backup processing servers.
 
   The one catch in this suggestion is that the more sophisticated
 variety of both viruses and spammers will try to go around your spam
 filter servers to hit your mailserver directly.  This can mean getting
 totally hammered during a major virus outbreak.  Several strong
 suggestions:
 
 1) Don't list your end mailserver as an MX record; use Postfix
 transports to route directly it from your antispam filter to your
 mailserver.
 
 2) Once everything is working right, firewall inbound SMTP connections
 from outside your IP space or restrict them via an access list.
 
 3) Optionally, name your mailserver something other than mail, mta,
 mx, etc. because those names are part of what they will look for in
 DNS.
   -- Clifton
 



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Gary V]

Gary wrote:

 Pete wrote:

 On Fri, 2005-07-22 at 16:58, Gary V wrote:
 Pete wrote:
 
  Personally I'd set 1/2 the domains to have one of the 1Us as primary and
  the other 1U as secondary and the other 1/2 domains the other way round,
  and have the main server only accept mail from the 2 1Us.
  Rgds
  Pete
 
 I don't mean to speak for Matt here, but I think you have
 misunderstood, Pete. The way I read it, this IS how it is going to be
 set up. Both 1U's will filter everything (half and half), then relay to
 the LDA. Each 1U is set as a backup for the other. Then I would assume
 that after a couple weeks (to give time for external name servers to
 clear their cache), the LDA will be reconfigured to only accept mail
 from the two 1U's. If the LDA is currently only accepting mail from
 Postini, then it would be configured to accept mail from Postini and
 the 2 1U's for a couple weeks (or longer if desired), then drop Postini
 after that.


I'm going to setup MX records for the 500+ domains we have. Half
of them will have relay1 as their primary and half of them will have
 relay2 as their primary. The remaining server will be set as secondary
 MX.

 Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or
 the LDA...

 Good point, I glossed right over that and made an assumption he was
 talking about the other 1U, but it appears it refers to the LDA. In
 that case, all your comments are 100% correct. The LDA will get
 slammed if it is set up as secondary. Most notably by dictionary
 attacks.

My own setup is an example. I have two MX (gateway) servers, I have
all my domains set to use server1 as primary and server2 as secondary.
These machines receive an EQUAL number of delivery attempts! 83% of
which are addressed to nonexistent users (and are rejected by Postfix).

I'm sure you are aware of this Matt, but on your 2 gateway servers,
you MUST reject mail to nonexistent users. I don't know if or how you
are doing this now, but I've heard that use of a relay_recipients map
may be more efficient than LDAP queries, but of course this means that
programs have to be written to extract email addresses from LDAP
and load them into the map(s), and of course, this would have to
automatically happen on a regular basis.

Gary V



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Matt Juszczak]

I'm going to setup MX records for the 500+ domains we have. Half
of them will have relay1 as their primary and half of them will have
relay2 as their primary. The remaining server will be set as secondary
MX.
 


Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or
the LDA...
   



Good point, I glossed right over that and made an assumption he was
talking about the other 1U, but it appears it refers to the LDA. In
that case, all your comments are 100% correct. The LDA will get
slammed if it is set up as secondary. Most notably by dictionary
attacks.
 



I meant the remaining server for each situation. In other words, the 
domains that have relay1 setup as primary MX will have relay2 as 
secondary. The domains that have relay2 as primary will have the 
remaining server (relay1) set as secondary. That way its full 
redundancy if one goes down.


The main mail server will ONLY accept incoming messages from the two 1U's

Hope that clarifies.

-Matt


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

[AMaViS-user] (no subject)

[Steve Zeng]

confirm 847457 


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Gary V]

Matt wrote:


I'm sure you are aware of this Matt, but on your 2 gateway servers,
you MUST reject mail to nonexistent users. I don't know if or how you
are doing this now, but I've heard that use of a relay_recipients map
may be more efficient than LDAP queries, but of course this means that
programs have to be written to extract email addresses from LDAP
and load them into the map(s), and of course, this would have to
automatically happen on a regular basis.
  


