Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-16 Thread Robert Felber
On Wed, Jan 16, 2008 at 06:09:20PM +0100, fili wrote:
> >
> >Ok, a bug. Fixing appears troublesome (breaks lowest-resource-usage-policy).
> >Not certain whether requests which will be answered with 'rc:' should 
> >generally not be cached (this wouldn't break 
> >cache-resources).
> >
> >$CACHESIZE=0;
> >  
> 
> Thanks Robert, I've got it up and running now using $CACHESIZE=0;
> Do you think that no-caching might result in higher loads on a mail-heavy 
> server?

Not load, but more smtpd processes waiting for a polw reply.
 
> I've read the release info of 0.1.14 beta-14, specifically:
> >results with 'rc:' as action are not cached
> Is it useful for my current setup to update?

Useful yes, required, not really.

> And should I then change $CACHESIZE back to the default value?

You can delete it (with the latest version).
 
> On a different note, wouldn't it be a good idea to introduce a variable like:
> $BLOCK_RETRY_TTL = 30;
> 
> 30 being the seconds in which retries will be temporarily blocked.
> If this value is set to 0, then Policyd-weight won't block retries at all.

This is the job of $NTTL and $NTIME in concert

   $NTTL (default: 1)
       The client is penalized for that many retries.

   $NTIME (default: 30)
       The $NTTL counter will only be decremented if the client waits
       at least $NTIME seconds.

 
-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany


Policyd-weight Mailinglist - http://www.policyd-weight.org/
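
A toy model of the interaction discussed in this thread, added here as an example; it is not policyd-weight or Postgrey code. The cache layout, the names `ToyPolicyd` and `deliver`, the 300-second greylist delay and the client address are assumptions; `$NTTL` and `$NTIME` follow the two definitions quoted in the message above.

```python
from dataclasses import dataclass, field

BLOCKED = "550 temporarily blocked because of previous errors - retrying too fast"

@dataclass
class ToyPolicyd:
    """Toy model (assumption), not policyd-weight's code: a per-client
    negative cache driven by $NTTL/$NTIME as defined in the thread."""
    cachesize: int = 2000    # constructed non-zero value; 0 = cache disabled
    nttl: int = 1            # number of retries that are penalized
    ntime: int = 30          # seconds to wait before the counter decrements
    cache_rc: bool = True    # True: 'rc:' results are cached (the reported bug)
    neg: dict = field(default_factory=dict)   # ip -> [penalties_left, last_seen]

    def check(self, ip, now, listed):
        entry = self.neg.get(ip)
        if entry is not None:
            if now - entry[1] >= self.ntime:
                entry[0] -= 1            # waited long enough: one penalty served
            entry[1] = now
            if entry[0] <= 0:
                del self.neg[ip]         # the next attempt is evaluated afresh
            return BLOCKED               # this retry is penalized regardless
        if not listed:
            return "DUNNO"               # not on too many RBLs: no opinion
        if self.cachesize > 0 and self.cache_rc:
            self.neg[ip] = [self.nttl, now]
        return "rc:greylist"

def deliver(policyd, attempts, listed=True, grey_delay=300):
    """Replay SMTP attempts (timestamps in seconds) from one client. The
    greylist class is a toy stand-in for Postgrey with a fixed delay."""
    first_seen, out = None, []
    for now in attempts:
        verdict = policyd.check("192.0.2.10", now, listed)
        if verdict == "rc:greylist":     # Postfix hands over to the class
            if first_seen is None:
                first_seen = now
            verdict = "DUNNO" if now - first_seen >= grey_delay else "450 greylisted"
        out.append(verdict)
    return out

if __name__ == "__main__":
    cases = {"rc: cached": ToyPolicyd(), "$NTIME=0": ToyPolicyd(ntime=0),
             "$CACHESIZE=0": ToyPolicyd(cachesize=0),
             "rc: not cached": ToyPolicyd(cache_rc=False)}
    for label, p in cases.items():
        print(f"{label:15} {deliver(p, [0, 600])}")
```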


Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-16 Thread fili


> Ok, a bug. Fixing appears troublesome (breaks lowest-resource-usage-policy).
> Not certain whether requests which will be answered with 'rc:' should
> generally not be cached (this wouldn't break cache-resources).
>
> $CACHESIZE=0;


Thanks Robert, I've got it up and running now using $CACHESIZE=0;
Do you think that no-caching might result in higher loads on a 
mail-heavy server?


I've read the release info of 0.1.14 beta-14, specifically:

> results with 'rc:' as action are not cached

Is it useful for my current setup to update?
And should I then change $CACHESIZE back to the default value?

On a different note, wouldn't it be a good idea to introduce a variable 
like:

$BLOCK_RETRY_TTL = 30;

30 being the seconds in which retries will be temporarily blocked.
If this value is set to 0, then Policyd-weight won't block retries at all.

Regards and keep up the good work!
Fili




Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-14 Thread Robert Felber
On Mon, Jan 14, 2008 at 05:37:52PM +0100, fili wrote:
> 
> Okay, I've installed the testing version of Policyd-weight from the Debian 
> repositories.
> 
> #/usr/sbin/policyd-weight -v
> policyd-weight version: 0.1.14 beta-5, CacheVer: 5
> Perl version:   5.008008
> Net::DNS version:   0.59
> OS: Linux 2.6.18-5-686
> 
> The RC: restriction class feature now works like a charm.
> However, there seems to be a problem with the thing I'm trying to do.
> 
> Let me try and explain:
> - A client connects to port 25
> - Policyd-weight determines that this client appears on too many RBLs and 
> returns 'rc:greylist'
> - Postgrey takes over and will greylist the client
> 
> So far so good, but then:
> - Client appears to be legitimate and retries the connection after a waiting 
> period
> - Policyd-weight recognizes this client as one it rejected a while back and 
> returns '550 temporarily blocked because of 
> previous errors - retrying too fast'

Ok, a bug. Fixing appears troublesome (breaks lowest-resource-usage-policy).
Not certain whether requests which will be answered with 'rc:' should 
generally not be cached (this wouldn't break cache-resources).
 
> Does anybody know how to completely disable the built-in cache of 
> Policyd-weight?
> I've already set $NTIME = 0; without luck.

$CACHESIZE=0;



-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany




Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-14 Thread fili


Okay, I've installed the testing version of Policyd-weight from the 
Debian repositories.


#/usr/sbin/policyd-weight -v
policyd-weight version: 0.1.14 beta-5, CacheVer: 5
Perl version:   5.008008
Net::DNS version:   0.59
OS: Linux 2.6.18-5-686

The RC: restriction class feature now works like a charm.
However, there seems to be a problem with the thing I'm trying to do.

Let me try and explain:
- A client connects to port 25
- Policyd-weight determines that this client appears on too many RBLs 
and returns 'rc:greylist'

- Postgrey takes over and will greylist the client

So far so good, but then:
- Client appears to be legitimate and retries the connection after a 
waiting period
- Policyd-weight recognizes this client as one it rejected a while back 
and returns '550 temporarily blocked because of previous errors - 
retrying too fast'



Does anybody know how to completely disable the built-in cache of 
Policyd-weight?

I've already set $NTIME = 0; without luck.

Regards,
Fili




Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-13 Thread Sahil Tandon
* fili <[EMAIL PROTECTED]> [2008-01-13 23:13:59 +0100]:

> So if I understand correctly, updating to the latest version from the 
> official website should fix the "rc:" feature?

Correct.

-- 
Sahil Tandon <[EMAIL PROTECTED]>




Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-13 Thread fili

Sahil Tandon wrote:
> Get policyd-weight to return just 'greylist' which, I presume is a defined
> restriction class within your main.cf.  The extra stuff after 'greylist' is
> causing the problem.

Robert Felber wrote:
> Make sure you are running 0.1.14.6 by issuing:
> /path/to/policyd-weight -v
>
> There was a debian-package called 0.1.14 beta-6 which is a 0.1.14
> If that's not the case, use 0.1.14 beta-12 from the official page.



The extra stuff is automagically added by (this version of) Policyd-weight.

#/usr/sbin/policyd-weight -v
policyd-weight version: 0.1.14 beta, CacheVer: 3

So if I understand correctly, updating to the latest version from the 
official website should fix the "rc:" feature?





Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-13 Thread Robert Felber
On Sun, Jan 13, 2008 at 06:59:32PM +0100, fili wrote:
> fili wrote:
> >>Then your setup "should" work. Maybe you should set REJECTLEVEL to an insane
> >>high value like 100 or so. 
> >
> >Thanks for the information!
> >BTW. is $rejectlevel even used when $dnsbl_checks_only equals true?
> >
> >
> >
> 
> Hmm, $MAXDNSBLMSG probably isn't the way to tell postfix to execute the 
> 'greylist' restriction class.
> I've tried the following in the policyd-weight.conf:
> 
> $MAXDNSBLMSG = 'rc:greylist';

Correct

> $MAXDNSBLMSG = 'greylist';

Wrong.
 
> Both lead to this error in the mail.log:
> 
> Jan 13 18:48:34 megatron postfix/policyd-weight[26327]: decided action=greylist; check http://rbls.org/?q=78.144.239.xxx
> Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: access table inet:127.0.0.1:12525 has entry with lookup table: greylist; check http://rbls.org/?q=78.144.239.xxx
> Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: do not specify lookup tables inside SMTPD access maps
> Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: define a restriction class and specify its name instead.
> Jan 13 18:48:34 megatron postfix/smtpd[30664]: NOQUEUE: reject: RCPT from unknown[78.144.239.xxx]: 451 4.3.5 Server configuration error; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo=<[78.144.239.xxx]>
> 
> 
> Do you have any idea of what is going wrong?

Make sure you are running 0.1.14.6 by issuing:
/path/to/policyd-weight -v

There was a debian-package called 0.1.14 beta-6 which is a 0.1.14
If that's not the case, use 0.1.14 beta-12 from the official page.

From the other post, you are right, if you use $dnsbl_checks_only then
$REJECTLEVEL shouldn't come into play.


-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany




Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-13 Thread Sahil Tandon
* fili <[EMAIL PROTECTED]> [2008-01-13 18:59:55 +0100]:

> inet:127.0.0.1:12525 has entry with lookup table: greylist; check 
> http://rbls.org

Get policyd-weight to return just 'greylist' which, I presume is a defined 
restriction class within your main.cf.  The extra stuff after 'greylist' is 
causing the problem.

-- 
Sahil Tandon <[EMAIL PROTECTED]>


Policyd-weight Mailinglist - http://www.policyd-weight.org/
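
One way to spot this failure in a mail log, as an added example that is not part of the thread or of either project: it pairs the "has entry with lookup table" warning with the 451 that the same smtpd process logs next. The sample lines are constructed (modelled on the ones quoted above, unwrapped, with documentation addresses), and the function name is hypothetical.

```python
import re

# Constructed sample, modelled on the smtpd/policyd-weight lines in this thread
# (one event per line; 192.0.2.x and *.example are documentation values).
SAMPLE_LOG = """\
Jan 13 18:48:34 mx postfix/policyd-weight[26327]: decided action=greylist; check http://rbls.example/?q=192.0.2.10
Jan 13 18:48:34 mx postfix/smtpd[30664]: warning: access table inet:127.0.0.1:12525 has entry with lookup table: greylist; check http://rbls.example/?q=192.0.2.10
Jan 13 18:48:34 mx postfix/smtpd[30664]: warning: do not specify lookup tables inside SMTPD access maps
Jan 13 18:48:34 mx postfix/smtpd[30664]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.5 Server configuration error; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<[192.0.2.10]>
Jan 13 18:49:02 mx postfix/smtpd[30670]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 450 4.2.0 <c@example.net>: Recipient address rejected: Greylisted; from=<d@example.org> to=<c@example.net> proto=ESMTP helo=<mail.example.org>
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BAD_ACTION = re.compile(r"^warning: access table (?P<table>\S+) has entry with lookup table: (?P<action>.*)$")
CONFIG_REJECT = re.compile(r"^NOQUEUE: reject: \w+ from \S*\[(?P<client>[^\]]+)\]: 451 4\.3\.5 Server configuration error")

def find_policy_action_errors(log_text):
    """Return one finding per 451 'Server configuration error' that follows a
    lookup-table warning from the same smtpd process."""
    pending = {}    # smtpd pid -> (table, action) from its most recent warning
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                    # other daemons, e.g. policyd-weight itself
        pid, msg = m["pid"], m["msg"]
        warn = BAD_ACTION.match(msg)
        if warn:
            pending[pid] = (warn["table"], warn["action"])
            continue
        rej = CONFIG_REJECT.match(msg)
        if rej and pid in pending:
            table, action = pending.pop(pid)
            findings.append({
                "client": rej["client"],
                "policy_service": table,
                "action": action,
                # True when text follows the bare class name in the action
                "extra_text": action.split(None, 1)[0].rstrip(";") != action,
            })
    return findings

if __name__ == "__main__":
    for finding in find_policy_action_errors(SAMPLE_LOG):
        print(finding)
```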


Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-13 Thread fili

fili wrote:
>> Then your setup "should" work. Maybe you should set REJECTLEVEL to an insane
>> high value like 100 or so.
>
> Thanks for the information!
> BTW. is $rejectlevel even used when $dnsbl_checks_only equals true?





Hmm, $MAXDNSBLMSG probably isn't the way to tell postfix to execute the 
'greylist' restriction class.

I've tried the following in the policyd-weight.conf:

$MAXDNSBLMSG = 'rc:greylist';
$MAXDNSBLMSG = 'greylist';

Both lead to this error in the mail.log:

Jan 13 18:48:34 megatron postfix/policyd-weight[26327]: decided action=greylist; check http://rbls.org/?q=78.144.239.xxx
Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: access table inet:127.0.0.1:12525 has entry with lookup table: greylist; check http://rbls.org/?q=78.144.239.xxx
Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: do not specify lookup tables inside SMTPD access maps
Jan 13 18:48:34 megatron postfix/smtpd[30664]: warning: define a restriction class and specify its name instead.
Jan 13 18:48:34 megatron postfix/smtpd[30664]: NOQUEUE: reject: RCPT from unknown[78.144.239.xxx]: 451 4.3.5 Server configuration error; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo=<[78.144.239.xxx]>


Do you have any idea of what is going wrong?

Regards,
Fili




Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-13 Thread fili
> Then your setup "should" work. Maybe you should set REJECTLEVEL to an insane
> high value like 100 or so.


Thanks for the information!
BTW. is $rejectlevel even used when $dnsbl_checks_only equals true?




Re: Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-11 Thread Robert Felber
On Thu, Jan 10, 2008 at 07:42:10PM +0100, fili wrote:
> >
> > Should work. Depending on what you want to achieve.
> >
> > greylist clients which are on at least one RBL
> > reject clients which are on too many rbls
> >
> 
> If possible, I would like to use greylisting -only- if client appears on too 
> many RBLs.
> In all other situations clients should pass thru (no 550 reject, no 
> greylisting).

Then your setup "should" work. Maybe you should set REJECTLEVEL to an insane
high value like 100 or so.

-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany




Re: Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-10 Thread fili

>
> Should work. Depending on what you want to achieve.
>
> greylist clients which are on at least one RBL
> reject clients which are on too many rbls
>

If possible, I would like to use greylisting -only- if client appears on 
too many RBLs.
In all other situations clients should pass thru (no 550 reject, no 
greylisting).


With this I'm hoping to combine the best of two worlds without rejecting 
or slowing down HAM (as much as possible).

What configuration would you suggest to achieve this?

Regards,
Fili




Re: RBL-based greylisting using Policyd-weight and Postgrey

2008-01-10 Thread Robert Felber
On Thu, Jan 10, 2008 at 04:51:52PM +0100, Fili wrote:
> 
> Hello Policyd List,
> 
> I'm trying to set up RBL-based greylisting using Policyd-weight and Postgrey 
> on Debian Etch.
> After some intensive Google-ing I came to the conclusion that it should be 
> possible.
> However, I couldn't find any concrete configuration examples.
> 
> Would the following configuration work?
> 
> --postfix: main.cf--
> smtpd_restriction_classes = greylist
> greylist = check_policy_service inet:127.0.0.1:6
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
>     check_policy_service inet:127.0.0.1:12525
> 
> --policyd-weight.conf--
> $REJECTLEVEL = 4.25;
> $dnsbl_checks_only = 1;
> $MAXDNSBLHITS = 4;
> $MAXDNSBLMSG = 'rc:greylist';
> $BIND_ADDRESS = 'all';


Should work. Depending on what you want to achieve.

greylist clients which are on at least one RBL
reject clients which are on too many rbls


> 
> It is unclear to me if the 'rc:greylist' is supported on the Debian packaged 
> version: 0.1.14-beta-6.

It contains handling for rc: messages.


-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany

