Tobias J. Kreidl wrote, on 13-10-2007 09:31:

> I'm wondering about the view of having policyd deal with initial 
> connections up-front, so that things get rejected before they've even had 
> much processing via postfix.  My question is, how does the efficiency of 
> policyd compare with the efficiency of postfix internals?  Does 
> postfix do a "better" job of rejecting than policyd?  As one experiment, I 
> have created a configuration with policyd way up front:
> 
> smtpd_recipient_restrictions =
>      check_policy_service inet:127.0.0.1:10031
>      check_client_access hash:/etc/postfix/bypass_amavis
>      permit_mynetworks
>      reject_unauth_destination
>      reject_unknown_recipient_domain
>      reject_non_fqdn_sender
>      reject_non_fqdn_recipient
>      reject_invalid_hostname
>      reject_non_fqdn_hostname
>      reject_unverified_recipient
>      permit_auth_destination
>      permit_mx_backup
> # separate main.cf parameter, not a restriction
> unverified_recipient_reject_code = 550
> 
> so that the DB gets fully populated by anything and everything that comes 
> in.  I can't really tell offhand that it makes that much difference, at 
> least as long as the total number of rejected messages is relatively small. 
> There are, of course, a number of other postfix configurations (content 
> filters, transport maps, alias maps, etc.).
> 
> What are others' experiences with the positioning of policyd within the 
> postfix smtpd_recipient_restrictions configuration?  Of course, it will 
> depend in part on how open your server needs to be, what type of mail it 
> deals with, whether it's firewalled, the percentage of illicit mail, the 
> origins of the email, etc.  I think we're all interested in optimizing 
> efficiency, so details like this matter.  In our case, we're talking 
> currently around 500k pieces of delivered email daily, so not exactly 
> small numbers, and that doesn't include a large additional number of mail 
> containing spam, viruses, and are undeliverable or unacceptable for one 
> reason or another.  These get weeded out in the process in various stages, 
> using amavisd, spamhaus, clamav, and spamassassin, as well as policyd. 
> The Hildebrandt/Koetter publication "The Book of Postfix" discusses 
> postfix configuration file optimization only briefly.  Postings by Voytek 
> and others of their configuration options are very informative.  Above 
> all, we often don't have the chance to experiment much with "live" systems 
> and probably tend to be more conservative in setting up and adjusting 
> configurations.  Creating "fake" mailserver environments is a whole 
> separate topic...  In any case, I really think discussions like these are 
> beneficial to a lot of us.

To my mind it should come last in smtpd_recipient_restrictions. What's 
the point of greylisting stuff that Postfix would reject anyway?

-Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
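
To check an existing main.cf against the ordering argued for in this reply, the sketch below (an added example, not part of either poster's message) parses a restriction list and reports which reject_* restrictions are reached only after check_policy_service has been queried. The two sample configurations are constructed, abbreviated from the quoted list, and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the quoted list: policy service first.
POLICY_FIRST = """\
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_non_fqdn_sender
    reject_unverified_recipient
"""

# Constructed sample: same restrictions with the policy service moved last.
POLICY_LAST = """\
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_non_fqdn_sender
    reject_unverified_recipient
    check_policy_service inet:127.0.0.1:10031
"""

def restrictions(main_cf, name="smtpd_recipient_restrictions"):
    """Return one parameter's restriction tokens in evaluation order."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues a line
        else:
            logical.append(line.strip())
    for entry in logical:
        key, sep, value = entry.partition("=")
        if sep and key.strip() == name:
            return [tok for tok in re.split(r"[\s,]+", value) if tok]
    return []

def rejects_after_policy(tokens):
    """reject_* restrictions evaluated only after the policy service was queried."""
    if "check_policy_service" not in tokens:
        return []
    first = tokens.index("check_policy_service")
    return [tok for tok in tokens[first + 1:] if tok.startswith("reject_")]

if __name__ == "__main__":
    for label, cf in (("policy first", POLICY_FIRST), ("policy last", POLICY_LAST)):
        print(label, "->", rejects_after_policy(restrictions(cf)))
```

An empty result means every built-in reject has had its chance before the policy daemon and its database are touched.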
