Any improvement suggestions for main.cf + master.cf ?

2009-01-23 Thread Richard Foley
Hi postfix profis,

I'm running postfix 2.1.5-9 for several domains.  Of course it handles the 
workload with ease, but when I tail the mail.log the screen scrolls 
constantly as it's just rejecting spam every second.  The good thing is that 
all these accesses are rejected, and logged.  Also good is that postfix seems 
to do most of the rejecting before handing off to amavis-new, for example, so 
the CPU is used fairly efficiently I suspect.  The bad thing is that this 
still seems as though this amount of data processing must surely be excessive 
for just a couple of domains, and I'm wondering if I can reduce that 
overhead any more.  I've attached my main and master cf's and a few hundred 
lines of mail.log output which shows less than one minute's worth of logging, 
with the vain hope that someone might have some constructive criticisms to 
offer with which to improve this setup.

Thanks in advance for any (helpful ;) comments.

-- 
Richard Foley
Ciao - shorter than aufwiedersehen

http://www.rfi.net/
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# postfix config - postfix reload
#

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
append_at_myorigin  = no

# Uncomment the next line to generate delayed mail warnings
#delay_warning_time = 4h

myhostname = blix.rfi.net
mydomain = rfi.net
# alias_maps = pcre:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
alias_database = alias_maps
myorigin = /etc/mailname
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8, 195.10.223.184
mailbox_size_limit = 0
home_mailbox = mbox
# mailbox_command = 
mailbox_command = /usr/bin/procmail -t
recipient_delimiter = +
inet_interfaces = all

# rfi 
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
virtual_alias_maps = pcre:/etc/postfix/virtual_alias_maps
# relay_domains = lists.nakedeurope.org

# mailman
# transport_maps = hash:/etc/postfix/transport
# mailman_destination_recipient_limit = 1

# sasl
smtpd_sasl_local_domain = 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# clamav + spamassassin
# content_filter = smtp-amavis:[127.0.0.1]:10024
content_filter = amavisfeed:[127.0.0.1]:10024
# receive_override_options = no_address_mappings

# http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
parent_domain_matches_subdomains = smtpd_access_maps

header_checks = pcre:/etc/postfix/header_checks
# mime_header_checks = pcre:/etc/postfix/mime_header_checks
# body_checks = pcre:/etc/postfix/body_checks 

smtpd_data_restrictions =
    reject_unauth_pipelining
    permit

smtpd_sender_restrictions = 
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_rhsbl_sender dsn.rfc-ignorant.org 
    permit

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access pcre:/etc/postfix/recipient_checks
    reject_multi_recipient_bounce
    check_helo_access hash:/etc/postfix/helo_checks
    reject_non_fqdn_hostname
    reject_invalid_hostname
    check_sender_access hash:/etc/postfix/sender_checks
    check_client_access pcre:/etc/postfix/client_checks
#   reject_rbl_client cbl.abuseat.org
#   reject_rbl_client list.dsbl.org
#   reject_rbl_client sbl.spamhaus.org
#   reject_rbl_client pbl.spamhaus.org
#   NB. zen.spamhaus incorporates the CBL list from abuseat.org, as well as all
#   the zen.spamhaus.org SBL/XBL/PBL lists
    reject_rbl_client zen.spamhaus.org 
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    permit


#
# Postfix master process configuration file.  Each logical line 
# describes how a Postfix daemon program should be run. 
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment 
# lines whose first non-whitespace character is a `#'.  
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A - field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next 

Re: Any improvement suggestions for main.cf + master.cf ?

2009-01-23 Thread ram

On Fri, 2009-01-23 at 11:04 +0100, Richard Foley wrote:
> Hi postfix profis,
> 
> I'm running postfix 2.1.5-9 for several domains.  Of course it handles the 
> workload with ease, but when I tail the mail.log the screen scrolls 
> constantly as it's just rejecting spam every second.  The good thing is that 
> all these accesses are rejected, and logged.  Also good is that postfix seems 
> to do most of the rejecting before handing off to amavis-new, for example, so 
> the CPU is used fairly efficiently I suspect.  The bad thing is that this 
> still seems as though this amount of data processing must surely be excessive 
> for just a couple of domains, and I'm wondering if I can reduce that 
> overhead any more.  I've attached my main and master cf's and a few hundred 
> lines of mail.log output which shows less than one minute's worth of logging, 
> with the vain hope that someone might have some constructive criticisms to 
> offer with which to improve this setup.
> 
> Thanks in advance for any (helpful ;) comments.

If it isn't broken, don't fix it :-)

If you are seeing a lot of reject lines (because of spamhaus?), that
is natural. We get up to 400k connections per hour on some of our postfix
servers and postfix handles them all well. 80% get rejected.

What are you trying to optimize? Are you looking to upgrade your
postfix (2.1x is old)?

1) Do you reject unknown users using
check_recipient_access pcre:/etc/postfix/recipient_checks
A hash map or a cdb map file may be better.

2) smtpd_sender_restrictions seems to duplicate checks in
smtpd_recipient_restrictions, so you may drop them.

3) The smtpd_recipient_restrictions seems to have an unnecessary
reject_unknown_recipient_domain, if you are rejecting unknown users.
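Before deciding which restrictions to drop or reorder, it helps to know which ones actually produce the rejects that scroll past. The following is an added example (not part of the thread or the poster's attachments): a small Python tally over constructed Postfix 2.x smtpd reject lines that groups rejects by the restriction responsible and reports how many needed a DNSBL lookup rather than a cheaper local check. The log lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Postfix 2.x smtpd log format; not taken from the poster's mail.log.
SAMPLE_LOG = """\
Jan 23 11:03:12 blix postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<x@example.net> to=<a@rfi.net> proto=SMTP helo=<mail>
Jan 23 11:03:13 blix postfix/smtpd[4012]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.7]: 504 <mail>: Helo command rejected: need fully-qualified hostname; from=<y@example.org> to=<b@rfi.net> proto=ESMTP helo=<mail>
Jan 23 11:03:14 blix postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 <z@nosuch.invalid>: Sender address rejected: Domain not found; from=<z@nosuch.invalid> to=<c@rfi.net> proto=SMTP helo=<nosuch.invalid>
Jan 23 11:03:15 blix postfix/smtpd[4013]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 Service unavailable; Client host [192.0.2.11] blocked using bl.spamcop.net; from=<w@example.com> to=<d@rfi.net> proto=SMTP helo=<pc>
Jan 23 11:03:15 blix postfix/smtpd[4013]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 <e@other.example>: Relay access denied; from=<v@example.com> to=<e@other.example> proto=SMTP helo=<pc>
Jan 23 11:03:16 blix postfix/smtpd[4014]: connect from mx.example.com[198.51.100.9]
"""

# One reject line: SMTP stage, client name and IP, reply code, then the reason up to "; from=<".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<reason>.*?); from=<"
)

# Reason text -> restriction that produced it; first matching rule wins.
RULES = [
    (re.compile(r"blocked using (\S+)"), lambda m: "reject_rbl_client " + m.group(1)),
    (re.compile(r"Helo command rejected"), lambda m: "helo checks"),
    (re.compile(r"Sender address rejected"), lambda m: "sender checks"),
    (re.compile(r"Recipient address rejected"), lambda m: "recipient checks"),
    (re.compile(r"Relay access denied"), lambda m: "reject_unauth_destination"),
]

def classify(reason):
    for pattern, name in RULES:
        m = pattern.search(reason)
        if m:
            return name(m)
    return "other"

def tally_rejects(log_text):
    # Count rejects per restriction; lines that are not rejects are skipped.
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[classify(m.group("reason"))] += 1
    return counts

def dnsbl_share(counts):
    # Fraction of rejects that cost a DNSBL query instead of being caught by a local check.
    total = sum(counts.values())
    rbl = sum(n for name, n in counts.items() if name.startswith("reject_rbl_client"))
    return rbl / total if total else 0.0

if __name__ == "__main__":
    counts = tally_rejects(SAMPLE_LOG)
    print(counts.most_common(), f"DNSBL share: {dnsbl_share(counts):.0%}")
```

Run it against a real mail.log instead of SAMPLE_LOG to see whether most rejects come from the early, local checks (HELO, sender domain, relay) or only from the DNSBL lookups at the end of the list.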


Re: Any improvement suggestions for main.cf + master.cf ?

2009-01-23 Thread Richard Foley
On Friday 23 January 2009 11:32:04 ram wrote:
> 
> On Fri, 2009-01-23 at 11:04 +0100, Richard Foley wrote:
>> Hi postfix profis,
>> 
>> I'm running postfix 2.1.5-9 
> 
> If it isn't broken, don't fix it :-)

Sage advice :-)

> If you are seeing a lot of reject lines (because of spamhaus?), that
> is natural. We get up to 400k connections per hour on some of our postfix
> servers and postfix handles them all well. 80% get rejected.

Yep, I think postfix is doing a fine job, and I've RTFM'd quite a bit as well 
and read this list (not back2back...), and I'm happy to see the rejects.  I 
was just wondering if I was doing anything obviously inefficient, given that 
I'm not an expert postfix admin.  I realise it's a bit of a 'how long is a 
piece of string' question, because there's almost always some room for 
improvement...
 
> What are you trying to optimize? Are you looking to upgrade your
> postfix (2.1x is old)?
 
Upgrade is imminent.

> 1) Do you reject unknown users using
> check_recipient_access pcre:/etc/postfix/recipient_checks
> A hash map or a cdb map file may be better.

This file is very minimal:

/^\@/           550 invalid address
/[...@].*\@/    550 weird addresses

> 2) smtpd_sender_restrictions seems to duplicate checks in
> smtpd_recipient_restrictions, so you may drop them.
 
Ah, well spotted.

> 3) The smtpd_recipient_restrictions seems to have an unnecessary
> reject_unknown_recipient_domain, if you are rejecting unknown users.
 
Ok.

Thanks for your feedback.

-- 
Richard Foley
Ciao - shorter than aufwiedersehen

http://www.rfi.net/


Re: Any improvement suggestions for main.cf + master.cf ?

2009-01-23 Thread Noel Jones

Richard Foley wrote:

> This file is very minimal:
> 
> /^\@/           550 invalid address
> /[...@].*\@/    550 weird addresses

Don't escape @ in postfix regular expressions.
Don't escape characters inside [ ] classes.


/^@/            550 invalid address
/[...@].*@/     550 weird addresses

--
Noel Jones