 This thread was only referring to the introduction of amavisd into our 
 network.

 Postfix is very well configured and has very restrictive 
 smtpd_recipient_restrictions as well as helo_checks, sender_checks, 
 recipient_checks, and the like. About 50% of the mail sent to the server 
 is immediately rejected (without accepting it first). I assume that 
 percentage will increase once postini is abolished.

This is all excellent, but as you describe it here, your server does
not reject mail to nonexistent users. Please correct me if I am mistaken
and it won't be mentioned again.

Unless you reject mail to nonexistent users at your gateway servers,
amavisd-new will have burn time, energy and CPU power processing each
and every one of these worthless mails, not to mention filling up your
deferred queues. Like I said, 83% of my mail is addressed to nonexistent
users. You have to find a way to reject this dictionary attack crap.

 The head relay servers (relay1 and relay2) will now takeover the exact 
 configuration our existing mail server has. That way they continue to 
 function as our current mail server does.

Your current server delivers mail locally, and the gateway
servers will relay mail, so at least in that respect, they must be
configured differently, but I think this is assumed.

Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or
the LDA...

 I meant the remaining server for each situation. In other words, the
 domains that have relay1 setup as primary MX will have relay2 as
 secondary. The domains that have relay2 as primary will have the
 remaining server (relay1) set as secondary. That way its full
 redundancy if one goes down.

 The main mail server will ONLY accept incoming messages from the two 1U's
 Hope that clarifies.

It does, Thanks.
And like Clifton said, Excellent plan; this is pretty much optimal.

 Regards,
 Matt

Gary V



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

RE: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Bojan Zdrnja]

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Gary V
 Sent: Saturday, 23 July 2005 8:04 a.m.
 To: amavis-user@lists.sourceforge.net
 Subject: Re: [AMaViS-user] FINAL DECISION: Will our machine handle it
 
 I'm sure you are aware of this Matt, but on your 2 gateway servers,
 you MUST reject mail to nonexistent users. I don't know if or how you
 are doing this now, but I've heard that use of a relay_recipients map
 may be more efficient than LDAP queries, but of course this means that
 programs have to be written to extract email addresses from LDAP
 and load them into the map(s), and of course, this would have to
 automatically happen on a regular basis.

I completely agree with Gary. Rejecting e-mail for non existent users *at
the front-end* is a MUST.
There are multiple ways to do it. Using a relay_recipients (or
virtual_alias_maps, if you have virtual domains) map will be, of course,
more efficient because postfix just checks a local hash table so it's very,
very fast.
LDAP is easier because both servers will contact only one directory,
however, you now have a single point of failure if your LDAP server goes
down (that's why I decided to go with local host tables on our system here,
if you saw my presentation).

Now, that all a side, time to lookup a user is close to zero comparing to
the time you will spend on AV and anti-spam checks, so I wouldn't worry
about this at all.

Cheers,

Bojan



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Matt Juszczak]

I completely agree with Gary. Rejecting e-mail for non existent users *at
the front-end* is a MUST.
There are multiple ways to do it. Using a relay_recipients (or
virtual_alias_maps, if you have virtual domains) map will be, of course,
more efficient because postfix just checks a local hash table so it's very,
very fast.
LDAP is easier because both servers will contact only one directory,
however, you now have a single point of failure if your LDAP server goes
down (that's why I decided to go with local host tables on our system here,
if you saw my presentation).

Now



Hiya :)

OK I'll clarify :) The new 1U boxes will use the same config as the 
existing mail server, including rejecting users that dont exist. Our 
amavisd settings will also be stored in LDAP, so that look up will take 
place anyway.


