SpamAssassin & DNSBLs (was Re: PostFix as a "/dev/null" MTA?)
On 13 Oct 2016, at 1:06, li...@lazygranch.com wrote:

> On the surface, SA hitting multiple RBLs sounds inefficient.

SpamAssassin is inherently inefficient. That's why in a production environment with heavily loaded systems, it is important to have layers ahead of it to deal with the bulk of spam. Fortunately, recent versions (since 3.3, I think) are more parallelized so that high-latency tests (i.e. 'net' rules) don't block each other or faster scans, so it is not a huge problem. Essentially all the DNSBL, DNSWL, and URIBL checks are done in the time it takes to do the slowest one.

> However does each hit add to the SA rating?

Yes, although it's variable and subject to local adjustments. There are some complications involving multiplexed DNSBLs and a few meta rules that combine DNSBL rules with each other or with other rules, but essentially DNSBL rules get summed up just like any other SA rules.

The default ruleset has 65 scored rules calling the check_rbl_sub or check_rbl methods. Each rule's score is either determined by the SA project's RuleQA/massscan service or is set to a fixed value that can be changed in local config but isn't subject to nightly automated tuning. Few (if any) are ever individually scored above 3.6, so no single DNSBL can cause a message to be tagged as spam if you use the default threshold (5.) Of those 65 rules, 25 are disabled by having fixed scores of 0, 15 are effectively informational with fixed or tuned scores between -0.1 and 0.1, 11 are whitelists with scores < -0.1, and 14 are blacklists with scores > 0.1.

> If so, that sounds like a plan. That is if a message is rejected by N RBLs, it is more significant than just one RBL.

That's the principle both in SA and in postscreen. SA does a much more complex aggregation of DNSBL results than I'd want to make postscreen do, but it is useful to have a simpler aggregation in postscreen to handle the clearest cases without needing to do any more work.
Re: so many warnings, are these spams?
There are still many, many logs in /var/log/mail.log

How can I eliminate or ignore this kind of logs if doing this does not harm the mail server?

On Thursday, 13 October 2016 00:02:45 -0700 Benny Pedersen m...@junc.eu wrote:

> On 2016-10-13 08:30, vod vos wrote:
> > Oct 12 14:38:50 postfix/smtpd[1877]: warning: hostname 4d1q192.urbanchipps.net does not resolve to address 104.200.137.192: Name or service not known
> >
> > are these spams, how can I do? thanks.
>
> no, it's more just a badly configured mailserver that has not performed fully qualified dns reverse name for that ip
>
> basic: host ip dig ptr does not match same ip vs ptr
>
> and you can't do anything to it
Re: postscreen_whitelist_interfaces behind proxy
Dave:
> Hi,
>
> I'm running multiple Postfix MX servers behind HAProxy load balancer. I was
> just configuring "MX Policy test" in postscreen and I couldn't get it work.
> Then I tried to use the external IP (the one on the proxy) instead of the
> one Postfix listens on. I suggest it could be mentioned in docs for anyone
> else who would have similar setup (or am I missing something?)

When email arrives through a proxy, the local server's IP address is irrelevant. I thought that should be obvious.

> Also, it would be convenient to be able to set a port in
> postscreen_whitelist_interfaces - so e.g. port 25 for primary MX and port
> 2525 for "fake" backup MX with postscreen whitelisting disabled. Something
> like:
>
> postscreen_whitelist_interfaces = !:2525 static:all

That would have to be a new feature, because all things on the right-hand side of the '=' would be matched against the form host:port (instead of 'host' as it is now). I can't break all the existing configurations.

Wietse

> I realize it doesn't have much use without proxy and it is not usual setup..
> But in my case, it would save me from configuring several IPs on several
> machines. So, just a suggestion.
>
> Thanks,
>
> Dave
>
> --
> View this message in context:
> http://postfix.1071664.n5.nabble.com/postscreen-whitelist-interfaces-behind-proxy-tp86701.html
> Sent from the Postfix Users mailing list archive at Nabble.com.
Re: postscreen_whitelist_interfaces behind proxy
Hi,

On 10/14/2016 02:30 PM, Dave wrote:
> I'm running multiple Postfix MX servers behind HAProxy load balancer. I was just configuring "MX Policy test" in postscreen and I couldn't get it work.

please clarify whether you are using the haproxy PROXY protocol (See: http://permalink.gmane.org/gmane.comp.web.haproxy/8881 / http://www.postfix.org/postconf.5.html#postscreen_upstream_proxy_protocol)? Because in that case it would definitely be expected for postfix to be using the connection information from the frontend.

Kind regards,
Lukas Erlacher

--
Rechnerbetriebsgruppe der Fakultäten Mathematik und Informatik
Raum 00.05.042
Tel. 089-289-18258
erlac...@in.tum.de
Technische Universität München - Boltzmannstr. 3 - 85748 Garching
postscreen_whitelist_interfaces behind proxy
Hi,

I'm running multiple Postfix MX servers behind HAProxy load balancer. I was just configuring "MX Policy test" in postscreen and I couldn't get it work. Then I tried to use the external IP (the one on the proxy) instead of the one Postfix listens on. I suggest it could be mentioned in docs for anyone else who would have similar setup (or am I missing something?)

Also, it would be convenient to be able to set a port in postscreen_whitelist_interfaces - so e.g. port 25 for primary MX and port 2525 for "fake" backup MX with postscreen whitelisting disabled. Something like:

postscreen_whitelist_interfaces = !:2525 static:all

I realize it doesn't have much use without proxy and it is not usual setup.. But in my case, it would save me from configuring several IPs on several machines. So, just a suggestion.

Thanks,

Dave

--
View this message in context: http://postfix.1071664.n5.nabble.com/postscreen-whitelist-interfaces-behind-proxy-tp86701.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: how to proper use content_filter
Paweł Grzesik:
> It's of course not a production code. I'm only trying to
> learn and understand how exactly it works.
>
> I cannot find anything about "--" in the postfix documentation
> (or I'm looking on the wrong page?). There is any explanation
> somewhere? (instead of at the source code).

Look at "man getopt", i.e. the SYSTEM LIBRARY function that parses command-line options.

Without the '--' before the recipients, a recipient address starting with '-' would change the way that the sendmail command works.

Wietse
Re: how to proper use content_filter
It's of course not a production code. I'm only trying to learn and understand how exactly it works.

I cannot find anything about "--" in the postfix documentation (or I'm looking on the wrong page?). There is any explanation somewhere? (instead of at the source code).

Thanks for your help!

2016-10-14 1:07 GMT+01:00 Wietse Venema:
> Paweł Grzesik:
> > I think I can do the same in Ruby using IO.popen like:
> >
> > IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|
> >
> > as I see in this case I don't even need to use my_str with \" \".
> >
> > But I'm still confused about -f option in master.cf, and characters "--"
> > between ${sender} and ${recipient}.
> > Why is that?
>
> Specify
>
> popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str], "w")
>
> The -- is needed to close a different security hole.
>
> If you don't know about these bugs that go back to 1996 and earlier,
> then please don't write code that handles network data.
>
> Wietse
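The effect of the "--" discussed in the two messages above, as an added example that is not part of the original thread: it builds the argument vector from the reply and runs it through a simplified model of getopt(3) scanning. The model, the helper names and the addresses are assumptions constructed for illustration, not Postfix code.

```ruby
SENDMAIL = "/usr/sbin/sendmail"
OPTSPEC  = "Gif:" # options used in this thread; "f:" means -f takes a value

# Fixed options first, then "--", then the untrusted recipient addresses.
def sendmail_argv(sender, recipients, guard: true)
  argv = [SENDMAIL, "-G", "-i", "-f", sender]
  argv << "--" if guard # guard: false only shows the unprotected case
  argv + recipients
end

# Simplified model of POSIX getopt(3) scanning (assumption for this demo).
# Returns [options, operands]; scanning stops at "--" or at the first word
# that does not begin with "-".
def getopt_model(args, spec = OPTSPEC)
  with_value = spec.scan(/(.):/).flatten
  opts = []
  i = 0
  while i < args.length
    word = args[i]
    if word == "--"
      i += 1
      break
    end
    break unless word.start_with?("-") && word.length > 1
    j = 1
    while j < word.length
      c = word[j]
      if with_value.include?(c)
        # The value is the rest of this word, or else the next word.
        value = j + 1 < word.length ? word[(j + 1)..-1] : args[i += 1]
        opts << [c, value]
        break
      end
      opts << [c, nil]
      j += 1
    end
    i += 1
  end
  [opts, args[i..-1] || []]
end

# Hand the message to sendmail without a shell (array form of IO.popen).
def deliver(sender, recipients, message)
  IO.popen(sendmail_argv(sender, recipients), "w") { |pipe| pipe.write(message) }
end

RCPT = "-fother@example.net" # constructed recipient that begins with "-"
GUARDED   = getopt_model(sendmail_argv("me@example.org", [RCPT]).drop(1))
UNGUARDED = getopt_model(sendmail_argv("me@example.org", [RCPT], guard: false).drop(1))
```

With the guard, the constructed address arrives as the only operand; without it, the model consumes it as a second -f option and no recipient operand remains.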