Performance

Glenn Steen glenn.steen at gmail.com
Tue Feb 6 13:12:15 CET 2007


Somewhat off-topic, but interesting for those willing to explore
pflogsumm (and want to use the cron snippets I showed earlier).
So, mainly for Postfix admins...:-).

On 01/02/07, Glenn Steen <glenn.steen at gmail.com> wrote:
> On 01/02/07, Peter Russell <pete at enitech.com.au> wrote:
> >
> >
> > Glenn Steen wrote:
> > > On 31/01/07, Peter Russell <pete at enitech.com.au> wrote:
> (snip even more)
> > >> >> relay_domains = katy.com katy.net katycomputer.com  schmerold.com
> > >> > Why is there no "companion" relay_recipient_maps? You should reject
> > >> > unknown recipients.
> > >> >
> > >> >> smtpd_data_restrictions = reject_unauth_pipelining, permit
> > >> >> smtpd_helo_required = yes
> > >> > Here you should perhaps have a
> > >> > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> > >> > hash:/etc/postfix/deny_domain_spoof
> > >> > Where the deny_domain_spoof is simply an access file detailing the
> > >> > domains and IP addresses you relay for like "katy.com REJECT". Will be
> > >> > perfectly safe to use.
> > >>
> > >> Glenn - should he have REJECT for domains he relays for?
> > > Yes. The thinking here is to REJECT anyone pretending to be either
> > > your domain (your MX) or any of the "internal/trusted" IP addresses,
> > > unless they really are... The permit_mynetworks take care of not
> > > rejecting things that shouldn't be rejected:).
> > > As said, perfectly safe;-).
> > > This one rejects a few every day.
> >
> > Sorry for the questions, but i am trying to stop some of the low scoring
> > spam i keep getting through - i am sure some tweaking will get it.
> Quite OK.
> > How do you check if these have blocked some spam? grep the maillog?
> Well more or less:-). It's the beauty of pflogsumm ... It'll summarize
> all rejections by at what stage and "reason"... like this (this is for
> yesterday):
> message reject detail
> ---------------------
>   RCPT
>     Helo command rejected: Access denied (total: 50)
>            3   83.173.153.170  (clients-865241583854se at nordea.se)
>            3   83.239.72.30  (wkihudxroacna at dirtydavid.every1.net)
> ...
> (The first one there is a Nordea Phish, or rather three... that I
> spend no more resources on;-)
> These "Access denied at helo" are the ones trying to pretend they are
> us. Similarly you'll get
>     Helo command rejected: Invalid name (total: 9)
>     Helo command rejected: need fully-qualified hostname (total: 374)
>     Recipient address rejected: User unknown in relay recipient table
> (total: 233)
>     Relay access denied (total: 41)
>     Sender address rejected: Access denied (total: 35)
> ... All those 700-odd rejections on a total incoming of 3800. Most of
> the above are pretty obviously from "reject_invalid_hostname,
> reject_non_fqdn_hostname, reject_non_fqdn_sender,
> reject_non_fqdn_recipient", and I also apply the deny_domain_spoof in
> the sender_restrictions, which accounts for those 35 rejections.
>
> To keep "on top of things" I've cron'd a couple of pflogsumm runs like this:
> 3 0 * * * /usr/local/bin/pflsum_yday
> 10 4 * * 0 /usr/local/bin/pflsum_week
> # cat /usr/local/bin/pflsum_yday
> #!/bin/bash
> # Postfix log summary analysis per yesterday
> /bin/cat /var/log/syslog | /usr/local/bin/pflogsumm -i -d yesterday \
>     --problems_first --rej_add_from --zero_fill \
>     > /var/www/html/pflogsumm/pflogsumm-$(date +%Y%m%d).txt 2>&1
> # cat /usr/local/bin/pflsum_week
> #!/bin/bash
> # Postfix log summary analysis per last week
> /bin/zcat /var/log/syslog.1.gz | /usr/local/bin/pflogsumm -i \
>     --problems_first --rej_add_from --zero_fill \
>     > /var/www/html/pflogsumm/pflogsumm-week-$(date +%Y%m%d).txt 2>&1
> #
> And I then have a small PHP script to present those on a webpage...
> For my disabled-by-windoze colleagues:-).
>

Just for completeness (and since Pete bugged me to actually look at
it:-), here is the exceptionally Q&D (not horrid, but then... not
beautiful either... I'm sure it depends on how my php.ini is set:) PHP
script I use to present those logfile summaries... I've got it linked
from the tools page of MailWatch too for easy access, but it is
standalone.

The colourscheme is due to it being part of a set of "webified admin
tools" (and me being colourblind:), but it should be easy enough to
change. The CONF_pfls_dir is the only variable one should need touch
if one moves things elsewhere.

Enjoy:-)
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
-------------- next part --------------
A non-text attachment was scrubbed...
Name: index.php
Type: application/x-php
Size: 2234 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070206/4c67d160/index.bin
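An added example, not part of Glenn's post and not pflogsumm itself: a small Python summariser that reproduces the shape of the "message reject detail" section quoted above directly from Postfix smtpd syslog lines, so you can see how many rejections the deny_domain_spoof access map (HELO and sender "Access denied") actually produced. The log lines, hostnames, IPs and addresses are constructed for illustration and are assumptions, not data from the thread.

```python
"""Summarise Postfix smtpd policy rejections in pflogsumm's "reject detail" style.

Added example (not pflogsumm, not the poster's own script). Works on
"NOQUEUE: reject:" lines as written by postfix/smtpd.
"""
import re
from collections import Counter, defaultdict

# Postfix logs a policy rejection as:
#   NOQUEUE: reject: <STAGE> from <host>[<ip>]: <code> [<enhanced>] [<arg>:] <reason>; from=<...> to=<...> ...
# With the default smtpd_delay_reject = yes, HELO and sender rejections are only
# reported once RCPT TO arrives, which is why pflogsumm files them under "RCPT".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<stage>[A-Z]+) from (?P<host>[^\s\[]*)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:\d\.\d\.\d )?(?:<[^>]*>: )?(?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)>"
)

# Rejections attributable to a check_helo_access / check_sender_access map
# holding your own domains with a REJECT action (the deny_domain_spoof idea).
SPOOF_REASONS = {
    "Helo command rejected: Access denied",
    "Sender address rejected: Access denied",
}

# Constructed sample log (assumption: these hosts, IPs and addresses are made up).
SAMPLE_LOG = """\
Feb  5 00:12:33 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[83.173.153.170]: 554 <katy.com>: Helo command rejected: Access denied; from=<clients-865241583854se@nordea.se> to=<pete@katy.com> proto=SMTP helo=<katy.com>
Feb  5 00:12:35 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[83.173.153.170]: 554 <katy.com>: Helo command rejected: Access denied; from=<clients-865241583854se@nordea.se> to=<sales@katy.com> proto=SMTP helo=<katy.com>
Feb  5 01:02:10 mx postfix/smtpd[4720]: NOQUEUE: reject: RCPT from unknown[83.239.72.30]: 554 5.7.1 <mail.katy.net>: Helo command rejected: Access denied; from=<wkihudxroacna@dirtydavid.every1.net> to=<pete@katy.com> proto=ESMTP helo=<mail.katy.net>
Feb  5 02:15:00 mx postfix/smtpd[4730]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 504 <pc123>: Helo command rejected: need fully-qualified hostname; from=<bob@example.org> to=<pete@katy.com> proto=SMTP helo=<pc123>
Feb  5 03:40:12 mx postfix/smtpd[4740]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <nosuchuser@katy.com>: Recipient address rejected: User unknown in relay recipient table; from=<spam@example.com> to=<nosuchuser@katy.com> proto=ESMTP helo=<example.com>
Feb  5 03:41:00 mx postfix/smtpd[4740]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <victim@example.net>: Relay access denied; from=<spam@example.com> to=<victim@example.net> proto=ESMTP helo=<example.com>
Feb  5 04:00:00 mx postfix/smtpd[4750]: connect from unknown[203.0.113.5]
Feb  5 04:00:01 mx postfix/smtpd[4750]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 <admin@katy.com>: Sender address rejected: Access denied; from=<admin@katy.com> to=<pete@katy.com> proto=ESMTP helo=<example.com>
"""


def parse_rejects(log_text):
    """Yield one dict (stage, host, ip, code, reason, sender) per reject line; other lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()


def summarise(records):
    """Group by (stage, reason): total count plus a Counter of (client ip, sender) like --rej_add_from."""
    summary = defaultdict(lambda: {"total": 0, "clients": Counter()})
    for r in records:
        entry = summary[(r["stage"], r["reason"])]
        entry["total"] += 1
        entry["clients"][(r["ip"], r["sender"])] += 1
    return dict(summary)


def spoof_hits(summary):
    """How many rejections came from the HELO/sender 'own domain' access map."""
    return sum(e["total"] for (_, reason), e in summary.items() if reason in SPOOF_REASONS)


def format_summary(summary):
    """Render in the layout of pflogsumm's 'message reject detail' section."""
    lines = ["message reject detail", "---------------------"]
    for stage in sorted({s for s, _ in summary}):
        lines.append(f"  {stage}")
        # Most frequent reasons first, as pflogsumm does.
        for (s, reason), entry in sorted(summary.items(), key=lambda kv: (-kv[1]["total"], kv[0])):
            if s != stage:
                continue
            lines.append(f"    {reason} (total: {entry['total']})")
            for (ip, sender), n in entry["clients"].most_common():
                lines.append(f"    {n:8d}   {ip}  ({sender})")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarise(parse_rejects(SAMPLE_LOG))
    print(format_summary(s))
    print(f"\nrejections from the deny_domain_spoof map: {spoof_hits(s)}")
```

Feed it `/var/log/syslog` (or the day's slice of it) instead of the sample and the "Helo command rejected: Access denied" and "Sender address rejected: Access denied" totals are the direct answer to "did the access map block anything". The regex tolerates both the old `554 <arg>:` and the newer `554 5.7.1 <arg>:` reply formats.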