Performance
John Schmerold
john at katy.com
Fri Feb 2 03:10:24 CET 2007
This list becomes an important archive of useful information, so I want
to let everyone know we ended up eliminating the smtpd_helo_restrictions
section. Too many mail servers are mis-configured. Besides, the RFC
states that the recipient server will accept the message regardless of
whether or not the HELO statement is proper.
John Schmerold
John Schmerold wrote:
> MailScanner -changed is a great help.
>
> I promised to let the group know how things are going. Very well is the
> answer. Messages are getting processed in 4 to 10 seconds.
>
> The main problem I have now is responding to mal-formed HELO
> announcements. I am having to write a lot of "your critical emails
> aren't getting through because your correspondent's mail server is
> mis-configured." Of course, I'm keeping "check_helo_access
> hash:/etc/postfix/helo_access" in my back-pocket.
>
> When things quiet down, I'll deal with the scatterback issue. For now,
> I'm dumping them off the face of the earth by specifying a non-existent
> relay host. /etc/postfix/transport takes care of getting legitimate mail
> where it needs to go. Yes, I know this isn't the optimal way of dealing with
> the problem.
>
> Kept Pyzor, since things are under control. It will be on my short list
> of things to eliminate if we get back to 2-6 hour queue times.
> Kept cbl.abuseat.org and zen.spamhaus.org due to Spamhaus TOS, and the
> fact that RBL checks do not seem to be the bottleneck.
> Added ws.surbl.org to list of RBLs
> Added combined.njabl.org to list of RBLs
>
> /dev/shm & /var/spool/MailScanner/incoming was a tmpfs dir. Added
> following to /etc/cron.hourly/check_MailScanner
> if [ -d /dev/shm ]; then
>   TMPDIR=/dev/shm
>   export TMPDIR
> fi
>
> Changes to MailScanner.conf:
> Max Children = 5
> Max Unscanned Messages Per Scan = 30
> Max Unsafe Messages Per Scan = 30
>
> Changes to main.cf
> smtpd_delay_reject=no
>
> smtpd_helo_restrictions = permit_mynetworks,
>     check_helo_access hash:/etc/postfix/helo_access
>     reject_invalid_hostname
>     reject_unknown_hostname
>     reject_non_fqdn_hostname
>     reject_unauth_pipelining
>     permit
>
> PolicyD was already giving me GreatPause, so I didn't add
> smtpd_client_restrictions as recommended
>
> For the record, my current configuration is as follows:
> [root@mx1 ~]# MailScanner -changed
> Table of Changed Values:
>
> Option Name Default Current Value
> ===============================================================================
>
> alwaysincludespamassassinreport no yes
> archivemail RULESET:Default=
> highscoringspamactions deliver header "X-Spam-Status: Yes"
> store
> highspamassassinscore 10 7
> incomingqueuedir /var/spool/mqueue.in
> /var/spool/postfix/hold
> languagestrings /etc/MailScanner/reports/en/languages.conf
> logspam no yes
> logspeed no yes
> maxspamassassinsize 30000 20k
> mta sendmail postfix
> outgoingqueuedir /var/spool/mqueue
> /var/spool/postfix/incoming
> requiredspamassassinscore 6 4
> restartevery 14400 7200
> runasgroup 0 postfix
> runasuser 0 postfix
> signcleanmessages yes no
> spamactions deliver header "X-Spam-Status: Yes"
> deliver header "X-Spam-Status: Res"
> spamassassinsiterulesdir /etc/mail/spamassassin
> spamheader X-MailScanner-SpamCheck:
> X-Schmerold-MailScanner-SpamCheck:
> spamliststobespam 1 3
> spamliststoreachhighscore 3 7
> spamscoreheader X-MailScanner-SpamScore:
> X-Schmerold-MailScanner-SpamScore:
> virusscanners auto f-prot
> [root@mx1 ~]#
>
> [root@mx1 ~]# postconf -n
> canonical_maps = hash:/etc/postfix/canonical
> config_directory = /etc/postfix
> disable_vrfy_command = yes
> hash_queue_names = ""
> header_checks = regexp:/etc/postfix/header_checks
> masquerade_exceptions = root
> message_size_limit = 51200000
> mydomain = schmerold.com
> myhostname = mx1.schmerold.com
> mynetworks = 127.0.0.0/8 65.16.251.208/29
> relay_domains = katy.com katy.net katycomputer.com schmerold.com
> relayhost = [127.0.0.1]:8080
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_delay_reject = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> hash:/etc/postfix/helo_access reject_invalid_hostname
> reject_unknown_hostname reject_non_fqdn_hostname
> reject_unauth_pipelining permit
> smtpd_recipient_restrictions = check_helo_access
> hash:/etc/postfix/helo_access reject_invalid_hostname
> reject_non_fqdn_hostname reject_non_fqdn_sender
> reject_non_fqdn_recipient reject_unknown_sender_domain
> permit_mynetworks reject_unauth_destination check_sender_access
> hash:/etc/postfix/whitelist check_policy_service inet:127.0.0.1:10031
> reject_rbl_client combined.njabl.org reject_rbl_client cbl.abuseat.org
> reject_rbl_client ws.surbl.org reject_rbl_client zen.spamhaus.org permit
> smtpd_sender_restrictions = hash:/etc/postfix/access
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_domains = hash:/etc/postfix/virtual
> virtual_alias_maps = hash:/etc/postfix/virtual
> [root@mx1 ~]#
>
>
>
> Julian Field wrote:
>> Just a quick note of info:
>>
>> When asking users for settings like this, a very useful command is
>> MailScanner -changed
>> which will list all the configuration options that have been changed
>> from their supplied defaults.
>> You might want to do
>> MailScanner -changed | grep -v reports
>> to strip out all the report directories.
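
One way to measure how many clients each HELO check in the configuration above turns away, as an added example that is not part of the original thread. The log lines are constructed samples in Postfix's smtpd reject format, and `reject_warning` lines are what Postfix logs when a restriction is prefixed with `warn_if_reject`:

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd reject-log format (not from the thread).
SAMPLE_LOG = """\
Feb  1 20:01:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: HELO from unknown[192.0.2.10]: 504 <exchange01>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<exchange01>
Feb  1 20:01:09 mx1 postfix/smtpd[2102]: NOQUEUE: reject: HELO from mail.example.org[198.51.100.7]: 450 <mail.corp.local>: Helo command rejected: Host not found; proto=ESMTP helo=<mail.corp.local>
Feb  1 20:06:11 mx1 postfix/smtpd[2107]: NOQUEUE: reject: HELO from mail.example.org[198.51.100.7]: 450 <mail.corp.local>: Helo command rejected: Host not found; proto=ESMTP helo=<mail.corp.local>
Feb  1 20:07:30 mx1 postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<foo>
Feb  1 20:09:44 mx1 postfix/smtpd[2113]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 504 5.5.2 <exchange01>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<exchange01>
"""

# Matches only HELO-based rejections; the enhanced status code (e.g. 5.5.2)
# is optional because older Postfix releases do not log it.
HELO_REJECT_RE = re.compile(
    r"NOQUEUE: (?P<kind>reject|reject_warning): (?P<stage>\w+) from "
    r"(?P<client>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?:\d\.\d+\.\d+ )?"
    r"<(?P<helo>[^>]*)>: Helo command rejected: (?P<reason>[^;]+);"
)


def helo_rejects(log_text):
    """Tally HELO rejections by reason, by (client IP, HELO name), and by kind."""
    by_reason, by_client, by_kind = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = HELO_REJECT_RE.search(line)
        if m is None:
            continue  # RBL hits and other non-HELO rejects are ignored
        by_reason[m["reason"].strip()] += 1
        by_client[(m["ip"], m["helo"])] += 1
        by_kind[m["kind"]] += 1  # reject_warning = logged only, not enforced
    return by_reason, by_client, by_kind


if __name__ == "__main__":
    reasons, clients, kinds = helo_rejects(SAMPLE_LOG)
    for reason, n in reasons.most_common():
        print(f"{n:4d}  {reason}")
    for (ip, helo), n in clients.most_common():
        print(f"{n:4d}  {ip}  helo=<{helo}>")
    print(dict(kinds))
```

To use it on real data, pass the text of the mail log to `helo_rejects()` in place of `SAMPLE_LOG`.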