Also, we have three redundant LDAP servers. One primary write only and 
two read only, which are speedy. LDAP runs our entire network, and we 
have hourly backups of the entire data, and spares that stand by :) I 
think we're covered from LDAP's end. Its honestly the simplest setup 
I've ever worked with. Once you understand it, of course.


regards,

Matt


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] FINAL DECISION: Will our machine handle it

[Gary V]

Gary wrote:

 Matt wrote:


I'm sure you are aware of this Matt, but on your 2 gateway servers,
you MUST reject mail to nonexistent users. I don't know if or how you
are doing this now, but I've heard that use of a relay_recipients map
may be more efficient than LDAP queries, but of course this means that
programs have to be written to extract email addresses from LDAP
and load them into the map(s), and of course, this would have to
automatically happen on a regular basis.
  


 This thread was only referring to the introduction of amavisd into our 
 network.

 Postfix is very well configured and has very restrictive 
 smtpd_recipient_restrictions as well as helo_checks, sender_checks, 
 recipient_checks, and the like. About 50% of the mail sent to the server 
 is immediately rejected (without accepting it first). I assume that 
 percentage will increase once postini is abolished.

 This is all excellent, but as you describe it here, your server does
 not reject mail to nonexistent users. Please correct me if I am mistaken
 and it won't be mentioned again.

 Unless you reject mail to nonexistent users at your gateway servers,
 amavisd-new will have burn time, energy and CPU power processing each
 and every one of these worthless mails, not to mention filling up your
 deferred queues. Like I said, 83% of my mail is addressed to nonexistent
 users. You have to find a way to reject this dictionary attack crap.

 The head relay servers (relay1 and relay2) will now takeover the exact 
 configuration our existing mail server has. That way they continue to 
 function as our current mail server does.

 Your current server delivers mail locally, and the gateway
 servers will relay mail, so at least in that respect, they must be
 configured differently, but I think this is assumed.

Depends what Matt meant by 'the remaining server' ie the 'other' 1U, or
the LDA...

 I meant the remaining server for each situation. In other words, the
 domains that have relay1 setup as primary MX will have relay2 as
 secondary. The domains that have relay2 as primary will have the
 remaining server (relay1) set as secondary. That way its full
 redundancy if one goes down.

 The main mail server will ONLY accept incoming messages from the two 1U's
 Hope that clarifies.

 It does, Thanks.
 And like Clifton said, Excellent plan; this is pretty much optimal.

 Regards,
 Matt

 Gary V

Doh! I am red faced here, but I think I understand what is happening.
I am so used to configuring gateway servers that I forgot that it is
not necessary to configure an LDA to reject mail to nonexistent
recipients, it happens by design with no additional settings. I think
that Matt is thinking in terms of an LDA, and not in terms of a relay
server. At this point, if postini tries to deliver a message to a
nonexistent user, your LDA rejects it, and the reject ends up as just
another statistic in your 50% of the mail gets rejected. Postini is
the one who pays the price for your reject here, so you don't have
to bother yourself about it. Now, when you run your own relay servers,
here is what will happen. First understand that by default, a relay
server knows nothing about who valid recipients are. It knows to only
accept mail to your domains, but that's it. So, your relay server
receives a message to a nonexistent user in one of your domains. It
get scanned by amavisd-new and is passed to your LDA. The LDA rejects
it, and so your gateway server composes a nice DSN and tries to send
it to the sender. The sender is of course bogus, so the DSN sits in
your deferred queue, and many delivery attempts occur over the next 5
days (Postfix default). Multiply this by 20,000 per day, and in about
a week or less you will have no gateway server. You have to use a
mechanism to reject mail (at the gateway) addressed to nonexistent
recipients. Doing so will drop the volume of mail in the deferred
queue by 90%, and will save you from scanning this garbage.
I'll bet you the postini server measures its queue lifetime in hours, not days.

Gary V



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

[AMaViS-user] Constant error trying to use amavisd-new

[Javier Carlos Viegas]

Hi, im havving this error, when i receive any email,
im testing
amavisd-new to see if i can use it for spam filtering
with SA.

