Advise on load

Robert Fitzpatrick
Posted: Tue Jul 18, 2006 4:22 pm    Post subject: Advise on load

I have a gateway that processes mail for about 50 domains. I haven't
checked lately, but I have a script that tells me how many are blocked.
That was over 100,000 (just blocked) in one day. There seem to be two
particular domains that get slammed mostly addressed to unknown users. I
am running 2.2.10 with amavisd-new 2.3.4 and SA 3.1.0. I had this issue
once before and it turned out to be the rules in SA I have, so I have
trimmed back some URI and HTML SARES rules, that makes a difference, but
still the queues continue to fill up and cause delays.

My question is about my configuration and if the server I have should
not be having a big problem, or does another gateway need to be added
to split the load. It is a P4 2.8GHz dual-processor with 1GB of RAM and
RAID 5, should I be having this issue with filtering? I adjust the logs
in Amavis and it is definitely the amount of time filtering causing the
delays in mail. Here is my postconf below. Also, is there a way to
possibly have Postfix look at these big domains as local recipients
rejecting all the unknown users instead of filtering them and sending
them to the destination server to be rejected, but still forward the
mail to its destination as received?

esmtp# postconf -n
body_checks = regexp:/usr/local/etc/postfix/body_checks
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
default_process_limit = 50
delay_warning_time = 2
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
local_recipient_maps = $alias_maps unix:passwd.byname
mail_name = Postfix Internet Mail Gateway
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = cyrus
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 1000s
maximal_queue_lifetime = 1d
message_size_limit = 51200000
mynetworks = 127.0.0.0/8, <snip>
newaliases_path = /usr/local/bin/newaliases
parent_domain_matches_subdomains = hash:/usr/local/etc/postfix/transport.map,debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = hash:/usr/local/etc/postfix/transport.map
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ($mail_name)
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_restrictions = permit_mynetworks, check_client_access hash:/usr/local/etc/postfix/helo_whitelist, reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, check_sender_mx_access hash:/usr/local/etc/postfix/mx_access, check_recipient_mx_access hash:/usr/local/etc/postfix/mx_access, reject_unauth_destination, check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre, check_helo_access hash:/usr/local/etc/postfix/helo_checks, check_sender_access hash:/usr/local/etc/postfix/sender_checks, check_client_access hash:/usr/local/etc/postfix/client_checks, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, permit
smtpd_restriction_classes = from_freemail_host
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/usr/local/etc/postfix/sender_login_maps
transport_maps = hash:/usr/local/etc/postfix/transport.map
unknown_local_recipient_reject_code = 550
virtual_alias_domains = ldap:/usr/local/etc/postfix/ldap/virtual_domains.cf
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap/virtual_maps.cf

Thanks in advance for any advice on dealing with my issue.

--
Robert

Coffey, Neal
Posted: Tue Jul 18, 2006 4:45 pm    Post subject: RE: Advise on load

Robert Fitzpatrick wrote:

Quote:
Also, is there a way to
possibly have Postfix look at these big domains as local recipients
rejecting all the unknown users instead of filtering them and sending
them to the destination server to be rejected, but still forward the
mail to its destination as received?

http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

One of those two should do it for you. Read this too:

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

Your goal should be to block as much spam as possible before
SpamAssassin and your other "expensive" tests ever hit. The easiest way
to get your load down is to kill all email sent to invalid recipients.
DO NOT accept it and bounce, get Postfix to reject it during the SMTP
transaction. If address verification doesn't work, use the recipient
maps, which can be a DB file, LDAP lookup, SQL lookup, whatever you
need. Heck, you can even write it as a policy server. But do it! Your
server will thank you.
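
Added example (not part of the thread and not Postfix's own code): the policy-server option mentioned in the post above, speaking the Postfix policy delegation protocol and rejecting unknown recipients for domains whose recipient list is known. The domains, addresses and port 10031 are constructed assumptions.

```python
import socketserver

# Constructed sample data (assumptions): relayed domains whose complete
# recipient list is known. A real gateway would query a DB file, LDAP or SQL.
PROTECTED_DOMAINS = {"example.com", "example.net"}
VALID_RECIPIENTS = {"alice@example.com", "postmaster@example.com",
                    "bob@example.net", "postmaster@example.net"}

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return an access(5) action: a 550 reply for an unknown recipient in a
    protected domain, DUNNO (no opinion) for everything else."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    rcpt = attrs.get("recipient", "").lower()
    _, at, domain = rcpt.rpartition("@")
    if not at or domain not in PROTECTED_DOMAINS or rcpt in VALID_RECIPIENTS:
        return "DUNNO"
    return "550 Recipient address rejected: User unknown"

class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix keeps the connection open and sends many requests over it."""
    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as s:
        s.serve_forever()
```

Postfix would call it through `check_policy_service inet:127.0.0.1:10031` in smtpd_recipient_restrictions, placed after reject_unauth_destination so that only mail for relayed domains reaches the lookup.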

Wietse Venema
Posted: Tue Jul 18, 2006 4:51 pm    Post subject: Re: Advise on load

Robert Fitzpatrick:
Quote:
I have a gateway that processes mail for about 50 domains. I haven't
checked lately, but I have a script that tells me how many are blocked.
That was over 100,000 (just blocked) in one day. There seem to be two
particular domains that get slammed mostly addressed to unknown users. I
am running 2.2.10 with amavisd-new 2.3.4 and SA 3.1.0. I had this issue
once before and it turned out to be the rules in SA I have, so I have
trimmed back some URI and HTML SARES rules, that makes a difference, but
still the queues continue to fill up and cause delays.

My question is about my configuration and if the server I have should
not be having a big problem, or does another gateway need to be added
to split the load. It is a P4 2.8GHz dual-processor with 1GB of RAM and
RAID 5, should I be having this issue with filtering? I adjust the logs
in Amavis and it is definitely the amount of time filtering causing the
delays in mail. Here is my postconf below. Also, is there a way to
possibly have Postfix look at these big domains as local recipients
rejecting all the unknown users instead of filtering them and sending
them to the destination server to be rejected, but still forward the
mail to its destination as received?

You need to block non-existent recipients at the internet gateway.
If you don't have a valid recipient list, use "reject_unverified_recipient"
to reject invalid recipients, and use "address_verify_map" to save
the probe results. See ADDRESS_VERIFICATION_README for details.

Address probes aren't subject to "content_filter" settings. They
are subject to transport_maps and relayhost settings, but you can
override these for address probe (the parameters are called
address_verify_transport_maps and address_verify_relayhost).

Wietse

<vg_us@hotmail.com>
Posted: Tue Jul 18, 2006 5:00 pm    Post subject: Re: Advise on load

----- Original Message -----
From: "Robert Fitzpatrick" <lists@webtent.net>
To: "Postfix" <postfix-users@postfix.org>
Sent: Tuesday, July 18, 2006 12:22 PM
Subject: Advise on load


Quote:
I have a gateway that processes mail for about 50 domains. I haven't
checked lately, but I have a script that tells me how many are blocked.
That was over 100,000 (just blocked) in one day. There seem to be two
particular domains that get slammed mostly addressed to unknown users. I
am running 2.2.10 with amavisd-new 2.3.4 and SA 3.1.0. I had this issue
once before and it turned out to be the rules in SA I have, so I have
trimmed back some URI and HTML SARES rules, that makes a difference, but
still the queues continue to fill up and cause delays.

My question is about my configuration and if the server I have should
not be having a big problem, or does another gateway need to be added
to split the load. It is a P4 2.8GHz dual-processor with 1GB of RAM and
RAID 5, should I be having this issue with filtering? I adjust the logs
in Amavis and it is definitely the amount of time filtering causing the
delays in mail. Here is my postconf below. Also, is there a way to
possibly have Postfix look at these big domains as local recipients
rejecting all the unknown users instead of filtering them and sending
them to the destination server to be rejected, but still forward the
mail to its destination as received?

esmtp# postconf -n
body_checks = regexp:/usr/local/etc/postfix/body_checks
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
default_process_limit = 50
delay_warning_time = 2
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
local_recipient_maps = $alias_maps unix:passwd.byname
mail_name = Postfix Internet Mail Gateway
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = cyrus
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 1000s
maximal_queue_lifetime = 1d
message_size_limit = 51200000
mynetworks = 127.0.0.0/8, <snip>
newaliases_path = /usr/local/bin/newaliases
parent_domain_matches_subdomains =
hash:/usr/local/etc/postfix/transport.map,debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = hash:/usr/local/etc/postfix/transport.map
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ($mail_name)
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_restrictions = permit_mynetworks, check_client_access
hash:/usr/local/etc/postfix/helo_whitelist, reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
check_sender_mx_access hash:/usr/local/etc/postfix/mx_access,
check_recipient_mx_access hash:/usr/local/etc/postfix/mx_access,
reject_unauth_destination, check_recipient_access
pcre:/usr/local/etc/postfix/recipient_checks.pcre, check_helo_access
hash:/usr/local/etc/postfix/helo_checks, check_sender_access
hash:/usr/local/etc/postfix/sender_checks, check_client_access
hash:/usr/local/etc/postfix/client_checks, reject_rbl_client
relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client
list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client
cbl.abuseat.org, permit
smtpd_restriction_classes = from_freemail_host
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/usr/local/etc/postfix/sender_login_maps
transport_maps = hash:/usr/local/etc/postfix/transport.map
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
ldap:/usr/local/etc/postfix/ldap/virtual_domains.cf
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap/virtual_maps.cf

Thanks in advance for any advice on dealing with my issue.

--
Robert



My guess - too many DNS lookups. You have a lot of RBLs. Make sure you're
running a caching DNS server locally. Also - CPU is not an issue in your case
(at least I don't think so), but more RAM will cut down on swap usage (I bet
it's high) and let you increase default_process_limit which can be what
gives you trouble.

vadim

Robert Fitzpatrick
Posted: Tue Jul 18, 2006 5:42 pm    Post subject: Re: Advise on load

On Tue, 2006-07-18 at 12:51 -0400, Wietse Venema wrote:
Quote:
Robert Fitzpatrick:
You need to block non-existent recipients at the internet gateway.
If you don't have a valid recipient list, use "reject_unverified_recipient"
to reject invalid recipients, and use "address_verify_map" to save
the probe results. See ADDRESS_VERIFICATION_README for details.

Address probes aren't subject to "content_filter" settings. They
are subject to transport_maps and relayhost settings, but you can
override these for address probe (the parameters are called
address_verify_transport_maps and address_verify_relayhost).

Wietse

Man, I love Postfix! I had no idea those things came about on 2.1, I
will have to keep up with my reading....thanks a million, works like a
charm!

--
Robert

Brian Collins
Posted: Tue Jul 18, 2006 6:02 pm    Post subject: RE: Advise on load

Quote:
My question is about my configuration and if the server I have should
not be having a big problem, or does another gateway need to be added
to split the load. It is a P4 2.8GHz dual-processor with 1GB of RAM and
RAID 5, should I be having this issue with filtering?

Your hardware is fine. Many people filter more mail with less hardware.

As others suggested, make sure you reject unknown recipients. Also, in
regards to your script that tells you the number of rejects, try also
installing mailgraph (Google for it). It's great for a filtering mail
server.

--Brian