This is an interesting thread. I'm wondering about the view of having policyd deal with initial connections up-front, so that things get rejected before they've even had much processing via postfix. My question is, how does the efficiency of policyd compare with the efficiency of postfix internals? Does postfix do a "better" job of rejecting than policyd? As one experiment, I have created a configuration with policyd way up front:

    smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:10031
        check_client_access hash:/etc/postfix/bypass_amavis
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_recipient_domain
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_invalid_hostname
        reject_non_fqdn_hostname
        reject_unverified_recipient
        permit_auth_destination
        permit_mx_backup
    unverified_recipient_reject_code = 550

so that the DB gets fully populated by anything and everything that comes in. I can't really tell offhand that it makes that much difference, at least as long as the total number of rejected messages is relatively small. There are, of course, a number of other postfix configurations (content filters, transport maps, alias maps, etc.).

What are others' experiences with the positioning of policyd within the postfix smtpd_recipient_restrictions configuration? Of course, it will depend in part on how open your server needs to be, what type of mail it deals with, whether it's firewalled, the percentage of illicit mail, the origins of the email, etc. I think we're all interested in optimizing efficiency, so details like this matter.

In our case, we're talking currently around 500k pieces of delivered email daily, so not exactly small numbers, and that doesn't include a large additional number of messages that contain spam or viruses, or are undeliverable or unacceptable for one reason or another. These get weeded out in the process in various stages, using amavisd, spamhaus, clamav, and spamassassin, as well as policyd.

The Hildebrandt/Koetter publication "The Book of Postfix" discusses postfix configuration file optimization only briefly. Postings by Voytek and others of their configuration options are very informative. Above all, we often don't have the chance to experiment much with "live" systems and probably tend to be more conservative in setting up and adjusting configurations. Creating "fake" mailserver environments is a whole separate topic...

In any case, I really think discussions like these are beneficial to a lot of us.

--Tobias
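
Added example, not part of the original post and not code from policyd or Postfix: a small Python check of where check_policy_service sits in smtpd_recipient_restrictions, listing which cheap built-in rejects only run after the policy daemon has been queried and which lookups come ahead of reject_unauth_destination. The sample main.cf text is constructed from the list quoted above, and CHEAP_CHECKS is an assumption of this example about which restrictions need no DNS or socket round-trip.

```python
import re
# Constructed sample: the restriction list quoted in the post, as main.cf text.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031
    check_client_access hash:/etc/postfix/bypass_amavis
    permit_mynetworks reject_unauth_destination reject_unknown_recipient_domain
    reject_non_fqdn_sender reject_non_fqdn_recipient reject_invalid_hostname
    reject_non_fqdn_hostname reject_unverified_recipient
    permit_auth_destination permit_mx_backup
unverified_recipient_reject_code = 550
"""
# Assumption for this example: restrictions needing no DNS query or socket round-trip.
CHEAP_CHECKS = {"reject_unauth_destination", "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient", "reject_invalid_hostname", "reject_non_fqdn_hostname"}
TAKES_ARG = re.compile(r"check_\w+")  # check_* restrictions consume one argument

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous parameter."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        else:
            current, _, value = (p.strip() for p in line.partition("="))
            params[current] = value
    return params

def restriction_names(value):
    """Restriction names in evaluation order, skipping check_* arguments."""
    names, tokens = [], iter(re.split(r"[,\s]+", value.strip()))
    for tok in tokens:
        names.append(tok)
        if TAKES_ARG.fullmatch(tok):
            next(tokens, None)  # drop the table or endpoint argument
    return names

def analyse(text):
    names = restriction_names(parse_main_cf(text)["smtpd_recipient_restrictions"])
    policy = names.index("check_policy_service")
    guard = names.index("reject_unauth_destination")
    return {
        "policy_position": policy + 1,
        # Cheap rejects that only run after the policy daemon was already queried.
        "cheap_after_policy": [n for n in names[policy + 1:] if n in CHEAP_CHECKS],
        # An OK result from these would accept before the relay guard is evaluated.
        "lookups_before_relay_guard": [n for n in names[:guard] if TAKES_ARG.fullmatch(n)],
    }
```

Calling analyse(SAMPLE_MAIN_CF) returns the position of the policy lookup and the two lists; the same function can be pointed at the text of a real main.cf to compare alternative orderings before changing a live server.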