Another improvement would be to implement DKIM and SPF checking in the MTA (postfix usually) that runs the domain. This instantly drops off a decent amount of spam, and would save hits to maildaemon.php.
To be fully effective, the domain should use DKIM for outgoing mail and have SPF configured.

http://laconi.ca/trac/ticket/488
http://laconi.ca/trac/ticket/487
http://laconi.ca/trac/ticket/490
http://laconi.ca/trac/ticket/489

~Craig

> Hi all, I just posted this to trac, but thought I would send it to the
> list; apologies if it has already been addressed or implemented.
>
> I did see
> http://mail.laconi.ca/pipermail/laconica-dev/2009-March/001046.html
> but it seems to me that relying on the checks in maildaemon.php,
> rather than dropping invalid-recipient mail on the floor first, is
> unnecessarily expensive. I understand that the idea is simply to
> validate posts, but from a system usage and architecture viewpoint,
> this should get done only after the MTA handles the email correctly.
>
> Accepting all email for a domain has to be seen as something that will
> affect availability, performance and security. Wildcarding all mail
> for a domain and running it through a script will create performance
> and availability issues, and will expose the system to attack. I think
> the maildaemon.php script works well, but every mail sent to a
> laconica server hits it with the commonly found *|maildaemon.php
> /etc/aliases setup.
>
> MTAs like postfix have very robust solutions to this if allowed to
> work the way they are supposed to, by checking whether we want to accept
> mail for a recipient address, i.e. the made-up email address.
>
> Even with an average amount of spam, let alone an attack, performance
> has to be affected.
>
> I have a draft howto http://pbj.ca/postfix.html that properly rejects
> invalid mails before they hit maildaemon.php, using postfix.
>
> Example output from mail on my laconica instance:
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.shellfusion.net.
> Escape character is '^]'.
> 220 aurora.nearsourceit.com ESMTP Postfix
> helo localhost
> 250 aurora.nearsourceit.com
> mail from: [email protected]
> 250 2.1.0 Ok
> rcpt to: [email protected]
> 250 2.1.5 Ok
> data
> 354 End data with <CR><LF>.<CR><LF>
> telnet post ;)
> .
> 250 2.0.0 Ok: queued as 2420613C41A
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.shellfusion.net.
> Escape character is '^]'.
> 220 aurora.nearsourceit.com ESMTP Postfix
> mail from: [email protected]
> 250 2.1.0 Ok
> rcpt to: [email protected]
> 550 5.1.1 <[email protected]>: Recipient address rejected: User
> unknown in virtual mailbox table
>
> I advise everyone to implement proper recipient checking using the
> incomingemail data in their database with an MTA; maildaemon.php is
> not a substitute for recipient checking.
>
> Regards,
>
> Stef
>
> Stefan Caunter
> _______________________________________________
> Laconica-dev mailing list
> [email protected]
> http://mail.laconi.ca/mailman/listinfo/laconica-dev
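The configuration below is an added example for this thread, not Stef's howto and not part of Laconica. It sketches the Postfix setup that produces the two transcripts above: recipients are accepted at RCPT TO only if the address exists as a user's incomingemail in the database, everything else gets the "550 5.1.1 ... User unknown in virtual mailbox table" rejection before maildaemon.php runs, and Craig's SPF and DKIM checks are hooked in at SMTP time. Assumptions, which should be adjusted to the local install: Laconica's MySQL `user` table has an `incomingemail` column, the incoming domain is incoming.example.org, maildaemon.php lives under /var/www/laconica/scripts/, the pipe transport is named `laconica`, and an SPF policy daemon (policyd-spf) and a DKIM milter on port 8891 are installed.

```ini
# /etc/postfix/main.cf (added example; domain, paths and transport name are assumptions)

# Postfix owns the incoming-mail domain and decides per recipient whether to
# accept, instead of a catch-all alias piping every message to maildaemon.php.
myhostname = aurora.example.org
virtual_mailbox_domains = incoming.example.org

# Accept RCPT TO only when the address is a known incomingemail. Unknown
# addresses are refused with "550 5.1.1 ... User unknown in virtual mailbox
# table" during the SMTP dialogue, so no PHP runs for spam or probes.
virtual_mailbox_maps = mysql:/etc/postfix/laconica-recipients.cf

# Accepted mail goes to maildaemon.php via the pipe transport in master.cf
# (transport name "laconica" is an assumption).
virtual_transport = laconica

# Craig's additions: SPF via a policy daemon, DKIM verification via a milter.
# Socket and port are assumptions; match whatever daemons are installed.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    check_policy_service unix:private/policy-spf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# /etc/postfix/laconica-recipients.cf (mode 0640, owner root:postfix, it holds
# a DB password). Assumes Laconica's "user" table with an "incomingemail"
# column. %s is the full recipient address Postfix looks up; any non-empty
# result means "known recipient". The fallback "@domain" key Postfix also
# tries matches no row, so the domain itself is never a valid recipient.
user = laconica
password = CHANGE_ME
hosts = 127.0.0.1
dbname = laconica
query = SELECT 1 FROM user WHERE incomingemail = '%s'

# /etc/postfix/master.cf additions
# service    type  private unpriv chroot wakeup maxproc command + args
laconica     unix  -       n      n      -      -       pipe
  flags=FR user=www-data argv=/var/www/laconica/scripts/maildaemon.php
policy-spf   unix  -       n      n      -      0       spawn
  user=nobody argv=/usr/bin/policyd-spf
```

To check the recipient map without sending mail, query it directly with `postmap -q someone@incoming.example.org mysql:/etc/postfix/laconica-recipients.cf`: a known incomingemail prints `1`, an unknown one prints nothing. Then repeat Stef's telnet test; the unknown address should be rejected at RCPT TO, and the accepted one should show up in the mail log as handed to the `laconica` pipe transport rather than to a local alias.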
