Re: SuperSafe=PostMilter (was Re: [Mimedefang] comparemimedefangto mailscanner)
On 17 Jan 2007 at 23:40, Kevin A. McGrail wrote: Sorry to beat a dead-horse potentially but is this a no-brainer setting that everyone running MD should have on their sendmail install? I guess the question really is that I have no idea what the benefits or detriments of deferring synchronization of the queue file would be. The benefit would be speed, especially on a busy server where MIMEDefang rejects a large percentage of the messages. By not asking the OS to commit the file to disk (as opposed to letting it hang around in OS cache memory) during the first part of queueing, it will generally only occur if the OS has time for it (in which case, it's not really harming performance). The detriment would be that if your server crashes (power loss, etc.) during the time MIMEDefang is processing an incoming e-mail, then the file might not be on physical disk. This means that the other end would just retry when your server is back up, since sendmail would never have given the other end a final accept/reject response. So, you shouldn't ever lose data because of this setting (although it could definitely be delayed), since the other end *should* retry, but it might be the last attempt, or the other end might not be compliant, etc. -- Jeff Rife | Wheel of morality, | Turn, turn, turn. | Tell us the lesson | That we should learn | -- Yakko, Animaniacs ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
Les Mikesell [EMAIL PROTECTED] wrote on 01/17/2007 06:25:29 PM: Which is why the scanner should run as a milter so it can inform the MTA what to do at the appropriate time. Does anyone know of other commercial spam filters besides CanIt that are milter based or at least operate during the SMTP conversation. When I selected CanIt 3 years ago, it was the only one I came across that operated in this manner. Everthing else I looked at closed the connection and then scanned the message. I liked the milter approach, which made the selection a simple choice. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
[EMAIL PROTECTED] wrote: Does anyone know of other commercial spam filters besides CanIt that are milter based or at least operate during the SMTP conversation. (My marketing people will kill me for mentioning competitors...) Two big ones come to mind: Brightmail and PureMessage. Also, some outsourced solutions like Postini and MessageLabs seem to do at least some rejection during the SMTP conversation. There's definitely a tradeoff. Doing your filtering during SMTP imposes very aggressive time constraints. It's quite a challenge to scale a MIMEDefang/CanIt installation up to the several-million-messages/day level. Doing filtering after-the-fact lets you breathe a bit easier and smooth out peak loads over the day. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
John Rudd [EMAIL PROTECTED] wrote on 01/17/2007 07:11:51 PM: Dropping without notifying _anyone_ is an even worse practice. You don't have to notify the sender, as long as you notify the recipient (and visa versa). Which is just another piece of annoying email in the inbox. Why bother removing the spam if your just going to deliver a message held email in its place? ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Re: compare mimedefang to mailscanner
Dropping without notifying _anyone_ is an even worse practice. You don't have to notify the sender, as long as you notify the recipient (and visa versa). Which is just another piece of annoying email in the inbox. Why bother removing the spam if your just going to deliver a message held email in its place? We have an Exchange Public Folder called Spam, that our users are instructed to dump anything that gets past our spam filters. When an email is quarantined (due to high SpamAssassin score, for example), quarantine notices are sent to the recipients. Guess where those end up? Yep... The users dump the notices into the Spam folder. :/ Ken ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
On Thu, 2007-01-18 at 09:22 -0500, [EMAIL PROTECTED] wrote: John Rudd [EMAIL PROTECTED] wrote on 01/17/2007 07:11:51 PM: Dropping without notifying _anyone_ is an even worse practice. You don't have to notify the sender, as long as you notify the recipient (and visa versa). Which is just another piece of annoying email in the inbox. Why bother removing the spam if your just going to deliver a message held email in its place? It's a damned if you do, damned if you don't type situation. If you delivery it, the recipient gets unwanted spam. If you drop it even though it's thoroughly high scoring, the recipient actually wanted it. -- Stephen Johnson [EMAIL PROTECTED] ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
