David C. Rankin wrote:
> Listmates (Sandy),
> I have built a fresh 10.3 server, but smtp performance seems slow. Are
> there any tips or tricks to improve the mail sending performance. Here

There are two sides to performant smtp delivery:

- make sure to configure the server to utilize available hardware and
  bandwidth as best as possible
  + avoid network saturation, that will hinder answer packages to
    get through, if necessary, use traffic shaping
  + avoid smtp process exhaustion for internal and incoming transports
- make sure to accommodate the expectations of the receiving servers as
  best as possible
  + squeaky clean dns records: matching forward and reverse dns
  + helo matches existing dns records
  + spf entry if you send a lot to microsoft accounts
  + domainkeys/dkim
  + register as postmaster to high-level destinations, most big providers
    have such a procedure to whitelist your server and for you to receive
    trouble tickets etc.
  + monitor bounces/rejects carefully, some destinations blacklist you
    temporarily if you cause too many rejections. Your database of
    addresses will be outdated faster than you can watch.
  + don't saturate the receiving servers, set appropriate limits for
    simultaneous parallel delivery. Configure a slow transport that only
    uses a few smtp processes for small sites.

Most of the usual suggestions are the reversal of antispam settings. Using
your own dns server or at least caching slave server has also been
suggested. For high level mailservers a local dns server could speed up
dns resolution a lot.

The rest is your task to figure out for your local circumstances. Do you
send newsletters (many mails occurring during a short time) or do you need
to send continuously at a high level? Lots of big mails, varying sizes or
only lots of small mail?

Look at your log to find out if your server doesn't send as fast as
possible or if the receiving servers delay delivery.

> are the current settings:
> [EMAIL PROTECTED]:/home/david # postconf -n
> alias_maps = hash:/etc/aliases
> biff = no
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> debug_peer_level = 2
> defer_transports =
> disable_dns_lookups = no
> disable_mime_output_conversion = no
> html_directory = /usr/share/doc/packages/postfix/html
> inet_interfaces = all
> inet_protocols = all
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailbox_command = /usr/bin/procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> mailbox_transport =
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains =
> masquerade_exceptions = root
> message_size_limit = 10240000
> mydestination = $myhostname, localhost.$mydomain, $mydomain,
> guillorylaw.com, rankinlawfirm.com, drrankin.com, txuovercharges.com,
> bertinlawoffice.com, darrenbertin.com, tannergarth.com
> myhostname = bonza.rbpllc.com

The problem starts here:
dig bonza.rbpllc.com
; <<>> DiG 9.4.1-P1 <<>> bonza.rbpllc.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42966
                                       ^^^^^^^^
postconf -d smtp_helo_name
smtp_helo_name = $myhostname
So you are using an invalid helo name.

> mynetworks_style = subnet

Better set this manually. If the Server has an official ip address you
will invite your neighbor servers to use you as relay.
If you don't have correct dns records, receiving servers may reject you,
place additional restrictions like greylisting or in best case waste time
on additional dns queries for blacklists, helo etc.

> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/packages/postfix/README_FILES
> relayhost =
> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /usr/share/doc/packages/postfix/samples
> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtp_sasl_auth_enable = no
> smtp_use_tls = no
> smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Rankin Law
> Firm, PLLC)
> smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/client_check.cidr, reject_rbl_client relays.ordb.org,
> reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client list.dsbl.org

Several problems:
You don't exclude authenticated clients or clients in mynetworks.
You are using a dead RBL (relays.ordb.org has gone the way of the dinosaurs).

> smtpd_hard_error_limit = 3
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
> reject_non_fqdn_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination, check_recipient_access
> pcre:/etc/postfix/recipient_check.pcre
> smtpd_sasl_auth_enable = no
> smtpd_sender_restrictions = hash:/etc/postfix/access

Do you use /etc/postfix/access? If not, drop it from your config. In this
case it would be a check_sender_access because it is placed in
sender_restrictions.
Pet peeve #1: don't use short cuts, always use the complete form. If you
decide one day to move the check to smtpd_recipient_restrictions, it would
suddenly become a check_recipient_access instead of a check_sender_access.
Better to set up all checks in one class and disable the rest, it's much
more transparent that way.
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unlisted_recipient
#    check_client_access hash:/etc/postfix/client_whitelist
    check_client_access cidr:/etc/postfix/client_check.cidr
    check_recipient_access pcre:/etc/postfix/recipient_check.pcre
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
#    consider using zen.spamhaus.org!
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client list.dsbl.org
Pet peeve #2:
cidr:/etc/postfix/client_check.cidr
check_recipient_access pcre:/etc/postfix/recipient_check.pcre
Can you tell me what kind of checks are in these files?
Will you be able to tell me in half a year as well?
Let's say, you only use it for blacklisting now, but some day you decide
to whitelist someone and say "OK", and suddenly you enable him to use your
server as relay, because you might have put the check before
reject_unauth_destination. As long as you were only using it to reject
clients it wouldn't matter, but whitelist a client and suddenly he can use
you as relay. Whitelist a client before you check for valid recipients,
and you risk to turn into a backscatter source.
Consider using telling names for the checks:
cidr:/etc/postfix/client_blacklist.cidr
pcre:/etc/postfix/recipient_greylisting_enabled.pcre
pcre:/etc/postfix/recipient_internal_only.pcre
If necessary split the checks and create separate files for separate
purposes (blacklisting/rejecting, whitelisting, filtering etc.), then you
can easily place them at the correct place in the order of checks. The
policy of your mail system is much more maintainable that way.

> smtpd_use_tls = no
> strict_8bitmime = no
> strict_rfc821_envelopes = no
> transport_maps = hash:/etc/postfix/transport
> unknown_client_reject_code = 550
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = hash:/etc/postfix/virtual
> virtual_alias_maps = hash:/etc/postfix/virtual
> Which of these would affect or help smtp response time? Any tips would
> be appreciated.

After you have fixed your dns settings,
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
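
The ordering points from the reply above (no shortcut map names, no access map ahead of reject_unauth_destination, trusted clients exempted before RBL lookups, no dead RBL), written as a small linter for `postconf -n` output. This is an added example, not code from the post or from Postfix; the function names, issue labels and the POSTED sample are constructed here, and the sample moves the recipient map ahead of reject_unauth_destination to show the relay case.

```python
import re

MAP = re.compile(r"^[a-z]+:/")     # bare "type:/path" lookup table
TRUSTED = {"permit_mynetworks", "permit_sasl_authenticated"}
DEAD_RBLS = {"relays.ordb.org"}    # the list the post names as dead

def parse_postconf(text):
    """Turn `postconf -n` text into {param: [tokens]}, re-joining wrapped lines."""
    params, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^(\w+)\s*=(.*)$", line):
            current, line = m.groups()
            params[current] = []
        if current and not line.lstrip().startswith("#"):
            params[current] += line.replace(",", " ").split()
    return params

def lint(params):
    """Return (param, issue, token) for each ordering or naming problem."""
    found = []
    for name, tokens in params.items():
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        trusted, relay_guard, prev = False, False, ""
        for tok in tokens:
            trusted |= tok in TRUSTED
            relay_guard |= tok == "reject_unauth_destination"
            if MAP.match(tok):
                if not re.fullmatch(r"check_\w+_access", prev):
                    found.append((name, "implicit-access-map", tok))
                if name == "smtpd_recipient_restrictions" and not relay_guard:
                    found.append((name, "map-before-relay-check", tok))
            if prev == "reject_rbl_client" and tok in DEAD_RBLS:
                found.append((name, "dead-rbl", tok))
            if prev == "reject_rbl_client" and not trusted:
                found.append((name, "rbl-before-trusted-clients", tok))
            prev = tok
    return found

# Constructed sample (assumption): posted settings, recipient map moved before the relay check.
POSTED = """\
smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/client_check.cidr, reject_rbl_client relays.ordb.org
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access
pcre:/etc/postfix/recipient_check.pcre, reject_unauth_destination
"""

if __name__ == "__main__":
    print(*lint(parse_postconf(POSTED)), sep="\n")
```

Each restriction list is checked on its own, because a permit_mynetworks in one smtpd_*_restrictions list does not exempt clients from checks in another.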