[Cialug] postfix issue
Jeff Davis
jdavis at geolearning.com
Fri Nov 17 09:43:37 CST 2006
I can't see anything particularly wrong with your implementation.
It's interesting to me that you're using a remote service to handle
the amavis service.
My suggestion would be to add some handling in your perl script to
check that you can reach the service and return a defer_if_permit if
the service is not available.
On a side note:
Since you're already not passing large attachments this may not be an
issue, but if you start having problems with some bigger messages you
may want to add a time limit
Change: $filter = 'smtp:sparky.dsrw.org:10024';
to: $filter = 'smtp:sparky.dsrw.org:10024_time_limit = 3600';
Postfix will by default kill a child process after 1000 seconds.
-Jeff
david l goodrich wrote:
> On Thu, Nov 16, 2006 at 11:44:37AM -0600, Jeff Davis wrote:
>> Who had the postfix problem at the meeting last night?
>>
>> If you send me (off the list) the section of your config where you're
>> performing that check I'll be glad to help.
>>
>> -Jeff
>>
>
> That was me. I appreciate all your help. I'll send it to the
> list as well, maybe this'll be useful later.
>
> A little background on my setup. My mail server is in NYC and
> connected via a VPN to a server running amavisd-new and
> spamassassin in Rochester, MN. This link is not the fastest
> thing in the world, and amavisd by default automatically passes
> messages over 64k anyway, so I thought I would spare myself a lot
> of trouble and just not send messages greater than 64k to the
> anti-spam server in the first place.
>
> Through the reading I've done on the Internet, I determined the
> only way to do that is to set up a policy filter at the
> smtpd_end_of_data_restrictions level, since postfix only has an
> idea of the size of the message after it has been accepted. At
> least, that's what Wietse Venema suggested[1].
>
> I am not doing my spam filtering quite like in the poster of the
> message[2]. amavisd-new is listening on port 10024 of the
> anti-spam server, and once it has filtered the message and added
> headers, sends it back to the postfix server on port 10025.
>
> So my master.cf looks like this:
> smtp inet n - n - - smtpd
>   -o smtpd_end_of_data_restrictions=check_policy_service,unix:private/filterlogic
>
> and then:
> 10025 inet n - n - - smtpd
>   -o smtpd_authorized_xforward_hosts=172.20.0.0/16
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=
>   -o receive_override_options=no_unknown_recipient_checks
>
> and finally
> filterlogic unix - n n - - spawn
>   user=nobody argv=/usr/pkg/bin/perl /usr/local/bin/filterlogic.pl
>
> of course, all the usual bits for pickup, cleanup, discard, etc
> are all still there.
>
> filterlogic.pl is just the greylist.pl that was included with the
> distribution, but the smtpd_access_policy function was changed to
> suit my needs. This policy filter also checks to see if an
> authenticated user (i.e. myself) sent the message, and if so will
> not filter it.
>
> sub smtpd_access_policy {
>
> # Specify the location of the filter
> $filter = 'smtp:sparky.dsrw.org:10024';
> # and the message size to automatically pass
> $messagesize = 1024 * 64;
>
> my $size;
> my $sender;
> $size = lc $attr{"size"};
> $sender = lc $attr{"sasl_username"};
>
> if ($size > $messagesize || length($sender) > 0)
> { return "ok"; }
> else
> { return "filter " . $filter; }
> }
>
>
> The problem I have seen is that since postfix can't report a size
> to the policy filter until after it has accepted the message,
> postfix accepts the message from the client, sends a 2xx accept
> code, and /then/ runs the filter. If the link to the anti-spam
> server is down, postfix seems to just drop the message, but the
> sending server has no idea, since postfix returned a 2xx and the
> sending server assumes everything is fine. This seems broken to
> me.
>
> More bits and pieces of master.cf and main.cf are available upon
> request, of course. Nothing much secret in them :] Thanks again
> for your help.
> --waldo
>
>
> 1. http://archives.neohapsis.com/archives/postfix/2006-06/0430.html
> 2. http://www.postfix.org/FILTER_README.html#advanced_filter
>
> ----------------------------------------------------------------------
>
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
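
The reachability check suggested in the reply, sketched as a stand-alone policy script. This is an added example, not code from either poster or from the Postfix distribution. The helper name filter_reachable, the 3-second timeout and the reply text are assumptions; the host, port and 64k threshold are the ones quoted in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# Host, port and size threshold as quoted in the thread; timeout is assumed.
my $filter_host = 'sparky.dsrw.org';
my $filter_port = 10024;
my $filter      = "smtp:$filter_host:$filter_port";
my $messagesize = 1024 * 64;   # messages above this bypass the filter
my $timeout     = 3;           # seconds to wait for the TCP connect

# Hypothetical helper: true if a TCP connection to the filter can be opened.
sub filter_reachable {
    my ($host, $port, $wait) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => $wait,
    ) or return 0;
    close($sock);
    return 1;
}

# Takes the policy attributes as a hash reference; returns the action string.
sub smtpd_access_policy {
    my ($attr) = @_;
    my $size   = $attr->{size} // 0;
    my $sender = $attr->{sasl_username} // '';

    # Large or authenticated mail skips the filter, as in the quoted script.
    return 'ok' if $size > $messagesize || length $sender;

    # Filter unreachable: answer 4xx at end-of-data so the sender retries.
    return 'defer_if_permit Content filter temporarily unavailable'
        unless filter_reachable($filter_host, $filter_port, $timeout);

    return "filter $filter";
}

# Minimal policy loop: collect name=value lines, answer on the blank line.
$| = 1;
my %attr;
while (my $line = <STDIN>) {
    chomp $line;
    if ($line =~ /^([^=]+)=(.*)$/) { $attr{$1} = $2; next; }
    print 'action=', smtpd_access_policy(\%attr), "\n\n";
    %attr = ();
}
```

The connect test only shows that the port accepted a connection at check time; it says nothing about whether the filter will still be up when Postfix hands the message over.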