DFS wrote on 01/18/2007 09:21:32 AM: (My marketing people will kill me for mentioning competitors...) No doubt, but your openess is appreciated! Two big ones come to mind: Brightmail and PureMessage. Also, some outsourced solutions like Postini and MessageLabs seem to do at least some rejection during the SMTP conversation. I looked at Brightmail, but did not do an eval. Price and level of customization were the big factors. Given our end users are teacher who would not want their own trap to review, and CanIt streamed by domain (school district) works very well for us. There's definitely a tradeoff. Doing your filtering during SMTP imposes very aggressive time constraints. It's quite a challenge to scale a MIMEDefang/CanIt installation up to the several-million-messages/day level. Doing filtering after-the-fact lets you breathe a bit easier and smooth out peak loads over the day. Yeah, tell me about it. We're up to 71 school districts we're filtering and I'm in my second round of adding servers. But I remain convinced that filtering during SMTP is the correct way to go. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
[EMAIL PROTECTED] wrote: Which is just another piece of annoying email in the inbox. Why bother removing the spam if your just going to deliver a message held email in its place? Ever heard of a quarantine report? ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] MIMEDefang 2.59-BETA-2 is Available
This release includes a spiffy new tool for monitoring a cluster of MIMEDefang machines. Man page is man watch-multiple-mimedefangs and since we all love screenshots, there's one at http://www.roaringpenguin.com/watch-multiple-mimedefangs.png David, I've been playing with the new Beta, and you are right... This new tool is spiffy! Can it be expanded to include the other features currently present in watch-mimedefang (latency, activations, reaps, etc.), the reread filters button, the slider for update interval, and so on? I especially like the busy slaves windows, showing where each thread is at in its processing of an email, and the ability to strace a process by simply clicking on it. Ken ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Re: compare mimedefang to mailscanner
HI. John Rudd [EMAIL PROTECTED] wrote on 01/17/2007 07:11:51 PM: Dropping without notifying _anyone_ is an even worse practice. You don't have to notify the sender, as long as you notify the recipient (and visa versa). Which is just another piece of annoying email in the inbox. Why bother removing the spam if your just going to deliver a message held email in its place? Here is my approach (I guess other implementations are similar): Known Virus = discard silently. Bad filename (or unknown virus) = replace the attachment with a warning. The recipient gets the message without the attachment. High score spam (score 10) = Reject message. Probable spam (5 score 10) = Quarantine the message in a spamdrop. However a daily report is sent to the end user, listing all the quarantined messages with information such as sender+subject. Other mail = let it through. So, if a user is receiving 100 spam messages, 90% of them are normally blocked as high score spam, and 10 probable spam go to the spamdrop. The user will get a day after only 1 email message with a short list of the 10 probable spam message, so he can look for false positive. That is 1 message per day for about 100 spam (10 probable spam) messages. Most spam is filtered, but in case of false positive either the sender or recipient has a chance to know about it. I think that this is a good trade-off for the end users and the sysadmin. Yizhar Hurwitz http://yizhar.mvps.org ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
Yizhar Hurwitz wrote: HI. John Rudd [EMAIL PROTECTED] wrote on 01/17/2007 07:11:51 PM: Dropping without notifying _anyone_ is an even worse practice. You don't have to notify the sender, as long as you notify the recipient (and visa versa). Which is just another piece of annoying email in the inbox. Why bother removing the spam if your just going to deliver a message held email in its place? Here is my approach (I guess other implementations are similar): Known Virus = discard silently. Bad filename (or unknown virus) = replace the attachment with a warning. The recipient gets the message without the attachment. High score spam (score 10) = Reject message. Probable spam (5 score 10) = Quarantine the message in a spamdrop. However a daily report is sent to the end user, listing all the quarantined messages with information such as sender+subject. Other mail = let it through. Here's what I do: Greet Pause: 3 seconds (rejects) Helo (in filter_sender): reject it if it says it's coming from my own domain, but isn't. Sender: reject *.local (I also used to do a Botnet check here, that did rejections, but I've moved that code into the Botnet spamassassin plugin) Recipient: reject *.local and non-existent recipients RBLs: reject Bad attachments (name or type): reject ClamAV thinks it's a virus: reject Spam score = 10: reject Spam score = 5: mark as spam, drop into spam folder, give some form of notice (options for per-message quarantine notice, per day, or per week). Spam score 5: mark as ham, normal delivery ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] MIMEDefang 2.59-BETA-2 is Available
