SpamAssassin & DNSBLs (was Re: PostFix as a "/dev/null" MTA?)

2016-10-14 Thread Bill Cole

On 13 Oct 2016, at 1:06, li...@lazygranch.com wrote:


> On the surface, SA hitting multiple RBLs sounds inefficient.


SpamAssassin is inherently inefficient. That's why in a production 
environment with heavily loaded systems, it is important to have layers 
ahead of it to deal with the bulk of spam. Fortunately, recent versions 
(since 3.3, I think) are more parallelized so that high-latency tests 
(i.e. 'net' rules) don't block each other or faster scans, so it is not 
a huge problem. Essentially all the DNSBL, DNSWL, and URIBL checks are 
done in the time it takes to do the slowest one.



> However does each hit add to the SA rating?


Yes, although it's variable and subject to local adjustments.

There are some complications involving multiplexed DNSBLs and a few meta 
rules that combine DNSBL rules with each other or with other rules, but 
essentially DNSBL rules get summed up just like any other SA rules. The 
default ruleset has 65 scored rules calling the check_rbl_sub or 
check_rbl methods. Each rule's score is either determined by the SA 
project's RuleQA/massscan service or is set to a fixed value that can be 
changed in local config but isn't subject to nightly automated tuning. 
Few (if any) are ever individually scored above 3.6, so no single DNSBL 
can cause a message to be tagged as spam if you use the default 
threshold (5.) Of those 65 rules, 25 are disabled by having fixed scores 
of 0, 15 are effectively informational with fixed or tuned scores 
between -0.1 and 0.1, 11 are whitelists with scores < -0.1, and 14 are 
blacklists with scores > 0.1.


> If so, that sounds like a plan. That is if a message is rejected by N
> RBLs, it is more significant than just one RBL.


That's the principle both in SA and in postscreen. SA does a much more 
complex aggregation of DNSBL results than I'd want to make postscreen 
do, but it is useful to have a simpler aggregation in postscreen to 
handle the clearest cases without needing to do any more work.


Re: so many warnings, are these spams?

2016-10-14 Thread vod vos
There are still many, many logs in /var/log/mail.log

How can I eliminate or ignore this kind of log, if doing so does not harm the
mail server?

On Thursday, 13 October 2016 00:02:45 -0700 Benny Pedersen m...@junc.eu wrote:

> On 2016-10-13 08:30, vod vos wrote:
>
> > Oct 12 14:38:50 postfix/smtpd[1877]: warning: hostname
> > 4d1q192.urbanchipps.net does not resolve to address 104.200.137.192:
> > Name or service not known
> >
> > Are these spam? What can I do? Thanks.
>
> no, it's more just a badly configured mail server that has not performed
> fully qualified DNS reverse name for that IP
>
> basic:
>
> host ip
> dig ptr
>
> does not match same ip vs ptr
>
> and you can't do anything to it
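
The host/PTR comparison Benny describes, as an added example that is not part of the original posts: a forward-confirmed reverse DNS check in Ruby. The `StubResolver` class and its 192.0.2.x / example.net records are constructed so the code runs offline; pass `Resolv.new` instead for live lookups.

```ruby
require "ipaddr"
require "resolv"

# Added example, not from the thread. Forward-confirmed reverse DNS:
# look up the PTR name(s) for an IP, then resolve each name forward and
# check that the original IP is among the answers.
# `resolver` needs getnames(ip) and getaddresses(name), as Resolv.new has.
def fcrdns(ip, resolver)
  target = IPAddr.new(ip)
  names = resolver.getnames(ip).map(&:to_s)
  return { status: :no_ptr, names: [] } if names.empty?

  forward = names.to_h { |n| [n, resolver.getaddresses(n).map(&:to_s)] }
  confirmed = forward.select { |_, addrs| addrs.any? { |a| IPAddr.new(a) == target } }
  return { status: :confirmed, names: confirmed.keys } unless confirmed.empty?

  # PTR exists but no name points back: either the name has no address
  # records at all, or it resolves somewhere else.
  status = forward.values.all?(&:empty?) ? :ptr_name_unresolvable : :ptr_mismatch
  { status: status, names: names }
end

# Constructed resolver data (RFC 5737 documentation addresses).
class StubResolver
  def initialize(ptr, fwd)
    @ptr = ptr
    @fwd = fwd
  end

  def getnames(ip)
    @ptr.fetch(ip, [])
  end

  def getaddresses(name)
    @fwd.fetch(name, [])
  end
end

STUB = StubResolver.new(
  { "192.0.2.10" => ["mx.example.net"],      # PTR and A agree
    "192.0.2.20" => ["ghost.example.net"],   # PTR name has no A record
    "192.0.2.30" => ["other.example.net"] }, # PTR name points elsewhere
  { "mx.example.net" => ["192.0.2.10"],
    "other.example.net" => ["192.0.2.99"] }
)
```

The `:ptr_name_unresolvable` outcome is the situation in the quoted log line, where the PTR name exists but its forward lookup fails.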








Re: postscreen_whitelist_interfaces behind proxy

2016-10-14 Thread Wietse Venema
Dave:
> Hi,
> 
> I'm running multiple Postfix MX servers behind an HAProxy load balancer. I was
> just configuring "MX Policy test" in postscreen and I couldn't get it to work.
> Then I tried to use the external IP (the one on the proxy) instead of the
> one Postfix listens on. I suggest it could be mentioned in the docs for anyone
> else who would have a similar setup (or am I missing something?)

When email arrives through a proxy, the local server's IP address
is irrelevant. I thought that should be obvious.

> Also, it would be convenient to be able to set a port in
> postscreen_whitelist_interfaces - so e.g. port 25 for primary MX and port
> 2525 for "fake" backup MX with postscreen whitelisting disabled. Something
> like:
> 
> postscreen_whitelist_interfaces = !:2525 static:all

That would have to be a new feature, because all things on the
right-hand side of the '=' would be matched against the form host:port
(instead of 'host' as it is now). I can't break all the existing
configurations.

Wietse

> I realize it doesn't have much use without a proxy and it is not a usual setup.
> But in my case, it would save me from configuring several IPs on several
> machines. So, just a suggestion.
> 
> Thanks,
> 
> Dave
> 
> 
> 
> 
> --
> View this message in context: 
> http://postfix.1071664.n5.nabble.com/postscreen-whitelist-interfaces-behind-proxy-tp86701.html
> Sent from the Postfix Users mailing list archive at Nabble.com.
> 


Re: postscreen_whitelist_interfaces behind proxy

2016-10-14 Thread Lukas Erlacher

Hi,

On 10/14/2016 02:30 PM, Dave wrote:

> I'm running multiple Postfix MX servers behind an HAProxy load balancer. I was
> just configuring "MX Policy test" in postscreen and I couldn't get it to work.


please clarify whether you are using the haproxy PROXY protocol (See: 
http://permalink.gmane.org/gmane.comp.web.haproxy/8881 / 
http://www.postfix.org/postconf.5.html#postscreen_upstream_proxy_protocol)? 
Because in that case it would definitely be expected for postfix to be 
using the connection information from the frontend.


Kind regards,
Lukas Erlacher

--
Rechnerbetriebsgruppe der Fakultäten Mathematik und Informatik
Raum 00.05.042
Tel. 089-289-18258
erlac...@in.tum.de
Technische Universität München - Boltzmannstr. 3 - 85748 Garching





postscreen_whitelist_interfaces behind proxy

2016-10-14 Thread Dave
Hi,

I'm running multiple Postfix MX servers behind an HAProxy load balancer. I was
just configuring "MX Policy test" in postscreen and I couldn't get it to work.
Then I tried to use the external IP (the one on the proxy) instead of the
one Postfix listens on. I suggest it could be mentioned in the docs for anyone
else who would have a similar setup (or am I missing something?)

Also, it would be convenient to be able to set a port in
postscreen_whitelist_interfaces - so e.g. port 25 for primary MX and port
2525 for "fake" backup MX with postscreen whitelisting disabled. Something
like:

postscreen_whitelist_interfaces = !:2525 static:all

I realize it doesn't have much use without a proxy and it is not a usual setup.
But in my case, it would save me from configuring several IPs on several
machines. So, just a suggestion.

Thanks,

Dave






Re: how to proper use content_filter

2016-10-14 Thread Wietse Venema
Paweł Grzesik:
> It's of course not production code. I'm only trying to
> learn and understand how exactly it works.
> 
> I cannot find anything about "--" in the postfix documentation
> (or am I looking on the wrong page?). Is there any explanation
> somewhere? (instead of in the source code).

Look at "man getopt", i.e. the SYSTEM LIBRARY function that
parses command-line options. Without the '--' before the recipients,
a recipient address starting with '-' would change the way that the
sendmail command works.

Wietse
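
What the `--` changes, as an added example that is not part of the original posts or of Postfix: a simplified getopt-style scan in Ruby, applied to the argument vector with and without the separator. The scanner, the helper names and the `-fother@example.net` recipient are constructed for illustration.

```ruby
# Added example, not from the thread. A simplified getopt(3)-style scan that
# shows how a sendmail-like command sorts argv into options and operands.
# OPTS_WITH_ARG is an assumption for this demo, not sendmail's full option set.
OPTS_WITH_ARG = %w[f].freeze
SENDMAIL = "/usr/sbin/sendmail"

def getopt_scan(args)
  options = []
  i = 0
  while i < args.length
    arg = args[i]
    if arg == "--" # explicit end of options: everything after is an operand
      i += 1
      break
    end
    break unless arg.start_with?("-") && arg.length > 1

    rest = arg[1..]
    until rest.empty?
      letter = rest[0]
      rest = rest[1..]
      if OPTS_WITH_ARG.include?(letter)
        # Option value is the rest of this word, or else the next word.
        options << [letter, rest.empty? ? args[i += 1] : rest]
        rest = ""
      else
        options << [letter, nil]
      end
    end
    i += 1
  end
  { options: options, operands: args[i..] || [] }
end

# Recipients appended directly: a leading '-' is parsed as an option.
def argv_without_separator(sender, recipients)
  [SENDMAIL, "-G", "-i", "-f", sender, *recipients]
end

# Form given in the thread: "--" ends option parsing before the recipients.
def argv_with_separator(sender, recipients)
  [SENDMAIL, "-G", "-i", "-f", sender, "--", *recipients]
end

# Constructed input: a syntactically valid address that begins with '-'.
RCPT = ["-fother@example.net"].freeze
# Usage: IO.popen(argv_with_separator(sender, rcpts), "w") { |p| p.write(msg) }
```

Without the separator the constructed recipient is consumed as a second `-f` option and no recipient operand remains; with it, the address is delivered to the command as a plain operand. Passing the arguments to `IO.popen` as an array also keeps them away from the shell.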


Re: how to proper use content_filter

2016-10-14 Thread Paweł Grzesik
It's of course not production code. I'm only trying to
learn and understand how exactly it works.

I cannot find anything about "--" in the postfix documentation
(or am I looking on the wrong page?). Is there any explanation
somewhere? (instead of in the source code).

Thanks for your help!

2016-10-14 1:07 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > I think I can do the same in Ruby using IO.popen like:
> >
> >   IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|
> >
> > as I see in this case I don't even need to use my_str with \" \".
> >
> > But I'm still confused about -f option in master.cf, and characters "--"
> > between ${sender} and ${recipient}.
> > Why is that?
>
> Specify
>
> popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str], "w")
>
> The -- is needed to close a different security hole.
>
> If you don't know about these bugs that go back to 1996 and earlier,
> then please don't write code that handles network data.
>
> Wietse
>