[Cialug] postfix issue

david l goodrich dlg at dorkzilla.org
Fri Nov 17 11:58:16 CST 2006


On Fri, Nov 17, 2006 at 09:43:37AM -0600, Jeff Davis wrote:
> I can't see anything particularly wrong with your implementation.
> 
> It's interesting to me that you're using a remote service to handle
> the amavis service.

the mail server has a whopping 200 MB ram, it's a xen domu at
panix.com.  it is entirely unsuited to running postfix,
cyrus-imapd AND amavisd-new.

> My suggestion would be to add some handling in your perl script to
> check that you
> can reach the service and return a defer_if_permit if the service is
> not available.

defer_if_permit is nice, but remember, the mail server has
already returned 2xx to the client.  i implemented this, but i
just send 'ok' if the amavisd-new server is down.  there's not
much else i can do at that point.

> 
> On a side note:
> Since you're already not passing large attachments
> this may not be an issue, but if you start having
> problems with some bigger messages you may want to add a time limit
> Change: $filter = 'smtp:sparky.dsrw.org:10024';
> to: $filter = 'smtp:sparky.dsrw.org:10024_time_limit = 3600';
> Postfix will by default kill a child process after 1000 seconds.

thanks, i didn't know about that one.
that may be the better route, actually, to knock the time down to
60 or something, and disregard the size checks.  if it's too big
it'll trip the timeout.  if it's set up as an smtpd_proxy_filter
instead of  via smtpd_end_of_data_restrictions it'll check to see
if the anti-spam server is up, and defer the message if it's not.

any thoughts on that approach?
  --waldo


> 
> - -Jeff
> 
> 
> 
> 
> david l goodrich wrote:
> > On Thu, Nov 16, 2006 at 11:44:37AM -0600, Jeff Davis wrote:
> >> Who had the postfix problem at the meeting last night?
> >>
> >> If you send me (off the list) the section of your config where you're
> >> performing that check I'll be glad to help.
> >>
> >> - -Jeff
> >>
> >
> > That was me.  I appreciate all your help.  I'll send it to the
> > list as well, maybe this'll be useful later.
> >
> > A little background on my setup.  My mail server is in NYC and
> > connected via a VPN to a server running amavisd-new and
> > spamassassin in Rochester, MN.  This link is not the fastest
> > thing in the world, and amavisd by default automatically passes
> > messages over 64k anyway, so I thought I would spare myself a lot
> > of trouble and just not send messages greater than 64k to the
> > anti-spam server in the first place.
> >
> > Through the reading I've done on the Internet, I determined the
> > only way to do that is to set up a policy filter at the
> > smtpd_end_of_data_restrictions level, since postfix only has an
> > idea of the size of the message after it has been accepted.  At
> > least, that's what Wietse Venema suggested[1].
> >
> > I am not doing my spam filtering quite like in the poster of the
> > message[2].  amavisd-new is listening on port 10024 of the
> > anti-spam server, and once it has filtered the message and added
> > headers, sends it back to the postfix server on port 10025.
> >
> > So my master.cf looks like this:
> > smtp      inet  n       -       n       -       -       smtpd
> >   -o smtpd_end_of_data_restrictions=check_policy_service,unix:private/filterlogic
> >
> > and then:
> > 10025     inet  n       -       n       -       -       smtpd
> >   -o smtpd_authorized_xforward_hosts=172.20.0.0/16
> >   -o smtpd_client_restrictions=
> >   -o smtpd_helo_restrictions=
> >   -o smtpd_sender_restrictions=
> >   -o smtpd_recipient_restrictions=permit_mynetworks,reject
> >   -o smtpd_data_restrictions=
> >   -o receive_override_options=no_unknown_recipient_checks
> >
> > and finally
> > filterlogic     unix  -       n       n       -       - spawn
> >      user=nobody argv=/usr/pkg/bin/perl /usr/local/bin/filterlogic.pl
> >
> > of course, all the usual bits for pickup, cleanup, discard, etc
> > are all still there.
> >
> > filterlogic.pl is just the greylist.pl that was included with the
> > distribution, but the smtpd_access_policy function was changed to
> > suit my needs.  this policy filter also checks to see if an
> > authenticated user (i.e. myself) sent the message, and if so will
> > not filter it.
> >
> >  sub smtpd_access_policy {
> >
> >     # Specify the location of the filter (amavisd-new on the anti-spam server)
> >     my $filter = 'smtp:sparky.dsrw.org:10024';
> >     # and the message size above which to automatically pass the message
> >     my $messagesize = 1024 * 64;
> >
> >     # %attr is the request attribute hash filled in by greylist.pl;
> >     # default both values so a missing attribute does not warn
> >     my $size   = $attr{"size"} || 0;
> >     my $sender = lc($attr{"sasl_username"} || "");
> >
> >     # Big messages and mail from authenticated senders skip the filter
> >     if ($size > $messagesize || length($sender) > 0)
> >         { return "ok"; }
> >     else
> >         { return "filter " . $filter; }
> >  }
> >
> >
> > The problem I have seen is that since postfix can't report a size
> > to the policy filter until after it has accepted the message,
> > postfix accepts the message from the client, sends a 2xx accept
> > code, and /then/ runs the filter.  If the link to the anti-spam
> > server is down, postfix seems to just drop the message, but the
> > sending server has no idea, since postfix returned a 2xx and the
> > sending server assumes everything is fine.  This seems broken to
> > me.
> >
> > More bits and pieces of master.cf and main.cf are available upon
> > request, of course.  Nothing much secret in them :]  Thanks again
> > for your help.
> >   --waldo
> >
> >
> > 1. http://archives.neohapsis.com/archives/postfix/2006-06/0430.html
> > 2. http://www.postfix.org/FILTER_README.html#advanced_filter
> >
> > ----------------------------------------------------------------------
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
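Jeff's suggestion above (have the policy script check that the amavisd-new service is reachable and answer defer_if_permit when it is not), sketched here in Python as an added example; this is not waldo's filterlogic.pl nor the greylist.pl code, the request parsing is a minimal re-implementation of the Postfix policy delegation format, the host, port and 64k cut-off are taken from the thread, and the `reachable` argument is a hypothetical hook so the network check can be stubbed out.

```python
import socket

FILTER = "smtp:sparky.dsrw.org:10024"   # amavisd-new listener named in the thread
MAX_SIZE = 64 * 1024                    # size above which amavisd passes mail anyway

# Constructed sample request in the Postfix policy delegation format
# (name=value lines terminated by an empty line).
SAMPLE_REQUEST = "request=smtpd_access_policy\nsize=1000\nsasl_username=\n\n"

def parse_policy_request(raw):
    """Parse one policy request into a dict; stop at the blank terminator line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def filter_reachable(filter_spec, timeout=2.0):
    """True if host:port of an 'smtp:host:port' transport accepts a TCP connection."""
    _, host, port = filter_spec.split(":")
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False

def decide(attrs, reachable=filter_reachable):
    """Policy decision; 'reachable' is a hook so the network check can be stubbed."""
    if attrs.get("sasl_username"):          # authenticated sender: do not filter
        return "ok"
    try:
        size = int(attrs.get("size", "0"))  # known only at end-of-data
    except ValueError:
        size = 0
    if size > MAX_SIZE:                     # amavisd would pass it through anyway
        return "ok"
    if not reachable(FILTER):               # filter host down: tempfail, not drop
        return "defer_if_permit"
    return "FILTER " + FILTER

def policy_response(raw, reachable=filter_reachable):
    """Reply as Postfix expects it: 'action=...' followed by an empty line."""
    return "action=%s\n\n" % decide(parse_policy_request(raw), reachable)
```

A real daemon would read requests from the spawn(8) socket in a loop and write policy_response() back for each one.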