[pfx] Re: secure the email system

2024-06-12 Thread Viktor Dukhovni via Postfix-users
On Thu, Jun 13, 2024 at 08:51:38AM +0800, Jeff Peng via Postfix-users wrote:

> 8. have reject_unknown_client_hostname, reject_unknown_sender_domain options
> for smtpd_sender_restrictions.

You may find "reject_unknown_client_hostname" to be too "aggressive", in
which case "reject_unknown_reverse_client_hostname" is generally safer.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
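Viktor's distinction between the two restrictions, modelled as an added Python simulation (not Postfix's own code): the weaker check only needs a PTR record, the stricter one needs forward-confirmed reverse DNS. The IPs, names, A/PTR tables and reply text are constructed for the example.

```python
"""Added simulation of Postfix's two client-hostname restrictions
(not Postfix's own code). DNS data and reply text are constructed."""

# Constructed reverse (PTR) and forward (A) records for documentation IPs.
PTR = {
    "192.0.2.10": "mail.example.net",   # forward-confirmed: A record matches
    "192.0.2.20": "smtp.example.org",   # PTR exists, A record points elsewhere
    "192.0.2.30": "ghost.example.com",  # PTR exists, name has no A record
    # "192.0.2.40": no PTR record at all
}
A = {
    "mail.example.net": {"192.0.2.10"},
    "smtp.example.org": {"198.51.100.7"},
}

# Postfix's default unknown_client_reject_code is 450, a temporary reject.
REJECT_CODE = 450


def reject_unknown_reverse_client_hostname(ip):
    """Weaker check: reject only when the client IP has no address->name mapping."""
    if PTR.get(ip) is None:
        return REJECT_CODE, "cannot find your reverse hostname"
    return 250, "ok"


def reject_unknown_client_hostname(ip):
    """Stricter check: address->name and name->address must both exist and
    the forward answer must contain the client IP (forward-confirmed rDNS)."""
    name = PTR.get(ip)
    if name is None:
        return REJECT_CODE, "cannot find your reverse hostname"
    if ip not in A.get(name, set()):  # no A record, or it names another IP
        return REJECT_CODE, "cannot find your hostname"
    return 250, "ok"


def compare(ips):
    """Return {ip: (reverse_check_code, full_check_code)} for each client IP."""
    return {ip: (reject_unknown_reverse_client_hostname(ip)[0],
                 reject_unknown_client_hostname(ip)[0]) for ip in ips}


if __name__ == "__main__":
    for ip, codes in compare(list(PTR) + ["192.0.2.40"]).items():
        print(ip, codes)
```

The two middle clients are where the checks diverge: a PTR that does not round-trip passes the reverse-only check but fails the full one. Real Postfix also answers 450 on temporary DNS errors; this simulation only models the permanent cases.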


[pfx] secure the email system

2024-06-12 Thread Jeff Peng via Postfix-users

Hello friends,

I am trying to make my email system on tls-mail.com more secure and 
solid.

I have taken the following deployments.

1. close port 587 and 143, use port 993 and 465 with ssl only.
2. disable sasl auth on port 25.
3. use policyd-rate-limit to limit sending rate.
4. use postscreen for anti-bot and RBL scoring.
5. use policyd-spf to check sender IP's SPF and reject the failed one.
6. use opendmarc to check sender domain's DMARC and reject the failed 
one.
7. opendkim is also deployed for either incoming messages (check 
signatures) or outgoing messages (add signatures).
8. have reject_unknown_client_hostname, reject_unknown_sender_domain 
options for smtpd_sender_restrictions.

9. rspamd for email content security (not deployed yet).

can you give suggestions on these or is there any other options?

Thanks & regards.
Jeff.


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> Using a load balancer like HAProxy for MySQL connections allows 
> balancing only on servers that are synchronized. Direct use of multiple 
> MySQL hosts in Postfix does not allow for any checks.

If you want to load balance N mysql servers behind 1 load balancer,
you can specify that server N times in Postfix's "hosts" directive.
That will end the "mysterious delays".

The alternative, retry immediately on a single IP address, would
require configuration changes (it cannot be the default) and some
code to implement that.

> Given this, the 
> example of MySQL, which could also be the balancing of multiple LMTP 
> connections to IMAP servers, 

If you present only one server IP address to the Postfix LMTP client,
then that client will not immediately retry that IP address after
error, because that would normally be rude behavior. Thus there
will be delays.

If you present multiple IP addresses to the Postfix LMTP client,
then it will try them in random order until delivery succeeds. There
will be no delays. I'm not sure if the client deduplicates IP
addresses; a quick code search suggests it does not.

As with mysql, making the Postfix LMTP client retry immediately on
a single IP address would require configuration changes (it cannot
be the default) and some code to implement that.

It gets messy if we want to do this with every network dependency.

> occur with the use of the balancer under some load conditions. I am 
> looking for information to address the problem since Postfix does not 
> natively support clustered milters.

Clustered or otherwise, the Postfix Milter client isn't going to
retry after a failure mid-session. There is no way to 'replay' the
Postfix-to-Milter conversation. The SMTP server does not control
what happens, it has to respond in real time to events from a remote
SMTP client and relay any responses from the Milter.

The SMTP and LMTP clients can handle mid-session failures because
they are in complete control.

Wietse
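The host-list behaviour Wietse describes, modelled as an added Python simulation (not Postfix code): a load balancer fronting two backends, one of them down, is listed once versus three times in "hosts", beside listing the real servers directly. The hostnames, backends and round-robin balancer are constructed for the example; the shuffled order is the LMTP case described above.

```python
"""Added simulation of the host-list behaviour described in this thread
(not Postfix code): a client walks its configured address list once and
never immediately retries the same address."""
import random


def server(name, healthy):
    """A backend listed directly in 'hosts', as Wietse recommends."""
    def connect():
        if not healthy:
            raise ConnectionError(f"{name} is down")
        return name
    return connect


def load_balancer(backends):
    """Stand-in for an HAProxy front end: each new connection goes to the next
    backend round-robin, even when that backend is down (constructed)."""
    state = {"next": 0}

    def connect():
        name, healthy = backends[state["next"] % len(backends)]
        state["next"] += 1
        if not healthy:
            raise ConnectionError(f"{name} is down")
        return name
    return connect


def try_hosts(hosts, targets, shuffle=False, rng=None):
    """Try each entry of 'hosts' once (shuffled, as described for the LMTP
    client). Returns (backend, attempts); backend None means the client gave
    up for now, which is where the 'mysterious delays' come from."""
    order = list(hosts)
    if shuffle:
        (rng or random).shuffle(order)
    for attempts, host in enumerate(order, start=1):
        try:
            return targets[host](), attempts
        except ConnectionError:
            continue
    return None, len(order)


def scenario(hosts, shuffle=False):
    """Fresh setup per run: backend db1 is down, db2 healthy (constructed)."""
    targets = {"db-lb.example.test": load_balancer([("db1", False), ("db2", True)]),
               "db1.example.test": server("db1", False),
               "db2.example.test": server("db2", True)}
    return try_hosts(hosts, targets, shuffle, random.Random(1))
```

With the balancer listed once, the single attempt lands on the dead backend and the client defers; listed three times, the second entry is effectively an immediate retry through the balancer and reaches the healthy backend.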


[pfx] Re: milter round robin

2024-06-12 Thread Christian Zoffoli via Postfix-users
Using a load balancer like HAProxy for MySQL connections allows 
balancing only on servers that are synchronized. Direct use of multiple 
MySQL hosts in Postfix does not allow for any checks. Given this, the 
example of MySQL, which could also be the balancing of multiple LMTP 
connections to IMAP servers, was to illustrate the timeout issues that 
occur with the use of the balancer under some load conditions. I am 
looking for information to address the problem since Postfix does not 
natively support clustered milters.



On 6/12/24 19:40, Wietse Venema wrote:
> Christian Zoffoli via Postfix-users:
>> I'm asking because I was using it with HAProxy, and with the load
>> balancer between Postfix and the two Rspamd machines, I often have
>> unexplainable timeouts. In general, I see that Postfix does not like
>> interacting with load balancers; I've had similar issues with MySQL
>> connections always balanced with HAProxy
>
> By design Postfix DOES NOT immediately retry connecting to the
> same host. In many contexts that would be considered rude.
>
> That of course has consequences when a service "host" is in fact
> a load balancer.
>
> If you MUST use a load balancer for the MySQL service, specify the
> "host" multiple times in the Postfix MySQL client configuration.
>
> Or stop playing load balancer games and specify the real server
> hosts in the Postfix MySQL client configuration. That is how it is
> supposed to be used.
>
> Wietse



[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> I'm asking because I was using it with HAProxy, and with the load 
> balancer between Postfix and the two Rspamd machines, I often have 
> unexplainable timeouts. In general, I see that Postfix does not like 
> interacting with load balancers; I've had similar issues with MySQL 
> connections always balanced with HAProxy

By design Postfix DOES NOT immediately retry connecting to the
same host. In many contexts that would be considered rude.

That of course has consequences when a service "host" is in fact
a load balancer.

If you MUST use a load balancer for the MySQL service, specify the
"host" multiple times in the Postfix MySQL client configuration.

Or stop playing load balancer games and specify the real server
hosts in the Postfix MySQL client configuration. That is how it is
supposed to be used.

Wietse


[pfx] Re: milter round robin

2024-06-12 Thread Kenneth Porter via Postfix-users
I'm a long-time sendmail user about to deploy my first Postfix server 
and will be moving my MIMEDefang/MailMunge milter to it. They provide 
their own multiplexor. (MailMunge is a fork of MIMEDefang. Both allow 
one to write filters in Perl and provide a sample filter script that 
invokes ClamD, SpamAssassin, and other common mail filters.) I've seen 
no mystery timeouts with them when using them with sendmail.





[pfx] Re: milter round robin

2024-06-12 Thread Christian Zoffoli via Postfix-users
I'm asking because I was using it with HAProxy, and with the load 
balancer between Postfix and the two Rspamd machines, I often have 
unexplainable timeouts. In general, I see that Postfix does not like 
interacting with load balancers; I've had similar issues with MySQL 
connections always balanced with HAProxy


Christian


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> Hello,
> is there a way to use multiple milters in round-robin without using a 
> load balancer? From what I can see in version 3.9, using multiple 
> milters separated by commas results in them being used in sequence.

This is not built into Postfix. 

If you specify a hostname that has multiple IP addresses, then
Postfix will try the IP addresses in the order returned by the
getaddrinfo() system library function. If the order is the same
with each call, then that sucks.

Wietse


[pfx] milter round robin

2024-06-12 Thread Christian Zoffoli via Postfix-users

Hello,
is there a way to use multiple milters in round-robin without using a 
load balancer? From what I can see in version 3.9, using multiple 
milters separated by commas results in them being used in sequence.

