Too messages in Hold folder when spamassassin is activated in MailScanner

Glenn Steen glenn.steen at gmail.com
Wed Nov 28 10:12:02 GMT 2007


On 27/11/2007, Israel Garcia <igalvarez at gmail.com> wrote:
> On Nov 27, 2007 4:36 PM, Glenn Steen <glenn.steen at gmail.com> wrote:
>
> >
> > On 27/11/2007, Israel Garcia <igalvarez at gmail.com> wrote:
> > > On Nov 27, 2007 4:01 PM, UxBoD <uxbod at splatnix.net > wrote:
> > >
> > > > So when disabling RBLs the problem disappears.
> > >
> > > No, the problem disapear when I turn off spamassassin completily in
> > > mailscanner config file. Sometimes I enable Spamassassin check but
> disable
> > > razor2, DCC and pyzor in spam.assassin.prefs.conf and it work better..
> BUT,
> > > if I fully enalbe spamassassin with DCC, razor2 and pyzor the load
> average
> > > begins to increase and thousands of mails begins comes to HOLD folder ..
> Do
> > > you think it's time to split the load in two servers? I mean something
> like
> > > this:
> > >                                  Router
> > >                       NAT rules to SMTP farm serves.
> > >                                        I
> > >                                        I
> > >        ______________________________
> > >                 I                                   I
> > >        Server2 SMTP                 Server1 SMTP
> > >        Mailscanner/sa                Mailscanner/sa
> >
> > If the bottleneck is network-related/lookups.... this will buy you
> > nothing, unfortunately.
> I know, but how am I sure this is the cause of my problem?
>
:-) .... when you remove some load and the problem goes away:-):-).

> >
> >
> >
> > > I think I have two problems, to much spam (80% of total emails --> from
> > > vispan) and my the line 256k/frame relay is FULL.
> > >
> > > Any other ideas?
> > > Israel
> > >
> >
> > Since the load climbs, you likely have a lot of processes in state D
> > (count them with a ps.... might give a clue:-)... Which might indicate
> > slow lookup responses, sure.
> >
> The loads climbs when comes a lot of mail to hold folder
Yes, exactly.

> >
> > You do reject mail for unknown recipients, right? If not, start doing
> > that... It will ease things;).
> yes, I do..
> from main.cf:
> local_recipient_maps = unix:passwd.byname $alias_maps
> smtpd_helo_required = yes
> disable_vrfy_command = yes
> strict_rfc821_envelopes = yes
> invalid_hostname_reject_code = 554
> multi_recipient_bounce_reject_code = 554
> non_fqdn_reject_code = 554
> relay_domains_reject_code = 554
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
>  unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 554
> unknown_relay_recipient_reject_code = 554
> unknown_sender_reject_code = 554
> unknown_virtual_alias_reject_code = 554
> unknown_virtual_mailbox_reject_code = 554
> unverified_recipient_reject_code = 554
> unverified_sender_reject_code = 554
> #
> smtpd_sender_restrictions =
>       check_sender_access hash:/etc/postfix/listanegra
>         reject_non_fqdn_sender
>         reject_unknown_sender_domain permit
>
> smtpd_recipient_restrictions =
>                 permit_auth_destination
>                 permit_mynetworks
>                 reject_non_fqdn_recipient
>                 reject_unknown_recipient_domain
>                 reject_unauth_destination
>             reject_invalid_hostname,
>             reject_unknown_recipient_domain,
>             reject_unauth_pipelining,
>             permit_sasl_authenticated,
>             reject_unauth_destination,
>
>
Good.

> >
> > You might also consider using a few RBLs at the MTA level, so that you
> > reject messages that hit them. If you go for that, choose
> > wisely...:-).
> > And look over what ... "RFC strictness" you can enable... and use to
> > reject junk.
> What is RFC stricness?
Pretty much what you do. Instead of blithely accepting malformed SMTP
conversations, just reject them (being ... strict... about it:-).
I don't see what helo_rextrictions you have... You might want to do
something there too... Like
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
hash:/etc/postfix/deny_domain_spoof
 ... where the hash to deny domain spoofing contains your domains details:
example.net REJECT
123.456.789.123 REJECT
...
Some will argue that this violates the RFCs, but it really doesn't... AFAICS:-).
Doing this on HELO/EHLO will help a bit more.

> thanks in advance
> Israel
>

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se


More information about the MailScanner mailing list