Performance
John Schmerold
john at katy.com
Thu Feb 1 22:50:26 CET 2007
MailScanner -changed is a great help.
I promised to let the group know how things are going. Very well is the
answer. Messages are getting processed in 4 to 10 seconds.
The main problem I have now is responding to malformed HELO
announcements. I am having to write a lot of "your critical emails
aren't getting through because your correspondent's mail server is
mis-configured." Of course, I'm keeping "check_helo_access
hash:/etc/postfix/helo_access" in my back-pocket.
When things quiet down, I'll deal with the scatterback issue. For now,
I'm dumping them off the face of the earth by specifying a non-existent
relay host. /etc/postfix/transport takes care of getting legitimate mail
where it needs to go. Yes, I know this isn't the optimal way of dealing with
the problem.
Kept Pyzor, since things are under control. It will be on my short list
of things to eliminate if we get back to 2-6 hour queue times.
Kept cbl.abuseat.org and zen.spamhaus.org due to Spamhaus TOS, and the
fact that RBL checks do not seem to be the bottleneck.
Added ws.surbl.org to list of RBLs
Added combined.njabl.org to list of RBLs
/dev/shm & /var/spool/MailScanner/incoming was a tmpfs dir. Added the
following to /etc/cron.hourly/check_MailScanner:
    if [ -d /dev/shm ]; then
        TMPDIR=/dev/shm
        export TMPDIR
    fi
Changes to MailScanner.conf:
Max Children = 5
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Changes to main.cf:
smtpd_delay_reject=no
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_hostname
    reject_unknown_hostname
    reject_non_fqdn_hostname
    reject_unauth_pipelining
    permit
PolicyD was already giving me GreatPause, so I didn't add
smtpd_client_restrictions as recommended
For the record, my current configuration is as follows:
[root@mx1 ~]# MailScanner -changed
Table of Changed Values:
Option Name Default Current Value
===============================================================================
alwaysincludespamassassinreport no yes
archivemail RULESET:Default=
highscoringspamactions deliver header "X-Spam-Status: Yes" store
highspamassassinscore 10 7
incomingqueuedir /var/spool/mqueue.in
/var/spool/postfix/hold
languagestrings
/etc/MailScanner/reports/en/languages.conf
logspam no yes
logspeed no yes
maxspamassassinsize 30000 20k
mta sendmail postfix
outgoingqueuedir /var/spool/mqueue
/var/spool/postfix/incoming
requiredspamassassinscore 6 4
restartevery 14400 7200
runasgroup 0 postfix
runasuser 0 postfix
signcleanmessages yes no
spamactions deliver header "X-Spam-Status: Yes"
deliver header "X-Spam-Status: Res"
spamassassinsiterulesdir /etc/mail/spamassassin
spamheader X-MailScanner-SpamCheck:
X-Schmerold-MailScanner-SpamCheck:
spamliststobespam 1 3
spamliststoreachhighscore 3 7
spamscoreheader X-MailScanner-SpamScore:
X-Schmerold-MailScanner-SpamScore:
virusscanners auto f-prot
[root@mx1 ~]#
[root@mx1 ~]# postconf -n
canonical_maps = hash:/etc/postfix/canonical
config_directory = /etc/postfix
disable_vrfy_command = yes
hash_queue_names = ""
header_checks = regexp:/etc/postfix/header_checks
masquerade_exceptions = root
message_size_limit = 51200000
mydomain = schmerold.com
myhostname = mx1.schmerold.com
mynetworks = 127.0.0.0/8 65.16.251.208/29
relay_domains = katy.com katy.net katycomputer.com schmerold.com
relayhost = [127.0.0.1]:8080
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
hash:/etc/postfix/helo_access reject_invalid_hostname
reject_unknown_hostname reject_non_fqdn_hostname
reject_unauth_pipelining permit
smtpd_recipient_restrictions = check_helo_access
hash:/etc/postfix/helo_access reject_invalid_hostname
reject_non_fqdn_hostname reject_non_fqdn_sender
reject_non_fqdn_recipient reject_unknown_sender_domain
permit_mynetworks reject_unauth_destination check_sender_access
hash:/etc/postfix/whitelist check_policy_service inet:127.0.0.1:10031
reject_rbl_client combined.njabl.org reject_rbl_client cbl.abuseat.org
reject_rbl_client ws.surbl.org reject_rbl_client zen.spamhaus.org permit
smtpd_sender_restrictions = hash:/etc/postfix/access
transport_maps = hash:/etc/postfix/transport
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
[root@mx1 ~]#
Julian Field wrote:
> Just a quick note of info:
>
> When asking users for settings like this, a very useful command is
> MailScanner -changed
> which will list all the configuration options that have been changed
> from their supplied defaults.
> You might want to do
> MailScanner -changed | grep -v reports
> to strip out all the report directories.
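Added example, not part of the original post: a small Python tally of which entry in smtpd_helo_restrictions is rejecting which HELO names, useful for seeing which correspondents' servers are affected. The log lines are constructed samples in the standard Postfix smtpd reject format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Postfix reject text -> the smtpd_helo_restrictions entry that produces it.
REASON_TO_RESTRICTION = {
    "need fully-qualified hostname": "reject_non_fqdn_hostname",
    "Invalid name": "reject_invalid_hostname",
    "Host not found": "reject_unknown_hostname",
    "Access denied": "check_helo_access",
}

# Matches "reject: HELO from name[ip]: 504 <helo>: Helo command rejected: why;"
# with or without an enhanced status code (e.g. "504 5.5.2") after the reply code.
REJECT_RE = re.compile(
    r"reject: \w+ from (?P<client>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"\d{3}(?: \d\.\d+\.\d+)? <(?P<helo>[^>]*)>: "
    r"Helo command rejected: (?P<reason>[^;]+);"
)

# Constructed sample log lines (documentation addresses, not from the original post).
SAMPLE_LOG = """\
Feb  1 21:40:02 mx1 postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Feb  1 21:40:02 mx1 postfix/smtpd[4101]: NOQUEUE: reject: HELO from unknown[192.0.2.10]: 504 <mailsrv>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<mailsrv>
Feb  1 21:52:47 mx1 postfix/smtpd[4117]: NOQUEUE: reject: EHLO from unknown[192.0.2.10]: 504 <mailsrv>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<mailsrv>
Feb  1 21:55:13 mx1 postfix/smtpd[4120]: NOQUEUE: reject: HELO from mail.example.net[198.51.100.7]: 450 <exchange.example.local>: Helo command rejected: Host not found; proto=SMTP helo=<exchange.example.local>
Feb  1 22:01:30 mx1 postfix/smtpd[4126]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 501 5.5.2 <mail..example.com>: Helo command rejected: Invalid name; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<mail..example.com>
Feb  1 22:03:09 mx1 postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 <x@example.org>: Relay access denied; from=<c@example.com> to=<x@example.org> proto=SMTP helo=<host.example.com>
"""

def tally_helo_rejects(lines):
    """Count HELO rejects keyed by (restriction, helo_name, client_ip)."""
    hits = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:  # non-HELO rejects and ordinary log lines do not match
            reason = m["reason"].strip()
            restriction = REASON_TO_RESTRICTION.get(reason, "other: " + reason)
            hits[(restriction, m["helo"], m["ip"])] += 1
    return hits

def report(hits):
    """One text line per (restriction, HELO name, client), most frequent first."""
    return [f"{n:4d}  {r:<26} helo=<{h}> client={ip}"
            for (r, h, ip), n in hits.most_common()]

if __name__ == "__main__":
    print("\n".join(report(tally_helo_rejects(SAMPLE_LOG.splitlines()))))
```

On a live system, feed it the mail log line by line (for example the lines of /var/log/maillog) instead of SAMPLE_LOG.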