[Cialug] postfix issue

Jeff Davis jdavis at geolearning.com
Fri Nov 17 09:43:37 CST 2006


I can't see anything particularly wrong with your implementation.

It's interesting to me that you're using a remote service to handle the
amavis service.
My suggestion would be to add some handling in your perl script to check
that you can reach the service and return a defer_if_permit if the
service is not available.

On a side note:
Since you're already not passing large attachments this may not be an
issue, but if you start having problems with some bigger messages you
may want to add a time limit.
Change: $filter = 'smtp:sparky.dsrw.org:10024';
to: $filter = 'smtp:sparky.dsrw.org:10024_time_limit = 3600';
Postfix will by default kill a child process after 1000 seconds.

-Jeff




david l goodrich wrote:
> On Thu, Nov 16, 2006 at 11:44:37AM -0600, Jeff Davis wrote:
>> Who had the postfix problem at the meeting last night?
>>
>> If you send me (off the list) the section of your config where you're
>> performing that check I'll be glad to help.
>>
>> -Jeff
>>
>
> That was me.  I appreciate all your help.  I'll send it to the
> list as well, maybe this'll be useful later.
>
> A little background on my setup.  My mail server is in NYC and
> connected via a VPN to a server running amavisd-new and
> spamassassin in Rochester, MN.  This link is not the fastest
> thing in the world, and amavisd by default automatically passes
> messages over 64k anyway, so I thought I would spare myself a lot
> of trouble and just not send messages greater than 64k to the
> anti-spam server in the first place.
>
> Through the reading I've done on the Internet, I determined the
> only way to do that is to set up a policy filter at the
> smtpd_end_of_data_restrictions level, since postfix only has an
> idea of the size of the message after it has been accepted.  At
> least, that's what Wietse Venema suggested[1].
>
> I am not doing my spam filtering quite like in the poster of the
> message[2].  amavisd-new is listening on port 10024 of the
> anti-spam server, and once it has filtered the message and added
> headers, sends it back to the postfix server on port 10025.
>
> So my master.cf looks like this:
> smtp      inet  n       -       n       -       -       smtpd
>   -o smtpd_end_of_data_restrictions=check_policy_service,unix:private/filterlogic
>
> and then:
> 10025     inet  n       -       n       -       -       smtpd
>   -o smtpd_authorized_xforward_hosts=172.20.0.0/16
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=
>   -o receive_override_options=no_unknown_recipient_checks
>
> and finally
> filterlogic     unix  -       n       n       -       - spawn
>      user=nobody argv=/usr/pkg/bin/perl /usr/local/bin/filterlogic.pl
>
> of course, all the usual bits for pickup, cleanup, discard, etc
> are all still there.
>
> filterlogic.pl is just the greylist.pl that was included with the
> distribution, but the smtpd_access_policy function was changed to
> suit my needs.  This policy filter also checks to see if an
> authenticated user (i.e. myself) sent the message, and if so will
> not filter it.
>
>  sub smtpd_access_policy {
>
>     # Specify the location of the filter
>     $filter = 'smtp:sparky.dsrw.org:10024';
>     # and the message size to automatically pass
>     $messagesize = 1024 * 64;
>
>     my $size;
>     my $sender;
>     $size = lc $attr{"size"};
>     $sender = lc $attr{"sasl_username"};
>   
>     if ($size > $messagesize || length($sender) > 0)
>         { return "ok"; }
>     else
>         { return "filter " . $filter; }
>  }
>
>
> The problem I have seen is that since postfix can't report a size
> to the policy filter until after it has accepted the message,
> postfix accepts the message from the client, sends a 2xx accept
> code, and /then/ runs the filter.  If the link to the anti-spam
> server is down, postfix seems to just drop the message, but the
> sending server has no idea, since postfix returned a 2xx and the
> sending server assumes everything is fine.  This seems broken to
> me.
>
> More bits and pieces of master.cf and main.cf are available upon
> request, of course.  Nothing much secret in them :]  Thanks again
> for your help.
>   --waldo
>
>
> 1. http://archives.neohapsis.com/archives/postfix/2006-06/0430.html
> 2. http://www.postfix.org/FILTER_README.html#advanced_filter
>
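The reachability check suggested in the reply above, sketched as an added example; it is not part of the thread and not the poster's filterlogic.pl. The helper name filter_reachable(), the 5-second timeout and the host/port arguments to smtpd_access_policy() are assumptions, and %attr is expected to be filled by the surrounding policy-server loop as in greylist.pl.

```perl
#!/usr/bin/perl
# Added example, not the poster's filterlogic.pl. filter_reachable() and the
# 5-second timeout are assumptions; %attr is filled in by the surrounding
# policy-server loop, as in greylist.pl.
use strict;
use warnings;
use IO::Socket::INET;

our %attr;
my $MAX_SIZE = 1024 * 64;    # messages above this bypass the filter

# True if a TCP connection to host:port completes within $timeout seconds.
sub filter_reachable {
    my ($host, $port, $timeout) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port,
        Proto    => 'tcp', Timeout  => $timeout,
    ) or return 0;
    close $sock;
    return 1;
}

sub smtpd_access_policy {
    my ($host, $port) = @_;
    my $size   = $attr{size} // 0;
    my $sender = lc($attr{sasl_username} // '');

    # Large or authenticated mail skips the filter, as in the original logic.
    return 'ok' if $size > $MAX_SIZE || length $sender;

    # Filter down: answer 4xx before end-of-data is acknowledged, so the
    # sending server keeps the message queued and retries.
    return 'defer_if_permit Content filter temporarily unavailable'
        unless filter_reachable($host, $port, 5);

    return "filter smtp:$host:$port";
}

# Constructed demo: a local listener stands in for amavisd on an ephemeral port.
my $srv = IO::Socket::INET->new(Listen => 1, LocalAddr => '127.0.0.1', LocalPort => 0)
    or die "listen: $!";
my $port = $srv->sockport;
%attr = (size => 2048, sasl_username => '');
print "up:   ", smtpd_access_policy('127.0.0.1', $port), "\n";
close $srv;
print "down: ", smtpd_access_policy('127.0.0.1', $port), "\n";
%attr = (size => 200_000, sasl_username => '');
print "big:  ", smtpd_access_policy('127.0.0.1', $port), "\n";
```

The probe runs inside the SMTP transaction, so the timeout has to stay well below the client's end-of-data timeout. A successful connect only shows that the port answers, not that the filter is scanning mail.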


