On Wed, Oct 25, 2006 at 03:34:07PM +0200, Urban Hillebrand wrote:
> Hello list,
> 
> we are trying to implement policyd-weight (0.1.13 beta-14) on 2 
> medium-sized mailgateways (~150.000 Mails / day). Please allow me some 
> newbie questions:
> 
> 
> (1) We only want to use RBLs for the time being, so we set 
> $dnsbl_checks_only = 1 in the conffile. We see lots of blocked hosts 
> ("Your MTA is listed in too many DNSBLs; check http://..."), but from time 
> to time we also reject mails with this message:
> 
> "Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to 
> correct HELO and DNS MX settings or to get removed from DNSBLs 
> (multirecipient mail)"

Note the "multirecipient mail" part.
Policyd-weight checks, before the RBL checks, whether the multirecipient mail has 
already been rejected.

i.e.: > RCPT TO: [EMAIL PROTECTED] 
      < 5xx too many rbls
      > RCPT TO: [EMAIL PROTECTED]
      < 5xx $REJECTMSG with multirecipient statement


> (2) Probably related: Which scores are computed for $REJECTLEVEL? HELO + 
> RHSBL?

Too many to name:

SENDER (and subdomain) A/MX records vs client IP (subnets)
HELO   (and subdomain) A/MX records vs client IP (subnets) if SENDER failed
Client PTR vs SENDER/HELO domains (and parent domains) if HELO and SENDER failed
(alone this made up 36 possibilities of verification the last time I tried to
form some evaluation scenario)
Numeric HELO
Random Sender localpart
Bogus Sender MX records (empty, private networks)
Anonymous Sender localpart (nobody|anonymous)
RHSBL influenced by previous checks
And more (this is a quick answer, more remains for the documentation)

 
> (3) This is probably too early to report, as I have not yet been able to 
> reproduce this problem. Has anyone had problems with policyd-weight and 
> perl taint checking? 

DO _NOT_ use taint (yet), DO _NOT_ use -w.
Perl is too chatty on STDERR. Postfix also reads STDERR messages (at least this
goes for the master.cf mode). Thus we have to be very strict on what we output 
to STDERR|STDOUT, or manage, without ill module hacks, that STDERR gets 
redirected to mylog().

And taint leads to unexpected exits.
(NOTE: personally I avoid modules as much as possible for single point of 
 failure reasons.)


> Some (intermittent) errors we saw:
> 
> postfix/policyd-weight[20585]: child: err: Bad file descriptor Insecure 
> dependency in eval while running with -T switch at 
> /usr/libexec/postfix/policyd-weight line 2754, <GEN5000> line 540.

This is when reading in the config file. The code is supposed to be Perl code
and must be executed - taint breaks this, of course.

Thus the config file must be writable only by root - which policyd-weight 
checks.

> or
> 
> postfix/policyd-weight[20340]: cache: err: Insecure dependency in eval 
> while running with -T switch at /usr/libexec/postfix/policyd-weight line 
> 2754, <GEN6> line 1

Same thing as above.

> After that:
> postfix/smtpd[31437]: warning: premature end-of-input on 127.0.0.1:12525 
> while reading input attribute name
> postfix/smtpd[31437]: warning: problem talking to server 127.0.0.1:12525: 
> Success
> 
> All Mails were bounced with "450 Server configuration problem" from that 
> point on :(

Perl warnings and taints are nice sometimes. Sometimes they break things.

I will try to make policyd-weight -t compatible in 0.1.15 devel - but I do
not have good feelings.


-- 
    Robert Felber (PGP: 896CF30B)
    Munich, Germany

____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/
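An added example, in Perl, of the two defensive measures the reply above describes: refusing to evaluate a configuration file that is not a root-owned, root-only-writable regular file (the check that stands in for taint mode around the eval), and routing Perl warnings and STDERR output through a log function so that nothing chatty reaches the STDOUT/STDERR pair Postfix reads in master.cf mode. This is not policyd-weight's own code and not from the thread; the file paths, the log line format and the sub names (mylog, config_is_safe, load_config, LogHandle) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;   # safe here only because every warning is hooked into mylog() below
use Fcntl ':mode';            # S_ISREG, S_IWGRP, S_IWOTH
use POSIX qw(strftime);

# Assumed paths (not policyd-weight's real defaults).
my $CONF = '/etc/policyd-weight.conf';
my $LOG  = '/var/log/policyd-weight.log';

# Everything the daemon has to say goes through mylog(), never to the
# STDOUT/STDERR pair that the Postfix policy protocol is attached to.
sub mylog {
    my ($msg) = @_;
    $msg =~ s/\s+$//;
    if (open(my $fh, '>>', $LOG)) {
        print $fh strftime('%b %e %H:%M:%S', localtime),
              " policyd-weight[$$]: $msg\n";   # syslog-like format, constructed here
        close $fh;
    }
}

# Perl-level warnings go to mylog() instead of STDERR.
$SIG{__WARN__} = sub { mylog("warn: $_[0]") };

# A tiny tied handle so that print/printf STDERR from any module also ends
# up in mylog(). Note: output written by the interpreter itself (an uncaught
# die) bypasses a tie; wrap risky code in eval {} and log $@ for that case.
{
    package LogHandle;
    sub TIEHANDLE { bless {}, shift }
    sub PRINT     { shift; main::mylog(join('', @_)); 1 }
    sub PRINTF    { shift; my $f = shift; main::mylog(sprintf($f, @_)); 1 }
}
tie *STDERR, 'LogHandle';

# The config file is Perl code that gets executed, so whoever can write it
# can run code as the daemon. Accept it only if it is a regular file owned
# by root and writable by nobody else.
sub config_is_safe {
    my ($file) = @_;
    my @st = stat($file) or return (0, "cannot stat $file: $!");
    return (0, "$file is not a regular file")            unless S_ISREG($st[2]);
    return (0, "$file is not owned by root (uid $st[4])") if $st[4] != 0;
    return (0, sprintf("%s is group/world writable (mode %04o)", $file, $st[2] & 07777))
        if $st[2] & (S_IWGRP | S_IWOTH);
    return (1, 'ok');
}

sub load_config {
    my ($file) = @_;
    my ($ok, $why) = config_is_safe($file);
    unless ($ok) {
        mylog("config refused: $why");
        return 0;
    }
    # Evaluate the file as Perl code. Under -T this is exactly where
    # "Insecure dependency in eval" fires, so the ownership/permission
    # check above is the safeguard used instead of taint mode.
    my $rc = do $file;
    unless (defined $rc) {
        mylog("config error in $file: " . ($@ || $!));
        return 0;
    }
    return 1;
}

load_config($CONF) or exit 1;
mylog("config loaded from $CONF");
```

With these hooks in place a warning emitted by a module (or a stray `print STDERR`) is appended to the log file instead of being sent down the policy socket, which avoids the "premature end-of-input" / "450 Server configuration problem" failure mode quoted above; the config check refuses to run a file that a non-root user could have edited.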
