Performance

uxbod uxbod at splatnix.net
Tue Feb 6 13:32:49 CET 2007


In a similar vein I modified the mailgraph tool by David Schweikert and came up with the following :-

Regards,

On Tue, 6 Feb 2007 13:12:15 +0100, "Glenn Steen" <glenn.steen at gmail.com> wrote:
> Somewhat off-topic, but interesting for those willing to explore
> pflogsumm (and want to use the cron snippets I showed earlier).
> So, mainly for Postfix admins...:-).
> 
> On 01/02/07, Glenn Steen <glenn.steen at gmail.com> wrote:
>> On 01/02/07, Peter Russell <pete at enitech.com.au> wrote:
>> >
>> >
>> > Glenn Steen wrote:
>> > > On 31/01/07, Peter Russell <pete at enitech.com.au> wrote:
>> (snip even more)
>> > >> >> relay_domains = katy.com katy.net katycomputer.com schmerold.com
>> > >> > Why is there no "companion" relay_recipient_maps? You should reject
>> > >> > unknown recipients.
>> > >> >
>> > >> >> smtpd_data_restrictions = reject_unauth_pipelining, permit
>> > >> >> smtpd_helo_required = yes
>> > >> > Here you should perhaps have a
>> > >> > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>> > >> >     hash:/etc/postfix/deny_domain_spoof
>> > >> > Where the deny_domain_spoof is simply an access file detailing the
>> > >> > domains and IP addresses you relay for like "katy.com REJECT". Will be
>> > >> > perfectly safe to use.
>> > >>
>> > >> Glenn - should he have REJECT for domains he relays for?
>> > > Yes. The thinking here is to REJECT anyone pretending to be either
>> > > your domain (your MX) or any of the "internal/trusted" IP addresses,
>> > > unless they really are... The permit_mynetworks take care of not
>> > > rejecting things that shouldn't be rejected:).
>> > > As said, perfectly safe;-).
>> > > This one rejects a few every day.
>> >
>> > Sorry for the questions, but I am trying to stop some of the low scoring
>> > spam I keep getting through - I am sure some tweaking will get it.
>> Quite OK.
>> > How do you check if these have blocked some spam? grep the maillog?
>> Well more or less:-). It's the beauty of pflogsumm ... It'll summarize
>> all rejections by at what stage and "reason"... like this (this is for
>> yesterday):
>> message reject detail
>> ---------------------
>>   RCPT
>>     Helo command rejected: Access denied (total: 50)
>>            3   83.173.153.170  (clients-865241583854se at nordea.se)
>>            3   83.239.72.30  (wkihudxroacna at dirtydavid.every1.net)
>> ...
>> (The first one there is a Nordea Phish, or rather three... that I
>> spend no more resources on;-)
>> These "Access denied at helo" are the ones trying to pretend they are
>> us. Similarly you'll get
>>     Helo command rejected: Invalid name (total: 9)
>>     Helo command rejected: need fully-qualified hostname (total: 374)
>>     Recipient address rejected: User unknown in relay recipient table (total: 233)
>>     Relay access denied (total: 41)
>>     Sender address rejected: Access denied (total: 35)
>> ... All those 700-odd rejections on a total incoming of 3800. Most of
>> the above are pretty obviously from "reject_invalid_hostname,
>> reject_non_fqdn_hostname, reject_non_fqdn_sender,
>> reject_non_fqdn_recipient", and I also apply the deny_domain_spoof in
>> the sender_restrictions, which accounts for those 35 rejections.
>>
>> To keep "on top of things" I've cron'd a couple of pflogsumm runs like this:
>> 3 0 * * * /usr/local/bin/pflsum_yday
>> 10 4 * * 0 /usr/local/bin/pflsum_week
>> # cat /usr/local/bin/pflsum_yday
>> #!/bin/bash
>> # Postfix log summary analysis per yesterday
>> /bin/cat /var/log/syslog | /usr/local/bin/pflogsumm -i -d yesterday \
>>   --problems_first --rej_add_from --zero_fill > \
>>   /var/www/html/pflogsumm/pflogsumm-$(date +%Y%m%d).txt 2>&1
>> # cat /usr/local/bin/pflsum_week
>> #!/bin/bash
>> # Postfix log summary analysis per last week
>> /bin/zcat /var/log/syslog.1.gz | /usr/local/bin/pflogsumm -i \
>>   --problems_first --rej_add_from --zero_fill > \
>>   /var/www/html/pflogsumm/pflogsumm-week-$(date +%Y%m%d).txt 2>&1
>> #
>> And I then have a small PHP script to present those on a webpage...
>> For my disabled-by-windoze colleagues:-).
>>
> 
> Just for completeness (and since Pete bugged me to actually look at
> it:-), here is the exceptionally Q&D (not horrid, but then... not
> beautiful either... I'm sure it depends on how my php.ini is set:) PHP
> script I use to present those logfile summaries... I've got it linked
> from the tools page of MailWatch too for easy access, but it is
> standalone.
> 
> The colourscheme is due to it being part of a set of "webified admin
> tools" (and me being colourblind:), but it should be easy enough to
> change. The CONF_pfls_dir is the only variable one should need touch
> if one moves things elsewhere.
> 
> Enjoy:-)
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> 
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailgraph.png
Type: image/png
Size: 70006 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070206/483928e9/mailgraph-0001.png
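
Added example, not part of the original thread and not pflogsumm's own code: a small shell/awk tally of Postfix smtpd rejections by stage and reason, plus the per-client counts for one reason, in the spirit of the "message reject detail" section quoted above. The log lines are constructed (documentation addresses and example domains) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample log lines (RFC 5737 addresses, example domains).
sample_log() {
cat <<'EOF'
Feb  5 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <example.org>: Helo command rejected: Access denied; from=<a@example.net> to=<bob@example.org> proto=SMTP helo=<example.org>
Feb  5 10:01:09 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <example.org>: Helo command rejected: Access denied; from=<a@example.net> to=<eve@example.org> proto=SMTP helo=<example.org>
Feb  5 10:07:41 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <192.0.2.1>: Helo command rejected: Access denied; from=<c@example.com> to=<bob@example.org> proto=ESMTP helo=<192.0.2.1>
Feb  5 10:09:13 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 5.5.2 <pc>: Helo command rejected: need fully-qualified hostname; from=<d@example.com> to=<bob@example.org> proto=SMTP helo=<pc>
Feb  5 10:12:30 mx postfix/smtpd[2113]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.9]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in relay recipient table; from=<e@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
Feb  5 10:12:31 mx postfix/smtpd[2113]: 4F2A61C0: client=mail.example.net[203.0.113.9]
EOF
}

# Print "count<TAB>stage<TAB>reason" for every rejection, most frequent first.
reject_summary() {
  awk '
    / postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject: / {
      rest = $0
      sub(/^.*NOQUEUE: reject: /, "", rest)  # RCPT from host[ip]: 554 5.7.1 <arg>: reason; from=...
      sub(/; from=.*$/, "", rest)            # drop the envelope details
      p = index(rest, ">: "); if (p == 0) next
      stage = rest; sub(/ from .*$/, "", stage)
      count[stage "\t" substr(rest, p + 3)]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Print "count<TAB>client-ip" for one reason ($1, matched literally).
reject_clients() {
  awk -v want="$1" '
    index($0, "NOQUEUE: reject: ") && index($0, ">: " want "; from=") {
      ip = $0
      sub(/^.*NOQUEUE: reject: [A-Z]+ from [^ ]*\[/, "", ip)
      sub(/\].*$/, "", ip)
      n[ip]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_log | reject_summary
sample_log | reject_clients "Helo command rejected: Access denied"
```

On a live system, feed the functions the mail log instead of sample_log; the "Access denied" HELO rejections are the clients that announced themselves with a name or address listed in the helo access map.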