This is on my logs:

Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS from
IP 192.168.1.10,
policy bank ''

I´ve modified main.cf and master.cf according the
readme files, like so:

main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024

and in master.cf:

smtp-amavis unix-   -   n   - 
 2   smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes

127.0.0.1:10025 inetn   -   n   - 
 -   smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o
smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000

This is other logs entry:

Jul 22 21:09:57 vida postfix/smtp[4864]: connect to
127.0.0.1[127.0.0.1]:
server dropped connection without sending the initial
SMTP greeting (port
10024)

I´ve got amavisd listening on 127.0.0.1:10024

What´s wrong, am i forgetting some settings??

Thanks.
Javier


__
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis! 
¡Abrí tu cuenta ya! - http://correo.yahoo.com.ar


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] Constant error trying to use amavisd-new

[Javier Carlos Viegas]

 --- Gary V [EMAIL PROTECTED] escribió:

 Javier wrote:
 
 
  Hi, im havving this error, when i receive any
 email,
  im testing
  amavisd-new to see if i can use it for spam
 filtering
  with SA.
 
  This is on my logs:
 
  Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS
 from
  IP 192.168.1.10,
  policy bank ''
 
  I´ve modified main.cf and master.cf according the
  readme files, like so:
 
  main.cf:
 
  content_filter = smtp-amavis:[127.0.0.1]:10024
 
  and in master.cf:
 
  smtp-amavis unix-   -   n   - 

   2   smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
 
  127.0.0.1:10025 inetn   -   n   - 

   -   smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o
 

smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
 
  This is other logs entry:
 
  Jul 22 21:09:57 vida postfix/smtp[4864]: connect
 to
  127.0.0.1[127.0.0.1]:
  server dropped connection without sending the
 initial
  SMTP greeting (port
  10024)
 
  I´ve got amavisd listening on 127.0.0.1:10024
 
  What´s wrong, am i forgetting some settings??
 
  Thanks.
  Javier
 
 to start, try adding -o
 smtp_send_xforward_command=yes:
 
 smtp-amavis unix-   -   -   -   
2   smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 
 then reload postfix, of course.
 
 Gary V
 
 

I added that, but still the same error.

Javier.







___ 
1GB gratis, Antivirus y Antispam 
Correo Yahoo!, el mejor correo web del mundo 
http://correo.yahoo.com.ar 



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] Constant error trying to use amavisd-new

[Gary V]

Gary wrote:

 Javier wrote:


 Hi, im havving this error, when i receive any email,
 im testing
 amavisd-new to see if i can use it for spam filtering
 with SA.

 This is on my logs:

 Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS from
 IP 192.168.1.10,
 policy bank ''

 Jul 22 21:09:57 vida postfix/smtp[4864]: connect to
 127.0.0.1[127.0.0.1]:
 server dropped connection without sending the initial
 SMTP greeting (port
 10024)


What are these settings set to?
$unix_socketname = $MYHOME/amavisd.sock; # amavis helper protocol socket
$inet_socket_port = 10024;# accept SMTP on this local TCP port
@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP
  # (default is qw(127.0.0.1 [::1]) )


Gary V



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] Constant error trying to use amavisd-new

[Tony Earnshaw]

lør, 23.07.2005 kl. 02.39 skrev Javier Carlos Viegas:

   Hi, im havving this error, when i receive any
  email,
   im testing
   amavisd-new to see if i can use it for spam
  filtering
   with SA.
  
   This is on my logs:
  
   Jul 22 21:05:27 vida amavis[4619]: DENIED ACCESS
  from
   IP 192.168.1.10,
   policy bank ''

I'd say this is error caused by a change you've made to amavisd.conf
invalidating the standard policy_bank value. 

You should have something like:

$policy_bank{'ALT'} = {
  inet_acl = [qw( 127.0.0.1 192.168..1.10 )],
};
$interface_policy{'10024'} = 'ALT';

For an idea of what policy_bank can mean for you (it's powerful), look
through the amavisd.conf-sample file included with the source code, or
in /usr/share/doc/amavis-new-versionnr if you've installed from an rpm.

   I´ve modified main.cf and master.cf according the
   readme files, like so:

I don't believe this has anything to do with Postfix, your log gives an
amavis error.

[...]

--Tonni

-- 
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl




---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77alloc_id492op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/