Cyconet Blog » policyd-weight

package updates

cyco — Thu, 10 Feb 2011 22:12:42 +0000

After Debian Squeeze was released last weekend, development will speed up again.
Today I uploaded a new postfwd package which ships also the postfwd2 script, a prefork server version.
I also started to orphan packages I’m not using anymore or having dead upstream. The first candidate was policyd-weight, fortunately Chris Butler took the package over.
I’m happy to be the first uploader into squeeze-backports with …. icinga.

[security] policyd-weight 0.1.14-beta-6etch1/0.1.14.15-1

cyco — Thu, 27 Mar 2008 20:12:21 +0000

This Tuesday Robert Felber released a new upstream version. It is a (local) security bugfix (and some minor fixes) which was reported on Sunday by Chris Howells to the Debian Security Team (as well as to other vendors). Today DSA-1531 was released.

Right from the DSA:
“… created its socket in an insecure way, which may be exploited to overwrite or remove arbitary files from the local system.”

So please update you systems if you use this package asap.

While we are at policyd-weight… there is one bug open (#471645) where I’m unsure if I want to fix it, cause only stable is effected and the problem can be solved by providing a adjusted array of rbl in the config file. Should I ask for inclusion directly into stable? But it’s a really minor issue. Or try to get 0.1.14.15 uploaded to volatile? I’m really unsure and suggestions are welcome.

bit nagios-plugin bugsquashing, stalling policyd-weight and my first perl module package

cyco — Mon, 10 Mar 2008 18:18:57 +0000

Last week I did again some work on nagios-plugins. After the announcement of Dann Frazier to upload NMU to fix a trivial bug, I thought it’s time again to give some extra care to the package. So I prepared 1.4.11-2 fixing the important bugs and uploaded it. I also commited some minor fixes to the svn, so these issues will get fixed by the next upload.

Since the development of policyd-weigh stalled and unfortunately maybe get stuck, I was looking for an alternative, which maybe found with postfwd. It’s quite flexible but it also will take more time (and care!) to get a reliable configuration, which maybe effective as policyd-weight (still) is right now. While checking the dependencies for postfwd I noticed that Net::DNS::Async isn’t available in Debian (yet). So I decided to create a package starting with dh-make-perl, join the Debian Perl Group and let it review. Damyan Ivanov was so kind to review and upload it, Gregor Herrmann did also give some much useful hints. Thanks to both!

And yes, I also found time to step forward with NM, since I was overloaded the last weeks with usual work and life. Thank to my AM to be so appreciative.

Conditional greylisting (with postfix, policyd-weight and postgrey)

cyco — Fri, 03 Aug 2007 08:02:46 +0000

In case you think that greylisting might have some disadvantages but give you also some benefits, you probably have thought about to use greylisting with some conditions. For example if you checked some parameters of the mail and you (or better your mailsystem) guess it may be spam, greylisting could be very usefull.
Until now, I was using plain policyd-weight. But mails with $REJECTLEVEL <= score <= $DEFER_LEVEL where in some conditions defered (see policyd-weight default) and if they come back with the same conditions, they will be defered twice. So it makes sence to me to greylist them and if they return within $DEFER_LEVEL, they will pass cause the greylist will allow them.
At first let’s create a restriction class which we can call from policyd-weight within main.cf of postfix:

# restriction class for use with polw (DEFER_ACTION)
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:60000

To call postgrey for $REJECTLEVEL <= score <= $DEFER_LEVEL you need to make use of the restriction class “greylist” and let $DEFER_STRING match all defer strings, to get them all greylisted:

# echo “\$DEFER_STRING = ‘NOT’;” >> /etc/policyd-weight.conf
# echo “\$DEFER_ACTION = ‘rc:greylist’;” >> /etc/policyd-weight.conf
# /etc/init.d/postgrey restart

Also you may have a look into The DNSBL countries.nerd.dk. This might be a way to score connections comming from well known spamming countries. But keep in mind, that there may also legitim mails comming from those! ;)

Reduce spam significant

cyco — Fri, 15 Dec 2006 22:51:18 +0000

With policyd-weight you are able to reject mails before the body is received by your MTA, here postfix. No bounce mails, less wasted bandwidth and cpu time. policyd-weight scores characteristics of the mail positive or negative, is a defined value reached, it got rejected. The scores are currently:

– DNSBLs/RHSBLs
– HELO argument
– MAIL FROM: argument
– Client IP address
– DNS client/HELO/FROM entries (A/16 A/24 A/32), PTR/FQDN and Parent Domains (MX/16 MX/24 MX/32) for their correctness respectively whether they match.

It’s available in etch and bpo, installation is really easy:

# aptitude install [-t sarge-backports] policyd-weight

Remove unnecessary reject_rbl_client and reject_rhsbl_client checks from main.cf and insert the check_policy_service:

smtpd_recipient_restrictions =
        permit_mynetworks,
        ...
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:12525
        ...

You can create a “/etc/policyd-weight.conf” if you would like to adjusting scores or other policyd-weight parameters. You can get the defaults with “policyd-weight defaults”. For more informations have a look at “/usr/share/doc/policyd-weight/documentation.txt.gz” or http://policyd-weight.org.

A normal day on a backup MX with ~500 domain:

backup:~# zgrep -e “postfix.*: connect from” \
/var/log/mail.info.0 | wc -l
29936
backup:~# zgrep -e “policyd-weight.*decided action=5″ \
/var/log/mail.info.0 | wc -l
22738
backup:~# zgrep -e “postfix.*status=sent” \
/var/log/mail.info.0 | wc -l
5570

Running different policyd-weight instances

cyco — Wed, 20 Sep 2006 12:56:11 +0000

Why run different instances of policyd-weight? Cause you may want use different scorings based on Access Policy Delegation.

At first you need make a copy of policyd-weight and modify it, since Robert didn’t implement a switch to specify a config file (yet):

# cp policyd-weight policyd-weight-instance2
# sed “s/\/policyd-weight.conf/\/policyd-weight-instance2.conf/” \
policyd-weight-instance2

Required changes to the config file:

# echo “$syslog_ident = \
“postfix/policyd-weight-INSTANCE2″;” >> \
/etc/policyd-weight-mx.conf
# echo “$SPATH = \
$LOCKPATH.’/polw-instance2.sock’;” >> \
/etc/policyd-weight-mx.conf
# echo “$PIDFILE = \
“/var/run/policyd-weight-instance2.pid”;” >> \
/etc/policyd-weight-mx.conf
# echo “$TCP_PORT = \
12526;” >> /etc/policyd-weight-mx.conf

The difference in my case is to not score “bogus_mx_score”, which may cause trouble when mails coming in from backup MX:

# echo “@bogus_mx_score = (0, 0 );” >> \
/etc/policyd-weight-mx.conf