On Thu, 18 Jan 2007 15:13:37 -0500, Cormack, Ken wrote snip David, I've been playing with the new Beta, and you are right... This new tool is spiffy! snip I'll second your comments and raise you another request: Can we also have a port number option for each server? Something like servername:22 Thanks for this excellent tool. Bill -- Bill Maidment Maidment Enterprises Pty Ltd www.maidment.vu ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Re: compare mimedefang to mailscanner
On Thu, January 18, 2007 08:21, David F. Skoll wrote: (My marketing people will kill me for mentioning competitors...) Two big ones come to mind: Brightmail and PureMessage. Also, some outsourced solutions like Postini and MessageLabs seem to do at least some rejection during the SMTP conversation. I have a fair bit of experience with PureMessage... they apparently don't like sendmail very much (as coders atleast). my work uses PM and their support kept telling our mail managers they should consider postfix. i cut my teeth on sendmail and told them everything those support people were telling them was wrong (about sendmail). out of hte box (using supplied versions of sendmail and postfix), the PM+postfix was handling about 700 to 800 messages a minute on a given test system. their stock PM+sendmail only would do about 300 or so per minute. i screamed bullchit... about 10 minutes of config tweaking (to their build only, not recompiling) and it was handling 850 to 950 per minute using sendmail. that isn't an issue though, i personally don't like PM due to the fact that it is a serious resource hog. much worse than any install of MD that I have used. 2 sun 280r (dual 900mhz proc, 5gig ram, 2x36gig disks) systems were used as internet facing MX hosts, and both were fairly loaded all day (all inbound mail for about 20,000 employees, + spam). we were rejecting about 300,000 connections per day using the greet_pause alone, and still getting another 400k to 500k spam messages per day, when they were using sendmail. they have sense switched to PM+postfix, so i offer no advice or help to them anymore (which was one of the things they were told when they made the decision by my bosses. they would only get OS/hardware level support from me). of the 3 systems (md/canit, brightmail, PM), i personally lean toward md/canit. it's by far the most admin friendly, assuming you know wtf you are doing. a someone else said lately, it's the swiss army knife in my tool belt. all my personal stuff (where i can that is) uses MD... ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang 2.59-BETA-2 is Available
Cormack, Ken wrote: I've been playing with the new Beta, and you are right... This new tool is spiffy! Great! Glad you like it! Can it be expanded [...] Uh-oh... OK. I wrote the tool to diagnose some thorny performance issues at a large customer installation. Unfortunately, messing with watch-multiple-mimdefangs isn't directly revenue-generating. :-( So when I have time, I will add requested features. But it may take a while... to include the other features currently present in watch-mimedefang (latency, activations, reaps, etc.), the reread filters button, the slider for update interval, and so on? Does anyone find activations and reaps useful? I don't. And we already include latency. I especially like the busy slaves windows, showing where each thread is at in its processing of an email, and the ability to strace a process by simply clicking on it. Yeah, I like that too. :-) Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang 2.59-BETA-2 is Available
Bill Maidment wrote: Can we also have a port number option for each server? Something like servername:22 Nope, we can't have that. The reason is you can do that in your .ssh/config file: Host machine-not-on-port-22-he-he-he HostName real-machine-name Port 23 Check out man ssh_config for other goodies. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang 2.59-BETA-2 is Available
On Thu, 18 Jan 2007 17:02:38 -0500, David F. Skoll wrote Bill Maidment wrote: Can we also have a port number option for each server? Something like servername:22 Nope, we can't have that. The reason is you can do that in your ..ssh/config file: Host machine-not-on-port-22-he-he-he HostName real-machine-name Port 23 Check out man ssh_config for other goodies. Thanks David. That works a treat. You learn something new every day. A couple of observations after using it for a few minutes: 1. The busy slaves graph sometimes flat-lines, even though the other two graphs show activity. It seems to happen in the relatively quiet traffic periods. 2. Entering the ssh passwords for multiple servers is a bit confusing. I work around it by starting only one server initially and then adding the others one by one. Cheers Bill -- Bill Maidment Maidment Enterprises Pty Ltd www.maidment.vu ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang 2.59-BETA-2 is Available
On Fri, 2007-01-19 at 11:21 +1000, Bill Maidment wrote: 2. Entering the ssh passwords for multiple servers is a bit confusing. I work around it by starting only one server initially and then adding the others one by one. Use public key authentication and the ssh-agent. Richard signature.asc Description: This is a digitally signed message part ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang