How can MailScanner "push back"?
Hugo van der Kooij
hvdkooij at vanderkooij.org
Sat Aug 25 11:13:23 IST 2007
On Thu, 23 Aug 2007, Leland J. Steinke wrote:
> Has anybody set up a scheme where MailScanner tells the MTA to stop or slow
> message acceptance, short of blocking inbound port 25, when message scanning
> gets too far behind?
>
> We use postfix (so I will try not to reply to my own message). I have been
> playing with the idea of tuning the number of inbound smtpd processes in
> master.cf to match the capacity of the MailScanner instance running on the
> underlying hardware. The initial results are not particularly encouraging.
> Even with in-house RBLs and reduced spam-score thresholds for RBL addition,
> some of our servers are being overrun with apparent StormWorm emails from IPs
> all over the map, reducing the RBL's effectiveness.
>
> As another way to slow the onslaught in postfix, I added extra client and
> HELO restrictions, adding reject_unknown_client and reject_unknown_hostname
> to smtpd_{client,helo}_restrictions, respectively. It looks like the HELO
> restriction is blocking almost as much legitimate mail as illegitimate.
Here is one I find very useful. It blocks a significant number of user
connections from networks I have nothing to do with. Adjust to your own
needs.
/etc/postfix/dynamic_networks:
#
# Dynamic Networks
#
/^adsl.*$/ reject_dynamic
/^dhcp.*$/ reject_dynamic
/^cable.*$/ reject_dynamic
/^dialup.*$/ reject_dynamic
/^dsl-.*$/ reject_dynamic
/^dslnet.*$/ reject_dynamic
/^dyn-.*$/ reject_dynamic
/^dynamic-.*$/ reject_dynamic
/^host.*$/ reject_dynamic
/^ip-.*$/ reject_dynamic
/^netblock-.*$/ reject_dynamic
/^ppp.*$/ reject_dynamic
/^static.*$/ reject_dynamic
in /etc/postfix/main.cf:
smtpd_restriction_classes =
reject_RFC,
reject_auto,
reject_auto_virus,
reject_domain,
reject_dynamic,
reject_infected,
reject_spam,
reject_user
reject_RFC = check_client_access regexp:/etc/postfix/class/reject_RFC
reject_auto = check_client_access regexp:/etc/postfix/class/reject_auto
reject_auto_virus = check_client_access regexp:/etc/postfix/class/reject_auto_virus
reject_domain = check_client_access regexp:/etc/postfix/class/reject_domain
reject_dynamic = check_client_access regexp:/etc/postfix/class/reject_dynamic
reject_infected = check_client_access regexp:/etc/postfix/class/reject_infected
reject_spam = check_client_access regexp:/etc/postfix/class/reject_spam
reject_user = check_client_access regexp:/etc/postfix/class/reject_user
smtpd_client_restrictions =
......
regexp:/etc/postfix/dynamic_networks,
......
in /etc/postfix/class/reject_dynamic:
/./ REJECT Dynamic (Cable, Dialup or DSL) network access denied; Use a smarthost instead (http://en.wikipedia.org/wiki/Smart_host)
Combined with other entries it got me a significant decrease in the number
of messages I actually have to scan.
For example any host ending with abo.wanadoo.fr has nothing to do with
SMTP here either.
While not a perfect solution, tricks like these may reduce the amount of
messages you have to scan from unworkable to manageable.
Hugo.
--
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for this quote of George Bernard Shaw.)
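The following is an added example, not part of the thread above and not Postfix's own code. It is a small Python model of what Postfix does with the tables Hugo posted: it parses the regexp: access table for dynamic networks and the reject_dynamic class table, resolves the restriction-class indirection the way check_client_access does for a client hostname, and reports the final action. The client hostnames are constructed, and only the hostname lookup is modelled (Postfix also looks up the client IP address and network). It shows which names the table catches, including "hosting-mx1.example.org", which the broad /^host.*$/ rule sweeps in alongside genuine dynamic hosts.

```python
import re

# Constructed copy of the regexp access table from the post
# (/etc/postfix/dynamic_networks); the right-hand side names a restriction class.
DYNAMIC_NETWORKS = """\
#
# Dynamic Networks
#
/^adsl.*$/ reject_dynamic
/^dhcp.*$/ reject_dynamic
/^cable.*$/ reject_dynamic
/^dialup.*$/ reject_dynamic
/^dsl-.*$/ reject_dynamic
/^dslnet.*$/ reject_dynamic
/^dyn-.*$/ reject_dynamic
/^dynamic-.*$/ reject_dynamic
/^host.*$/ reject_dynamic
/^ip-.*$/ reject_dynamic
/^netblock-.*$/ reject_dynamic
/^ppp.*$/ reject_dynamic
/^static.*$/ reject_dynamic
"""

# The class table from the post (/etc/postfix/class/reject_dynamic): any key matches.
REJECT_DYNAMIC = """\
/./ REJECT Dynamic (Cable, Dialup or DSL) network access denied; Use a smarthost instead (http://en.wikipedia.org/wiki/Smart_host)
"""

# Mirrors "reject_dynamic = check_client_access regexp:..." in main.cf.
RESTRICTION_CLASSES = {"reject_dynamic": REJECT_DYNAMIC}

# Assumption: '/' delimits the pattern and no per-pattern flags are used.
TABLE_LINE = re.compile(r"^/(?P<pattern>.*?)/\s+(?P<action>\S.*)$")


def parse_regexp_table(text):
    """Parse a Postfix regexp: table into a list of (compiled_pattern, action).

    Matching is case-insensitive, the Postfix default for regexp tables.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored, as in Postfix
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError("unparseable table line: %r" % line)
        rules.append((re.compile(m.group("pattern"), re.IGNORECASE), m.group("action")))
    return rules


def lookup(rules, key):
    """Return the action of the first pattern that matches key, else None."""
    for pattern, action in rules:
        if pattern.search(key):
            return action
    return None


def check_client_access(client_name, table_text, classes=RESTRICTION_CLASSES):
    """Model check_client_access regexp:<table> for one client hostname.

    Returns 'REJECT ...' when a rule (directly or through a restriction class)
    rejects the client, or 'DUNNO' when this table makes no decision and the
    remaining restrictions in smtpd_client_restrictions would run.
    """
    action = lookup(parse_regexp_table(table_text), client_name)
    if action is None:
        return "DUNNO"
    if action in classes:  # the result names a restriction class: evaluate it
        return check_client_access(client_name, classes[action], classes)
    return action


# Constructed reverse-DNS names a client might present; not real hosts.
SAMPLE_CLIENTS = [
    "adsl-12-34-56-78.dynamic.example.net",
    "DSL-77-1-2-3.provider.example",     # case-insensitive hit on /^dsl-.*$/
    "ppp-203-0-113-9.isp.example",
    "mail.example.com",                   # an ordinary MX name: passes through
    "unknown",                            # rDNS failure: this table does not see it
    "hosting-mx1.example.org",            # swept in by the broad /^host.*$/ rule
]


def evaluate_all(clients=SAMPLE_CLIENTS):
    """Map each client name to the action the dynamic_networks table yields."""
    return {name: check_client_access(name, DYNAMIC_NETWORKS) for name in clients}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print("%-40s %s" % (name, verdict))
```

Clients whose reverse DNS fails show up as "unknown" and are not caught by name patterns at all; that is what reject_unknown_client in the quoted message addresses, and the two checks complement each other.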