Re: couple of doubts about postfix milters
On Tue, Nov 9, 2010 at 10:19 AM, Noel Jones njo...@megan.vbhcs.org wrote:
> On 11/9/2010 6:18 AM, Lima Union wrote:
>> hi all! as the subject says I have two noob questions:
>>
>> (1) if I configure something like 'smtpd_milters = inet:localhost:10025 inet:localhost:10034' does Postfix respect the order? I mean, will it process the mail in order, first milter then second milter or what? for example, in this case 10025 is the sid-milter and 10034 is the clamav-milter.
>
> Yes, milters are processed in the order specified.
>
>> (2) currently I'm running postgrey (under the 'smtpd_recipient_restrictions' section) but in a new setup I'd like to have this basic order for an Internet relay server: mail from Internet - sid-milter - postgrey - clamav-milter, how can I achieve that? I don't know how Postfix will route internally the message in this case.
>
> The order of internal vs. milter processing is not configurable. You could switch to a greylist milter, there are several to choose from.
>
> -- Noel Jones

Noel, thanks for your answers. Last doubt, as far as I understand from the documentation, the milter processing happens in smtpd(8) before the 'smtpd_recipient_restrictions' (cleanup(8)) check. Thus if I keep my current configuration for my new setup, using smtpd_milters and postgrey (under 'smtpd_recipient_restrictions') I'll have the following routing: mail from Internet - sid-milter - clamav-milter - all the smtpd_recipient_restrictions included postgrey, is this correct?

I think that this isn't the optimal solution because the milter checks occur before smtpd_recipient_restrictions where a lot of client/envelope/rbl/etc cleanup is done. I'll be checking for viruses from clients that don't even send a proper ehlo, etc, thus consuming cpu resources.

Thanks for any comment about this.

Regards, LU
Re: couple of doubts about postfix milters
On 11/9/2010 6:18 AM, Lima Union wrote:
> hi all! as the subject says I have two noob questions:
>
> (1) if I configure something like 'smtpd_milters = inet:localhost:10025 inet:localhost:10034' does Postfix respect the order? I mean, will it process the mail in order, first milter then second milter or what? for example, in this case 10025 is the sid-milter and 10034 is the clamav-milter.

Yes, milters are processed in the order specified.

> (2) currently I'm running postgrey (under the 'smtpd_recipient_restrictions' section) but in a new setup I'd like to have this basic order for an Internet relay server: mail from Internet - sid-milter - postgrey - clamav-milter, how can I achieve that? I don't know how Postfix will route internally the message in this case.

The order of internal vs. milter processing is not configurable. You could switch to a greylist milter, there are several to choose from.

-- Noel Jones
couple of doubts about postfix milters
hi all! as the subject says I have two noob questions:

(1) if I configure something like 'smtpd_milters = inet:localhost:10025 inet:localhost:10034' does Postfix respect the order? I mean, will it process the mail in order, first milter then second milter or what? for example, in this case 10025 is the sid-milter and 10034 is the clamav-milter.

(2) currently I'm running postgrey (under the 'smtpd_recipient_restrictions' section) but in a new setup I'd like to have this basic order for an Internet relay server: mail from Internet - sid-milter - postgrey - clamav-milter, how can I achieve that? I don't know how Postfix will route internally the message in this case.

Thanks in advance.

LU
Re: couple of doubts about postfix milters
On 11/9/2010 8:39 AM, Lima Union wrote:
> On Tue, Nov 9, 2010 at 10:19 AM, Noel Jones njo...@megan.vbhcs.org wrote:
>> On 11/9/2010 6:18 AM, Lima Union wrote:
>>> hi all! as the subject says I have two noob questions:
>>>
>>> (1) if I configure something like 'smtpd_milters = inet:localhost:10025 inet:localhost:10034' does Postfix respect the order? I mean, will it process the mail in order, first milter then second milter or what? for example, in this case 10025 is the sid-milter and 10034 is the clamav-milter.
>>
>> Yes, milters are processed in the order specified.
>>
>>> (2) currently I'm running postgrey (under the 'smtpd_recipient_restrictions' section) but in a new setup I'd like to have this basic order for an Internet relay server: mail from Internet - sid-milter - postgrey - clamav-milter, how can I achieve that? I don't know how Postfix will route internally the message in this case.
>>
>> The order of internal vs. milter processing is not configurable. You could switch to a greylist milter, there are several to choose from.
>>
>> -- Noel Jones
>
> Noel, thanks for your answers. Last doubt, as far as I understand from the documentation, the milter processing happens in smtpd(8) before the 'smtpd_recipient_restrictions' (cleanup(8)) check. Thus if I keep my current configuration for my new setup, using smtpd_milters and postgrey (under 'smtpd_recipient_restrictions') I'll have the following routing: mail from Internet - sid-milter - clamav-milter - all the smtpd_recipient_restrictions included postgrey, is this correct?
>
> I think that this isn't the optimal solution because the milter checks occur before smtpd_recipient_restrictions where a lot of client/envelope/rbl/etc cleanup is done.

clamav-milter operates on the message data, so all postfix smtpd_*_restrictions -- which operate on the envelope -- will get a chance to reject mail before the data is transmitted.

sid-milter operates on the envelope. It will probably run before smtpd_recipient_restrictions, but that's not such a big deal since it's a fairly lightweight process (minimal CPU, but it does trigger a DNS lookup).

Now that I've had more coffee and can think better, this modifies the answer I gave earlier -- even though you can't specify sid-milter greylist clamav-milter, that's how it will effectively run.

-- Noel Jones

> I'll be checking for viruses from clients that don't even send a proper ehlo, etc, thus consuming cpu resources.
>
> Thanks for any comment about this.
>
> Regards, LU
Re: couple of doubts about postfix milters
>> Last doubt, as far as I understand from the documentation, the milter processing happens in smtpd(8) before the 'smtpd_recipient_restrictions' (cleanup(8)) check. Thus if I keep my current configuration for my new setup, using smtpd_milters and postgrey (under 'smtpd_recipient_restrictions') I'll have the following routing: mail from Internet - sid-milter - clamav-milter - all the smtpd_recipient_restrictions included postgrey, is this correct?
>>
>> I think that this isn't the optimal solution because the milter checks occur before smtpd_recipient_restrictions where a lot of client/envelope/rbl/etc cleanup is done.
>
> clamav-milter operates on the message data, so all postfix smtpd_*_restrictions -- which operate on the envelope -- will get a chance to reject mail before the data is transmitted.
>
> sid-milter operates on the envelope. It will probably run before smtpd_recipient_restrictions, but that's not such a big deal since it's a fairly lightweight process (minimal CPU, but it does trigger a DNS lookup).
>
> Now that I've had more coffee and can think better, this modifies the answer I gave earlier -- even though you can't specify sid-milter greylist clamav-milter, that's how it will effectively run.
>
> -- Noel Jones
>
>> I'll be checking for viruses from clients that don't even send a proper ehlo, etc, thus consuming cpu resources.
>>
>> Thanks for any comment about this.
>>
>> Regards, LU

Thanks Noel for your explanation, now it's clear.

Best regards, LU.
Re: couple of doubts about postfix milters
Noel Jones wrote:
> On 11/9/2010 8:39 AM, Lima Union wrote:
>
> clamav-milter operates on the message data, so all postfix smtpd_*_restrictions -- which operate on the envelope -- will get a chance to reject mail before the data is transmitted.
>
> sid-milter operates on the envelope. It will probably run before smtpd_recipient_restrictions, but that's not such a big deal since it's a fairly lightweight process (minimal CPU, but it does trigger a DNS lookup).

Not sure. The MTA sequentially calls each milter at each SMTP step. See: https://www.milter.org/developers/overview#ControlFlow

So, e.g., for each recipient, postfix will call each milter one after the other.

However, I don't know if postfix checks smtpd_recipient_restrictions before calling milters or after. I suppose before, but I'm not sure. Wietse ???

José-Marcio

> Now that I've had more coffee and can think better, this modifies the answer I gave earlier -- even though you can't specify sid-milter greylist clamav-milter, that's how it will effectively run.
Re: couple of doubts about postfix milters
Jose-Marcio Martins da Cruz jose-marcio.mart...@ensmp.fr wrote:
> Noel Jones wrote:
>> On 11/9/2010 8:39 AM, Lima Union wrote:
>>
>> clamav-milter operates on the message data, so all postfix smtpd_*_restrictions -- which operate on the envelope -- will get a chance to reject mail before the data is transmitted.
>>
>> sid-milter operates on the envelope. It will probably run before smtpd_recipient_restrictions, but that's not such a big deal since it's a fairly lightweight process (minimal CPU, but it does trigger a DNS lookup).
>
> Not sure. The MTA sequentially calls each milter at each SMTP step. See: https://www.milter.org/developers/overview#ControlFlow
>
> So, e.g., for each recipient, postfix will call each milter one after the other.
>
> However, I don't know if postfix checks smtpd_recipient_restrictions before calling milters or after. I suppose before, but I'm not sure. Wietse ???
>
> José-Marcio
>
>> Now that I've had more coffee and can think better, this modifies the answer I gave earlier -- even though you can't specify sid-milter greylist clamav-milter, that's how it will effectively run.

On a related note, I think sid-milter does Sender ID normally and that needs the body of the message as it doesn't operate on the envelope.

Scott K
Re: couple of doubts about postfix milters
Victor Duchovni wrote:
>> However, I don't know if postfix checks smtpd_recipient_restrictions before calling milters or after. I suppose before, but I'm not sure. Wietse ???
>
> The RCPT TO command is passed to the milter after Postfix restriction processing. Even rejected commands are passed to milters, but the milter is informed that the command (recipient) is rejected.

Thanks for confirming this. Yes, this is something I asked for. This allows me to count, inside the milter, how many errors the client did.

--
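
The setup discussed in this thread, as an added main.cf example that is not part of any poster's message or configuration, annotated with the effective processing order the replies describe. The milter ports are the ones from the original question; the postgrey address `inet:127.0.0.1:10023`, the two other restrictions and the `milter_default_action` line are assumptions.

```conf
# /etc/postfix/main.cf  (added example, not from the thread)

# Milters are called in the order listed (Noel Jones' first answer):
#   inet:localhost:10025 = sid-milter, inet:localhost:10034 = clamav-milter
smtpd_milters = inet:localhost:10025 inet:localhost:10034

# Envelope checks. Per Victor Duchovni's reply quoted above, RCPT TO is
# passed to the milters only after this restriction processing has run;
# a rejected recipient is still passed on, flagged as rejected.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    # postgrey policy service; address is an assumption, adjust to your install
    check_policy_service inet:127.0.0.1:10023

# Effective order for mail from the Internet, as described in the thread:
#   1. smtpd_*_restrictions, including postgrey, act on the envelope and
#      can reject before any message data is transmitted.
#   2. clamav-milter acts on the message data, so it only scans mail that
#      survived step 1 (no virus scanning for clients rejected at RCPT TO).
#   3. sid-milter: the thread disagrees on whether it works on the envelope
#      (Noel Jones) or needs the message itself (Scott K); either way it is
#      listed first in smtpd_milters, so it is called before clamav-milter
#      at each SMTP step.

# Assumption for this example: when a milter is unreachable, defer the
# mail instead of accepting it unscanned (tempfail is the Postfix default).
milter_default_action = tempfail
```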